[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
EXAMINING SECURITY AT FEDERAL FACILITIES: ARE ATLANTA'S FEDERAL
EMPLOYEES AT RISK?
=======================================================================
HEARING
before the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
APRIL 30, 2002
__________
Serial No. 107-82
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
__________
U. S. GOVERNMENT PRINTING OFFICE
80-883 WASHINGTON : 2002
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York           HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland         TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut         MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida           EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York               PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California               PATSY T. MINK, Hawaii
JOHN L. MICA, Florida                  CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia              ELEANOR HOLMES NORTON, Washington, DC
MARK E. SOUDER, Indiana                ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio             DENNIS J. KUCINICH, Ohio
BOB BARR, Georgia                      ROD R. BLAGOJEVICH, Illinois
DAN MILLER, Florida                    DANNY K. DAVIS, Illinois
DOUG OSE, California                   JOHN F. TIERNEY, Massachusetts
RON LEWIS, Kentucky                    JIM TURNER, Texas
JO ANN DAVIS, Virginia                 THOMAS H. ALLEN, Maine
TODD RUSSELL PLATTS, Pennsylvania      JANICE D. SCHAKOWSKY, Illinois
DAVE WELDON, Florida                   WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                     DIANE E. WATSON, California
ADAM H. PUTNAM, Florida                STEPHEN F. LYNCH, Massachusetts
C.L. "BUTCH" OTTER, Idaho              ------
EDWARD L. SCHROCK, Virginia            BERNARD SANDERS, Vermont (Independent)
JOHN J. DUNCAN, Jr., Tennessee
JOHN SULLIVAN, Oklahoma
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
C O N T E N T S
----------
Hearing held on April 30, 2002
Statement of:
    Malfi, Ronald, Acting Managing Director, Office of Special
      Investigation, General Accounting Office; John Cooney,
      Special Agent, Office of Special Investigations, General
      Accounting Office; Patrick F. Sullivan, Assistant Director,
      Office of Special Investigations, General Accounting
      Office; Wendell C. Shingler, Assistant Commissioner, Office
      of Federal Protective Service, General Services
      Administration; and Sabina Sims, Director, Office of
      Federal Protective Service, GSA Region 4
Letters, statements, etc., submitted for the record by:
    Barr, Hon. Bob, a Representative in Congress from the State
      of Georgia, prepared statement of
    Malfi, Ronald, Acting Managing Director, Office of Special
      Investigation, General Accounting Office, prepared
      statement of
    Shingler, Wendell C., Assistant Commissioner, Office of
      Federal Protective Service, General Services
      Administration, prepared statement of
EXAMINING SECURITY AT FEDERAL FACILITIES: ARE ATLANTA'S FEDERAL
EMPLOYEES AT RISK?
----------
TUESDAY, APRIL 30, 2002
House of Representatives,
Committee on Government Reform,
Atlanta, GA.
The subcommittee met, pursuant to notice, at 10:30 a.m., in
the Summit Building, 401 West Peachtree Street, Atlanta, GA,
Hon. Bob Barr (vice chairman of the committee) presiding.
Present: Representatives Barr and LaTourette.
Staff present: Daniel R. Moll, deputy staff director;
Robert A. Briggs, chief clerk; Susan Mosychuk, counsel; and
David Rapallo, minority counsel.
Mr. Barr. I hereby convene this hearing of the Committee on
Government Reform of the U.S. House of Representatives open.
The focus of the hearing will be to examine security at Federal
facilities, are Atlanta's Federal employees at risk.
The events of September 11, 2001 have focused our attention
on a frightening reality. Even our most sacred institutions are
vulnerable to attack. Terrorists do not engage in conventional
warfare.
While terrorists may attack or threaten our military, the
most tempting terrorist targets of choice are innocent and
unsuspecting civilians. They use fear as a weapon, and will go
to whatever extreme to heighten the shock effect.
Terrorists also seek to exploit environments that are a
normal part of our daily routine. They aim to take out large
numbers of victims to generate high media attention, and
engender mass panic and public anxiety. What better targets
than high profile landmarks and government institutions.
Government buildings are among the most visible
institutions in our society by design, and selecting them for
attack serves a very distinct purpose. When they attack these
institutions the terrorists not only kill, maim, and destroy,
but also instill fear that our government is unable to protect
us. When terrorists attack, they are always trying to catch
their victims in situations where they would otherwise feel
safe. How safe are we in our Federal buildings?
The September 11th terrorist attacks in New York and at the
Pentagon prompted immediate security crackdowns in Washington,
DC, including the closing of streets, bolstering the security
presence at Federal buildings, and curtailing visitor access to
government compounds and buildings. Securing Federal buildings
in the Nation's Capital is clearly of vital importance.
However, we must not overlook the quality and effectiveness of
security in all buildings and facilities occupied by Federal
employees and visitors in every major city and across the
Nation.
Congress and the Federal Government had the opportunity to
lead by example working with the District of Columbia, local
business leaders, and concerned citizens to meet security needs
without necessarily impeding the city's or the government's
ability to go about its daily business in the Capitol.
Despite the workable security measures deployed at Federal
facilities in Washington, DC, many local Federal agencies have
not addressed, or remain unable to address security needs in
the aftermath of last year's terrorist attacks. Many media
outlets reported that security procedures at Federal agencies
varied tremendously in both process and effect throughout the
country. Inconsistent and vague security procedures at our
Federal facilities leave thousands of Federal employees,
visitors, and constituents highly vulnerable and at risk. The
extent to which our government buildings are vulnerable to
attack should concern not only the Federal employees of these
buildings, but every family member of these employees, any
member of the general public visiting these buildings, and any
individual or company that conducts business with an agency
housed in one of these buildings. In other words, this concerns
every member of our community.
Building security is not just about securing the physical
structure itself; it is about protecting the lives and
livelihood of everyone and everything in these buildings.
Consider for a moment the repercussions of a terrorist
attack at the IRS service center here in Atlanta. The building
which you can see a picture of here houses 3,000 occupants and
is the main processing center for the entire Southeast Region
of the United States. The human toll would be staggering, and
the financial impact devastating.
Or consider the repercussions of a terrorist attack at the
Sam Nunn Federal Building. Look at the sheer numbers of
employees and the variety and importance of the government
agencies that would be directly affected.
Today representatives from the General Accounting Office,
Office of Special Investigations [OSI], will provide testimony
on the results of a recently completed investigation. At the
request of this committee the investigators tested security
measures at five Federal office buildings in the Atlanta area,
which has one of the largest Federal presences outside of
Washington, DC.
Acting in an undercover capacity investigators were able to
gain unauthorized access to every secured government building
they attempted to penetrate. Not only were the investigators
able to gain unauthorized access to these buildings, they
gained access which allowed them unfettered admission to any
areas of the buildings day or night.
The ease whereby the investigators were successful is
shocking. A simple pretext was concocted and easily carried
out, allowing agents to obtain building passes. In fact, they
were able to obtain passes which denote the bearer as being
authorized to carry firearms. This building pass allowed them
to move freely about, and extensively bypassing magnetometers
and x-ray machines. They even obtained an after-hours access
code allowing them to enter the facilities after security
personnel had gone home.
By employing a few simple tactics and off-the-shelf
technology investigators thwarted the security in such a manner
that weapons, explosives, nuclear, chemical, or biological
agents, listening devices, and other life-threatening or
hazardous materials could have easily been carried into and
left throughout these Federal buildings. They were given in
effect the keys to the kingdom. In the words of the
investigators, they owned those buildings.
At a time when Federal facilities are operating under the
highest level of security, these undercover investigators were
able to freely enter the buildings without proper
identification or authority carrying packages which had not
been scanned or inspected.
The problem is not isolated to the Atlanta area alone. The
Department of State in Washington, DC, recently had to overhaul
its security operations following a string of serious breaches
compromising classified information.
It had been an open secret that security was lax at State.
In fact, in late 1998 an unidentified man in a brown tweed
jacket entered then Secretary of State Albright's executive
suite and carried out unchallenged a pile of classified
documents. He was never seen again.
We no longer live in an environment in which we can afford
such a casual attitude toward security and safety. All
principal personnel must stress the importance of security, and
combat perceived weaknesses in the security culture, and proper
measures must be demanded and enforced.
Beyond that, there are specific areas in which we can focus
with regard to security personnel, training, and equipment.
Following numerous security reviews, inspections, and reports
one major area for reform at the State Department was
tightening controls of the State Department building passes. At
the time there were 33,000 State Department passes with 2,000
per year completely lost. Diplomats kept their passes even when
stationed overseas, making those passes prime targets for theft
or misuse.
Given the potential threat, State Department began a
process of redoing all building passes, deactivating those of
former employees, and making the process of obtaining them much
tougher.
Implementing security procedures with the aim of thwarting
any and every conceivable infiltration would be impractical. To
do that would make daily operations of our government agencies
impossible. However, we can, and should, and must make
buildings both safe and accessible by consistently following
guidelines, deploying appropriate technology, and employing
basic common sense.
We must take a rational approach to security to ensure
safety concerns are addressed in a manner that does not make
things worse. We cannot allow terrorism to destroy our sense of
community or the ability of the institutions that run our
government to serve us.
Understanding the nature of terrorist attacks and how
terrorist organizations operate helps us prepare and prevent
future attacks. We can regain control and eliminate fear by
taking proactive steps to avoid falling victim.
I thank the witnesses that will be appearing here today,
and look forward to working with them and others on a
subsequent legislative remedy to provide an oversight remedy to
provide security procedures at our Federal installations.
While the results of this current investigation are
frightening, we hope the steps taken in response will be
reassuring in both effect and perception.
[The prepared statement of Hon. Bob Barr follows:]
Mr. Barr. I would like to now turn to my colleague from the
State of Ohio, a senior member of our Government Reform
Committee, Steve LaTourette.
Mr. LaTourette. Thank you very much, Chairman Barr. And
first of all thank you for inviting me to Atlanta. And second I
want to commend Congressman Barr for the leadership that you
and the chairman of our full committee, Dan Burton of Indiana,
have demonstrated in dealing with the security of the Federal
buildings, this particular issue, and you in particular because
of your concern for the men and women that work in the
buildings in Atlanta, Ga.
As you correctly point out in your opening remarks the
security of the Federal work force and those who visit the
Federal buildings in the United States is of vital concern to
the government. In 1995 one of the shocking revelations that
came to our attention after the bombing of the Murrah Federal
Building in Oklahoma City was that there was one contract guard
assigned to three different buildings on that occasion, and
clearly security was not where we needed to be in 1995. I think
many of us hoped that in the years between 1995 and certainly
2002 improvements have been made.
The report that we are here to talk about today is
disturbing. Although the agents that we will hear from are
certainly skilled at what they do, the ability to completely
breach the buildings in Atlanta, GA I think is incomprehensible
in the wake of September 11th.
Hopefully this hearing and other hearings like it will help
assist not only the agencies in charge of the security, but
also the Congress and the administration reach some conclusions
that can make these buildings safer.
One of the other happy tasks that I have in the Congress is
chairing the Public Buildings, Economic Development, and
Emergency Management Subcommittee of Transportation and
Infrastructure that has concurrent jurisdiction over some of
the issues that we are going to be talking about today, and the
good news is that legislation relative to the Federal
Protective Service is in fact moving through that committee,
and one of the alarming notes I would say is that we appear to
be going backward. When we talked to Steve Perry, the
administrator of the General Services Administration, the goal
was to beef up the Federal Protective Service work force from
600 full-time employees to 900, and what we have seen instead
according to Mr. Perry is that they have gone down to 450, and
the reason being--and we must bear some of that
responsibility--is that there is about a $10,000 starting
salary differential between what someone for FPS can make and
what someone can make working for the Capitol Hill police
department. So that is an example of some of the things that we
are going to have to take a look at in the Congress.
The other thing that the hearings revealed on this
particular issue is that the training received by the contract
guard authorities utilized by GSA do not receive equivalent
training to those who are employed as police officers in my
home State of Ohio or here in the State of Georgia, and
training is something that we also have to emphasize.
And last, I am not a big believer in gotcha anything, but I
did read the report, I read the recommendations following the
briefing of the GAO officers, and one of the recommendations
was that there be at least three people stationed by the
magnetometers, and during our break I went outside to engage in
one of the few vices I am allowed, and that is to have a
cigarette, and I came back in through the building and there
were only two stationed at the magnetometer that I entered, and
I am also today in possession of two visitors passes permitting
me access to this building, and it seems to me that we can
address that during the hearing as well to determine how that
could be.
I thank you very much.
Mr. Barr. Is that in case you lose one?
Mr. LaTourette. I do not know if it is in case I lose one,
or in case I have another visitor I want to bring with me.
I appreciate very much the opportunity to be here today,
and I thank you again for your leadership.
Mr. Barr. Thank you very much.
For those unfamiliar with hearings conducted by the
Government Reform Committee, basically what we will do now is
we will swear in the five witnesses, and we will hear from each
one of them if in fact each one of them wishes to make an
opening statement for the record. If there is any additional
material that any of our witnesses seeks to be made a part of
the record either in more extensive opening statement or
additional material that might come to light, or be relevant
based on subsequent questions, the record will remain open for
10 days for the submission of any additional material.
Following the opening statements of witnesses, Mr.
LaTourette and I will ask questions. If counsel has any
additional questions, she will ask questions as well. And then
we will conclude the hearing.
At this time if the five witnesses would stand, please, to
be sworn. If you would raise your right hands.
[Witnesses sworn.]
Mr. Barr. Let the record reflect that all witnesses
responded in the affirmative. Thank you, and please be seated.
We have five very distinguished witnesses here today, all
of whom have the same goal in mind that we on this committee
do, and that is to provide the very best security for not just
the Federal buildings and Federal employees and their families,
but all who visit, come in contact with, or have an interest in
our Federal Government, and we appreciate each one of them
being with us today to assist us in our oversight
responsibilities to ensure this vital function of our Federal
Government is carried out, and to hear from them not only with
regard to what steps they have and believe ought to be taken,
but ways in which we in the Congress might help. As Mr.
LaTourette mentioned, we in the Congress have a responsibility
to make sure that the laws reflect the needs of our Federal
agencies and our Federal officials, and also that the funds
necessary to carry out those functions are made available. So
this is very much a team effort, and we appreciate again the
witnesses being with us today.
The witnesses that we will hear from today--I believe there
is a witness list available in the back of the room--we will
hear from in the following order.
Mr. Ronald Malfi, the Acting Managing Director, Office of
Special Investigations, General Accounting Office. He has
extensive background which he is certainly free to go into to
establish his bona fides in the Secret Service.
Also then testifying second will be Mr. Patrick Sullivan,
the Assistant Director, Office of Special Investigations for
the General Accounting Office, also with extensive background
in law enforcement and particularly with the Secret Service;
and finally testifying on behalf of GAO will be Mr. John
Cooney, Special Agent, Office of Special Investigations,
General Accounting Office, with a similar and very extensive
and distinguished background in Federal law enforcement.
We will then hear from Mr. Wendell Shingler, the Assistant
Commissioner of the Office of Federal Protective Service [FPS],
of the General Services Administration. The General Services
Administration is generally known as the government's landlord.
It is the responsibility of GSA to maintain thousands of
Federal buildings all across the country, including many of
those here in the Atlanta area.
And finally testifying will be Ms. Sabina Sims, the
Director of the Office of Federal Protective Service for GSA
Region 4 which includes as its center Atlanta, GA.
With that introduction, Mr. Malfi, the floor is yours to
make an opening statement, and if you would basically lay out
the parameters of why your agency got involved in this
investigation and how you carried it out.
STATEMENTS OF RONALD MALFI, ACTING MANAGING DIRECTOR, OFFICE OF
SPECIAL INVESTIGATION, GENERAL ACCOUNTING OFFICE; JOHN COONEY,
SPECIAL AGENT, OFFICE OF SPECIAL INVESTIGATIONS, GENERAL
ACCOUNTING OFFICE; PATRICK F. SULLIVAN, ASSISTANT DIRECTOR,
OFFICE OF SPECIAL INVESTIGATIONS, GENERAL ACCOUNTING OFFICE;
WENDELL C. SHINGLER, ASSISTANT COMMISSIONER, OFFICE OF FEDERAL
PROTECTIVE SERVICE, GENERAL SERVICES ADMINISTRATION; AND SABINA
SIMS, DIRECTOR, OFFICE OF FEDERAL PROTECTIVE SERVICE, GSA
REGION 4
Mr. Malfi. Thank you. Mr. Chairman, members of the
committee. We are here today to discuss the results of our
tests of security measures at Federal office buildings in the
Atlanta, GA area. Specifically you asked that special agents of
the Office of Special Investigations acting in an undercover
capacity attempt to gain unauthorized access to secure
facilities in such a manner that weapons, explosives, chemical/
biological agents, listening devices, or that hazardous
materials could have been brought into these facilities.
During February and March 2002 our agents breached the
security at four of the Federal office buildings that we tested
in the Atlanta area by entering these buildings without proper
authority, carrying a briefcase or package, and bypassing the
magnetometers and x-ray machines. They were able to move freely
and extensively throughout these facilities during both day and
evening hours, and were not challenged by anyone. Our
undercover agents could have carried in weapons, listening
devices, explosives, chemical/biological agents, or other such
items.
All buildings required screening of visitors and valises,
for example briefcases and baggage, which included the use of
magnetometers and x-ray machines at security checkpoints.
The buildings required the wearing of either a blue pass or
a yellow pass for identification of employees working in these
buildings, which allowed them to bypass the magnetometers and
x-ray machines.
The blue pass could also have an additional feature added
to it that would denote the bearer as being authorized to carry
a firearm. All passes included photo identification, and had
holograms on them, but were worn inside plastic pockets that
could partially obscure the hologram as well as the bearer's
photograph.
Mr. Barr. Excuse me, Mr. Malfi. Do you have a couple of
those badges we could look at while you are testifying?
Mr. Malfi. Yes, I do.
One of the badges that you are going to be getting, sir, is
the genuine, and one is the counterfeit badge. The genuine
badge has the holograms that are easily seen when they are
reflected off the light.
Mr. Barr. This one?
Mr. Malfi. That is correct. The other is a counterfeit
badge.
Mr. Barr. And they were put in these plastic pouches?
Mr. Malfi. That is how they were handed out. When the
building passes were given out, these plastic pouches came with
the passes. And you will note one side of the plastic is clear,
the other side is opaque, and we put the photograph, the
building pass with the photograph and the hologram in the
opaque side to obscure it.
Mr. Barr. Without going into--and I do not want you to
disclose particularly sensitive investigative techniques here--
would you describe what a pretext is?
Mr. Malfi. Basically a pretext is a ruse that we concocted
in order to allow ourselves to get into the building and to
meet with GSA people who were issuing the passes.
Mr. Barr. A story?
Mr. Malfi. It is a story, a fabricated story to give the
people a reason as to why we needed these passes.
Mr. Barr. Was there anything particularly complex about
that story? Could anybody have made something up?
Mr. Malfi. That is correct. We used one ruse; we could have
used one of many ruses to get into the building in order to
obtain a building pass.
Mr. Barr. Thank you.
Mr. Malfi. You are welcome.
I am going to go into how we exactly breached the security
of these buildings.
In early March using a pretext for gaining access, an agent
who had no building pass entered one of the buildings carrying
a briefcase, bypassing the magnetometer and the x-ray machines.
He met with the General Services Administration employee
responsible for issuing building passes, and obtained a yellow
building pass and an after-hours access code for that building.
The next day the same agent entered another building
carrying a briefcase. He showed his yellow pass and stated that
he wanted to obtain a blue pass for that building, and bypassed
the magnetometers and the x-ray machines based on the strength
of the yellow pass.
Mr. Barr. Do you have that yellow pass, please?
Mr. Malfi. Yes.
He then met with the GSA contract employee responsible for
issuing building passes, and based solely on the strength of
having a yellow pass obtained a blue building pass and an
after-hours access code to two of the subject buildings.
In addition, this agent was able to obtain a second feature
on the blue building pass that identified him as a law
enforcement officer and permitted him to carry a firearm in
those buildings.
Finally, through the use of another pretext the same agent
obtained----
Mr. Barr. Excuse me. There is a specific designation on the
badge that the folks at the building would know authorized the
bearer to carry a firearm in the building?
Mr. Malfi. That is correct. It is a little round insignia
that would notify the marshals basically that the bearer had
the right to carry a firearm.
Finally, through the use of another pretext the same agent
obtained the security guard's after-hours access code for one
of the buildings.
Mr. Barr. This would be a security code that was designated
specifically to that particular person?
Mr. Malfi. That is correct.
Mr. Barr. And he gave it to the undercover agent, yourself,
or one of your colleagues----
Mr. Malfi. That is correct.
Mr. Barr [continuing]. So that they could get into the
building after hours?
Mr. Malfi. Based again on some social engineering we had an
access code that allowed us entry to the building at night.
Mr. Barr. What do you mean social engineering?
Mr. Malfi. Basically conning the security guard into having
him reveal his access code. The importance to that would have
been that if anything would have occurred we could have used
that access code to gain entry into the buildings after hours.
If something--we could have put explosives in the building, and
basically if they would have went back and checked who entered
in they never would have even been able to check it to our
false identification. They would have wound up going back to
the guard as one of the people that gained entry into that
building that night.
Then after we received the original passes we counterfeited
both the yellow and blue building passes using commercially
available software, inserting in them the fictitious names used
by our undercover agents and their photographs in preparation
for an attempt as a group to breach the security of these
facilities.
Mr. Barr. Excuse me. In other words, the software that was
used to create the false badges is available to anybody on the
open market? It was not something that was uniquely available
to yourselves as law enforcement officials and investigators?
Mr. Malfi. That is correct. Everything that we did and we
used was available to the public. We did not use any of our
inside technology in order to enhance this operation. We wanted
to make it that anyone basically without being involved in the
law enforcement community could have accomplished what we did.
The counterfeit passes contained printed holograms on them,
not actual holograms. Had anyone made a physical inspection of
the counterfeit passes they should have been able to detect
them as being bogus.
Mr. Barr. In other words, the hologram that is available if
you look at it?
Mr. Malfi. That is correct. On the counterfeit ones we just
printed a duplicate of the hologram which did not perform the
function that a hologram does. It does not change shades when
it is exposed to the light or moved; it is flat.
Mr. Barr. And that is obvious to us, and it would have been
obvious had one of the guards checked it, just physically
looked at it for a moment?
Mr. Malfi. That is correct.
Mr. Barr. But that did not happen?
Mr. Malfi. That is correct.
Later in March other agents using the counterfeit yellow
and blue building passes entered three of the buildings
bypassing the magnetometers and x-ray machines. One of these
agents carried a briefcase. The same agents also successfully
entered these same buildings in the evening utilizing the
access codes that they previously acquired.
An agent using a counterfeit yellow building pass met with
the GSA contract employee responsible for issuing building
passes for the two buildings. Based on the strength of the
counterfeit yellow pass and a fictitious request form the agent
was issued a genuine blue building pass and an access code for
the evening entry after security check points were closed.
Additionally, one agent wore another agent's legitimate
blue pass into one of the buildings, crossed over into another
building through a tunnel, and was never challenged.
Mr. Barr. Is there a physical similarity between the person
who utilized that badge and the picture on the badge?
Mr. Malfi. Actually I used Agent Cooney's picture
identification to gain access into the buildings.
Mr. Barr. I will not ask which one of you was insulted, but
in other words you used the badge of somebody that does not
look very much like you at all, and you were not challenged?
Mr. Malfi. That is correct.
Two agents then drove to another Federal facility, and
based on the strength of a legitimate yellow pass and a
counterfeit yellow pass and a pretext gained admittance to that
building bypassing the magnetometer and x-ray machines.
Finally, after we completed our test of the security for
these buildings we met with officials from the U.S. attorney's
office, the U.S. Marshal Service, GSA, and the Federal
Protective Service, and briefed them on the results of the
security tests, identifying the weaknesses we found.
Mr. Barr. This was immediately following the conclusion of
your investigation?
Mr. Malfi. That is correct. Actually the day that I wore
the pass was the day of the meeting, so we were finished. As
soon as we finished the actual last function of the operation
we immediately had a meeting with these individuals and advised
them of the weaknesses that we found.
Subsequently, the Federal Protective Service issued a
security bulletin which addressed weaknesses we identified.
In closing, I would like to add that last week GAO's chief
technologist testified at a hearing before the Subcommittee on
Technology and Procurement Policy, House Committee on
Government Reform, concerning security technologies to protect
Federal facilities. As part of that testimony it was
acknowledged that effective security also entails having a
well-trained staff that follows and enforces policies and
procedures. It was noted that breaches in security resulting
from human error are more likely to occur if personnel do not
understand the risks and the policies that are put in place to
mitigate them. Good training is essential to successfully
implementing policies by ensuring that personnel exercise good
judgment following security procedures.
Cited as an example was our previous work where we breached
the security at 19 Federal agencies and two airports. This case
further exemplifies this point. Further, the Federal Protective
Service bulletin reinforces this point.
Mr. Chairman, that completes my prepared statement. We
would be happy to respond to any questions you have, or members
of the committee. Thank you.
[The prepared statement of Mr. Malfi follows:]
Mr. Barr. Thank you, Mr. Malfi.
Mr. Sullivan, do you have an opening statement?
Mr. Sullivan. No, sir, I do not have an opening statement.
Mr. Barr. Mr. Cooney?
Mr. Cooney. Also I have none.
Mr. Barr. You are both available to answer any questions?
Mr. Cooney. Yes, sir.
Mr. Sullivan. Yes, sir.
Mr. Barr. Mr. Shingler.
Mr. Shingler. Good morning, Mr. Chairman, members of the
committee.
I am Wendell Shingler, Assistant Commissioner of the
Federal Protective Service, General Services Administration
[GSA]. Although I am relatively new to this position, I have 30
years of security experience in progressively more demanding
positions within the Federal Government, most recently with the
U.S. Marshals Service.
I look forward to the challenges that we face, as well as
working with other Federal agencies in meeting their needs. I
am pleased to appear before you today and provide information
on the GSA's program to secure Federal buildings that it owns
or leases, and the methodology that we use to assess potential
vulnerabilities to these facilities.
GSA's Federal Protective Service [FPS] provides law
enforcement and security to over 8,000 owned and leased
buildings, and approximately 1 million Federal employees and
visitors to these facilities on a daily basis.
We are comprised of police officers, criminal
investigators, physical security specialists, and rely on the
use of nearly 7,000 contract guards to supplement our needs.
With the terrorist attacks of September 11th there is one
clear message: that there is no security silver bullet.
Security is a dynamic and ever-changing discipline. GSA's
Federal Protective Service strives to provide the safest
environment for the Federal agencies we house and the American
public that visit these Federal buildings. The threat and our
response to it changes daily.
The dedicated men and women of the Federal Protective
Service welcome that challenge, and are constantly striving to
improve our services and reduce potential threats to our
buildings. Our primary goal is to make everyone feel safe when
entering GSA-controlled buildings.
Since there is no one-size-fits-all in security to achieve
this goal, each of our facilities receives an individual
building security assessment. The building security assessment
program is designed to determine the specific security measures
needed to eliminate or reduce threats directly associated with
each individual building. Tailored security measures,
countermeasures are then recommended based on reducing or
eliminating determined vulnerabilities and threats at
buildings.
In addition, we are now working with the FBI, CIA, State
and local law enforcement agencies in sharing of intelligence
information that enables us to better assess the credibility of
those threats.
In addition to physical countermeasures such as guards,
physical barriers, alarms, cameras, x-ray machines, and
magnetometers we also provide law enforcement services. These
services include responding to calls, arrests, and when
necessary conducting investigations.
On a national level we accomplish this challenging and very
important job of protecting GSA-controlled facilities with a
small but dedicated uniformed staff. To augment our Civil
Service force, we rely on 7,000 contract guards nationwide.
Here in GSA's Southeast Sunbelt Region we have 1,327
buildings of which 143 are Level 4, our highest security level.
To protect these facilities we supplement our law enforcement
personnel with 960 armed contract guards.
The only acceptable minimum security level for all of these
facilities nationwide is that which provides a safe and secure
environment for GSA co-workers, customers, and visitors. This
is the driving force behind our FPS mission, to permit Federal
agencies and members of the public to conduct their business
without fear of violence, crime, or disorder.
I know I face many challenges in my new position, and I am
certain that the Federal Protective Service and I are ready to
take them on.
This concludes my prepared statement, Mr. Chairman, and we
are prepared to answer any of your questions.
[The prepared statement of Mr. Shingler follows:]
Mr. Barr. Thank you, Mr. Shingler.
Ms. Sims, please.
Ms. Sims. I have nothing further to add, but I would be
more than happy to answer any specific questions that you have
for me.
Mr. Barr. OK. Maybe you could briefly for the benefit of
the audience and the listening public who are very concerned
about this just very briefly describe the FPS or the Federal
Protective Service and its function, and how it interfaces with
GSA.
Ms. Sims. The Federal Protective Service is the law
enforcement and security arm of the U.S. General Services
Administration. I am 1 of 11 FPS regional directors around this
country, and I am the Director of the Southeast Sunbelt Region.
I have approximately 1,300 facilities around eight States in
this region.
Mr. Barr. OK. Thank you.
I have a couple of preliminary questions, and then I would
like to turn to my colleague Mr. LaTourette, then I may have
some more, and he may as well.
Back in 1993 the World Trade Center was bombed in the
garage. Two years later the Murrah Federal Building in Oklahoma
City was bombed and crumbled with tremendous loss of life, and
of course on September 11th of last year our Nation suffered
the most serious terrorist attacks ever perpetrated against us
in our homeland or anywhere.
After each one of those I would presume that our government
took a look at security procedures, not just at Federal
buildings, but particularly at Federal buildings, and took
steps to address those, yet obviously we still have some
problems.
I know also, Mr. Malfi, that your office conducted an
investigation I think 2 years ago was it. If you could, briefly
describe that investigation.
Mr. Malfi. We were requested to test the security at
various government buildings and airports. We undertook an
operation, undercover operation where we used false police
credentials in an effort to obtain access into these buildings
and bypassing the magnetometers and x-ray machines, carrying in
briefcases to simulate the fact that we could have brought in
weapons, explosives into these buildings.
We attempted 19 entries in the Washington area, and were
successful in all 19 entries. We attempted two airports, and
obtained entry into both airports, circumventing the
magnetometers and x-ray machines in all the instances where we
went out.
Mr. Barr. Were steps taken subsequent to that investigation
to correct the deficiencies that investigation uncovered?
Mr. Malfi. After we completed the investigation we had
again a debriefing with the agencies that were involved, and
they instituted immediate steps to try and correct the measures
that made it allowable for us to circumvent their security. So
there was much concern about it, and the agencies reacted to
this and put in certain policy changes to effectively enhance
their security measures.
Mr. Barr. I want to make sure that Mr. LaTourette and the
public and we understand exactly the scope of what you were
able to do here, but also to indicate as I would like you to
whether or not there were in fact areas of these Federal
buildings--and we see pictures of the Federal buildings with
many, many agencies housed therein, and many thousands of
Federal employees--it is my understanding that you were able to
gain access to each one of the I think actually four buildings
that you sought to penetrate; is that correct?
Mr. Malfi. That is correct.
Mr. Barr. And the identification cards that you were able
to secure based on pretexts, that is false stories which
apparently were not checked out; is that correct?
Mr. Malfi. That is correct. No due diligence was done in
regards to the story that we used for the reasons we needed a
building pass. We were able to obtain--Agent Cooney was able to
obtain two legitimate building passes. From those legitimate
building passes we counterfeited building passes for our other
agents to gain infiltration into these buildings as a group,
and then we went and on the strength of some counterfeit
passes, building passes, we were able to obtain a legitimate
building pass. So in turn through a ruse we got genuine
building passes, counterfeited them, were able to get entry
into the buildings using the counterfeited building passes, get
access to the buildings when they were closed and after hours,
and based on the strength of a counterfeit building pass we
were able to obtain a genuine building pass. So we would have
eventually turned all of the counterfeit credentials,
counterfeit building passes we had into legitimate passes.
Mr. Barr. Of course if one of our law enforcement agencies
were conducting a true undercover operation, or an intelligence
operation, you are familiar with the concept of backstopping;
correct? In other words, if you are going to send an agent out
in an undercover capacity you will backstop so that steps are
taken down the line so that if his story is checked out it
appears to be legitimate.
Mr. Malfi. Absolutely.
Mr. Barr. Their undercover operations are backstopped. You
did not do that in this case; is that correct?
Mr. Malfi. Actually there was no need for us to do that in
this investigation because nobody checked, pulled back the
first layer. We had a system set up that in case we needed some
verification for the fictitious stories that we laid out that
we would have been able to provide that. But it was not
necessary in this case.
Mr. Barr. In other words, there was not one call or effort
made to check out the veracity of what you told the individuals
in order to secure the passes or the codes?
Mr. Malfi. That is correct.
Mr. Barr. Thank you. Mr. LaTourette.
Mr. LaTourette. Thank you very much, Mr. Chairman.
Mr. Malfi, did you or your team actually carry explosives
or firearms into these buildings?
Mr. Malfi. No, we did not.
Mr. LaTourette. And Mr. Barr asked one of the questions,
but all of you have extensive law enforcement experience, each
over 20 years if I heard you correctly earlier. Some missions
that you are assigned to I assume are very, very difficult,
some are very, very easy, and like the three bears some are in
the middle I guess. How would you characterize the difficulty
that you had in accomplishing what you did here in Atlanta?
Mr. Malfi. I would say we did not have much difficulty
accomplishing this assignment. Even though there were some
technical things that we had to do, we had to counterfeit the
passes, but we used basic computerized software to do this, and
it was not really that difficult.
Mr. LaTourette. And again basic computer software, is there
anything extraordinary, any lengths that you had to go to, to
recreate the passes that you have shown us here today?
Anything--could Mr. Barr and I do this if we knew how to work a
computer?
Mr. Malfi. I believe so. I mean the original pass was
scanned, which is a common technology now that is used for
computer printing. It was scanned in, it was worked on a little
bit to get the colors as close as possible, and basically it
was printed out.
The holograms which is a security feature, which is a good
security feature, that appeared on the genuine passes. We did
not duplicate--I mean we could have went through a more high
scale type of technology and could have gotten holograms
produced. I mean you can replicate that type of technology, but
we did not go that far. We strictly produced a flat hologram
that had the appearance if you just looked at it one way that
it looked like there was something there, but it did not do the
effect that an actual hologram does, which is when it hits the
light reflects different colors to it.
Mr. LaTourette. In our earlier discussions with Ms. Sims
and Mr. Shingler it came up that each building has a committee
I guess set up to determine what security is maintained, it is
a security committee; is that correct?
Mr. Shingler. Yes, sir. One of the recommendations from the
original Department of Justice vulnerability assessment that
Congressman Barr referenced was the establishment of building
security committees. Those committees are made up of the
tenants of the building, and they are each represented, each
member is represented.
Mr. LaTourette. Is the adoption of security committees for
each building something again that came out of this DOJ report?
Mr. Shingler. Yes, sir.
Mr. LaTourette. Is it required?
Mr. Shingler. It is required, yes, sir.
Mr. LaTourette. Let me ask you this. Could the General
Services Administration mandate through rule or regulation what
level of security is in each building?
Mr. Shingler. Could we, sir?
Mr. LaTourette. Yes.
Mr. Shingler. Yes, sir.
Mr. LaTourette. Are you aware of any--Ms. Sims, let me ask
you this for the buildings that you are in charge of--are you
aware of any security committee that has adopted a
recommendation that everyone that enters the building go
through the magnetometer?
Ms. Sims. I am not aware of that recommendation.
Mr. LaTourette. Let me ask you, Mr. Malfi, I indicated
before where Mr. Barr and I work everybody goes through the
machines, and the reason is that we have former staffers that
are no longer working on the Hill that do not turn in their
credentials and can gain access to the building, and for
security purposes we ask everybody to go through the machines,
and people understand that I think.
Is there any reason that--well, let me ask you this: If
that had been the policy at these buildings you obviously could
not have carried in briefcases and valises and other things
without going through the magnetometers.
Mr. Malfi. That is correct. The whole purpose of us getting
the building pass was after we did the surveillance on the
buildings we realized that people that had the building passes
were not subject to go through the magnetometers or to have
their belongings x-rayed. So our purpose was to obtain a means
in which we could bypass the magnetometers and x-ray so we
could if we wanted to bring in weapons and explosives into the
building.
Mr. LaTourette. And you talked about the fact that you had
been here before, before you engaged in the attempt to get
passes, and I guess I would ask you the same question. Did you
spend an unusually long amount of time for a law enforcement
operation casing the joint before you reached the conclusions
you did necessary to breach the security of these buildings?
Mr. Malfi. No. We did this fairly quickly. I think it was
two visits that it took us here. Manpower-wise it took about 3
days before we were ready to come back and actually do the
operation.
Mr. LaTourette. Mr. Shingler, Steve Perry who is the
Administrator of GSA has made some observations relative to the
Federal Protective Service which is under your care and
direction. One of the things that he has noted at least to me
in another capacity that I have is that there is a pay
differential that is hard to make up for the Federal
Protective Service, and the one example that he cited was that
there is a $10-an-hour difference between what someone can make
working for the Capitol Hill police force as opposed to the
starting wage in your salary. Is that an accurate observation?
Mr. Shingler. Yes, sir, very accurate.
Mr. LaTourette. Does that create a turnover problem for
you?
Mr. Shingler. Yes, sir, constantly.
Mr. LaTourette. And likewise it is my understanding that
you started, if not this year, a little while ago with 600
FTEs, full time FPS workers, and now you are down to the
neighborhood of 450?
Mr. Shingler. Yes, sir. Turnover is tremendous.
Mr. LaTourette. Has the GSA put together, worked with the
administration in a way to develop legislation to help correct
some of the deficiencies relative to first pay scale, and
second training?
Mr. Shingler. Yes, sir, we have.
Mr. LaTourette. And can we anticipate that in the near
future?
Mr. Shingler. I would say yes, sir.
Mr. LaTourette. And the other deficiency that came up in
some of the hearings, and this was principally brought to our
attention by the officers within the Federal Protective Service
is that there is a variation in the training that some of the
contract guards are subject to in order to be under contract.
Is that an accurate observation?
Mr. Shingler. Yes, sir. As a matter of fact, we have an
active effort to bring some balance to that training effort,
including a drastic increase to that training in what we are
going to call our building security guards, yes, sir.
Mr. LaTourette. And, Mr. Malfi, back to you. It is my
understanding that the equipment was in place at all of these
buildings, and people were in place in all of these buildings,
and the breakdown I guess would be two, and I would like your
comment, one is that when you have a policy that as long as you
have one of these you can bring anything into the building that
you want without having it checked, I would consider that to be
a deficiency, and second of all the deficiency appears to be
human error, that you were permitted to get through with
credentials that were phony, and in one instance where you had
even switched pictures with the other fellow.
Mr. Malfi. Exactly. Basically Congressman Barr brought this
out earlier in his opening statements, that common sense and
diligence is really the key to security, and as long as you
have people that are watching but not paying attention, or
looking and not seeing, these type of vulnerabilities will
continue to be a problem.
Mr. LaTourette. And last Mr. Shingler and Ms. Sims, it is
not appropriate to talk about the recommendations that are
attached in the confidential report that followed the briefing
that you received, but I think that the fellow that issued is
named Constable which is a good name I think for someone
involved in law enforcement, but have you reviewed each of you
all of the recommendations contained in that?
Mr. Shingler. Yes, sir, we have.
Ms. Sims. Yes, sir.
Mr. LaTourette. OK. And I would just indicate, and again I
do not think that we should try and surprise people, but I
would just indicate that upon my entrance to this building,
re-entrance that I found that the recommendations contained in Mr.
Constable's report are not being followed, and I am sure that
you will take that to heart and do what is necessary to fix it.
Mr. Shingler. By all means, sir.
Mr. LaTourette. Thank you very much. Thank you, Mr.
Chairman.
Mr. Barr. Thank you, Mr. LaTourette.
It is my understanding that currently FPS, or the Federal
Protective Service is under the control of the Public Building
Service, and does not function as a truly independent security
advocate for Federal facilities. Has the GSA ever considered
moving the FPS out from under the Public Building Service to
allow it to function truly as a law enforcement agency?
Mr. Shingler. We actually are very close to that as of this
moment. The GSA did realign all of the regional offices, much
as this one is, reporting to headquarters. In days past they
used to report to the region itself. Now the Federal Protective
Service is controlled out of the central office headquarters in
Washington. Although we are part of the Public Building
Service, we are a fairly integral part of that effort because a
lot of what we do requires funding, and it is funded out of the
Federal building fund. The Federal building fund is controlled
by the Public Building Service. So we are a totally dedicated
service as of this moment, and we do rely on the funding
mechanisms of the Federal building fund which are controlled by
the Public Building Service.
Mr. Barr. The funding is very important, and as both Mr.
LaTourette and I mentioned earlier, the Congress certainly has
the responsibility there to make sure that all of these
functions are funded properly.
I am not so much interested in the funding mechanism as
separating FPS out so that it truly can function as a law
enforcement agency.
Mr. Shingler. We have complete authority as of this moment,
sir, to do that. I have never had--in the 2 months that I have
been here already we have not had any interference whatsoever
to try to do exactly as you said, to be a full-fledged
at-the-table law enforcement agency.
Mr. Barr. Mr. Malfi, in your experience both in law
enforcement and in these type of investigations involving
Federal facilities do you see that it would help at all--and
this is something we are looking at from a legislative
standpoint as well I suppose--to separate FPS out and give it
more autonomy as a law enforcement agency, as a separate
entity?
Mr. Malfi. Actually I have not thought about or looked into
that aspect of it, and I know GAO has not looked at that, but
based on my experience if you have people that are involved in
law enforcement that are involved in security and they are
answering to people of the same culture with a law enforcement
background things normally seem to run better for that arena
based on the culture and the experience level that you have.
Mr. Barr. With regard to the meeting that you had
immediately following the conclusion of the undercover phase of
your investigation, have steps been taken, Mr. Shingler and Ms.
Sims, since that time, just I guess a little over a month ago--
actually when was that meeting, Mr. Malfi?
Ms. Sims. March 20th.
Mr. Malfi. March 20th.
Mr. Barr. So just about a month ago. And, by the way, let
me say we appreciate your doing that, even more important than
getting your information, or even physically getting back up to
Washington you sat down with the agencies here because you
perceived that there was a very serious problem, something of
which they should be made aware of immediately, and I think
that is very appropriate and commendable.
In followup to that, Mr. Shingler and Ms. Sims, could you
again without revealing any sensitive law enforcement
techniques, tell us some of the steps that have already been
taken to address the deficiencies that GAO discovered.
Ms. Sims. Let me just say that during that March 20th
meeting one of the first things that Agent Malfi said to us is
that there has never been a facility that he has set his sights
on that he has been unable to penetrate, and that is evidenced
by his testimony in which he said that he has been able to
penetrate 19 Federal facilities and two airports.
We at the U.S. General Services Administration take no
consolation in being lumped into that group. We do not make an
excuse by being lumped into that group now.
But what I will say is that within hours of that March 20th
meeting we took immediate, decisive, and what we believed to be
effective steps, probably a dozen steps to further improve
security postures in the Federal facilities, and we are
currently working on at least a dozen more. And that is in
addition to what we have always done prior to September 11th,
prior to the penetrations by the U.S. General Accounting
Office.
Some of those that we have been doing would include
security surveys, would include occupant emergency planning,
would include building security committee meetings, would
include daily contact with the tenants and visitors, and
implementing the feedback that they give us each and every day.
Mr. Barr. Two of the items that Mr. Malfi discussed and
that his colleagues have mentioned also, though, would seem to
be of the sort that would not require a serious problem like
this in order to be directive.
Both prior to and after this investigation will all of
those folks under GSA's or FPS's authority actually look at a
badge physically to determine that it is in fact, or that at
least it appears to be in fact a valid identification pass?
Ms. Sims. Yes, sir. We employ a three-step process by which
we look at the badge, we look at the face of the individual,
and we look again at the badge, and we are confident that those
strategies are currently being employed.
Mr. Barr. That was not the case, though, obviously prior to
the undercover investigation, that three-step process obviously
was not used.
Ms. Sims. I believe that it was used in most cases.
Security is a very unforgiving discipline, and it requires
daily iterative followup, and that includes meeting one-on-one
with contract security guards and the contractor to reiterate
what the ongoing policies and procedures are.
Mr. Barr. With the particular badges that you have
described, if somebody, Mr. Malfi, had simply looked at it even
cursorily and seen that it did not have the proper hologram on
it for example, how many times were collectively you all able
to secure access to Federal buildings based on those badges?
Mr. Malfi. I believe if they would have looked at the
badges first of all they would have definitely caught the fact
that I was using John's building pass because his photograph
appeared on it, not mine.
If they also looked at the passes, all of the counterfeit
building passes should have been detected and those people
should not have been not allowed entry, and a followup
investigation should have occurred. So in all instances----
Mr. Barr. But about how many times did that occur?
Mr. Malfi. On almost all of the entries that we made.
Mr. Barr. I mean a number of times?
Mr. Malfi. We infiltrated the buildings I think on two
occasions. We went back twice. I mean because once we got
through then we wanted to go through at night time with the
crew, you know, with the group, and we saw no need to
continually, you know, for 3 weeks straight go in and out of
these buildings. Once we penetrated it, we got inside, you
know, that operation was over as far as we were concerned.
So I believe there was like two penetrations for most of
the buildings, and one penetration for another.
Mr. Barr. By each one of you?
Mr. Malfi. That is correct.
Mr. Barr. So that would mean at least six penetrations?
Mr. Malfi. Six, and then we had two other undercover agents
that also went into the buildings.
Mr. Barr. And in not one of those instances was the badge
physically inspected?
Mr. Malfi. That is correct.
Mr. Barr. This is the problem that we have, Mr. Shingler.
It may be your belief or your wish that in most instances that
simple step occurs, but apparently in none of these instances--
I mean it is not as if they were stopped most of the time and
looked; it was never looked at. Is that a concern?
Mr. Shingler. It is deeply a concern. Policies are one
thing, all the equipment in the world are another just as Mr.
Malfi said. And I was at the hearing the other day that his
counterpart was at. All the technology in the world is not
going to do you any good if your staff is not there and trained
to identify it and do something with it. We feel that is a key
for us, and training and getting the proper staff is definitely
going to be one of our major efforts. I have already spoken to
Mr. Malfi about--the Federal Protective Service faces a lot of
challenges. This effort has helped us focus and set priorities
for addressing those challenges, and that is what we are
attempting to do, sir.
Mr. Barr. When an initial approach is made as Mr. Malfi and
his colleagues did in order to secure an initial pass, building
pass, and a story is told that obviously is not true, is there
a process now in place that obviously was not in place before
so that in every instance that story is checked out at least
one level?
Mr. Shingler. Yes, sir, that practice is in place now. I
think for the most part most policies were in place, although
we have issued further policy guidance. It was the actual doing
the work, and it is great to talk the talk, but walking the
walk is the thing, and we just were not totally walking the
walk at that point, and I think we are now, sir.
Mr. Barr. As a result of the briefing on March 20th and
this operation generally, have you all been able to identify
particular individuals that committed serious breaches of
security and allowed this to happen, allowed these penetrations
to occur and these false badges to be used?
Mr. Shingler. I misunderstood the question, sir.
Mr. Barr. Have you been able to identify particular
individuals who fell short of the standard that you all
maintain?
Mr. Shingler. Employee-wise, or contractor-wise?
Mr. Barr. Yes.
Ms. Sims. Yes, sir, we have.
Mr. Barr. And has action been taken to correct those
situations?
Ms. Sims. Yes, sir, it has been.
Mr. Barr. Have persons been terminated?
Ms. Sims. No, sir.
Mr. Barr. Have any contract personnel been removed from
those responsibilities?
Ms. Sims. Yes, sir.
Mr. LaTourette. Mr. Barr was talking about the new
technology, and let me just ask if you are based upon your
experience aware of any additional security technologies
including smart cards or biometric devices that you think could
be used to help eliminate some of the human error that was
discovered in this operation, Ms. Sims, and then you, Mr.
Shingler? Are any of those currently under discussion or
consideration by the GSA relative to building security?
Ms. Sims. Yes, sir. GSA in several regions across the
country is currently employing pilot projects which utilize
smart card technology. Certainly if we had our druthers the
Nation would move toward that.
Mr. LaTourette. And just for the benefit of those that do
not know what a smart card is, maybe you could just explain
what it is that those pilot projects are doing.
Ms. Sims. Well, there are variations on it. Up in New York
several buildings utilize smart card technology in which the
individual's--I am sorry. Wendell, would you like to----
Mr. Shingler. Absolutely.
Basically what it is is it is an identification card with a
computer chip inside, and within that computer chip could be a
variety of pieces of information, the person's name, Social
Security number, and a physical picture so that when it comes
up on a computer screen and it is accessed through a reader you
could doubly verify that it is the person on that card and in
person in front of you. So there is a wide variety of checks
within those pieces of equipment.
Biometrics is another issue that we are looking at. Again
as I said in my opening statement I do not know that there is a
silver bullet, but it is definitely one of those items that we
intend to work with the Interagency Security Committee which is
also from the vulnerability assessment that is a government
sharing of information, and that is where we will address a lot
of those areas, especially with the Defense Department who has
done a lot of research into those areas.
Mr. LaTourette. I do not want to get too far afield from
the subject of this hearing in terms of an internal
penetration, but both what happened in Oklahoma City and at the
World Trade Center had to do with things happening externally
to buildings. Has GSA engaged in a study of the properties
under its control relative to external security? Say the
building we are sitting in today?
Mr. Shingler. Yes, sir. We are actively doing that in two
methods. One, the new buildings that the Hill authorizes for
new courthouses and the like, we are looking at new
technologies and old technologies. We are putting seismic
things, designing them into the building that probably were not
used in years past in other than the seismic regions such as
the West Coast. So we are looking at those things.
We have done a lot of research in glass. As you may be
aware, in Oklahoma a lot of people were hurt or injured or
killed because of flying glass, so we have done a lot in the
scientific look-sees at glass.
We are also using a lot to address the existing buildings.
We are looking at set-backs, how we can increase set-backs
using street closures or lane changes, or even just changes to
the surfaces of the buildings. So we are actively looking at
all of those areas.
Mr. LaTourette. And actually one of the not-often-enough-told
stories is one of the women who lost a child in the day
care center in the Murrah Building and started a foundation
called People First, and it has specifically dedicated itself
to the development and research of shatterproof glass for not
only Federal buildings but for also other facilities, and she
is doing wonderful work.
And last, Mr. Malfi, maybe to impress, and I want to
indicate that I guess what concerns me about the answer to Mr.
Barr's question, again when I went outside the building not
only did I get a second visitor's pass, but someone with a
yellow pass just blew right past the guards and the
magnetometer, no one touched the pass, nobody examined the
pass, nobody matched up the picture, and so I know that you are
in here and you have contracted with people to engage in
security, but it appears to me that we are still not quite
there, even in the fact that I assume most of the people in the
building know what we are doing here if they watch television,
so I would think that they would take it a little more
seriously.
And maybe to give the matter some seriousness, Mr. Malfi,
what was the biggest container that you or your agents brought
in in terms of a suitcase that you could put in an overhead
bin, or a briefcase?
Mr. Malfi. We took in a travel bag, a valise-type bag that
could have been used to bring in certain equipment, certain
explosives, anything basically we wanted to bring into the
building.
Mr. LaTourette. And did any of you during the 20-plus years
that each of you had with the Secret Service, do you have
experience with explosives training?
Mr. Malfi. Enough to know to get away from them. That is
about it.
Mr. LaTourette. Are you able to estimate or guesstimate
based upon the size of the valise that you brought in what sort
of damage you could have done to this building if it had been
packed for instance with C4 explosives?
Mr. Malfi. Well, basically depending on where we would have
placed those, how much we would have brought in. It depends. I
mean once you have access to a building and free rein on the
building then you can sort of accomplish basically anything you
want to.
I do not think anybody would have stopped us if we all
walked in carrying two large duffel bags each. I mean we had
the building passes that allowed us to bypass the magnetometers
and the x-rays. The main thing is that technology is not a
cure-all for security, money is not a cure-all for security.
The bottom line is that due diligence is really the most vital
factor in regards to any type of security that you have set up.
People have to be diligent in what they are hired to do,
they have to adhere to the policies and understand why those
policies are in effect so that it makes sense to them so that
they could prevent things like this from going on.
Mr. LaTourette. And part of that is not only going over
things, but it is training, and it is also compensating
somebody at a rate that motivates them to do their job I would
assume.
Mr. Malfi. That is correct.
Mr. LaTourette. Thank you very much.
Mr. Barr. Going back, Mr. Malfi, to the one aspect of the
badges, you say there was the designation on the badges that
allowed the person, or indicated that the person possessing the
badge could carry firearms into the building. What was done in
order to secure that additional authority?
Mr. Malfi. Basically Agent Cooney just did a little social
engineering in regards to having that person put that extra
feature on that badge.
Mr. Barr. In other words, he just gave them a story that he
needed to carry a firearm?
Mr. Malfi. In the conversation it came up that he may need
this, and he says, yeah, he says I definitely could use this,
and they put it on. So it was volunteered, right, John?
Mr. Cooney. Correct. I did not have to explain in detail
what the need for a firearm was. I just said I would be coming
in with firearms at some time, and they said ``Well, then you
need this feature on it,'' and I said ``Yes, I would like to
have that.'' They were very willing.
Mr. Barr. What steps have been taken to correct that
particular deficiency in the wake of this investigation? Ms.
Sims.
Ms. Sims. Would you elaborate on the question, please?
Mr. Barr. Not really on the question, but what steps have
been taken to address that particular deficiency? In other
words, the ease with which the undercover officer was able to
get the designation on the badge that allowed them to bring
firearms in without having to explain or provide any sort of
documentation at all.
Ms. Sims. Without getting too detailed on our security
protocols, there are at least a half dozen steps that we have
taken specifically to that element of building entry. One would
include tightening up the policies and procedures associated
with the issuance of the badge. The actual badge issuance
procedure has changed in terms of who issues the badge, the
actual application for the badge has changed, and the
validation process by which we issue the badge has changed and
tightened up.
Mr. Barr. We have been talking generally today very
specifically about the facilities here in Atlanta in Region 4.
Are the measures that we have been talking about here today
being implemented across the country in all regions of the
country, in all facilities under the jurisdiction and control
and responsibility of GSA and FPS?
Mr. Shingler. The specific ones that are being done here
may not necessarily be, but the intent is each of Sabina's
counterparts, the regional directors in the balance of the
country are specifically addressing similar types of issues.
Some of the ID card issuance procedures are different from
location to location, but the ultimate intent of tightening up
our security of getting in and out of buildings is definitely
being addressed nationally, sir.
Mr. Barr. I mean it would seem to me that what we are
talking about here is just so basic, namely not just giving
somebody a designation to carry a firearm into a Federal
building without asking any questions or checking anything out,
but the issue of simply checking to see whether the person that
they say they are coming to see actually needs to see them,
physically looking at a badge, and these are all so basic I am
somewhat at a loss to understand why we cannot have the
assurance today that they are in fact being implemented in all
GSA regions for all Federal buildings.
Mr. Shingler. No. Absolutely, sir. I misunderstood what you
were asking. Yes, sir, that is happening. They have tightened
up security nationally. I misunderstood what you were talking
about, the holograms and one thing or another.
Mr. Barr. So as we sit here today can you assure us in the
Congress and the American people that at least these specific
steps that we have identified here today as being deficiencies
in Federal building security are being addressed, have been
addressed, and will continue to be addressed properly?
Mr. Shingler. Yes, sir.
Mr. Barr. Ms. Sims.
Ms. Sims. Absolutely.
Mr. Barr. We talked earlier about the different levels of
security for the Federal buildings, and we have pictures of the
different Federal buildings, at least five of them here in the
Atlanta area. What is the level of security for each one of
these buildings?
Mr. Shingler. They are all Level 4 facilities.
Mr. Barr. And if you could just explain briefly what Level
4 means.
Mr. Shingler. The vulnerability assessment, the DOJ
vulnerability assessment categorized virtually all Federal
buildings in one of five levels. Primarily the first four, 1
through 4, are the ones that we deal with. The fifth level are
those agencies such as the Pentagon, or the CIA headquarters
where they may employ their own security requirements. But the
1 through 4 levels are based on a variety of things, primarily
how many people are in them, the size of the building, the type
of mission that goes on within the building, the threat
assessments that could happen, from the shopping center type of
recruiting office all the way to a building of this magnitude
here in Atlanta. So that is where they range between the 1
through 4 levels.
Mr. Barr. The buildings earlier, in your earlier
investigation 2 years ago, Mr. Malfi, were they all Level 4
facilities?
Mr. Malfi. I believe a lot of those buildings were Level 5.
Mr. Barr. In other words, even a higher level of security
and vulnerability associated with them?
Mr. Malfi. That is correct.
Mr. LaTourette. Mr. Shingler, if I could just have one more
sort of housekeeping question, Mr. Barr was talking about where
the money comes for the Federal Protective Service, and it does
come from the Public Building side of GSA, and it is my
understanding that the tenants, for instance if the Internal
Revenue Service is in a GSA-operated building that they pay you
so much per square foot or whatever to provide security. Am I
right about that?
Mr. Shingler. Yes, sir. For the most part there is an
across-the-board charge, and each square foot of rent an X
percent goes to security. And then there are building-specific
charges that are added onto that which in some cases there are
multiple entrances that they may want to have guards at, or
anything that is above what the basic security charge covers.
Mr. LaTourette. And GSA could by regulation--we have
already I think said this--but GSA by regulation could require
everybody that comes into this building to go through the
magnetometer, but you have chosen not to do that, you have
chosen to leave it up to the security committees.
Mr. Shingler. Yes, sir.
Mr. LaTourette. I think I would ask you to chat with Mr.
Perry and see if that could be reevaluated. But likewise are
there lease arrangements because not every building that you
operate is a government-owned building, there are also leased
buildings that you lease on behalf of the government. Are there
restrictions by landlords, or are there lease restrictions that
somehow impede your ability to protect the men and women of the
Federal work force and the people that visit them?
Mr. Shingler. Balancing security with openness is a primary
issue that we are constantly addressing. One of our biggest
challenges right now are leased facilities, but we are working
closely with the Interagency Security Committee to come up with
a minimal standard to implement security in leased locations.
We are also working with organizations such as BOMA,
Building Owners and Managers Association, to come up with
standards that not only they can live with, but meet our needs
of protecting our government employees. So we are actively
addressing those issues, sir.
Mr. LaTourette. Are any of the buildings that we are
talking about today in Atlanta leased, or does the Federal
Government own them all?
Ms. Sims. We own them all.
Mr. LaTourette. You own them all.
Ms. Sims. Yes, sir.
Mr. LaTourette. Thank you very much.
Ms. Sims. Excuse me, let me correct. The Sam Nunn Atlanta
Federal Center is a complex lease-to-own financial deal. At the
end of a period of time we will own that facility.
Mr. LaTourette. But do you currently on behalf of the
Federal agencies that are located there, do you lease it from
someone at the moment?
Ms. Sims. Yes, sir.
Mr. LaTourette. OK. Are there any restrictions--I guess
that is what I want to get to--are there any restrictions in
the lease that prevent you or hinder you from engaging in the
security that you engage in in a wholly owned Federal building?
Ms. Sims. At that facility no. That facility is operated as
if it were ours from a security stance.
Mr. LaTourette. Thank you very much.
Ms. Sims. Sure.
Mr. Barr. The investigation, the undercover investigation
that took place in early March, and we have identified what I
presume we would all agree are serious security problems, the
failure to look at a badge, the ease with which somebody gets
the badge based on a false pretense that was not checked out,
the additional volunteering of the designation to be able to
carry firearms in, agents giving an access code to these
undercover agents without checking them out properly, would
everybody here agree that those things should not have
occurred?
Ms. Sims. Yes, sir.
Mr. Barr. What specific steps--and were those problems,
were those errors made by both contract personnel and FPS
employees?
Ms. Sims. Employee singular, and contract employee
singular. Yes, sir.
Mr. Barr. And are there any limitations under which GSA or
FPS now operates that would prevent effective disciplinary
action being taken against either employees or contract
personnel for identified security lapses such as these?
Ms. Sims. The contract employee referenced in the scenarios
no longer provides the service to the U.S. General Services
Administration.
With respect to the GSA employee, that employee has been
reprimanded.
Mr. Barr. Is that sufficient in your view? Are there--I
guess I am asking a more general question. Are there any
limitations under which you all have to operate now that would
prevent you in any way from taking what you believe is
effective disciplinary action against an employee that commits
a serious error in security? Do you have sufficient authority?
Ms. Sims. Yes, sir, we do.
Mr. Barr. Does that include termination of an employee?
Ms. Sims. If it were deemed appropriate, yes, sir, it most
definitely would include up to termination.
Mr. Barr. OK. And you do have the ability to terminate the
services of a contractor similarly, and you have plenty of
authority to do that?
Ms. Sims. Unilaterally and very quickly.
Mr. Barr. Thank you.
Do any of you all have anything additional that you would
like to add for the record today that we might not have gone
over, or to supplement anything that we have touched on today?
Mr. Shingler. We appreciate the opportunity to be here.
Mr. Barr. Thank you.
As I indicated--do you have anything else, Mr. LaTourette?
Mr. LaTourette. I do not. Thank you.
Mr. Barr. Counsel?
As I indicated, the record will be kept open for 10 days so
that if there are any additional materials that you would like
to submit.
And let me ask just one final question I forgot. With
regard to followup measures, is this an ongoing process, Mr.
Shingler or Ms. Sims?
Mr. Shingler. We will constantly be following up, because
weapons and terrorist activities have changed drastically.
Hopefully we will never be able to sit here and say we have
done everything we could do, because we will constantly adjust
to that.
Mr. Barr. Now, we have purposely not gone into in this
public setting all of the details of the security breaches,
which is good both from the standpoint that we have not
indicated a specific road map or game plan that somebody could
use, and I think people would be shocked even at some of the
details that we did not go into here, the ease with which the
security breaches were effectuated, but knowing, Mr. Shingler
and Ms. Sims, as you do the full details of this undercover
investigation here, can you assure us that if that same
operation were carried out tomorrow it would very clearly not
succeed?
Mr. Shingler. Yes, sir, I can say that.
Mr. Barr. Ms. Sims.
Ms. Sims. I am confident that we have taken the steps that
we need to take, and that we are continuing to take the daily
iterative steps that we need to protect the people and the
properties, and the daily visitors who frequent our facilities.
Mr. Barr. I mean this is not a trick question at all. I am
just wondering if as you sit here today you feel confident that
if this same type of operation were carried out tomorrow that
it would not succeed. Do you feel confident in that?
Ms. Sims. As I said, I am confident in the fact that we
have done everything, and we continue to do everything to
protect the people and the properties.
What is a little bit frustrating is that with the state of
technology today it is difficult to discern fake
identification.
Mr. Barr. No, it is not. I mean that is the whole point of
this hearing. I mean it is not. This is one that has the proper
hologram, this is one that is not. It is not difficult to tell
that one does not have the proper hologram and that one does.
Yes, there certainly are other aspects of falsification of
identification that are much more difficult to discern, you are
absolutely correct, but the undercover operation that was
effected here is something that a high school student--I mean
no insult to these gentlemen, but they especially and
consciously dumbed down their operation. Is that correct, Mr.
Malfi, that you sort of dumbed it down, you used the lowest
level of technology to thwart the security measures; right?
Mr. Malfi. Correct. To duplicate the building passes, like
I said, we did not use anything that was sophisticated. We used
something that was accessible to the general public.
I mean we could have--with the technology that is available
to us we could have duplicated these things very, very close to
the originals. That was not our intent. Our intent was to give
basically a fighting chance to show that if somebody paid
attention to these things it would have been detected.
Mr. Barr. And that is sort of my point, Ms. Sims, and I
come back to it again. I am not talking about the more
sophisticated measures that somebody might come up with and
that we have to be continually on guard against, just with
regard to these most elementary measures that thwarted security
measures at Federal buildings here in Atlanta, can you give us
your assurance that at least this level of threat has been
taken care of and if this type of operation, not a more
sophisticated one, and we hope the answer would be the same for
that, but just for this level of security breach are there
measures in place today so that if the same type of operation
were attempted tomorrow you feel confident that it would not
succeed?
Ms. Sims. Yes, sir, I am confident that the scenarios
employed would not meet with the success before, yes, sir.
Mr. Barr. OK. We appreciate very much the time and effort
that our witnesses from GAO put in in traveling down here, and
we also appreciate very much the swift response and continuing
effort by Mr. Shingler, Ms. Sims, and their colleagues and the
other Federal agencies in addressing these problems.
And with that I would like to thank Mr. LaTourette for
traveling here from the great State of Ohio today and being
with us. I appreciate counsel and the committee staff for all
of the preparatory work here, and I hereby declare this hearing
of the Government Reform Committee closed.
[Whereupon at 11:55 a.m., the committee was concluded.]
[Additional information submitted for the hearing record
follows:]
[GRAPHIC] [TIFF OMITTED] 80883.013 through 80883.054