[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]




  HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A 
  REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES

=======================================================================

                                HEARING

                               before the

                            SUBCOMMITTEE ON
                      OVERSIGHT AND INVESTIGATIONS

                                 of the

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             FIRST SESSION

                               __________

                             AUGUST 3, 2001

                               __________

                           Serial No. 107-56

                               __________

       Printed for the use of the Committee on Energy and Commerce


 Available via the World Wide Web: http://www.access.gpo.gov/congress/house

                                _______

                  U.S. GOVERNMENT PRINTING OFFICE
74-853                     WASHINGTON : 2001

____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001


                    COMMITTEE ON ENERGY AND COMMERCE

               W.J. ``BILLY'' TAUZIN, Louisiana, Chairman

MICHAEL BILIRAKIS, Florida           JOHN D. DINGELL, Michigan
JOE BARTON, Texas                    HENRY A. WAXMAN, California
FRED UPTON, Michigan                 EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida               RALPH M. HALL, Texas
PAUL E. GILLMOR, Ohio                RICK BOUCHER, Virginia
JAMES C. GREENWOOD, Pennsylvania     EDOLPHUS TOWNS, New York
CHRISTOPHER COX, California          FRANK PALLONE, Jr., New Jersey
NATHAN DEAL, Georgia                 SHERROD BROWN, Ohio
STEVE LARGENT, Oklahoma              BART GORDON, Tennessee
RICHARD BURR, North Carolina         PETER DEUTSCH, Florida
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
GREG GANSKE, Iowa                    ANNA G. ESHOO, California
CHARLIE NORWOOD, Georgia             BART STUPAK, Michigan
BARBARA CUBIN, Wyoming               ELIOT L. ENGEL, New York
JOHN SHIMKUS, Illinois               TOM SAWYER, Ohio
HEATHER WILSON, New Mexico           ALBERT R. WYNN, Maryland
JOHN B. SHADEGG, Arizona             GENE GREEN, Texas
CHARLES ``CHIP'' PICKERING,          KAREN McCARTHY, Missouri
Mississippi                          TED STRICKLAND, Ohio
VITO FOSSELLA, New York              DIANA DeGETTE, Colorado
ROY BLUNT, Missouri                  THOMAS M. BARRETT, Wisconsin
TOM DAVIS, Virginia                  BILL LUTHER, Minnesota
ED BRYANT, Tennessee                 LOIS CAPPS, California
ROBERT L. EHRLICH, Jr., Maryland     MICHAEL F. DOYLE, Pennsylvania
STEVE BUYER, Indiana                 CHRISTOPHER JOHN, Louisiana
GEORGE RADANOVICH, California        JANE HARMAN, California
CHARLES F. BASS, New Hampshire
JOSEPH R. PITTS, Pennsylvania
MARY BONO, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska

                  David V. Marventano, Staff Director

                   James D. Barnette, General Counsel

      Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

                                 ______

              Subcommittee on Oversight and Investigations

               JAMES C. GREENWOOD, Pennsylvania, Chairman

MICHAEL BILIRAKIS, Florida           PETER DEUTSCH, Florida
CLIFF STEARNS, Florida               BART STUPAK, Michigan
PAUL E. GILLMOR, Ohio                TED STRICKLAND, Ohio
STEVE LARGENT, Oklahoma              DIANA DeGETTE, Colorado
RICHARD BURR, North Carolina         CHRISTOPHER JOHN, Louisiana
ED WHITFIELD, Kentucky               BOBBY L. RUSH, Illinois
  Vice Chairman                      JOHN D. DINGELL, Michigan,
CHARLES F. BASS, New Hampshire         (Ex Officio)
W.J. ``BILLY'' TAUZIN, Louisiana
  (Ex Officio)



                            C O N T E N T S

                               __________

Testimony of:
    Bodman, Hon. Samuel W., Deputy Secretary, accompanied by 
      Thomas Pyke, Acting Chief Information Officer, U.S. 
      Department of Commerce
    Dacey, Robert F., Director, Information Security Issues, U.S. 
      General Accounting Office
    Frazier, Hon. Johnnie E., Inspector General, U.S. Department 
      of Commerce

  HOW SECURE IS SENSITIVE COMMERCE DEPARTMENT DATA AND OPERATIONS? A 
  REVIEW OF THE DEPARTMENT'S COMPUTER SECURITY POLICIES AND PRACTICES

                              ----------                              


                         FRIDAY, AUGUST 3, 2001

                  House of Representatives,
                  Committee on Energy and Commerce,
              Subcommittee on Oversight and Investigations,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 9:30 a.m., in 
room 2123, Rayburn House Office Building, Hon. James C. 
Greenwood (chairman) presiding.
    Members present: Representatives Greenwood, Burr, and 
Tauzin (ex officio).
    Staff present: Tom Dilenge, majority counsel; Mark 
Paoletta, majority counsel; Will Carty, legislative clerk; and 
Peter Kielty, legislative clerk.
    Mr. Greenwood. Good morning. The subcommittee will come to 
order.
    I apologize for starting a little late. It was a late night 
last night, and we are hoping some of the other members arrive, 
but we do not want to dishonor anyone's time. So we will start 
now.
    We are here today to continue the committee's review of 
computer security, or lack thereof, as the case may be, at 
Federal agencies under our jurisdiction. Since 1998, this 
committee has reviewed computer security policies and practices 
at the Environmental Protection Agency, the Department of 
Energy, the Health Care Financing Administration, and today we 
will be focusing our attention on the Department of Commerce.
    Without exception, we have found significant security 
problems at each of these agencies, all of which either took or 
are taking prompt action to correct the deficiencies identified 
as a result of our oversight.
    Unfortunately, it appears that information security rarely 
becomes a priority within an agency until the white hot lights 
of public and congressional attention focus on that agency's 
specific flaws.
    Today we will hear from information security experts at the 
General Accounting Office, who at this committee's request 
conducted an in depth evaluation of the department's management 
and implementation of computer security at seven of its 
operating divisions, including the Bureau of Export 
Administration, the International Trade Administration, the 
Economics and Statistics Administration, and the Office of the 
Secretary.
    GAO's team of ethical hackers identified and exploited 
vulnerabilities in the computer systems of these divisions to 
gain virtually unlimited access to them internally from within 
the department's network and externally from the Internet.
    Not only could these systems be accessed without 
authorization, but the information contained in them could be 
read, modified, or deleted at will, even with respect to the 
most sensitive systems and data files within these seven 
divisions.
    And with such access also comes the power to completely 
disrupt critical department operations. It is no secret that of 
the systems reviewed and found to be vulnerable by GAO, many 
contain highly sensitive personal, financial, commercial, and 
national security related data and are critical to the 
department's overall mission.
    Included in this list are the export control licensing 
systems and the networks that are used by the International 
Trade Administration for communications with our foreign 
commerce outposts around the world.
    The state of the department's security was truly 
deplorable. GAO found instances in which systems did not 
require passwords even for system administrator accounts. Other 
systems had easily guessed passwords, such as ``password.''
    Certain passwords and password files were either 
unencrypted or not otherwise protected, permitting anyone on 
the network, authorized or unauthorized, to read and obtain 
even the most powerful account passwords.
    And six of the seven bureaus did not even limit the number 
of times an individual could try to log onto the system, 
allowing would-be hackers excessive opportunities to crack 
these poor password controls.
    GAO also found that poor network security and 
configurations permitted GAO's experts to circumvent the 
limited security controls that were in place and thus, to 
travel between and among the seven connected bureaus, 
essentially finding that the lowest common denominator among 
these bureaus set the security standard for the rest of them.
    Some of the bureaus did not even have firewalls in place to 
protect all of their sensitive internal systems from the 
Internet or, if they did, they were either so poorly 
implemented as to be largely ineffective or could be easily 
bypassed by alternative access routes.
    These failures place all of the connected bureaus at 
significant risks of intrusions.
    Equally troubling, and despite advance notice of the GAO 
hacking attempts, the department's monitoring of cyber 
intrusions failed to detect the overwhelming majority of GAO's 
intrusion and scanning efforts, including the successful ones.
    In fact, GAO reports that its hackers gained access to one 
system only to find that a Russian hacker had been there before 
them without the department's apparent knowledge. And only two 
of the bureaus reviewed by GAO had formal intrusion detection 
systems in place.
    In short, the department simply has no idea of whether its 
sensitive systems are being or have been compromised, a totally 
unacceptable situation.
    The reason for these failures, according to GAO, is the 
lack of an effective security management program at the 
department. Basic and longstanding Federal security 
requirements have essentially been ignored for years. Only 3 of 
the 94 sensitive systems reviewed by GAO had documented risk 
assessments, and only seven had current security plans, none of 
which have been approved yet by management.
    The department's computer security policies have not been 
updated since 1995, despite the tremendous growth of the 
Internet and the increased interconnectivity between Commerce 
bureaus and the outside world, and there are virtually no 
minimum security requirements for all Commerce computer 
systems, even, for example, on basic issues such as password 
lengths or characteristics.
    In addition to GAO, we will hear today from the 
department's Inspector General, which also has done work in 
this area. A recent IG report essentially confirmed that the 
lack of effective security management found by GAO with respect 
to seven of the department's operating divisions was not 
unusual.
    Across the department adequate risk assessments and 
security plans are the exception rather than the norm with 
roughly 92 percent of the department's systems failing to 
comply with at least one of these Federal security 
requirements.
    The IG's financial control audits, which beginning this 
year contained a limited penetration test of computer security 
controls, also confirm that access control problems similar to 
those identified at the seven bureaus reviewed by GAO exist at 
many other Commerce bureaus as well, including the Census 
Bureau, NOAA, NIST, and others, posing threats from both 
internal and external sources.
    How could this situation exist and for so long? The short 
answer is that until this committee started asking questions 
early last year, no one at the department was even seriously 
looking at these issues.
    Despite Federal requirements for independent reviews of 
security controls on major systems on a routine basis, GAO 
found that neither the department's Chief Information Officer 
nor six of the seven bureaus reviewed had conducted any such 
audits or oversight.
    Unfortunately the situation is not at all unusual. Our 
cyber security reviews have consistently shown that this lack 
of real world testing of the effectiveness of security controls 
is one of the major problems facing not just the Commerce 
Department, but the Federal Government as a whole.
    This lack of attention to cyber security is reflected by 
the lack of resources devoted to this purpose. At Commerce, for 
example, the department's Office of Information Technology 
Security, which is responsible for setting the department's 
computer security policies and conducting oversight to ensure 
compliance by these various bureaus, was a one-person operation 
until March 2000, when the Director of this office was given 
two interns to assist with these important functions.
    I am pleased to hear that Secretary Evans recently approved 
a redirection of additional personnel and funding for this 
office, which in addition to computer security is also 
responsible for the department's overall critical 
infrastructure protection efforts.
    It certainly is time; indeed, it is well past time for the 
Commerce Department to start taking the security of its data 
system seriously, much more so than it was under the previous 
administration.
    In the 21st Century effective computer security is as much 
a part and cost of doing business as having locks on the front 
door was during previous centuries. And we will continue our 
oversight in this area until Commerce and the other Federal 
agencies under our jurisdiction get this message loud and 
clear.
    I want to welcome and thank our witnesses for testifying 
today on this important topic, and we'll now recognize the 
Ranking Member.
    Actually, I will now recognize the chairman of the full 
committee, Mr. Tauzin, for his opening statement.
    [The prepared statement of Hon. James Greenwood follows:]

 Prepared Statement of Hon. James Greenwood, Chairman, Subcommittee on 
                      Oversight and Investigations

    We are here today to continue this Committee's review of computer 
security--or lack thereof as the case may be--at Federal agencies under 
our jurisdiction. Since 1998, this Committee has reviewed computer 
security policies and practices at the Environmental Protection Agency, 
the Department of Energy, the Health Care Financing Administration, and 
today we will be focusing our attention on the Department of Commerce. 
Without exception, we have found significant security problems at each 
of these agencies, all of which either took--or are taking--prompt 
action to correct the deficiencies identified as a result of our 
oversight. Unfortunately, it appears that information security rarely 
becomes a priority within an agency until the white-hot lights of 
public and congressional attention focus on that agency's specific 
flaws.
    Today we will hear from information security experts at the General 
Accounting Office who, at this Committee's request, conducted an in-
depth evaluation of the Department's management and implementation of 
computer security at seven of its operating divisions, including the 
Bureau of Export Administration, the International Trade 
Administration, the Economics and Statistics Administration, and the 
Office of the Secretary.
    GAO's team of ethical hackers identified and exploited 
vulnerabilities in the computer systems of these divisions to gain 
virtually unlimited access to them internally, from within the 
Department's network, and externally, from the Internet. Not only could 
these systems be accessed without authorization, but the information 
contained in them could be read, modified, or deleted at will--even 
with respect to the most sensitive systems and data files within these 
seven divisions. And with such access also comes the power to 
completely disrupt critical Department operations.
    It is no secret that, of the systems reviewed and found to be 
vulnerable by GAO, many contain highly sensitive personal, financial, 
commercial, and national security-related data, and are critical to the 
Department's overall mission. Included in this list are the export 
control licensing systems and the networks that are used by the 
International Trade Administration for communications with our foreign 
Commerce outposts around the world.
    The state of the Department's security was truly deplorable. GAO 
found instances in which systems did not require passwords, even for 
system administrator accounts. Other systems had easily guessed 
passwords, such as ``password.'' Certain passwords and password files 
were either unencrypted or not otherwise protected, permitting anyone 
on the network--authorized or unauthorized--to read and obtain even the 
most powerful account passwords. And six of the seven bureaus did not 
even limit the number of times an individual could try to log on to the 
system, allowing would-be hackers excessive opportunities to crack 
these poor password controls.
    GAO also found that poor network security and configurations 
permitted GAO's experts to circumvent the limited security controls 
that were in place, and thus to travel between and among the seven 
connected bureaus--essentially finding that the lowest common 
denominator among these bureaus set the security standard for the rest 
of them. Some of the bureaus did not even have firewalls in place to 
protect all of their sensitive internal systems from the Internet--or, 
if they did, they were either so poorly implemented as to be largely 
ineffective, or could be easily bypassed via alternative access routes. 
These failures place all of the connected bureaus at significant risk 
of intrusions.
    Equally troubling, and despite advance notice of the GAO hacking 
attempts, the Department's monitoring of cyber intrusions failed to 
detect the overwhelming majority of GAO's intrusion and scanning 
efforts, including the successful ones. In fact, GAO reports that its 
hackers gained access to one system, only to find that a Russian hacker 
had been there before them, without the Department's apparent 
knowledge. And only two of the bureaus reviewed by GAO had formal 
intrusion detection systems in place. In short, the Department simply 
has no idea of whether its sensitive systems are being or have been 
compromised--a totally unacceptable situation.
    The reason for these failures, according to GAO, is the lack of an 
effective security management program at the Department. Basic and 
longstanding Federal security requirements have essentially been 
ignored for years. Only three of the 94 sensitive systems reviewed by 
GAO had documented risk assessments, and only seven had current 
security plans, none of which had been approved yet by management. The 
Department's computer security policies have not been updated since 
1995, despite the tremendous growth of the Internet and the increased 
inter-connectivity between Commerce bureaus and the outside world. And 
there are virtually no minimum security requirements for all Commerce 
computer systems--even, for example, on basic issues such as password 
lengths or characteristics.
    In addition to GAO, we will hear today from the Department's 
Inspector General, which also has done work in this area. A recent IG 
report essentially confirmed that the lack of effective security 
management found by GAO, with respect to seven of the Department's 
operating divisions, was not unusual. Across the Department, adequate 
risk assessments and security plans are the exception rather than the 
norm, with roughly 92% of the Department's systems failing to comply 
with at least one of these Federal security requirements.
    The IG's financial control audits, which, beginning this year, 
contained a limited penetration test of computer security controls, 
also confirm that access control problems similar to those identified 
at the seven bureaus reviewed by GAO exist at many other Commerce 
bureaus as well, including the Census Bureau, NOAA, NIST, and others, 
posing threats from both internal and external sources.
    How could this situation exist, and for so long? The short answer 
is that, until this Committee started asking questions early last year, 
no one at the Department was even seriously looking at these issues. 
Despite Federal requirements for independent reviews of security 
controls on major systems on a routine basis, GAO found that neither 
the Department's chief information officer, nor six of the seven 
bureaus reviewed, had conducted any such audits or oversight.
    Unfortunately, this situation is not at all unusual. Our cyber 
security reviews have consistently shown that this lack of real-world 
testing of the effectiveness of security controls is one of the major 
problems facing not just the Commerce Department, but the Federal 
government as a whole.
    This lack of attention to cyber security is reflected by the lack 
of resources devoted to this purpose. At Commerce, for example, the 
Department's Office of Information Technology Security--which is 
responsible for setting the Department's computer security policies and 
conducting oversight to ensure compliance by the various bureaus--was a 
one-person operation up until March 2000, when the director of this 
office was given two interns to assist with these important functions. 
I am pleased to hear that Secretary Evans recently approved a re-
direction of additional personnel and funding for this office, which in 
addition to computer security is also responsible for the Department's 
overall critical infrastructure protection efforts.
    It certainly is time--indeed, it is well past time--for the 
Commerce Department to start taking the security of its data systems 
seriously, much more so than it was under the previous Administration. 
In the 21st century, effective computer security is as much a part and 
cost of doing business as having locks on the front door was during 
previous centuries. And we will continue our oversight in this area 
until Commerce and the other Federal agencies under our jurisdiction 
get this message loud and clear.
    I want to welcome and thank our witnesses for testifying today on 
this important topic, and will now recognize the Ranking Member for an 
opening statement.

    Chairman Tauzin. Thank you, Mr. Chairman.
    And let me echo your comments regarding the need for 
Federal agencies to start devoting a great deal more attention 
and resources necessary to secure the computer systems of our 
country from attacks or misuse by hackers.
    I want to congratulate you, Jim, on the excellent work you 
have done as our O&I chairman this year, and this, of course, 
may be some of the most important work you do, even ranking 
with the important work you have done in tire safety this year 
to protect Americans.
    Protecting the security of our systems is critical not only 
to the privacy of American citizens, who share information with 
these systems very often involuntarily, but they do not even 
have a chance to say, ``Please do not use it for something 
else,'' but it obviously has huge implications for the 
potential for someone to create some real mischief in some very 
sensitive data banks in this country.
    What we learned about the capability of hackers to move 
into, for example, CMS (Center for Medicaid/Medicare Services), 
the agency formerly known as HCFA (Health Care Financing 
Administration), and interfere with the provision of health 
care services and reimbursement, sensitive medical accounts, it 
is pretty frightening.
    You know, there is one area where citizens are keenly aware 
of the privacy of their information and the sanctity of that 
privacy. It is in the health care area.
    I cannot tell you how appalled I was to learn that that 
information might be compromised and that the systems that my 
mother and so many other Americans depend upon for their health 
care might be ripped because somebody got in and managed it 
improperly and misused it.
    And so again, I want to stress how important it is. This 
subcommittee has been moving on this issue, and again, Mr. 
Chairman, I congratulate you.
    The Commerce Department, which is the focus of our hearing 
today, the GAO and Inspector General audit findings are 
alarming. Hackers from GAO and the Inspector General's Office 
were able to have their way with the department's various 
computer systems, violating the integrity of the department's 
computer networks virtually at will.
    You know, if our government ethical hackers can get in, I 
guarantee you there are kids in Russia and Cal Tech, somewhere 
all over this world who can get in.
    And while the findings are quite troubling, they don't 
surprise me based upon the committee's work on other agencies. 
When an administration, like the last administration, devotes 
so little time and attention to this particular matter, we are 
not surprised that these problems are so pervasive.
    It is clear to me that while the former President might 
have said that this was an area of importance, the 
administration simply failed constantly, consistently to make 
the protection of our Nation's critical cyber assets a true 
priority. There just was not enough attention paid to it.
    Somebody was asleep at the computer switch, and that is why 
I am pleased to see the new Secretary of Commerce is taking a 
very different approach.
    He has instituted a new management structure with increased 
authority, responsibility, and accountability for the 
department's information officers, and he has allocated more 
resources to the security functions at the departmental level.
    And probably most importantly, the Secretary has made clear 
to his Under Secretaries that they will make computer security 
a priority as an integral part of their programmatic missions 
and will allocate additional resources as necessary to get the 
job done.
    Those are strong words. We have heard strong words before. 
So we want to make sure those strong words are translated today 
and hereafter into very strong action.
    In this vein I'm very pleased to have the newly confirmed 
Deputy Secretary of the department here today, signifying, I 
think, the importance of this topic to the Secretary and the 
level at which these issues are now being handled by the 
department. That is very encouraging.
    Let me just finish by emphasizing that good computer 
security is not a simple fix. We have learned that in this 
committee. It is sort of like the radar systems, you know. For 
every new radar system they manufacture for the police, the 
same company is manufacturing a radar detection system for 
consumers to put in their cars.
    And we know that the people who make the best security 
systems also know how to break them, and very often the people 
that are really good at this stuff figure it out on their own.
    And while it takes consistent and sustained leadership, 
particularly in the beginning, effective long-term information 
security programs require the implementation of sound processes 
and policies that can carry on absent or despite the particular 
personalities involved.
    I hope the Commerce Department and all of the Federal 
agencies of our country keep this principle in mind as they 
take the long overdue steps to improve the security of 
sensitive data when the American people have entrusted them or 
that they have entrusted us, rather, to protect.
    When they give us their information, very often 
involuntarily, we have a sacred duty to protect their privacy 
and the integrity of that information, and we cannot look at it 
any less solemnly than that.
    Thank you, Mr. Chairman.
    [The prepared statement of Hon. W.J. ``Billy'' Tauzin 
follows:]

 Prepared Statement of Hon. W.J. ``Billy'' Tauzin, Chairman, Committee 
                         on Energy and Commerce

    Thank you, Mr. Chairman, and I want to echo your comments regarding 
the need for all Federal agencies to start devoting the attention and 
resources necessary to secure their computer systems from attacks or 
misuse. The government must do more to protect the sensitive personal, 
financial, proprietary and national security-related data on its 
systems.
    I also want to stress how valuable the work of this Subcommittee 
has been in moving the ball forward on these issues. There should be 
little doubt in anyone's mind that, absent the aggressive oversight of 
this Subcommittee, agencies such as EPA, DOE, HCFA (now known as CMS) 
and others would not have taken many of the actions that they recently 
have taken to improve the security of their sensitive data and systems. 
While none of them are yet perfected, and none will likely ever be 
perfected due to rapidly changing technology, keeping the pressure and 
the focus on these issues is critically important to our nation and to 
its citizens.
    As for the Commerce Department--which is the focus of our hearing 
today--the GAO and Inspector General audit findings are alarming. 
Ethical hackers from GAO and the Inspector General's office were able 
to have their way with the Department's various computer systems--
violating the integrity of the Department's computer networks virtually 
at will.
    While these findings are quite troubling, they don't surprise me at 
all, based on the Committee's work at other agencies. When an 
Administration, such as the Clinton Administration, devotes so little 
attention and resources to a particular matter, we shouldn't be 
surprised to find that such problems are so pervasive. It is clear to 
me that, despite what the former President might have said about the 
importance of computer security, his Administration failed to take 
actions to make the protection of our nation's critical cyber assets a 
true priority.
    That is why I am so pleased to see that the new Secretary of 
Commerce is taking a different approach. He's instituted a new 
management structure--with increased authority, responsibility, and 
accountability for the Department's information officers. He's 
allocated more resources to these security functions at the Department 
level. And, probably most importantly, the Secretary has made clear to 
his Under Secretaries that they will make computer security a priority 
as an integral part of their programmatic missions, and will allocate 
additional resources as necessary to get the job done.
    In this vein, we are pleased to have the newly-confirmed Deputy 
Secretary of the Department here today to testify, signaling the 
importance of this topic to the Secretary and the level at which these 
issues are now being handled within the Department.
    Let me finish just by emphasizing that good computer security is 
not a simple fix. While it takes consistent and sustained leadership, 
particularly in the beginning, effective long-term information security 
programs require the implementation of sound processes and policies 
that can carry on absent, or in spite of, particular personalities. I 
hope the Commerce Department, and all Federal agencies, keep this 
principle in mind as they take these long-overdue steps to improve the 
security of the sensitive data which the American people have entrusted 
them to protect.
    I thank the Chairman, and yield back the balance of my time.

    Mr. Greenwood. The Chair thanks the chairman for his 
comments and for his presence and for his assistance and 
cooperation and help with this investigation, and recognizes 
for an opening statement the gentleman from North Carolina, Mr. 
Burr.
    Mr. Burr. I thank the chairman and full committee chairman.
    Having finished a hectic legislative schedule this week, if 
we look a little tired, it is because we are, and this 
committee contributed greatly to major legislation in the form 
of a comprehensive energy package and a patient's bill of 
rights that some dreamed would never happen.
    But the issue that we are here to look at today is of 
interest to every member, Republican and Democrat. That is 
certainly not indicative of the participation that we have this 
morning. It is more indicative of the lack of sleep that all 
have had and their anxiousness to go home since the business is 
over.
    This subcommittee has looked at computer security issues at 
a number of government agencies. As troubling as many of the 
problems at those agencies were, and still are in many cases, 
I am especially troubled by some of the concerns raised by the 
General Accounting Office audit of seven Commerce bureaus.
    In particular, I am more than a little concerned about the 
security of the Bureau of Export Administration, which is 
responsible, among other things, for regulating the export of 
sensitive goods and technology, enforcing export controls, 
anti-boycott and public safety laws, cooperating with and 
assisting other countries on export control and strategic trade 
issues, assisting U.S. industry to comply with international 
arms control agreements, and monitoring the viability of the 
United States' defense industrial base.
    That mission statement came straight off BXA's Web site. I 
imagine most of us recognize those as some very serious 
responsibilities, and I imagine most of us will be equally 
disturbed by the fact that BXA has one of the worst computer 
security problems and is among the most susceptible to 
unauthorized access of the seven bureaus examined by GAO.
    I suspect, based on the track record, that it is not a 
standout among the rest of the department's bureaus either. 
Apparently BXA had not tested its system since 1991 and had not 
conducted a risk assessment since 1994.
    Many of the problems GAO will discuss were also identified 
by the Commerce Inspector General in a 1999 report. Here we are 
today, August 2001. It must be Groundhog Day, starting at the 
same point with the same problems once again.
    Now, what this means is that the Commerce Department has 
apparently not made much progress adhering to PDD 63 issued in 
May 1998 that set up groups within the Federal Government to 
develop and implement plans that would protect government 
operated computer and communications infrastructure.
    The directive identified 12 areas critical to the 
functioning of this country. Commerce was designated as lead 
agency for information and communications security. Foreign 
affairs and national defense are also key elements of the 
directive, and it is my understanding that the export control 
system is considered, under PDD 63, critical.
    And I have the sneaking suspicion that GAO is about to tell 
this subcommittee that it was able to gain unauthorized access 
to administrative level BXA systems.
    That's not the only portion of the mission statement on the 
Web site. It also states that another of the bureau's missions 
is to promote Federal initiatives and public-private 
partnerships across industry sectors to protect the Nation's 
critical infrastructure. To protect the Nation's critical 
infrastructure. I think that one phrase justifies why we are 
here today, and I think why everybody takes it seriously.
    In closing, I will say to our friends from the Department 
of Commerce: you inherited this problem. The challenge is that 
you have inherited a problem you have to fix.
    I hope the next Congress with the next Commerce 
Department--hopefully they are the same people we have today in 
the next Commerce Department--but heaven forbid we ever have a 
situation where we come back up here to talk about this problem 
again because I believe that this committee is serious about 
making sure that we work as a partner to make sure that the 
problem of security within BXA, within Commerce, within all 
Federal agencies is eliminated as it relates to the access that 
we've seen.
    Mr. Chairman, once again, let me thank you, and yield back 
the balance of my time.
    Mr. Greenwood. The Chair thanks the gentleman for his 
statement and welcomes our first two witnesses.
    They are the Honorable Johnnie E. Frazier, Inspector 
General, U.S. Department of Commerce, and Mr. Robert F. Dacey, 
Director of Information Security Systems at the U.S. General 
Accounting Office.
    You gentlemen are aware that the committee is holding an 
investigative hearing, and when doing so has had the practice 
of taking testimony under oath. Do you have any objections to 
testifying under oath?
    Mr. Frazier. No, sir.
    Mr. Greenwood. Seeing no such objections, the Chair then 
advises you that under the rules of the House and the rules of 
the committee you are entitled to be advised by counsel.
    Do you desire to be advised by counsel during your 
testimony today?
    Seeing a negative response, in that case if you would 
please rise and raise your right hands, I will swear you in.
    [Witnesses sworn.]
    Mr. Greenwood. Thank you.
    You may be seated, and you are now under oath, and, Mr. 
Frazier, we will begin with you for your opening statement.
    Please proceed. Welcome.

 TESTIMONY OF HON. JOHNNIE E. FRAZIER, INSPECTOR GENERAL, U.S. 
    DEPARTMENT OF COMMERCE; AND ROBERT F. DACEY, DIRECTOR, 
  INFORMATION SECURITY ISSUES, U.S. GENERAL ACCOUNTING OFFICE

    Mr. Frazier. Thank you, Mr. Chairman.
    Mr. Chairman and members of the committee, I am very 
pleased to be here today to talk about the OIG's work as it 
relates to the Department of Commerce IT security.
    The detailed results of our work have been included in my 
long statement, which I would like to have submitted for the 
record, but I would like to take a few minutes right now just 
to talk about a few of the projects that we have been working 
on.
    Commerce, as you know, has many complex computer systems 
that provide essential services to the public and support 
critical mission activities, such as the Nation's weather 
services, care of the environment, promotion of trade, economic 
growth, and scientific research.
    As the department's systems have become more 
interconnected, vulnerabilities have also increased, thus 
increasing the need to continuously improve IT security 
measures. I cannot overemphasize the importance of IT security.
    Indeed, in our recent semi-annual reports to the Congress, 
we have identified strengthening department-wide security over 
information technology as one of the top ten management 
challenges facing the Department of Commerce.
    During the past year, we have engaged in various audit, 
inspection, evaluation, and investigation activities aimed at 
strengthening IT security Commerce-wide. We have coordinated 
with GAO and the CIO to ensure that we address the most 
important issues and avoid duplication of effort.
    In our resulting reports and briefings, we have made 
numerous observations and recommendations aimed at improving IT 
security. Let me briefly mention a few of our efforts.
    One recent evaluation which examined the Office of the 
CIO's oversight of the department's IT security program found 
that despite some progress in recent years, additional 
improvements are needed. The department's IT security policy 
needs to be revised and expanded because it has not been 
updated to comply with significant revisions of OMB guidance, 
and it has not kept pace with recent trends in technology and 
related security threats.
    Additional IT security compliance procedures are needed 
because security for many of the department's systems has not 
been adequately planned. The security reviews have not been 
performed, and several of our agencies do not even have 
adequate awareness plans or training plans or even sufficient 
capabilities for responding to IT security incidents.
    Another one of our evaluations revealed that although the 
department made early strides in its critical infrastructure 
protection planning, important milestones had slipped. The 
inventory of critical assets needed to be reevaluated and 
vulnerability assessments, remediation plans, and budget 
justifications just simply had not been completed.
    A third evaluation identified privacy and security concerns 
raised by the department's use of Internet ``cookies'' and Web 
``bugs'' on its Web sites.
    We have also identified security issues through our 
inspections of Commerce offices and activities, both 
domestically and overseas. Likewise our investigative work has 
identified and examined specific incidents or allegations 
involving IT security weaknesses, vulnerabilities, or threats.
    And finally, our systems security audits of departmental 
financial management systems are designed to identify IT 
security problems. These audits are performed by certified 
public accounting firms under contract with us and include 
security reviews of the department's financial management 
systems and related networks.
    The CPAs use the GAO Federal Information System Controls 
Audit Manual as their guidance.
    The fiscal year 2000 financial statement audits included 
review of general system controls at the department's seven 
data processing locations. We found weaknesses at all seven 
locations, including our observations that formal security 
plans either did not exist, were outdated, or were not approved 
for the major financial management systems and associated 
support systems.
    Moreover, risk assessments needed to be completed and 
approved, and more security monitoring was clearly needed.
    In addition to the general system security control reviews, 
penetration testing was also performed at four of the seven 
locations to identify weaknesses in access controls. The 
penetration testing found open modems and ports that were 
accessible to potential hackers, readily accessible sensitive 
information on Web sites, and firewall configurations that 
could allow a hacker to introduce a virus.
    As for physical security, some computer rooms in sensitive 
work areas were not adequately secured.
    It is important at this point to note that the department 
and its operating units have reported progress on some of these 
weaknesses, and I should also note that we are aware that they 
are working to address others.
    But you should also note that we are in the process of 
performing our annual follow-up work to try and confirm many of 
these observations and reported accomplishments.
    We currently have other IT security reviews underway, 
including looking at some of the classified systems, looking at 
the background investigations behind some of the people who run 
these systems and a host of other projects.
    Finally, I am pleased to note that just last month my 
office entered into a memorandum of agreement with the 
department's Office of the CIO and the Office of Security to 
define our respective roles and responsibilities related to 
Commerce's IT security program. This agreement is intended to 
promote a partnership among the three offices to ensure 
improved coverage of IT security matters.
    In closing, it is clear to me that cooperative, continuous, 
and concerted efforts are needed by each of us, and I mean each 
of us, as we move to address IT security weaknesses. These same 
efforts are needed if we are to have any chance of at least 
staying one step ahead of hackers and others that see IT 
security as some sort of cat and mouse game.
    I am encouraged that the senior management of the 
department and its operating units increasingly recognize the 
need to take a proactive approach to do this. For example, the 
Secretary's recent directive increasing the authority of 
operating unit CIOs and making them a more integral part of the 
bureau management team is an important initiative.
    Likewise, the recent appointment of the Senior Advisor to 
the Secretary for Privacy should be instrumental in addressing 
such issues as ``cookies,'' Web ``bugs,'' and other security 
and privacy matters.
    Program officials are being strongly reminded that they, 
too, have key IT security responsibilities and need to work 
closely with operating CIOs and security officials to ensure a 
more effective security program.
    This concludes my statement, and I will gladly answer any 
questions.
    [The prepared statement of Hon. Johnnie E. Frazier 
follows:]

   Prepared Statement of Johnnie E. Frazier, Inspector General, U.S. 
                         Department of Commerce

    Mr. Chairman and Members of the Committee, I am pleased to appear 
before you today to discuss the Office of Inspector General's (OIG) 
work and other activities related to the security and protection of the 
Department's critical information technology (IT) systems, programs, 
and activities.
    The Department of Commerce has numerous complex computer systems 
that provide essential services to the public and support critical 
mission activities, such as the nation's weather services, 
environmental stewardship, promotion of trade and economic growth, 
scientific research, and technological development. As the Department's 
systems have become more interconnected, vulnerabilities have also 
increased, thus increasing the need to continuously improve IT security 
measures. Strong IT security measures are vital to (1) protecting the 
privacy of information, (2) safeguarding the integrity of computer 
systems and their networks, and (3) ensuring the availability of 
services to the American public and other users. I cannot emphasize too 
much how important these measures are.
    Indeed, in our recent Semiannual Reports to the Congress, we have 
identified ``Strengthening Department-wide Information Security'' as 
one of the top 10 management challenges facing the Department of 
Commerce because of that issue's:

1. Importance to the Department's mission and the nation's well-being,
2. Complexity and sizable expenditures, and
3. Need for significant management improvements.
    During the past year, we have engaged in a number of audit, 
inspection, evaluation, and other activities involving Commerce IT 
security matters--all aimed at strengthening IT security Commerce-wide. 
We have completed evaluations of the Department's efforts to implement 
its Critical Infrastructure Protection (CIP) plans. We also have 
assessed the Office of the Chief Information Officer's (CIO) IT 
security policy and the effectiveness of its oversight of the 
Department's IT security program. In addition, we have evaluated the 
use of persistent Internet ``cookies'' and ``web bugs'' on Commerce 
Internet sites. Furthermore, in support of the OIG's fiscal year 2000 
financial statement audits, we have conducted security reviews of the 
Department's financial management systems and their related networks.
    Moreover, assessments of IT security policies and practices are 
often an integral part of the operational inspections we conduct of 
Commerce activities, units, and offices domestically and overseas. 
These inspections are intended to provide operating unit managers with 
useful, timely information about their operations, including IT 
security issues. IT security problems have also been identified through 
our investigative work. In addition, we have worked closely with many 
of the Department's key IT managers, top security personnel, and senior 
program officials in an effort to identify the most critical IT 
security issues and help craft corrective measures. Let me briefly 
summarize the results of some of our recent efforts.

EARLY PROGRESS MADE IN CRITICAL INFRASTRUCTURE PROTECTION, BUT PLANNING 
                     AND IMPLEMENTATION HAVE SLOWED

    Last year, we evaluated the Department's CIP plan, identification 
of minimum essential infrastructure (MEI) assets, and vulnerability 
assessments of its cyber-based assets. MEI assets are the physical and 
cyber-based assets essential to the minimum operations of the economy 
and the government. Our evaluation found that although the Department 
had made initial progress by developing a Department-wide CIP plan, 
identifying critical infrastructure assets, and initiating 
vulnerability assessments, there were several areas that warranted 
management attention:

    • The Department's CIP plan needed to be strengthened because 
        several of its elements were outdated or missing, and important 
        milestones had slipped. The asset inventory, vulnerability 
        assessment framework, and budget estimates included in the plan 
        were not current. The plan also did not include requirements 
        for reviewing new assets to determine whether they should be 
        included as MEI assets, periodically updating vulnerability 
        assessments, or developing a system for responding to 
        infrastructure attacks.
    • The MEI asset inventory needed to be reevaluated because of 
        limitations in data gathering. In most cases, asset managers 
        were neither interviewed nor given adequate guidance before 
        filling out complex questionnaires used to gather asset 
        information, and the officials most knowledgeable about the 
        assets were seldom interviewed because of logistical problems 
        and limited resources. Establishing a reliable MEI inventory is 
        important because it forms the basis for later activities, such 
        as selecting the highest risk assets for vulnerability 
        assessments and taking remedial actions.
    • Vulnerability assessments, remediation plans, and budget 
        justifications needed to be completed. Reportedly due to 
        resource constraints, the Department had current vulnerability 
        assessments for less than 10 percent of MEI assets and had not 
        developed any remediation plans.
    The CIO's office agreed with our findings and stated that the 
Department's focus would be on the broad spectrum of IT security, which 
emphasizes assets critical to the Department's mission and includes 
most cyber-based MEI assets. Short-term actions were identified to 
improve guidance to operating unit personnel involved in vulnerability 
assessments and increase their involvement in the MEI asset inventory, 
revise the MEI asset list, and evaluate new assets to determine whether 
they should be included as MEI assets.

      ADDITIONAL FOCUS NEEDED ON IT SECURITY POLICY AND OVERSIGHT

    The CIO is responsible for developing and implementing a 
departmental IT security program to ensure the confidentiality, 
integrity, and availability of information and IT resources. The CIO's 
responsibilities include developing policies, procedures, and 
directives for IT security and providing oversight of the IT security 
programs of the Department's operating units.
    We conducted an evaluation to assess the CIO's policies and the 
effectiveness of his oversight of the Department's IT security program. 
Our review focused on the CIO's compliance with laws and regulations 
governing IT security and his actions in recent years to oversee the 
Department's IT security program.
    We found that although in the past IT security did not receive 
adequate attention, in more recent years, the CIO's office had expanded 
its focus on and increased the resources devoted to IT security. For 
example, the office conducted its first Department-wide assessment of 
IT security planning in 1999 and reviewed operating unit self-
assessments in 2000, which resulted in increased compliance with 
security requirements. Nevertheless, policy and oversight need further 
improvements. Specifically:

    • IT security policy needs to be revised and expanded. The 
        Department's IT security policy is out of date because it was 
        developed in 1993 and 1995, prior to a significant revision of 
        OMB Circular A-130, which communicates policy on the security 
        of federal automated information resources. The policy is also 
        missing important components because it has not kept pace with 
        recent trends in technology and related security threats. The 
        Department's policy must be kept current and complete because 
        the operating units use it as the foundation for their general 
        and system-specific policies. We recommended that the CIO's 
        office update and expand its IT security policy as soon as 
        possible.
    • Additional IT security compliance procedures are needed. 
        Security for many of the Department's systems has not been 
        adequately planned, and security reviews have not been 
        performed. In addition, several operating units do not have 
        adequate awareness and training programs or adequate 
        capabilities for responding to IT security incidents. The 
        Government Information Security Reform Act (GISRA) requires the 
        CIO's office to conduct annual IT security evaluations in 2001 
        and 2002 similar to the self-assessments it monitored in 2000. 
        We recommended that the office commit to a program of reviews 
        that extends beyond GISRA's 2-year review requirement. 
        Moreover, the CIO's office should work with the Department's 
        acquisition and budget managers to ensure that IT-related 
        procurement specifications include security requirements, and 
        that funds for meeting these requirements are included in 
        operating unit budgets.
    During our evaluation of the Department's IT security policy, we 
provided the Department with a written analysis that identified 
weaknesses and deficiencies in the policy, and made recommendations for 
specific changes to bring the policy into compliance with applicable 
laws and regulations.
    The CIO's office agreed with all of our recommendations and cited a 
number of corrective actions it planned to take to implement them. 
Among other things, it agreed to revise, expand, and update the 
Department's IT security policy; continue its compliance review program 
beyond the 2-year period required by GISRA; and begin security reviews 
as soon as possible.

    USE OF INTERNET ``COOKIES'' AND ``WEB BUGS'' RAISED PRIVACY AND 
                           SECURITY CONCERNS

    We evaluated the use of persistent Internet cookies and web bugs by 
departmental Internet sites, as well as the adequacy of the privacy 
statements posted on the main web pages of the Department and its 
operating units. We conducted our evaluation in response to Public Law 
106-554, the Consolidated Appropriations Act of 2001, which required 
the Inspector General of each agency to submit a report to the Congress 
disclosing any activity regarding the collection of information 
relating to any individual's access or viewing habits on the agency's 
Internet sites.
    Persistent Internet cookies are data stored on web users' hard 
drives that can identify users' computers and track their browsing 
habits. Web bugs are software code that can monitor who is reading a 
web page. These technologies are capable of being employed in ways that 
could violate the privacy of individuals visiting the Department's web 
sites and can also pose security threats.
    Web bugs are considered security threats because they can perform 
malicious actions, including searching for the existence of specific 
information, such as financial information, on a user's hard drive, and 
downloading files from, or uploading files to, a user's computer. A web 
user would be unaware of the presence of web bugs without using 
detection software. Even if such software were used, the malicious 
actions performed by identified web bugs could go undetected.
    We found that most of the Department's Internet sites do not use 
either persistent cookies or web bugs. However, we did find several 
instances in which persistent cookies were being used without a 
compelling reason or the approval of the Secretary, as required by 
Department and OMB policy. We also found a number of web pages using 
web bugs. At the time we began our evaluation, the Department did not 
have a policy regulating web bug use, but it promptly developed and 
issued one when informed of the problem. Finally, we found that many of 
the operating units' privacy statements did not provide all of the 
information required by the Department's privacy policy.
    We recommended that the Department's CIO direct operating unit CIOs 
and senior management to implement a strategy to control the use of 
persistent cookies and web bugs and to certify annually that the 
operating unit is in compliance with the Department's applicable 
policies. We also recommended that the CIO direct operating unit CIOs 
and senior managers to revise their privacy policy statements to make 
them compliant with the Department's policy. The CIO's office agreed 
with our findings and worked with us to help ensure that the cookies we 
had identified were removed. The Secretary of Commerce's new Special 
Assistant for Privacy is working to remove all web bugs and develop a 
uniform privacy policy statement.

 SYSTEMS SECURITY AUDITS OF DEPARTMENTAL FINANCIAL MANAGEMENT SYSTEMS 
                            REVEAL PROBLEMS

    Our audits of Commerce operating units' financial statements, 
performed by certified public accounting (CPA) firms under contract 
with us, include security reviews of the Department's financial 
management systems and related networks that support the statements. 
Our CPA contractors use GAO's Federal Information System Controls Audit 
Manual (FISCAM) as a guide in performing these reviews. FISCAM provides 
guidance on assessing the reliability of computer-generated data that 
supports financial statements, including physical security and logical 
access controls designed to prevent or detect unauthorized access or 
intrusion into systems and networks.
    In 1999 we adopted a systems security review strategy that provides 
for full coverage of each financial management system and its related 
networks on a two-year basis. Every two years, a review addresses the 
six systems security areas identified in FISCAM: (1) entitywide 
security program planning and management, (2) access controls, (3) 
application software development and change control, (4) systems 
software, (5) segregation of duties, and (6) service continuity. In the 
alternate years, we routinely conduct penetration testing (in which 
someone playing the role of a hostile attacker tries to compromise 
systems security) and application-level testing. Review of the system 
environment for significant changes and follow-up on open 
recommendations occurs annually.
    The audits of operating units' individual fiscal year 2000 
financial statements included reviews of the general system controls 
over the major financial management systems at the seven data 
processing locations. In the reports on our audits of the Department's 
fiscal year 1999 and 2000 consolidated financial statements, we noted 
that these systems security reviews disclosed weaknesses in controls 
over major financial management systems at all seven locations that 
provide data processing support. Specifically, these reviews found 
that:

1. Entitywide security program planning and management needed 
        improvement at all seven locations. This control is the 
        foundation of an entity's security control structure and a 
        reflection of senior management's commitment to addressing 
        security risks. It is intended to ensure that security controls 
        are adequate, consistently applied, and monitored, and that 
        responsibilities are clear and properly implemented.
2. Access controls for both operating systems and the financial 
        management systems needed strengthening at all seven locations, 
        and monitoring of external and internal access to systems 
        needed strengthening at five locations. These controls should 
        limit or monitor access to computer resources to guard against 
        unauthorized modification, loss, and disclosure.
3. Applications software development and change control needed 
        improvement at four locations. These controls should help 
        prevent the implementation of unauthorized programs or 
        modifications to existing programs.
4. Systems software improvements were needed at four locations. 
        Controls in this area should limit and monitor access to the 
        important software programs that operate computer hardware.
5. Segregation of duties improvements were needed at five locations. 
        Appropriate controls in this area include policies, procedures, 
        and an organizational structure to prevent one individual from 
        controlling key aspects of computer-related operations, thus 
        deterring unauthorized actions or access to assets.
6. To ensure service continuity, contingency plans needed to be 
        prepared, updated, or improved at all seven locations. 
        Appropriate controls in this area include procedures for 
        continuing critical operations, without interruption and with 
        prompt resumption of those operations, when unexpected events 
        occur.
    Of particular note, among the weaknesses identified by the CPA 
firms in the area of entitywide security program planning and 
management, was the fact that formal comprehensive security plans 
either did not exist, were outdated, or were not approved for the major 
financial management systems and associated general support systems on 
which the applications were processed. In addition, risk assessments 
needed to be completed and approved, and security monitoring needed to 
be performed.
    At four locations, penetration testing was also performed on the 
network that supports the financial management systems to identify 
weaknesses in access controls. As part of the penetration testing, the 
CPA firms reviewed the adequacy of access controls, which include 
logical and physical controls. Logical access controls involve the use 
of computer hardware and software to prevent or detect unauthorized 
access, such as by hackers, to networks, systems, and sensitive files 
by requiring users to input user ID numbers, passwords, and other 
identifiers that are linked to predetermined access privileges. 
Physical controls involve keeping computers in locked rooms to limit 
physical access. The firms' penetration testing of logical controls 
found that in some cases:

    • Open modems and ports were accessible to potential hackers.
    • Sensitive information on websites was readily accessible.
    • Sensitive active system services could allow unauthorized 
        access, downloading of files, and gathering of information.
    • Firewall configurations could allow a hacker to introduce a 
        destructive virus.
    In addition, physical access controls over networks and financial 
management systems needed strengthening. For example, at one location, 
automated exterior locking systems had not been installed on doors to 
restrict access, and the key card lock for the data center's computer 
room was inappropriately placed on the inside of the door, rather than 
the outside. In addition, personnel did not consistently lock and 
secure their work areas. At another location, hardware that processed 
very sensitive information was located in an area accessible by 
numerous employees and contractors and was not segregated in an 
individually secure area.
    For fiscal year 2000, the CPA firms concluded that four operating 
units had system security weaknesses that rose to the level of 
``reportable conditions.'' Taken together, these conditions, combined 
with the Department's lack of an integrated financial management 
system, constituted a material weakness in the audit of the 
consolidated financial statements. In our report on the audit of the 
consolidated statements, we recommended that the CIO's office continue 
to develop and implement a database for tracking and reporting on 
corrective actions planned and taken to address the outstanding general 
controls recommendations. We also recommended that the office review, 
monitor, and provide guidance to the reporting entities on their 
corrective actions planned and taken in response to our current and 
prior years' audit reports on general controls.
    We issued audit reports with recommendations to correct the control 
weaknesses identified at each of the seven data processing locations, 
and the operating units generally agreed with our recommendations. The 
Department and its operating units are required to provide us with 
audit action plans that address each of our recommendations. We have 
reviewed the plans submitted to date and concur with the actions taken 
or planned. Moreover, we are in the process of performing our annual 
follow-up of the adequacy of the corrective actions planned or taken.

 IT SECURITY ISSUES HAVE ALSO BEEN IDENTIFIED THROUGH OIG INSPECTIONS 
                           AND INVESTIGATIONS

    We have also identified IT security issues through our inspections 
and investigative work. Our inspections unit, for example, conducted a 
1999 assessment of the Bureau of Export Administration's (BXA) Export 
Control Automated Support System as part of a larger review of BXA's 
administration of the federal export licensing process for dual-use 
commodities. While we determined that most of the system's general and 
application controls were adequate, we found that BXA's IT security 
controls could be enhanced by improving database access controls, 
preparing a security plan, performing periodic security reviews, 
officially assigning the security duties to its security officer, 
providing all users with current security training, and restricting the 
number of BXA employees with file manager access. BXA management 
implemented some corrective actions immediately and agreed to take 
action on our other recommendations dealing with the IT security of its 
licensing system.
    We are also conducting a series of inspections of the National 
Weather Service's weather forecast offices (WFOs) that have identified 
a number of IT security issues that need to be addressed by local 
managers. Among other problems, we noted that one WFO we visited did 
not have a designated security officer, and office personnel did not 
follow the Weather Service's policy on IT security. We found other 
problems, which I cannot describe in detail in a public hearing, that 
highlight how vulnerable some systems can be without proper management 
attention. Fortunately, the Weather Service has greatly improved its IT 
security both locally and nationally since the start of our review. 
During the past nine months, we visited two other WFOs. Although we 
continued to identify some IT security problems, we have found that 
designated security officers have been named and are receiving 
necessary training on IT security. More importantly, WFO personnel 
appear to better understand IT security concepts and requirements.
    IT security problems have also been identified through our 
investigative work. Through our OIG Hotline and other information 
channels, specific incidents or allegations involving IT security 
weaknesses, vulnerabilities, or threats have been brought to our 
attention and examined. For example:

 • In one incident, a foreign hacker penetrated a network server 
        and installed software without the knowledge of the system 
        administrator. Had the software been activated, the server 
        would have been prevented from performing its normal network 
        services and would have been one of many computers 
        simultaneously activated to overload a designated Internet 
        site. As a result of the incident, the number of points of 
        access to the network was reduced to a bare minimum, and 
        existing monitoring software was activated.
 • In another incident, a hacker caused extensive damage to an 
        operating unit server, and it took more than 5 work days to 
        repair the server and restore operations. Because the software 
        on the server was destroyed, the system administrator was not 
        able to determine how the attack had occurred. Security 
        features were added when the software was restored, to reduce 
        the risk of another shutdown.
 • In a third incident, an after-hours contract cleaning employee 
        used a computer that had not been properly secured to gain 
        access to the Internet via a network system and view 
        pornographic materials. Coordination with the contracting 
        officer, property manager, and president of the contract 
        company resulted in the employee's immediate removal from the 
        facility contract and subsequent termination. In addition, the 
        practice of routinely leaving the computer on overnight was 
        discontinued.

 ADDITIONAL OIG REVIEWS OF IT SECURITY MATTERS ARE EITHER UNDERWAY OR 
                                PLANNED

    We are currently conducting IT security evaluations related to (1) 
the Economics and Statistics Administration's and the Census Bureau's 
preparation and release of the Advance Retail Sales Principal Economic 
Indicator, (2) the Department's classified information systems, and (3) 
the Department's IT security program and practices, as required by the 
Government Information Security Reform Act.
    The objective of our security evaluation of the Advance Retail 
Sales indicator is to determine whether adequate internal controls and 
system safeguards are in place to prevent the unauthorized disclosure 
or use of the economic indicator data before its release to the public. 
We have found that employees dealing with the indicator do not always 
have appropriate background investigations and that their positions are 
not always assigned the appropriate level of risk as required by Title 
5, Part 731, of the Code of Federal Regulations and OMB Circular A-130. 
In some instances, the Department's records did not identify the type 
of investigation done, if any, for personnel working on Principal 
Economic Indicators. We also noted a lack of guidance from the Office 
of Human Resources Management, as well as from the Office of Security, 
suggesting that the problems associated with assigning appropriate risk 
levels to positions and ensuring that background investigations are 
performed may exist throughout Commerce. We are conducting additional 
work to examine this issue.
    Our review of the Department's classified information systems will 
assess the adequacy of its policies for protecting classified 
information and the effectiveness of its oversight of these systems.
    The GISRA-mandated review is the annual evaluation of the 
Department's IT security program and practices. This evaluation will 
incorporate information from our security reviews, as well as results 
of related evaluations performed by operating units, GAO, and 
contractors. We are also continuing our security reviews of Commerce's 
financial management systems and related networks as part of our fiscal 
year 2001 financial statements audits. These reviews will be in line 
with our IT security review strategy and will include penetration 
testing of the U.S. Patent and Trademark Office and FISCAM reviews for 
the other operating units.
    The need for the OIG to provide oversight and evaluation of IT 
security will be increasingly critical in the coming years. Our 
independent evaluation of the Department's IT security program being 
performed under GISRA and our security reviews of the Department's 
financial management systems show that although the Department is 
giving greater attention to IT security, serious issues remain to be 
resolved. These issues appear to be the result of an earlier lack of 
attention to IT security, limited resources, and an environment in 
which the risks, threats, and vulnerabilities have continued to 
escalate in number and complexity. The weaknesses identified by GAO's 
recent network vulnerability analysis of the Department underscore our 
concerns.
    In our independent GISRA evaluation for the next fiscal year, we 
plan to evaluate the effectiveness of operating unit IT security 
programs and to conduct security evaluations of specific general 
support systems and major applications. We will use the findings of our 
current GISRA evaluation and of GAO's security audit to assist us in 
identifying specific operating units, general support systems, and 
major applications to evaluate in the future.

      COOPERATIVE EFFORTS NEEDED TO ADDRESS IT SECURITY WEAKNESSES

    I am pleased to note that, just last month, my office entered into 
a memorandum of agreement with the Department's Office of the CIO and 
Office of Security to define our respective roles and responsibilities 
relating to the development, implementation, and management of the 
Commerce IT security program. This agreement is intended to promote a 
partnership among the three offices that both ensures complete coverage 
of IT security matters and prevents wasteful duplication of effort.
    Under the agreement, the CIO's office has the basic responsibility 
for developing and implementing the Commerce-wide IT security program, 
which includes developing IT security policies and procedures, 
promoting IT security awareness and training, serving as the 
Department's critical infrastructure assurance officer, and convening a 
meeting of the incident response group when incidents or intrusions 
occur. Commerce's Office of Security has the primary responsibility for 
security for the Department's classified systems and, in conjunction 
with the Department of State, for IT security at Commerce overseas 
posts. My office is responsible for conducting investigations of IT 
incidents and intrusions, and for conducting reviews of the 
Department's IT security program and individual systems, including the 
annual independent evaluations of the program required by GISRA.
    In closing, it is clear that cooperative, continuous, and concerted 
efforts are needed by each of us--and I mean each of us--if we are to 
address IT security weaknesses. These efforts are needed if we are to 
have any chance of staying at least one step ahead of the hackers and 
others that see IT security as some sort of cat-and-mouse game.
    I am confident that the senior management of the Department and its 
operating units increasingly recognize the need to take a proactive 
approach to do this. For example, the Secretary's recent directive 
increasing the authority of operating unit CIOs and making them a more 
integral part of the management team is an important initiative. 
Likewise, the recent appointment of a Senior Advisor to the Secretary 
for Privacy should be instrumental in addressing such issues as 
cookies, web bugs, and other security/privacy matters. And program 
officials are also being strongly reminded that they too have key IT 
security responsibilities and need to work closely with operating unit 
CIOs and security officials to ensure an effective security program.
    We intend to continue our partnership with all of these managers by 
identifying weaknesses and potential vulnerabilities in IT security and 
by searching for ways to improve it. Through this relationship, I 
believe we can help strengthen IT security within the Department.
    This concludes my statement. A list highlighting some of the 
reports we have issued that address IT security issues is included as 
an attachment. Mr. Chairman, I would be happy to answer any questions 
you or other members of the Committee might have.

                               Attachment

                      U.S. DEPARTMENT OF COMMERCE
                      OFFICE OF INSPECTOR GENERAL
    RECENT AUDIT, INSPECTION, AND EVALUATION REPORTS ON INFORMATION 
                      TECHNOLOGY SECURITY MATTERS

                              Evaluations

1--Office of the Chief Information Officer: Use of Internet ``Cookies'' 
        and ``Web Bugs'' on Commerce Web Sites Raises Privacy and 
        Security Concerns, OSE-14257, April 2001
2--Office of the Chief Information Officer: Additional Focus Needed on 
        Information Technology Security Policy and Oversight, OSE-
        13573, March 2001
3--Office of the Chief Information Officer: Critical Infrastructure 
        Protection: Early Strides Were Made, but Planning and 
        Implementation Have Slowed, OSE-12680, August 2000
4--Bureau of the Census: Computer Security for Transmission of 
        Sensitive Data Should Be Strengthened, OSE-10773, September 
        1998

                      Financial Statements Audits

 [Note: These audits are performed annually; listed below are only the 
reports covering FY 2000. In addition, the reports on security reviews 
                 are not publicly available documents.]

5--Department of Commerce: Consolidated Financial Statements, FY 2000, 
        FSD-12849-1, March 2001
6--National Institute of Standards and Technology, Improvements Needed 
        in the General Controls Associated with Financial Management 
        Systems, FSD-12859-1, February 2001
7--Economic Development Administration, Improvements Needed in the 
        General Controls Associated with Financial Management Systems, 
        FSD-12851-1, January 2001
8--Bureau of the Census, Improvements Needed in the General Controls 
        Associated with Financial Management Systems, FSD-12850-1, 
        January 2001
9--National Technical Information Service, Improvements Needed in the 
        General Controls Associated with Financial Management Systems, 
        FSD-12857-1, January 2001
10--Office of the Secretary, Follow-up Review of the General Controls 
        Associated with the Office of Computer Services/Financial 
        Accounting and Reporting System, FSD-12852-1, January 2001
11--International Trade Administration, Review of General and 
        Application System Controls Associated with the Fiscal Year 
        2000 Financial Statements, FSD-12854-1, January 2001
12--National Oceanic and Atmospheric Administration, Improvements 
        Needed in the General Controls Associated with Financial 
        Management Systems, FSD-12855-1, December 2000
13--United States Patent and Trademark Office, Improvements Needed in 
        the General Controls Associated with Financial Management 
        Systems, FSD-12858-1, December 2000

                              Inspections

14--National Oceanic and Atmospheric Administration: San Angelo Weather 
        Forecast Office Performs Its Core Responsibilities Well, but 
        Office Management and Regional Oversight Need Improvement, IPE-
        13531, June 2001
15--National Oceanic and Atmospheric Administration: Raleigh Weather 
        Forecast Office Provides Valuable Services, but Needs Improved 
        Management and Internal Controls, IPE-12661, September 2000
16--Bureau of Export Administration: Improvements Are Needed to Meet 
        the Export Licensing Requirements of the 21st Century, IPE-
        11488, June 1999
17--Office of Security: Vulnerabilities in the Department's Classified 
        Tracking System Need to Be Corrected, IPE-11630, March 1999

    Mr. Greenwood. We thank you very much for your testimony, 
and we will be getting to questions shortly.
    Mr. Dacey.

                  TESTIMONY OF ROBERT F. DACEY

    Mr. Dacey. Mr. Chairman and members of the committee, I am 
pleased to be here today to discuss our review of information 
security controls over unclassified systems at the Department 
of Commerce.
    As you requested, I will briefly summarize our written 
testimony.
    At the seven Commerce operating units we reviewed, 
significant and pervasive computer security weaknesses place 
sensitive Commerce systems at serious risk. We demonstrated 
through commonly or readily available software and common 
techniques that individuals, both internal and external to 
Commerce, could gain unauthorized access to these systems and 
thereby read, copy, modify or delete sensitive financial, 
economic, personnel and confidential business data.
    Moreover, intruders could disrupt the operations of mission 
critical systems, and due to poor incident detection 
capabilities, unauthorized system access may not be detected.
    As an illustration of these points, a recent media report 
announced the discovery of security vulnerabilities that 
allowed sensitive business information to be publicly accessed 
from a Commerce Web site, forcing the department to temporarily 
shut down a part of that site.
    Our review identified vulnerabilities in four key areas. 
First, controls intended to protect information systems and 
critical data from unauthorized access were ineffectively 
implemented, leaving systems highly susceptible to intrusions 
or disruptions.
    Specifically, management of user IDs and passwords, 
including those related to powerful system administration 
functions, were not effective. As you alluded to earlier, in 
many systems passwords were not required or were easy to guess.
    Also, bureau operating systems were not securely 
configured, including exposing excessive amounts of system 
information and allowing unnecessary or poorly configured 
system functions to exist.
    Further, none of the Commerce bureaus reviewed had 
effective external and internal network security controls. Our 
testing demonstrated that extensive unauthorized access to the 
department's networks and systems could be gained as a result 
of weakly configured external control devices, poorly 
controlled dial-up modems, and ineffective internal network 
controls.
    Second, we found other significant weaknesses. 
Specifically, computer duties were not properly segregated to 
mitigate the risk of errors and fraud.
    Software changes were not adequately controlled to ensure 
that only authorized and tested programs were put in operation, 
and comprehensive and complete recovery plans were not 
developed to ensure the continuity of operations in the event 
of a service disruption.
    Third, Commerce bureaus did not adequately prevent, detect, 
respond to, or report intrusions, providing little assurance 
that unauthorized attempts to gain access to its systems would 
be identified and appropriate actions taken in time to prevent 
or mitigate damage.
    For example, software updates to correct known 
vulnerabilities were not installed, tested bureaus were 
generally unable to detect our extensive intrusion activities, 
and in two instances when our activity was detected, Commerce 
employees inappropriately responded by launching attacks back 
against our systems.
    Moreover, these two incidents were not reported to the 
security managers of the various bureaus.
    Also, we identified evidence of hacker activity that 
Commerce had not previously detected on a system containing 
sensitive personnel information.
    Fourth, and most important, Commerce does not have an 
effective, department-wide information security program, as Mr. 
Frazier earlier discussed, to proactively ensure that sensitive 
data and critical operations are adequately protected.
    The lack of an effective security program is exacerbated by 
the highly interconnected nature of Commerce's systems. Key 
weaknesses existed in each of five critical areas.
    First, there was lack of a strong, centralized management 
function to oversee and coordinate department-wide security 
activities.
    Second, there was a widespread lack of risk assessment. For 
example, as of March 2001, of the bureaus' 94 sensitive systems 
we reviewed, 91 did not have documented risk assessments, 87 
had no current security plans; and none were authorized for 
processing by Commerce management.
    Third, there were significantly outdated and incomplete 
information security policies which did not reflect current 
Federal requirements in many important areas, had not been 
updated to reflect certain risks related to the Internet, and 
did not establish baseline security requirements for all 
systems.
    Fourth, there was inadequately promoted security awareness 
and training. Although each of the bureaus had informal 
programs in place, none had documented computer security 
training procedures that meet Federal requirements to ensure 
that security risks and responsibilities are understood by all 
managers, users, and system administrators.
    Fifth, there was a lack of an ongoing program to test and 
evaluate security controls. No oversight reviews of the 
bureaus' systems had been performed by either the staff of 
Commerce's information security program or six of the seven 
bureaus. There had been isolated tests at one bureau.
    In a draft report to Commerce, we made recommendations, 
which are summarized in our written statement, to address these 
weaknesses. The Commerce Secretary's response stated that 
Commerce has developed and is currently implementing an action 
plan to correct the specific problems we identified.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer any questions that you or members of the committee 
may have.
    [The prepared statement of Robert F. Dacey appears at the 
end of the hearing.]
    Mr. Greenwood. I thank you, Mr. Dacey.
    And the full statements of both witnesses will be entered 
into the record.
    Here is a question that I would like you each to respond 
to. Both of you used the term ``sensitive'' to describe the 
types of systems and the data at issue here. Can you be more 
specific with respect to the types of information that are 
susceptible to compromise and why it is that Congress and the 
American people should be concerned about these 
vulnerabilities?
    Mr. Frazier. I will be happy to speak first.
    There are so many systems in the Department of Commerce 
that we view as sensitive. You can start with the Census 
Bureau, for example. The Census Bureau has lots of information 
that is protected by Title 13, and in fact, I have heard you 
speak to the concern about how the American public must come to 
trust and know that information that they share with us is 
going to be protected.
    Mr. Greenwood. That was a huge issue in this whole last 
census exercise where so many Americans were reluctant to fill 
out long forms because of the fear of compromise in the 
integrity of the system.
    And, of course, we all assured them that that was not a 
problem.
    Mr. Frazier. Yes. I should tell you that in 1998, in 
advance of the decennial census, we found an incredible 
vulnerability there, and we brought it to the attention of 
census managers, and that was handled as a red cover report for 
obvious reasons.
    The concern was that if that information got out, people 
would begin to question whether it was wise to send in 
information. It was just an oversight on the part of a security 
manager that we could not believe, something that we would 
think would be as obvious as this. I am not giving the details 
here for obvious reasons, but we were just amazed that 
something as basic as that could have that kind of potential 
consequence to the integrity of the system.
    Mr. Greenwood. To interrupt you for a moment, is it 
conceivable that a hacker could go in through the Census Bureau 
to my Greenwood family long forms, Census form, and scan it and 
identify information as being responses that our family gave to 
the Census form?
    Mr. Frazier. No. When we found this problem, fortunately it 
was before the decennial census. It was in doing the work we 
did for the dress rehearsal, and so we were able to plug that 
gap. Of course, once you brought that to the attention of the 
Department and Census officials, that was something that they 
were going to correct immediately. So that was not a problem 
there.
    But, again, I go back to tell you how something as 
important as that system would have been overlooked. You know, 
that was incomprehensible to us that that could be the case.
    As we have gone in to look at the work at BXA, as you are 
aware, we have done quite a bit of work in BXA, and for many 
years, too many years, we have raised concerns about the 
adequacy of its ECASS system, which has the sensitive 
information on export controls, licensing requests.
    We have made recommendations----
    Mr. Greenwood. Could you elaborate on why that is 
sensitive? What makes that particular information sensitive?
    Mr. Frazier. Well, part of it is business proprietary from 
the standpoint if you are Company X and are getting ready to 
export radars to a certain country, you have to provide the 
department with certain information that they can use to assess 
your license request.
    In the process of doing that, that is information that you 
surely do not want your competitors to have. So that would be 
extremely sensitive.
    Mr. Greenwood. You mentioned radar. I assume that could 
apply to other military equipment that is being exported, 
information that we would certainly not want some individuals 
or organizations to have ready access to, who might have an 
interest in intercepting that military equipment.
    Mr. Frazier. As you know, Commerce handles what we call 
dual use items, which have both military and civilian uses, and 
so you are right on the money when you suggest that that is 
information that we would surely want to protect as much as we 
possibly can.
    Mr. Greenwood. In fact, in the GAO report, it says 
sensitive data such as relating to national security, nuclear 
proliferation, missile technology, and chemical and biological 
warfare reside in the bureau system.
    Mr. Frazier. Yes.
    Mr. Greenwood. Mr. Dacey, would you like to elaborate on 
the same subject?
    Mr. Dacey. Yes. Basically, in addition to the export 
license information we talked about, there is certain other 
information. There is something called the safe harbor, which I 
alluded to in my oral statement, which is a method for filing 
to satisfy European Union privacy requirements, and by filing 
you demonstrate that you meet certain requirements and then can 
obtain certain personnel information and bring it back to your 
company.
    And that included information like revenue, you know, what 
companies are you doing business with, number of employees and 
such nature of information which was exposed as well.
    There is, additionally, other information that the bureaus 
have on the personal side, and that would have to do with 
credit card information, for example the ESA subscription 
services. They collect credit card information.
    The bureau itself has data bases containing significant 
information on Commerce personnel, including various 
information, Social Security numbers, and that sort of thing.
    So there is a variety of information, including financial 
information, that is out there on the systems that are at 
Commerce.
    Mr. Greenwood. And what about the ability to go through the 
Commerce Department systems? Is it conceivable that one could 
go through the Commerce Department's system and then thereby 
reach out to consulates, to our consulates around the world?
    Mr. Dacey. One of the tests that we performed, we were able 
to--let me back up a minute.
    When we do our testing, our target or goal is to gain what 
we call administrative control of the systems we are looking 
at, and that means we could place ourselves in the position of 
system administrator and thereby do just about anything that we 
would want to do on that system, including reading files, 
copying files, deleting files, changing software, any number of 
things that a system administrator could do.
    We gained that level of access on several of Commerce's 
systems. Some of those allowed us to gain access to networks 
which went to the Foreign Commercial Service posts as well as 
the systems that contained some of this sensitive information.
    Mr. Greenwood. And those consulates are, of course, in 
turn, interconnected to other sensitive agencies of the Federal 
Government so that it would seem to me to heighten the 
sensitive nature of this leak.
    Mr. Dacey. We did not specifically look at the connectivity 
of those Commerce installations in foreign posts with other 
potential agencies, but that is an issue which might be 
explored in the future as another task.
    Mr. Burr. Would the chairman yield?
    Mr. Greenwood. Certainly.
    Mr. Burr. What I understand your answer to be is that you did 
not try to go outside of the Commerce system within the 
embassy?
    Mr. Dacey. That is correct. We went to Commerce 
installations in the various foreign posts, and because that 
was the limit of our testing, we stopped at that point. We did 
not try.
    Mr. Burr. If the focus at the embassies was to keep people 
out of their system, but not to limit their movement from 
within their system that they were in, had you tried you might 
have been able to go anywhere within the embassy system.
    Mr. Dacey. It is hard to speculate where we could have 
gone, but if there was interconnectivity, we had significant 
rights on the system, Commerce's system. We just do not know 
what interconnectivity might exist.
    Mr. Greenwood. The Chair's time has expired, and the 
chairman recognizes the chairman of the full committee for 5 
minutes to inquire.
    Chairman Tauzin. Thank you, Mr. Chairman.
    Mr. Dacey, I want to understand the concept of the weakness 
within the system, if you do not mind. In your testimony you 
state that the individuals both within and outside Commerce 
could compromise internal and external security controls to 
gain extensive unauthorized access.
    I want to know what you mean by ``extensive.'' Is that 
another term for what is called root access or total control of 
the systems?
    Mr. Dacey. Right. That is what I was referring to as 
administrative level access on the networks. That is referred 
to as root access, and we were able to gain that level of 
access on several systems.
    Chairman Tauzin. Now, you also state that the department 
was able to detect your extensive intrusion activities on only 
four occasions. How many intrusions should have been detected 
if they had had a good system in place?
    Mr. Dacey. We attempted to scan over 1,000 system devices. 
So I do not say that they would detect all 1,000, but certainly 
we would have expected a significantly higher number of those 
attempts to be detected.
    Chairman Tauzin. So you are saying 4 out of 1,000 were 
detected?
    Mr. Dacey. Over 1,000.
    Chairman Tauzin. Over 1,000?
    Mr. Dacey. Yes.
    Chairman Tauzin. What is that .4 of 1 percent, something 
like that were detected? So that in effect, if again my math is 
right, something like 99.6 percent of the intrusions were not 
detected.
    Mr. Dacey. Something like that, yes.
    Chairman Tauzin. That is purer than Ivory Snow. That is a 
huge number. It basically says that you could walk around 
undetected in cyberspace, in effect, within the department's 
data banks.
    Mr. Dacey. Right. That is one of our concerns, as I said in 
my oral statement. There was actual hacker activity on one of 
the systems which we discovered, which Commerce was not 
previously aware of.
    Chairman Tauzin. Can you give me a little more information 
about the fact that your auditors discovered the intrusion of a 
Russian hacker in the system? What exactly happened there? What 
was going on?
    Mr. Dacey. We identified a server, a network server, and 
when we went in to start to explore it, we identified certain 
tools that were left behind by a hacker, and at that point in 
time we turned that over to the agency and suggested that they 
investigate the situation and resolve it and figure out what 
happened.
    Chairman Tauzin. Well, did they find out what the Russian 
was up to?
    Mr. Dacey. I believe, based on my recollection, the IG 
really followed up on the process afterward. I don't know if 
Mr. Frazier has any further information.
    Chairman Tauzin. Could you tell us?
    Mr. Frazier. Vladimir was his name.
    Chairman Tauzin. Vladimir?
    Mr. Frazier. Yes.
    Chairman Tauzin. Good, old Vladimir. What was Vladimir 
doing in our data banks?
    Mr. Frazier. We found out that he had hacked into a number 
of government systems.
    Chairman Tauzin. Was he just having fun or was he up to 
mischief?
    Mr. Frazier. Well, we could not determine that. He got into 
the system. He got into the systems at other agencies, and he 
did not do any major damage to our knowledge, but that is part 
of the problem. You do not know how long he had been there. You 
do not know what else he had----
    Chairman Tauzin. Well, I mean, you detected only .4 of 1 
percent. So he could have been all over the place, and if he 
did not drop a tool here or there, you may never know he was 
there.
    Mr. Frazier. We would have never known he had been there.
    Chairman Tauzin. So he could have been in a lot of other 
places that he did not leave his tracks, right?
    Mr. Frazier. Yes. So what they will do is close that door.
    Chairman Tauzin. That is right.
    Mr. Frazier. But many other doors are left open.
    Chairman Tauzin. Yes, let's talk about doors. One of the 
things you mentioned, Mr. Dacey, is the interconnectivity of the 
Commerce Department, the bureaus you reviewed. 
Interconnectivity is good, of course, in a sense because it 
allows all of the bureaus to share information and to relate to 
one another. It could be a problem if a hacker or Vladimir 
finds, excuse my expression, the weakest link in the system and 
through interconnection, he is everywhere, and then bye-bye, he 
is gone.
    Tell me about interconnectivity within the bureau, within 
the department, rather, among its bureaus.
    Mr. Dacey. One of the issues is the interconnectivity 
between us. As you suggested, it is a good thing. It is used to 
communicate between the bureaus at Commerce. One of the issues 
though is protecting those systems and that interconnectivity 
so that if someone gains unauthorized access to one bureau 
system, that there are measures to prevent them from going 
further once they are inside the network.
    What we found, in fact, was that some of the accesses that 
we obtained to some of the more sensitive information were 
actually through other bureaus that we----
    Chairman Tauzin. So you actually did that. You found the 
weakest link, and then bingo, you had access to other 
information that you might not have directly been able to 
access, right?
    Mr. Dacey. That is correct. When we identified these, 
again, our tests were not designed also to detect every 
vulnerability, but we found sufficient evidence to----
    Chairman Tauzin. Well, I guess here is probably the most 
important question. Have you done enough testing to be able to 
advise the Commerce Department on how to seal those doors and 
how to protect against the Vladimirs of the world?
    Mr. Dacey. We provided detailed out-briefings at the time 
that we performed our work in the field, and our understanding 
is that the agency has fixed some and is working on others, and 
that is consistent with their response to----
    Chairman Tauzin. Was your testing complete?
    Mr. Dacey. But that was what I was going to suggest, is 
that we do a limited amount of testing. We spent about, let's 
say on average, 2 weeks at each bureau, and we found sufficient 
vulnerabilities to support our conclusions. I would not aver 
that, in fact, we found all of the vulnerabilities.
    In fact, we did not find all of the vulnerabilities. One of 
the important steps that Commerce needs to take is really to 
develop an active testing program of their own and identify 
these vulnerabilities from a management viewpoint and fix them.
    We certainly did not find them all.
    Chairman Tauzin. Mr. Chairman, one final thought, and I do 
not want to at all cast aspersions on either one of your 
operations because you do a very good job for us, but we heard 
from a lot of agencies that we are losing talented people, and 
they are reaching retirement age, and I assume that is true of 
your agency as well, that you are losing some of your best 
people.
    What we have learned in this area of the high tech commerce 
world is that some extraordinarily good people are the youngest 
people, and I just wonder, are you satisfied that within your 
ranks are, indeed, some of the brightest and most capable 
people who could be charged with determining whether we have 
left doors open and whether the systems are adequate or 
whether, in effect, we really know all the answers as to how 
inappropriate access can be obtained.
    I guess what I am asking you is: are we as bright within 
your agencies as the people out there, particularly the younger 
people who are coming up and know these kind of systems like 
the back of their hands? Are we as bright as they? And are we 
as capable as they in understanding what is possible when it 
comes to entries of access?
    Mr. Frazier. Let me comment on that on a number of levels. 
First, I think that we recognize the need to go out and get new 
talent, if you will, to stay current with this. We are using 
contractors like never before because, as you point out, we 
cannot literally keep IT specialists. The private sector will 
hire them away very, very, very quickly.
    But at the same time, I am fortunate that I have an 
assistant IG for systems who I think is one of the best in 
government. She has brought a lot of people from the private 
sector, and we have been able to keep them.
    It is not easy, you know, but I think that that is 
something that we have worked very hard to do.
    But I think that even more important is for managers to 
recognize that it is not just about the IT specialist or the 
security specialist. It is about program officials taking 
responsibility for this.
    You know, you used the term ``weakest link,'' and it is 
exactly the word that describes the problem. I can put in the 
best system. I can hire the best people. I can get the best 
contractors, but then if I get an employee who decides that he 
or she is going to leave his system on overnight so that a 
cleaning person can access the system, as we found in one case, 
then it does not matter that I have hired the best and the 
brightest.
    So the goal here, I think, is to get managers in the 
Department of Commerce involved. That is why we are so 
impressed with the Secretary's recent memo that said to the 
Under Secretaries and others: This is your responsibility.
    When we issue our reports to the CIO or if I issue my 
report to the Director of Security, I am preaching to the choir 
at that point, but the reality is that I've got to turn around 
and talk to the people who run those systems, who do not 
understand, who do not see that information security is their 
responsibility.
    It is an awareness program. I have to tell you when you go 
in and you brief many senior officials and you start to talk 
about security reviews and doing quarterly reviews, their eyes 
kind of gloss over because it sounds so boring or that is ``not 
my responsibility.''
    Quite the contrary, it is something that has not been taken 
seriously in the past, and until all of us, until everyone 
recognizes the role that they are charged with playing, I think 
that we are going to come back to you year in and year out with 
the same kinds of problems. That is my frustration.
    Chairman Tauzin. Very well said.
    Thank you, Mr. Chairman.
    Mr. Greenwood. I thank the chairman of the full committee 
for his participation and note that with his heavy schedule and 
six subcommittees to cover, it is impressive that he manages to 
come to each one of our hearings and spend the time. We 
appreciate it.
    The Chair recognizes the gentleman, Mr. Burr, to inquire.
    Mr. Burr. Thank you, Mr. Chairman.
    Mr. Dacey, I have seen a lot of folks behind you going like 
this. So I assume that they are part of the security analysis 
team, and let me thank them for their good work.
    But let me ask you a real important question. Are they the 
best that is out there?
    Mr. Dacey. I think we have a very good team actually, whether 
they are behind me or not.
    Mr. Burr. And I am sure you do, and I thought of another 
way to ask it, and I could not think of it, but the likelihood 
is there is somebody out there that is going to be as good if 
not better.
    Mr. Dacey. Our aggregate experience averages about 20 years 
per person on our staff doing this work at this point in time.
    Mr. Burr. Well, then you may have the best.
    Mr. Dacey. No, I do not profess we have the best. I do not 
think they would profess that, but we have some good folks 
here.
    The issues are in this whole environment that there are a 
lot of people who are out there that are finding these 
vulnerabilities and issues with systems that apparently have 
the time and abilities to go do that. We do not try to discover 
new ones. We just try to figure out if agencies have processes 
in place to find them and fix them, and that has been a 
challenge, and we have pursued that role to try to do that.
    Mr. Burr. The question that I am trying to get answered: 
there are a host of folks in the world who have skills at least 
equal to the folks that conducted this review of the 
deficiencies and security at Commerce. Would that be safe to 
say?
    Mr. Dacey. Yes.
    Mr. Burr. So we have got an ever looming threat of people 
who want to get into these systems. Now, I would assume that 
commerce is probably linked to the Department of Energy, and if 
one could hack into Commerce, they might find their way at 
least to try to get into the Department of Energy, and if the 
Department of Energy had an area that might have a deficiency 
and they got into that, the Department of Energy is linked to 
the nuclear labs, and you follow the path I am going, that one 
could enter in Commerce and potentially end up in the Los 
Alamos system.
    Is that conceivable?
    Mr. Dacey. We really did not look at that connectivity, but 
if, in fact----
    Mr. Burr. If they were connected.
    Mr. Dacey. And if it was not adequately controlled, yes, 
that is conceivable, but again, given the particular facts I do 
not know. We did not look at the interconnectivity of Commerce 
to other bureaus.
    So it is an issue, but I think it is one that has not been 
actively explored, and that is not just Commerce, but the 
interconnectivity between various bureaus. I mean there is some 
of that interconnectivity. When we do our work, we find 
connections to other bureaus routinely.
    We have not tested those because our work has typically 
been focused on the bureau that we have been looking at at that 
time.
    Mr. Burr. And we know that employees of Commerce are paid 
by the United States Treasury. Therefore, there is probably a 
link to the Treasury, and because there is a link to the 
Treasury, the Treasury is probably linked to every other 
agency, and there might be a way to go that system and test 
numerous different agencies within the Federal Government.
    Mr. Dacey. It depends on the connectivity and the controls. 
In some cases, for example, the information may, in fact, be 
just downloaded and pushed down to another entity. There may 
not be a live connection, and there are a lot of other things 
that go on.
    So I think though that that is an increasing risk because 
what we are seeing overall is more interconnectivity as time 
goes on. It is certainly convenient, and it saves time and 
cost.
    At the same time, there need to be adequate controls in 
place to prevent someone from doing what you suggested.
    Mr. Burr. And am I correct that a scenario like that could 
happen if you had one entry point that they could get into?
    Mr. Dacey. In the situation, take Commerce, for example. As 
I said, some of our access to this sensitive data was obtained 
through other bureaus. So we were able to get in.
    Typically that is what we do. As I said before, we do not 
explore every conceivable opportunity to get into the systems 
because when we find one and gain the level of access we 
obtained----
    Mr. Burr. You are completed.
    Mr. Dacey. [continuing] we do not need to go further to do 
what we do.
    So there are definitely weakest link concepts that we 
talked about earlier that need to be protected against.
    I would also like to reiterate that most of our testing 
that we have done here is technical in nature. We have tools 
that are available to virtually anyone that can identify these 
types of vulnerabilities and tools to exploit them.
    What we have not done much of, one thing that the hacker 
community does, is something called social engineering, where 
they try to gain information like passwords and other 
information from employees, which is why employee awareness is 
very important as we talked about earlier.
    And so those are the issues. The weakest link might be 
someone answering a phone and saying, ``Yes, here is my 
password and user ID,'' and someone else using it to log onto 
the system, and if you get a little bit into the door, 
oftentimes you can get information, including network traffic, 
that has other passwords and escalate your privileges to the 
level we seek to obtain.
    Mr. Frazier. And, in fact, as part of our penetration 
testing for the financial statements, our CPAs did exactly 
that, called up, pretended to be the system administrator, told 
someone that they needed their password to get in, and the 
person gave it to them over the phone, and so we know that that 
has, in fact, happened.
    Your questions are right on the money. Those are the 
questions that the system's administrators, that the program 
officials, and the security people should be asking every day. 
You should make the assumption that people are constantly 
trying to get into your system.
    And what is important is that you should make the 
assumption that they are trying to get into your system so that 
they can get into other parts of the Department of Commerce 
because you do not know what the interconnectivity is, and so 
until you do the extensive testing, which is seldom done at any 
agency, you have to make that assumption that this is happening 
on a continuous basis.
    Mr. Burr. Let me ask you real directly, Mr. Frazier: do you 
know all the connectivity points?
    Mr. Frazier. No. Right off the bat, no.
    Mr. Burr. Is there anybody at the Commerce Department that 
does?
    Mr. Frazier. And I would venture to say at this point, no.
    Mr. Burr. So even if it was not a technical deficiency that 
we had, a simple password management problem might create 
access for somebody intending to enter the system and figure 
out where they can go.
    Mr. Frazier. Yes.
    Mr. Burr. Okay. Let me ask you real quickly. Your testimony 
seemed to rehash some of the issues covered in the 1999 report 
your office sent to then Secretary Daley. I believe, in fact, 
the report had your name on it, if I am correct.
    Mr. Frazier. Yes, it did.
    Mr. Burr. Why should we have confidence in your office's 
ability to ensure needed changes do take place, I guess, 
considering the fact that you have raised the issue? You have 
raised the issue. We know it has gone to the level of the 
Secretary, and we still have a problem.
    Mr. Frazier. It is an easy answer there. We identify the 
problems. We then report those problems to managers. We, as you 
know, report to the Congress also. We come to the Congress and 
tell them the same story. We send them our list of the top ten 
challenges.
    We sent that report up to the Hill. Unfortunately we have 
not been empowered with what I call the enforcement tool that 
says, ``You are going to put the resources into this area to 
develop it.''
    If you use BXA, for example, you can go back 5 years and 
find out where the IG's Office--I was not the IG--recommended 
that that system be improved, that the system be updated. It 
identified many weaknesses as long ago as 5 years.
    In our 1999 report, we found a litany of problems, whereas 
we have checked recently and found out that about half of those 
issues have been addressed, but some of the most critical ones, 
the ones that say are you trying to see if people can penetrate 
your system, are you regularly developing the kinds of security 
plans that are required by the government rules and 
regulations, and the answer is still no.
    Now, we have not let that drop because we currently have an 
inspection team that is in there looking at the ECASS system 
again. And again we will take the message of our findings to 
the Congress, to the Secretary, and you hope that they will get 
the message.
    Again, I would go back and emphasize the program officials 
having the top responsibility for making sure that these are 
implemented.
    We have testified that in the case of BXA, that there 
should be additional funding to support the resources that were 
necessary to develop that system, and that's something that an 
IG usually does not do. We are usually trying to find ways to 
cut resources.
    But in that case, we went on record as saying, yes, we 
think that that system definitely needed to be upgraded. It 
needed additional support, and again, that's not an excuse. It 
says that this is the way it is in the sense that we do not 
have the authority, if you will, to go in and make somebody do 
anything.
    We can surely use the bully pulpit. That is why I am so 
pleased with this hearing today because it represents an 
opportunity for these issues to be aired. In fact, they should 
have long been done.
    Mr. Burr. Well, we hope you will continue to speak very 
loudly on it and not wait for the invitations from us. I think 
you have gotten an administration that is very anxious to solve 
some of these problems.
    Both of you in your testimony, I think, alluded to one 
phrase that I found very interesting, excessive user 
privileges, and I remember when we were in the heat of the 
investigation at our nuclear labs. One of the problems that we 
found was the lack of different levels of security within the 
lab.
    We had adopted this policy in the early 1990's where rather 
than offend somebody, we sort of brought everybody in at the 
same status and never thought about the fact that that gave 
everybody the same type of access to the sensitive areas of a 
computer system, and that contributed to the potential 
nightmare that we saw.
    Does there exist a separation of individuals' levels of 
access that they can get in the Commerce system, or once you 
are in, you are in everything or you are only in a 
compartmentalized area?
    Mr. Frazier. It is hard to generalize, but I can tell you 
examples where that has definitely been a problem in the 
Department of Commerce, without mentioning the bureau's name, 
where certain people who should have had the authority, for 
example, to only read information were inadvertently given the 
authority to not only read, but to alter the information.
    Now, that can have very dire consequences when you give 15 
people access to a system that should not have access.
    Now, what was equally troubling, of course, when we found 
this out, the second time what was of great concern to us, if 
they had done what I call the quarterly monitoring, if they had 
done the risk assessment, that is something that would have 
been identified, and again, managers too often think of this as 
just these requirements that really do not have any impact, and 
you cannot overemphasize that these are things that are put on 
the books for a very good reason.
    So the answer is yes.
    Mr. Burr. Mr. Dacey?
    Mr. Dacey. There are different levels of access that one 
can give to different systems. Our main target in our review is 
to try to get at the system administrator level of access, 
which is the one that should be fairly tightly controlled and 
limited to only a limited number of folks. So there is the 
ability to do that.
    What we found in Commerce though is not a regular review 
process, as was just discussed, to look at those and see if, in 
fact, they have been properly allocated to the right people.
    Additionally, we also found system administrator passwords 
and information in files in certain bureaus that would give us 
that ability. So even if we had not been given the direct 
access, we could have gained information that would have 
allowed us to log on or sign on at that level of access.
    Mr. Burr. So that would sort of come under that header of 
password management problem?
    Mr. Dacey. And how is it stored in the system.
    Mr. Burr. I will ask one last question. The chairman has 
been very patient.
    Could we at least conclude that if an individual who had a 
password that allowed them the same access you were able to 
achieve as an administrator left the Department of Commerce, 
could we believe that their password would be canceled, 
altered, or are we convinced that they could not access the 
system when they left today?
    Mr. Dacey. We did not specifically look at that at 
Commerce. I know in other bureaus it is an issue of people 
revoking passwords on a timely basis, but I believe the IG has 
done some work in that area.
    Mr. Frazier. Yes, there are cases where that does not 
happen. If you are in the private sector, my brother-in-law 
works for CISCO, and he points out that when you go in and tell 
them that you are going to leave, they change your password 
before you leave the room, terminating your access to the 
systems.
    We have people who have been out of the Department of 
Commerce for 3 years and who still we found have access to the 
system.
    That is unacceptable, absolutely unacceptable, you know.
    Mr. Burr. I thank both of you.
    I yield back.
    Mr. Greenwood. The Chair thanks the gentleman for his 
inquiry. The gentleman asked if you folks had the expertise. It 
is my observation that you do not need the smartest hackers in 
the world to get into a department that has a computer security 
system that is the cyberspace equivalent of the Keystone Cops.
    So I do not think you need to worry about what your 
capacity is.
    Mr. Burr. Mr. Chair, could I say that I think Mr. Dacey has 
the smartest ones?
    Mr. Greenwood. Both of you have also found in your 
respective audits a failure on the part of the Commerce bureaus 
to prepare risk assessments and security plans for their 
sensitive systems, including some that have been designated as 
critical to our national security.
    Is this just a paper work problem, or should we be truly 
concerned about this lack of documented assessments and plans? 
Either gentleman.
    Mr. Frazier. Well, see, I think that therein is part of the 
problem, is there are too many managers who perceive it as a 
paper work exercise. This is just another check list for us to 
go through.
    And I cannot overemphasize the importance of changing that 
thinking, establishing a different culture that says we need to 
do this, and it needs to be done on a regular basis.
    That is part of the problem, and again, I think I mentioned 
that.
    Mr. Greenwood. Let me ask this to both gentlemen. We have 
your official reports and so forth, but I also know that in 
some of these tests you gave advanced warning to the department 
that you were going to be doing this testing. I assume you had 
conversations with people in the department whose work you were 
examining and whose job--maybe you did not, but I would be 
interested in what those informal conversations were like.
    I mean, did people in the department say, ``Oh, God, you 
are going to look at our system, and I know you are going to 
find that it is awful and I am embarrassed,'' or, ``we are 
doing the best that we can, but we just are overworked. We will 
get to it?''
    When you communicate with folks in the department whose job 
it is to set up these security systems, what kind of dialog is 
that? What has that been like?
    Mr. Frazier. Well, when we do our penetration testing with 
the CPAs through the financial systems, we usually identify one 
bureau official who is sworn to secrecy and will work with us, 
but as I have pointed out, usually once you identify these 
problems, these are people who are in the systems business, who 
understand systems, and you are preaching to the choir.
    The message has to be conveyed to their supervisors, to the 
top officials to let them know that they have got to get the 
message out on a broader level. This is not just a problem for 
the accountants to worry about or the systems people to worry 
about or the security people to worry about.
    And traditionally that is what happens.
    Mr. Greenwood. But I am talking about the people in the 
department whose job it has been to comply with the Federal law 
and to make sure that these systems are secure. When you 
communicate with them, have they said, ``Our hands are tied. We 
do not have the resources. We are not well trained enough. I do 
not have enough people?''
    What do they say?
    Mr. Frazier. A number of things, but, in fact, I think that 
Bob alluded to the fact also that the department has agreed to 
implement the recommendations.
    We went back in preparation for this hearing and looked at 
the recommendations that we had issued, say, in the last 2 to 3 
years in the areas of IT security, and almost without 
exception, I mean, let's say if there were 100 recommendations, 
there may have been 5 to 7 that the bureau said, ``We disagree 
with you on.''
    So they give you the assurances that they are going to deal 
with this, and they send in what we call action plans to tell 
us how they propose to deal with it, but also, if you look at 
those audit action plans and inspection action plans, usually 
they raise questions about the limited resources that they have 
available to implement some of the recommendations.
    And then the other thing is that they, too, are faced with 
the problems of making sure that they have the talent to do 
this.
    Now, you take one bureau. I will not mention the name, that 
has plenty of resources, and they went out and hired a CPA firm 
to try and penetrate their system doing the exact same thing 
that we do or GAO would do, and any bureau can do that.
    In fact, most bureaus should have that as part of their 
risk management plan. So part of it does come down to 
resources, but, again, it comes down to a commitment.
    Mr. Greenwood. But when they have complained about 
inadequacy of resources and they have asked for the resources, 
did you get a sense of how far up into the hierarchy? Did those 
requests go to the Secretary's level? Did the Secretary 
transmit those requests to the administration?
    Where was the weakest link, so to speak, in terms of the 
folks in the department or in the administration who failed to 
provide the resources?
    Mr. Frazier. I send all of my reports to the head of the 
bureaus, the Under Secretary level or the Assistant Secretary 
level, and any finding or observation that has IT security 
implications would have been sent to the department's CIO and 
to the department's Deputy Assistant Secretary for Security.
    So the report, the information has surely been made 
available.
    Mr. Greenwood. And the problem, I think--correct me if I am 
wrong about this--but the CIO has a variety of responsibilities 
beyond. The security of the IT is a subset of the CIO's 
responsibilities; is that correct?
    Mr. Frazier. Yes, that is correct.
    Mr. Greenwood. Okay, and what were some of the other 
responsibilities of the CIO?
    Mr. Frazier. One of the things I looked at, how long we 
have had IT security on our list of the top ten management 
challenges, and it has been about 1-1/2 years, and I asked my 
Assistant IG, ``Well, why didn't we have this on there 
earlier?'' Because we knew that there were problems.
    And she said, you know, a lot of times we forget that back 
in 1988 and 1989 most of us were preoccupied with the Y2K 
issues, which you know, we kind of forget. The concern was 
whether----
    Mr. Greenwood. Do you mean 1988 or 1998?
    Mr. Frazier. I am sorry. 1998.
    Mr. Greenwood. Nobody was thinking about it in 1988.
    Mr. Frazier. The concern was whether the systems were going 
to function literally, and so people were not worried about 
some of the details.
    And the other thing, if the truth be told, is these systems 
have become more sophisticated and more interconnected. This 
problem has grown, and I do not think that our interest and 
attention has kept up with the way that the system technology 
has grown, and so I think that that is part of the problem.
    Mr. Greenwood. Mr. Dacey, do you have any other comments?
    Mr. Dacey. No. I think it is a matter of emphasis. Some of 
the things that we have found is that for some of the bureau's 
security officers, it was a part-time duty. They had other 
responsibilities even besides security management. They did not 
have a full-time security manager, even one in some bureaus. I 
think that is a major issue.
    In terms of thoughts, I know they had time to prepare, and 
I know in the process of doing our work things improved because 
they were aware we were there and we were certainly fixing 
issues.
    But when we raise these issues, they are generally not a 
big dispute, and generally the people we talk to appreciate the 
significance of the vulnerabilities that we highlight. So we do 
not have a lot of convincing to do.
    So the real issue is really focusing attention because I 
think if it was placed that they would be able to find the same 
kind of vulnerabilities that we find and use some of the same 
tools that we use to do that.
    Mr. Greenwood. Mr. Frazier, in your financial control 
audits for fiscal year 2000, you looked at seven Commerce 
bureaus including NOAA, NIST, the Census Bureau, and others, 
and found that access control problems existed at all seven 
locations. Can you be more specific about what you mean by 
access controls?
    Mr. Frazier. Well, we looked at the access controls at four 
of the seven, and what that means is that we were able to get 
into the system. I mentioned that we were able to get one 
individual system administrator to compromise his or her 
password.
    We also were able to get into the system in ways that we 
should not have been able to get into the system, and again, 
the CPAs use Cybercop and several other readily available 
software packages to try and do this penetration testing, and 
so it is not like they have some special techniques that need 
to be used, but in using what is readily available software, 
they were able to access these systems.
    Mr. Greenwood. Do you believe that this represented a 
material weakness or a reportable condition under the relevant 
statutory authorities?
    Mr. Frazier. Well, they were reportable conditions, but of 
course, once you pull them together and we issued our 
consolidated reports for the Department of Commerce, we became 
concerned that it was a material weakness.
    Individually it may not have been a material weakness at 
the various bureaus, but again when pulled together and looked 
at together, it would be a material weakness.
    Mr. Greenwood. Okay. A related question, again, for you, 
Mr. Frazier, and, Mr. Dacey, if you would like to comment, 
please do.
    GAO has testified that at the seven bureaus it reviewed, 
none of them had effective internal or external network 
security controls. It appears based on the body of IG audit 
work at other Commerce bureaus that there is nothing unique 
about these seven bureaus in this respect, and that in your 
opinion similar deficiencies either have been or would be found 
at virtually any commerce bureau.
    Would that be a fair statement?
    Mr. Frazier. Let me clarify one thing. GAO is looking at 
seven bureaus. We are looking at seven financial data centers. 
So we are talking about apples and oranges. There would be, for 
example, one financial data center, such as NOAA, and BXA would 
be the same one. So it is not the same seven.
    So when we talk about what we have found in problems at all 
of these seven locations, it is not the same seven. Okay?
    Mr. Greenwood. But the problems are similar.
    Mr. Frazier. The problems are definitely similar.
    Mr. Greenwood. And there is no indication that anybody at 
the department level Commerce-wide had been creating security 
systems in other bureaus that would make the seven that you 
looked at unique.
    Mr. Frazier. I'm sorry?
    Mr. Greenwood. I am assuming that what you found in these 
seven bureaus and these seven centers, there is no reason for 
us to believe that they were unique. One would assume that----
    Mr. Frazier. If you look at seven and you find----
    Mr. Greenwood. [continuing] the department as a whole 
allowed these weaknesses in these seven bureaus, there was 
nothing going on at the department at the top most level that 
would have presented these weaknesses in other bureaus.
    Mr. Frazier. Yes, I do not think so.
    Mr. Greenwood. Mr. Dacey, any further comments?
    Mr. Dacey. No. Just based upon a reading of some of the 
reports that the IG has issued, the nature of the 
vulnerabilities appeared to be similar.
    Mr. Greenwood. Okay. We are about to hear from the new 
Deputy Secretary. Let me just ask you in his presence if you 
could make one recommendation, each of you gentlemen, what 
would be your most critical recommendation to the department?
    Mr. Frazier. Well, I have had the pleasure of meeting with 
Deputy Secretary Bodman, and when we sat down at our first 
meeting, the first thing we talked about were the challenges 
facing the department. It was a lengthy meeting, and one of the 
things that I was encouraged about, as you know, he has an 
engineering background. He comes from the business sector. He 
comes out of the academic community, and it was very clear that 
he understands systems.
    But more to the point was getting the message out to the 
program officials to hold them responsible. I think often we 
look for very complicated fixes, and the point that I surely 
tried to convey to him, that part of this is an awareness 
program.
    And so there is a short memo that came out that said 
basically to the secretarial officers: you are now basically 
responsible for security in your agency.
    That will probably have a greater impact than putting an 
additional $2 million in every budget in the department. I mean 
if you begin to change that culture.
    So I am encouraged, is the word that I use, that I think he 
will bring a new dimension there.
    Chairman Tauzin. Mr. Chairman.
    Mr. Greenwood. The Chair recognizes the chairman.
    Chairman Tauzin. Could I be recognized and strike the last 
word for a second?
    Mr. Greenwood. The Chair yields to the gentleman.
    Chairman Tauzin. I thank the gentleman.
    Mr. Chairman, I have to be at the White House in about 10 
minutes for a cabinet meeting on global warming, and so I am 
going to have to leave right now, and I will not have a chance 
to visit with the witness from the Commerce Department, but I 
wanted to put on the record at this point my deep concern about 
the existence of ``cookies'' and Web ``bugs'' within the 
Commerce Department systems, and my concern that even now that 
the department is focusing on the existence of these 
``cookies,'' that as the testimony indicates are there without 
a compelling reason and without the approval of the Secretary, 
that the department's CIO is now recommending a strategy to 
control the use of persistent ``cookies'' and Web ``bugs.''
    My concern is that I think we ought to go further than 
that. My understanding of the policy of the government is that 
unless there is a very good reason for a ``cookie'' or a Web 
``bug'' to exist on Federal sites, that we will have a very 
serious concern about Americans having to deal with these 
devices when they are sharing their information, as I said, 
involuntarily with the government.
    I can understand ``cookies'' and Web ``bugs'' on commercial 
sites that I enter voluntarily and choose to visit and do 
business with, but when American citizens are asked to 
involuntarily do their business with the government with the 
Internet only to find that we have permitted someone else, some 
other institution, perhaps not even a government institution, 
to be collecting that information for other purposes sometimes 
without the knowledge or consent of the citizens of this 
country, that raises grave concerns.
    When Leader Dick Armey and I asked for a study by the GAO of 
the existence of security and privacy on Federal sites, we were 
appalled to find out; so was the Senate appalled to find out 
that there were so many ``bugs'' on the systems and so many 
``cookies'' that were actually out there. We found one on an 
IRS site. We found a ``cookie'' for a private enterprise 
concern in this country collecting information from citizens on 
an IRS site.
    Now, how abominable is that? It is bad enough having to 
deal with the IRS, but to think that the IRS is sharing our 
information with other people without our consent is 
outrageous.
    And so, Mr. Chairman, again, my apologies for having to 
leave because this is such a good hearing and it is such a 
serious focus of your oversight investigations work that I hate 
to leave it, but I want to leave it with this thought, and I 
hope the department witnesses are prepared to speak out 
forcefully about their intention about how they intend to deal 
with these ``bugs'' and this ``cookie'' problem.
    Americans ought not to have to be surprised to find out 
that private information is being shared by their own 
government with people they might not want to share it with. It 
is as simple as that.
    Mr. Frazier. As you are aware, we did find 12 of them in 
the Commerce system, but to the department's credit, the 
Secretary has hired a special advisor for privacy. He has met 
with me and my systems people to ask about other particulars.
    Chairman Tauzin. Well, you do not need an expert consultant 
to tell you that when we have got a Federal Trade Commission 
that is pounding on private companies in America to have good 
policies of disclosure to consumers about what they are 
gathering and how they are using that information, you do not 
need an expert to tell you there is something deadly wrong 
about the government doing it without consumers' permission, 
particularly when it is information, as I said, that we are 
sharing not necessarily of our own volition.
    And if consumers have questions about privacy in the 
commercial world, I can promise you their concerns rise to 
astronomical levels when it comes to information they are 
sharing with the government very often only because they have 
to.
    So anything you can do to put a spotlight on this problem 
and anything the department can do to help us aggressively stop 
whoever it is in our government who thinks they have the right 
to do this without asking our consent as citizens of this 
country to allow others to come in and gather information about 
us without our consent, I hope you come down like a sledge 
hammer in your reports, and I hope the department comes down 
like a sledge hammer on any employee who thinks they have a 
right to do that without very important reasons that are well 
spelled out and well justified and approved at the top and with 
the disclosure to Congress of what is going on.
    And I thank you very much, Mr. Chairman.
    Mr. Greenwood. I thank the chairman, again, for his 
participation and for his keen interest in this issue.
    And before I recognize Mr. Burr for inquiry, I had a 
question on the table, to which Mr. Frazier has responded, and 
before I go to Mr. Dacey, Mr. Frazier made reference to the 
memo dated July 27 from Donald Evans, the Secretary, on the 
high priority to information technology security.
    The Chair would, without objection, enter it and several 
other documents provided to us by the department for the 
official record.
    Mr. Dacey, if you would respond to the question about your 
No. 1 recommendation, then I would following that recognize the 
gentleman from North Carolina.
    Mr. Dacey. I think it is important that a good foundation 
be established on which to build the future efforts to provide 
security at Commerce. There is currently an IT restructuring 
plan for IT overall, as well as a task force focused on 
computer security, and those groups are to provide 
recommendations and there are to be developed policies and 
procedures.
    I think in doing so there is an excellent opportunity for 
the department to put together that strong foundation and 
support, and they should do so, including clarifying the roles 
and responsibilities of the various parties for security in the 
department, including the department-wide CIO, as well as the 
bureaus' CIOs.
    It is also important to provide accountability and make 
sure those people are accountable for providing security, and 
also in that process, address the resource issue to insure that 
there are adequate resources put to bear to address the 
security issues.
    I think now is a critical time to do that, and it is 
important to proceed in that manner.
    Mr. Greenwood. Thank you.
    Mr. Frazier, were you about to say something?
    Mr. Frazier. No.
    Mr. Greenwood. Okay. The Chair recognizes the gentleman 
from North Carolina.
    Mr. Burr. Mr. Chairman, just for clarification if I could, 
Mr. Frazier, because in my last question you said that there 
had been instances where former employees' passwords stayed 
active in you said 3 years. Are there currently any former 
employees whose passwords are still active?
    Mr. Frazier. I could not answer that, but I would make the 
assumption that the answer is yes because it is not something 
that I have monitored. If someone left yesterday, it is that 
kind of situation.
    The concern is that there is not a system in place that 
would check that with such regularity to make certain that it 
could not happen. You know, I could not say that it is, but I 
would be amazed that it is not.
    Mr. Burr. Given your role, has a recommendation been made 
for a process to be set up to make sure that those passwords 
are eliminated?
    I mean, in the private sector they are eliminated as soon 
as you utter the words, ``I am leaving.''
    Mr. Frazier. Yes.
    Mr. Burr. I think one of you alluded to that.
    Mr. Frazier. That is the recommendation that I would make.
    Mr. Burr. It has been made or----
    Mr. Frazier. It has not been made, but it is interesting 
because I think I did not think of that until literally this 
morning. We raised the concern about people who had left, and 
we brought those to the attention, and we have a recommendation 
that says, on a bureau-by-bureau basis, that says when someone 
leaves, the password should be changed.
    And the question that I have to go to to look to see if we 
have elevated that to the CIO's office so that it could become 
a department-wide policy. It has been made at bureau level.
    Mr. Burr. I think you are going to get the answer.
    Mr. Frazier. Yes, it is at the bureau level as I have 
suggested. But it surely is one that should be made at the 
department level.
    Mr. Burr. I would hope before the end of the day that 
recommendation would be made.
    I thank you for the information.
    Thank you, Mr. Chairman.
    Mr. Greenwood. The Chair thanks the gentleman and wishes to 
thank both of the witnesses for your fine work, for your 
testimony, for your continued cooperation with this 
subcommittee.
    And allow me to thank both of your staff folks, those with 
you and those not with you, for the excellent service that they 
provide to the country. This is an issue that is in some ways 
obscure, but increasingly it becomes evident that this is so 
critical to our national security and to the confidentiality 
that our citizens demanded and have a right to, and so we thank 
you for your work and the work that you will do in the future.
    And we excuse you now.
    Mr. Dacey. Thank you.
    Mr. Frazier. Thank you.
    Mr. Greenwood. And call our next witness, who is the 
Honorable Samuel W. Bodman, Deputy Secretary for the Department 
of Commerce. He is accompanied by Mr. Thomas Pyke, the Acting 
Chief Information Officer.
    Welcome, Mr. Secretary. Welcome, Mr. Pyke. Thank you for 
being with us this morning.
    You are aware that the committee is holding an 
investigative hearing, and when doing so we have had the 
practice of taking testimony under oath. Do either of you have 
objection to testifying under oath?
    Seeing no objection, the Chair then advises you that under 
the rules of the House and the rules of the committee, you are 
entitled to be advised by counsel. Do you desire to be advised 
by counsel during your testimony?
    Mr. Bodman. No, sir.
    Mr. Greenwood. The gentlemen indicate negative in that 
case.
    If you would please rise and raise your right hand, I will 
swear you in.
    [Witnesses sworn.]
    Mr. Greenwood. So swearing, you are under oath, and you may 
now give your testimony, Mr. Bodman. Thank you, again, for 
being with us.

     TESTIMONY OF HON. SAMUEL W. BODMAN, DEPUTY SECRETARY, 
 ACCOMPANIED BY THOMAS PYKE, ACTING CHIEF INFORMATION OFFICER, 
                  U.S. DEPARTMENT OF COMMERCE

    Mr. Bodman. Mr. Chairman, I appreciate the opportunity of 
being here.
    I have submitted my formal statement, and I will attempt to 
summarize it in the interest of time.
    I am accompanied today by Mr. Pyke, who is our Acting Chief 
Information Officer for the department. I will count on him for 
the answer to any technical questions that may come up, 
although he took on his role only recently. His background in 
security, I think, is notable--in particular, his having 
directed the National Institute of Standards and Technology's 
program for the development of governmentwide computer security 
standards and guidelines, which assignment he had prior to his 
becoming the CIO at NOAA.
    And then he was asked recently to take on the acting CIO 
job for the department as a whole.
    I can report to you that Secretary Evans and I are very 
concerned about the findings that have been reviewed this 
morning. I am as concerned as the committee, perhaps more so.
    I want to thank the committee, and I want to thank the GAO 
with sincerity, as well as the IG's Office for all of the hard 
work that they have done on this.
    I have had experience in my prior life of having managed IT 
security systems at both Fidelity and at Cabot Corporation, 
where I was previously employed. I appreciate the significance 
of this matter, and I hope that my previous experience will be 
of some value in dealing with these problems.
    Speaking for the Secretary and myself, we accept the 
findings of the GAO report, both specifically and as to their 
general causes. I do not have much more to say. The defense 
stipulates the evidence.
    We are here to assure you that we will work hard on dealing 
with these issues. You have alluded before to some of the 
actions that the Secretary has already taken to build a strong 
and effective IT security program.
    First, he has directed all of the Commerce agency heads to 
focus their personal attention on this matter. I think, as the 
Inspector General alluded to already, at least in the part of 
his discussion and testimony that I heard when I arrived, that 
this is really a matter of a general manager's responsibility, 
not the responsibility of the CIO. This is a general manager's 
job.
    It is my job. It is Secretary Evans' job, not Mr. Pyke's 
job. We hope to rely on him to help us get this done, but this 
is our responsibility, and frankly, I am embarrassed to be here 
in front of you to hear the nature of what we are dealing with.
    Mr. Greenwood. Mr. Bodman, how long have you been on the 
job?
    Mr. Bodman. Six days.
    Mr. Greenwood. You do not need to feel embarrassed yet. We 
will let you know.
    Mr. Bodman. I am sorry, sir, but that is just the nature of 
responsibility. We have it. It does not matter how long we have 
had it. We are here now, and it is our job. To be responsible 
for something that is in this great a difficulty is not 
something that I find a great deal of personal comfort in, 
however long I have been here.
    And I know I speak for the Secretary in this matter.
    He has ordered a department-wide IT restructuring plan. We 
referred to that. It features the department's Chief 
Information Officer, Mr. Pyke. This oversight function will 
ensure that appropriate action is taken at the agency level to 
implement new departmental IT policies.
    In the past the departmental CIO apparently had 
relatively little management authority. We believe we have 
fixed that. In the past the policy seems to have stalled at 
times when it got to the agency heads, who had in their view 
more important matters. And I believe that the new priority the 
Secretary has given to IT security will be very helpful.
    The plan also gives each of our CIOs the authority to 
manage IT security, IT planning and operations, and IT capital 
investment review. This new approach is in sharp contrast to 
the old way of doing business, and as I said before, I think it 
will be helpful.
    Third, we have established an IT security task force 
chaired by Mr. Pyke that will work under my personal oversight. 
The task force will improve our IT security by developing a 
comprehensive department-wide plan.
    The task force is made up of individuals with a lot of 
expertise in this area, including people from NIST, which has 
had a governmentwide responsibility in this area in the past.
    We have also enlisted assistance from the National Security 
Agency, and we are grateful to the NSA that they have been 
forthcoming with personnel to be helpful to us in dealing with 
these matters.
    The new task force is already at work. They have met more 
than once, and they are working on a fast track to develop an 
effective security program for the department and to identify 
actions that we should take.
    We have already received some short-term recommendations, 
and these have been implemented. We are doing the best we can 
to get on top of the things that can be dealt with immediately 
and to bring these problems to a much higher level of 
consciousness among our managers.
    Furthermore, the program development task force will 
address the assessment of risks throughout the department and 
the means for providing security commensurate with those risks. 
They will provide a road map for updating our approach to 
security problems, develop an oversight process with compliance 
testing as a key component, and plan a department-wide IT 
security awareness training program.
    The task force is also addressing the specific issues that 
have been identified, including strengthening access controls. 
You have heard extensive discussion about that. We are working 
on it.
    The problem with this area involves more of a mind set--how 
everybody in the department feels about his or her 
responsibility for security. It is a challenge to deal with 
these matters because security is a personal responsibility, 
and it is something that is difficult at times.
    I would imagine that even the Congressman may find it 
difficult at times to change your password and make sure that 
it is updated. This is a natural, human problem. Certainly I 
find it a pain in the neck to have to change a password and 
then remember what my password is.
    Mr. Greenwood. It is impossible for me to do it. That is 
why I have a 15-year-old daughter to take care of that.
    Mr. Bodman. Well, you are way ahead of me, sir.
    In any event, it is something that we believe we can and 
will get started on, and it is that factor that makes it 
difficult to forecast exactly when we will be done. I guess the 
truth is we will never be done because this has got to be an 
ongoing effort.
    The Secretary and I are committed to supporting all of 
these efforts ourselves under the leadership of our agency 
heads and our CIOs, and we think that we will get there.
    And I want to thank you all for this opportunity of coming 
here and addressing this matter relatively early in my tenure. 
And I know I speak for the Secretary, since both of us have 
come from the private sector and have managed publicly owned 
companies, in saying that we recognize the kind of 
responsibility we have for the management of these systems and 
will do our best to get on top of these problems as quickly as 
we can.
    Thank you.
    [The prepared statement of Hon. Samuel W. Bodman follows:]

    Prepared Statement of Samuel W. Bodman, Deputy Secretary, U.S. 
                         Department of Commerce

    Good morning, Mr. Chairman. I appreciate this opportunity to 
discuss the Information Technology Security Audit of the Department of 
Commerce that was recently conducted by the General Accounting Office 
(GAO). Accompanying me today is Tom Pyke, Acting Chief Information 
Officer for the Department. Although Tom took on this role only 
recently, his information technology (IT) security experience includes 
directing the National Institute of Standards and Technology's (NIST's) 
program for the development of government-wide computer security 
standards and guidelines.
    Secretary Evans and I are very concerned about the findings of this 
GAO review because much of the work of the Department on behalf of our 
citizens depends on the quality and integrity of our data and IT 
systems. We thank the Committee and GAO for bringing this serious issue 
to the attention of the Department's new leadership. Having managed the 
IT security programs at Fidelity Investments and the Cabot Corporation, 
I appreciate the critical importance of IT security, and I trust that 
my management experience in this area will be of some value in meeting 
the challenges presented by the findings of the GAO review.
    Speaking for the Secretary and myself, we accept the findings of 
the GAO report, as to both the specific weaknesses identified in the 
audit and their underlying causes. To correct these security problems 
and prevent future incidents, Secretary Evans is acting to build a 
strong and effective Commerce IT Security Program and to correct the 
technical problems identified by the GAO audit.
    First, Secretary Evans has directed all Commerce agency heads to 
focus their personal attention on establishing IT security as a 
priority. Working in conjunction with their Chief Information Officers, 
they will allocate necessary resources to assure that the Department's 
data and IT systems are protected in order to avoid data loss, misuse, 
or unauthorized access, and to assure the integrity and availability of 
Commerce data. In this connection, the Secretary has also recently 
appointed a Senior Advisor for Privacy, another area important to 
overall IT security.
    Second, the Secretary has ordered the implementation of a 
Department-wide IT restructuring plan. The plan provides the 
Departmental Chief Information Officer (CIO) with the authority to 
guide individual agency CIOs as they address IT security problems. This 
oversight function ensures that appropriate action will be taken at the 
agency level to implement new Departmental IT policies. In the past, 
the Departmental CIO apparently had little management authority, and 
policy often stalled when it reached the agencies. I believe that the 
new priority given this matter by Secretary Evans and me, our agency 
heads and our CIOs will produce positive results.
    The plan also gives each of our CIOs the authority to manage IT 
security, IT planning and operations, and IT capital investment review. 
This new approach is in sharp contrast to the old way of doing business 
in which CIOs apparently were not key members of the Commerce 
management team.
    Third, Commerce has established an IT Security Task Force, which 
will work under my personal oversight. This Task Force will improve 
Commerce IT security by developing a comprehensive, Department-wide IT 
security program. The Task Force is made up of individuals with 
expertise in IT security management, including people from NIST, which 
has a critical Government-wide role in developing standards and 
guidelines for effective IT security programs. We also have enlisted 
the assistance of the National Security Agency. We appreciate NSA's 
willingness to share its institutional knowledge and leadership in this 
field as part of the Task Force.
    The new Task Force is already working on a fast track to develop an 
effective IT Security Program for the Department and to identify 
actions that Commerce should take quickly to bolster its IT security 
posture. These recommendations for short-term action will be made in 
the context of the Corrective Action Plans already developed by 
Commerce agencies in response to specific concerns identified in the 
GAO review.
    Furthermore, the program developed by the Task Force will address 
the assessment of risks throughout the Department and the means for 
providing security commensurate with those risks. The Task Force will 
provide a roadmap for updating the Department's IT security policies, 
develop an oversight process with compliance testing as a key 
component, and plan a Department-wide IT security awareness training 
program.
    The Task Force is also addressing specific issues, including 
strengthening access controls for the Department's IT systems, 
segregating assigned duties consistent with mitigating risk, and 
developing policies and procedures for authorizing, testing, reviewing 
and documenting software changes prior to implementation. Special 
attention is being given to network security, an area the GAO audit 
singled out in light of the Department's reliance on network 
connectivity to carry out its mission. The Task Force is designing 
recovery plans for the Department's sensitive systems; developing a 
Department-wide IT security incident detection and response process; 
and looking at other areas essential to a comprehensive Commerce IT 
Security Program.
    The Secretary and I are committed to supporting the efforts of the 
Commerce IT Security Task Force and to implementing its recommendations 
throughout the Department. Under the leadership of our agency heads and 
our CIOs, and guided by the efforts of this Task Force, we are 
confident that we are moving in the right direction, and that the 
Department's IT security program will be effective.
    Again, thank you for this opportunity to discuss the IT security 
initiatives underway at the Department of Commerce. Secretary Evans and 
I appreciate that effective IT security is vital to the Department's 
mission, and I am pleased that this important issue is among the first 
I have devoted my time and attention to after having been sworn in last 
week. I would be pleased to respond to any questions you may have.

    Mr. Greenwood. Thank you very much, Mr. Bodman.
    We are delighted to have you here. We are delighted to see 
the prompt response to an issue that this subcommittee thinks 
is crucial to our Nation's security, and we are very optimistic 
that in the short time you have been here you have recognized 
this problem, grappled with it, and are prepared, you as well 
as the Secretary, prepared to move the department in the right 
direction.
    Let me ask you a question. GAO notes in its testimony that 
IT management at the department has been very decentralized 
over the years, 14 different data centers, 20 independently 
managed E-mail systems, hundreds and possibly thousands of 
separate networks managed by individual bureaus or offices 
within bureaus and lots of different connections to the 
Internet, so much so that we are still not sure the department 
even knows about all of them.
    How would the reforms you have discussed this morning 
address what appears to be one of the fundamental problems 
preventing the department from implementing an effective 
security program?
    And, Mr. Pyke, if you would like to comment, you can do so 
as well.
    Mr. Bodman. Well, let me comment generally, and then I will 
ask Mr. Pyke to give you more factual information.
    First of all, I think that is an accurate statement. We 
have a very formidable task to bring to ground the management 
of the information systems that currently reside within the 
Commerce Department.
    The Commerce Department is difficult enough to manage 
because of the highly disparate nature of the various bureaus 
that reside therein. On top of that, we have a set of systems, 
most of which are interrelated, that have grown a bit like 
Topsy over the years and that do not use a common approach.
    And so we have had a department-wide effort to try to bring 
more common systems such that they can be managed in a more 
reasonable way, and that has been underway for some time.
    I will ask Mr. Pyke to speak to that.
    So we think that the competence and capability of this task 
force will enable us to start getting our arms around this 
issue, but I would be misrepresenting the facts if I were to 
tell you that we were going to be done in any short period of 
time. This is a long-time fix, and it will require our 
attention over many years, and we expect to put a program in 
place initially led by Mr. Pyke, and I hope led by him for many 
years, that will deal with it.
    Tom, do you want to speak to that?
    Mr. Greenwood. Let me insert another question, Mr. Pyke, 
that is related to that so that maybe you can answer both at 
the same time.
    And that is can you describe the number of Commerce 
personnel in these bureaus and at headquarters that are 
dedicated to computer security and their level of training and 
other job duties? So when you talk about what you are going to 
be able to do, also if you could tell us how well equipped you 
are in terms of person power.
    Mr. Pyke. Thank you, Mr. Chairman.
    The CIO management structure that has now been put into 
place and empowered by the Secretary and the Deputy Secretary, 
which includes the department level CIO and CIOs for each of 
the Commerce agencies, is now in the position to get on top of 
the extensive IT systems and networks that the department has. 
It is going to take a while to bring the necessary discipline 
in the area of IT security into the management of all of those 
systems and networks.
    It is important that at the departmental level we provide 
suitable guidance that is generic and strong guidance that 
provides a basis for the individual bureaus or agencies to get 
moving and to devote the necessary resources to IT security.
    As the Deputy Secretary said, the department's mission is 
broad, and the various agencies have diverse activities. And so 
it is important that each one of them have a CIO leader who I 
work very closely with, who is in a position to address the 
specific kinds of issues relative to IT security and IT 
management in general, on a continuing basis, that relate to 
that agency's mission and the kinds of systems they have.
    At the present time, we have a very small number of people 
at the department level devoted to IT security. We are 
increasing that number of people and the amount of contract 
support very substantially very fast.
    As was mentioned in earlier testimony, basically up until 
very recently we had a single person and a couple of 
assistants, and we are moving very fast now to bring on 
additional people and have already begun doing that.
    At the bureau level, some of the bureaus have a significant 
staff. At NOAA, for example, there are several people, about 
three government folks and several contractor folks who spend 
full-time on IT security, and there are dozens of others across 
the bureau that spend a lot of their time on IT security.
    One of the things we are going to be doing is to make sure 
that each of the bureaus has an appropriate number of 
individuals who devote their time to IT security and to 
managing the program and making sure all of the technical 
processes are in place.
    Mr. Greenwood. Let me ask you kind of an organizational 
chart question, a twofold question.
    First off, looking at your position, describe if you would 
all of your responsibilities to the extent that this computer 
security is a subset of your total duties. Do a similar 
explanation for us for the CIOs of the different bureaus, and 
then if you could explain to me, so I am interested in to what 
extent this is a subset of their duties, and explain to me what 
is changing, if anything, in terms of your ability to directly 
command, if you will, activities on the part of the CIOs at the 
various bureaus.
    Mr. Pyke. First, the general role of the CIO at the 
department level is to oversee all of the department's 
information technology activities, both its planning, 
development of policy at the departmental level, providing 
guidance relative to procedures, standards, and guidelines that 
need to be administered on a department-wide level, to monitor 
the compliance of the entire department, all of the bureaus 
with the policies, with the standards, with the guidelines.
    And with regard to IT security, that includes actually 
conducting compliance testing, including penetration testing of 
a kind similar to what both GAO and the Inspector General's 
Office have been doing, and in fact, that function we expect to 
be carried out also at the Bureau level.
    The planning functions of the CIO at the department level, 
as well as at the bureau level, include systematic review of 
proposals for new expenditures in IT, budget initiatives, 
review in terms of all the way from return on investment to 
consistency with our IT architecture, which guides our planning 
and guides our implementation of systems, to the plans for 
operating the systems and plans for implementing them, and 
nothing gets through our review without an IT security plan 
being an integral part of each proposal.
    We also carry out control reviews of ongoing information 
technology projects and programs across the department, and we 
are involved in evaluating after the fact how development 
efforts have gone and putting that information in the hands of 
the bureaus to build on.
    So at the department level it is policy, procedures, 
guidance, compliance testing. At the bureau level the CIOs also 
are responsible for any specialized policy guidance that is 
necessary, procedures that may be unique to the bureaus, with 
oversight of the operations of IT within each of those 
information technology computer systems and networks within 
each of the bureaus, and with making sure that the policies and 
procedures that are provided at the departmental level, and in 
part, provided on a Federal Government-wide level, are 
followed.
    We expect that the bureau CIOs will include compliance 
testing as part of their portfolio, too, and so what we will be 
doing at the departmental level will be to oversee them and, on 
a sampling basis, analogous to what the IG and what the GAO 
have been doing----
    Mr. Greenwood. So it will be your responsibility to make 
sure the CIOs and the bureaus have the resources they need so 
that the buck will to some extent stop with you. If a bureau or 
CIO says, ``I am sorry that we are not doing the things that we 
should be doing. We do not have the resources,'' that is when 
they call you back, and then that is when Mr. Bodman decides 
whether he is embarrassed again.
    Mr. Pyke. Yes, except this time we have two things in 
place. No. 1, we have this strong directive from the top to the 
agency heads themselves to get on top of IT security and to put 
the necessary resources into it, and this should be a big help 
to each of the CIOs and provide their marching orders basically 
from the top.
    Second, you asked about the reporting relationship a moment 
ago. Each of the CIOs in the bureaus, each of those CIOs have a 
dual reporting responsibility. They report first to their 
agency head or the deputy head, and they also report to me. 
They also report to the Commerce CIO.
    And in fact, when it gets to the end of the year, I have a 
cut at their performance evaluation in collaboration with their 
line manager. So they receive guidance from the CIO. They 
receive direction from the CIO. They are evaluated, in part, in 
their performance through the CIO. And I'm in a position to 
help them get the resources they need.
    But the person in charge of the resources when it comes 
right down to it is their agency head, and the agency head has 
now received appropriate direction.
    Mr. Bodman. If I could add.
    Mr. Greenwood. Please, sir.
    Mr. Bodman. At the risk of contradiction, the buck stops at 
the Secretary. The buck stops with me, and it is our 
responsibility, and that is how every general manager must feel 
in order to make this work.
    And this system that has been put in place calls for this 
dual reporting that Mr. Pyke has referred to quite correctly, 
and it is the only way that I am aware of, at least from my 
prior experience, when you have a crucial staff function to 
have it work, whether it is financial reporting, whether it is 
safety management, whether it is environmental management. It 
has to be handled at the local basis with an empowered 
individual who works for the local management, but who is 
audited and advised by a central, capable person. That is Mr. 
Pyke.
    And we believe that that dual reporting and that dual 
responsibility will work, but make no mistake. The ultimate 
responsibility, sir, is ours.
    Mr. Greenwood. Very well. I appreciate that.
    I would like to ask about the broader question, Mr. Bodman, 
of critical infrastructure. This will be my last question, and 
just for your information, we are aware that you have a 
commitment at noon.
    Mr. Bodman. Thank you, sir.
    Mr. Greenwood. And we will get you out of here in about 15 
minutes at the most.
    As I understand it, the department has assigned one person 
at the headquarters level to work on these critical issues with 
little or no support or funding to oversee the bureau's efforts 
to identify, assess, and then fix vulnerabilities in its 
critical systems.
    As you know, the IG issued a report last year on this topic 
which was critical of the lack of progress from the 
department's efforts to date. I want to read you some comments 
that were written by the department's CIO office in response to 
last year's IG audit of computer security policies and 
management.
    ``Given the lack of priority in funding by the Clinton 
administration in the area of critical infrastructure 
protection, we must disagree with the IG assertion that using 
information as security assessments scheduled to be performed 
on the department's critical infrastructure system would result 
in more systems being certified while realizing significant 
savings. In the event that the Bush administration raises the 
priority of critical infrastructure through the application of 
funding, we will take advantage of assessments gained through 
this avenue.''
    What do you and the Secretary plan to do about this 
important issue, given that your department has so many systems 
and assets critical to our national and economic security and 
the health and safety of our citizens?
    Mr. Bodman. Well, I cannot speak to the views of the 
previous CIO. I have never met the gentleman.
    I can tell you that the approach that we have put in place 
that I have described will, in fact, deal with these issues. I 
do believe that these are crucial. I do believe that--I am not 
quite sure I understood the quote in its entirety, but I do 
believe that the efforts that we will put in will bear fruit.
    In my view this is not so much a matter of additional 
funding. We may find that we need additional funding, but this 
is more a matter of priority. This is more a matter of 
management. This is a matter of placing importance on this 
function at the proper level so that we can deal with it. That 
is what this is about.
    I do not think it is a matter principally of money, and so 
we can count heads. We can count dollars, and we may need 
additional heads and additional dollars, but this is more about 
the people understanding that this has to be dealt with. This 
is more a matter of the bureau heads or the bureau CIOs 
understanding that we will deal with this and that we are going 
to do it.
    Tom, do you want to add?
    Mr. Greenwood. The Chair recognizes the gentleman from 
North Carolina to inquire.
    Mr. Burr. Mr. Secretary, welcome. Mr. Pyke.
    Mr. Secretary, let me thank you for one thing. I have been 
on the oversight committee for 7 years. You are the first--my 
memory is not great. I do not know if I could remember my 
password--but you may be the first; I think you are the first 
person who has testified who has ever, one, taken 
responsibility regardless of how long they have been there and, 
two, not used funding as a reason why it could not be 
accomplished.
    So if you keep those two things in the right perspective, I 
have more confidence in any answer you can give me that we will 
make tremendous progress at closing some of the problems that 
we have got.
    Mr. Bodman. Thank you, sir.
    Mr. Burr. Let me ask you two fairly lengthy questions, and 
my purpose for doing it is that these might be areas that you 
have not looked at, and I would be remiss if I did not double 
check with both of you to ask on that short term list. Did 
password management make it on that list today?
    From the conversation I had with Mr. Frazier, is password 
management now on that very quick to do list?
    Mr. Bodman. Yes, it did. It sure did.
    Mr. Burr. Thank you.
    Mr. Bodman. Today it will be done.
    Mr. Burr. Let me discuss and focus on BXA for a minute, 
which is one of the more sensitive bureaus within the 
department and the subject of negative audits by both the IG 
and GAO.
    The IG issued a report in June 1999 regarding BXA's 
management of its computer system, particularly the ECASS 
system, which is the export control licensing system. At that 
time the IG found that BXA did not have a security plan for the 
system. The risk assessment was 5 years old, and BXA had not 
conducted a security review of this system since the last Bush 
administration, all of which had long been required under 
Federal law and under the policy directives.
    And let me say my understanding of ECASS, given the nature 
of the licensing process that goes on, is that other agencies 
with direct interest in that process would be electronically 
linked: Department of Defense, the State Department, possibly 
the intelligence community.
    I won't ask you to assess whether that system is air gapped 
in any way, but I would have some belief that it is probably 
not from some of the things that I have heard today. Therefore, 
I would think that it is very susceptible to a potential entry 
point that sends them into some of the most sensitive areas 
singularly through the ECASS system.
    In response to the department's pledge to undertake those 
efforts promptly, yet as I understand GAO found the same things 
with respect to the ECASS nearly 2 years later: still no 
security plan, no risk assessment, and no security review 
conducted.
    Do you know why these issues weren't addressed by now? And 
how can we be confident that the department will take seriously 
these issues in the future?
    Mr. Bodman. First, I can tell you that we take it 
seriously. We take it so seriously that I am going to ask Mr. 
Pyke to give you a detailed answer rather than my trying to 
paraphrase what he told me before we walked in here.
    Mr. Burr. Thank you.
    Mr. Pyke. Mr. Burr, the problems with ECASS and Bureau of 
Export Administration are being addressed, and they will be 
addressed even more intensively as we get the strengthened IT 
security program in place. As GAO conducted its audit, as they 
made specific findings of weaknesses, attempts were made on the 
spot, in a very short period of time, to correct those specific 
findings.
    The bureau has also prepared and put in place a corrective 
action plan that has attempted to address, either already in 
many cases, but certainly very quickly, all of the specific 
issues that GAO identified.
    As a part of the task force effort that we have now put in 
place at the department level, we are not only looking 
generically at computer security and all of the elements of a 
complete program, but we are looking at all of the specific 
findings of GAO and of the Inspector General over the last 2 to 
3 years, to generalize on those, and to provide very quick 
advice and guidance to the bureaus, including the individuals 
in BXA responsible for ECASS.
    So all of the findings in each of the agencies can be 
responded to in a general sense by all of the bureaus. All of 
this is being applied toward ECASS, and I can assure you that 
attention is being given by the CIO in BXA and by us to the 
special concerns that have been expressed about ECASS, and some 
steps have already been made, as I say, some steps, and we will 
work with them to make sure that things are completely taken 
care of in an appropriate way and that adequate protection is 
in place relative to the risks that they are confronted with.
    Mr. Burr. I appreciate that answer, and I think you 
understand the sensitivity of where someone might venture if, 
in fact, the correct level of security does not exist within 
that system.
    Mr. Bodman, I note that NIST computer security personnel 
played a prominent role in your new task force, but I cannot 
help but be concerned about that, given that despite it, its 
purported role is the government's expert on computer security.
    NIST itself fared rather poorly in the recent IG 
penetration test and was the subject of a repeat finding in 
1999 and 2000 regarding the lack of security plans for its 
system.
    In addition, the self-assessments that were performed by 
the bureau last year revealed that NIST was just as bad, if not 
worse, than most of the bureaus when it came to complying with 
the Federal guidelines on computer security, including those 
that NIST itself had crafted.
    Should we be concerned? If we were concerned before this 
hearing, should we be concerned after this hearing?
    Mr. Bodman. That is not one I am going to burden Mr. Pyke 
with answering since at one point in his life he was 
responsible for the information operations at NIST.
    Mr. Burr. That is why I directed the question to you.
    Mr. Bodman. I think it is entirely consistent with what we 
have been saying. This is not a problem with technology. This 
is a problem with management. This is a problem with priority.
    And to the extent that this becomes a matter that the 
bureau manager feels a responsibility for, then it will be 
dealt with, and to the extent that it is not something that the 
bureau leadership feels responsible for, it will not be dealt 
with because it is not something that the human being naturally 
does.
    This is something that is easily ignored, just given the 
nature of the fact that we all like to do something. We all 
have our own jobs. The thing that gives me great pleasure each 
day is not worrying about my password management. I have other 
things that I like to do that I am, I think, a little better at 
since I seem to have difficulty remembering the password from 
time to time.
    And so I think the fact that we are using the technical 
skills at NIST as a part of this is entirely understandable and 
bears no relationship to how that particular agency was 
evaluated with respect to the management of its information.
    Mr. Burr. I thank you for that answer.
    As a member of this committee, my goal every year is the 
hope that I will not see the same witnesses on the same issue 
at any point in the future. That goal has not been fulfilled 
yet, but I have reason to believe that as it relates to the 
security issue and you being here, this might be the last time 
that we have this conversation, unless it is to report on the 
progress that you have made.
    I thank you.
    Mr. Bodman. I thank you, sir.
    Mr. Burr. Thank you, Mr. Chairman.
    Mr. Greenwood. I thank the gentleman.
    And on that point, the report on progress, might we expect 
a report in 6 months from the department as to how you have 
responded to these issues?
    Mr. Bodman. We would be happy to report, sir, whenever you 
wish.
    Mr. Greenwood. Okay. We appreciate that.
    Again, thank you for your presence, for your testimony, for 
your good work. Welcome to Washington, and we look forward to 
working with you on a number of issues.
    Thank you again.
    Mr. Bodman. Thank you very much.
    Mr. Greenwood. This hearing is adjourned.
    [Whereupon, at 11:45 a.m., the subcommittee was adjourned.]
    [Additional material submitted for the record follows:]
