[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]
COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
FINANCIAL MANAGEMENT AND
INTERGOVERNMENTAL RELATIONS
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
NOVEMBER 19, 2002
__________
Serial No. 107-240
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
______
89-165 U.S. GOVERNMENT PRINTING OFFICE
WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York              HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland            TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut            MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida              EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York                  PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California                  CAROLYN B. MALONEY, New York
JOHN L. MICA, Florida                     ELEANOR HOLMES NORTON, Washington, DC
THOMAS M. DAVIS, Virginia                 ELIJAH E. CUMMINGS, Maryland
MARK E. SOUDER, Indiana                   DENNIS J. KUCINICH, Ohio
STEVEN C. LaTOURETTE, Ohio                ROD R. BLAGOJEVICH, Illinois
BOB BARR, Georgia                         DANNY K. DAVIS, Illinois
DAN MILLER, Florida                       JOHN F. TIERNEY, Massachusetts
DOUG OSE, California                      JIM TURNER, Texas
RON LEWIS, Kentucky                       THOMAS H. ALLEN, Maine
JO ANN DAVIS, Virginia                    JANICE D. SCHAKOWSKY, Illinois
TODD RUSSELL PLATTS, Pennsylvania         WM. LACY CLAY, Missouri
DAVE WELDON, Florida                      DIANE E. WATSON, California
CHRIS CANNON, Utah                        STEPHEN F. LYNCH, Massachusetts
ADAM H. PUTNAM, Florida                   ------ ------
C.L. ``BUTCH'' OTTER, Idaho               ------
EDWARD L. SCHROCK, Virginia               BERNARD SANDERS, Vermont (Independent)
JOHN J. DUNCAN, Jr., Tennessee
JOHN SULLIVAN, Oklahoma
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Government Efficiency, Financial Management and
Intergovernmental Relations
STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                       JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                      MAJOR R. OWENS, New York
ADAM H. PUTNAM, Florida                   PAUL E. KANJORSKI, Pennsylvania
JOHN SULLIVAN, Oklahoma                   CAROLYN B. MALONEY, New York
Ex Officio
DAN BURTON, Indiana                       HENRY A. WAXMAN, California
Bonnie Heald, Staff Director and Chief Counsel
Dan Costello, Professional Staff Member
Chris Barkley, Clerk
Michelle Ash, Minority Counsel
C O N T E N T S
----------
Page
Hearing held on November 19, 2002................................ 1
Statement of:
Forman, Mark A., Associate Director, Information Technology
and E-Government, Office of Management and Budget; James B.
Lockhart III, Deputy Commissioner and Chief Operating
Officer of Social Security, Social Security Administration;
Kenneth M. Mead, Inspector General, Department of
Transportation; Richard D. Pethia, Director, Cert
Coordination Center; and Robert F. Dacey, Director,
Information Security, U.S. General Accounting Office....... 4
Letters, statements, etc., submitted for the record by:
Dacey, Robert F., Director, Information Security, U.S.
General Accounting Office, prepared statement of........... 57
Forman, Mark A., Associate Director, Information Technology
and E-Government, Office of Management and Budget, prepared
statement of............................................... 8
Horn, Hon. Stephen, a Representative in Congress from the
State of California, prepared statement of................. 3
Lockhart, James B., III, Deputy Commissioner and Chief
Operating Officer of Social Security, Social Security
Administration, prepared statement of...................... 19
Pethia, Richard D., Director, Cert Coordination Center,
prepared statement of...................................... 39
Taylor, Eugene K., Jr., Acting Chief Information Officer,
U.S. Department of Transportation.......................... 28
COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?
----------
TUESDAY, NOVEMBER 19, 2002
House of Representatives,
Subcommittee on Government Efficiency, Financial
Management and Intergovernmental Relations,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Stephen Horn
(chairman of the subcommittee) presiding.
Present: Representatives Horn and Lewis.
Staff present: Bonnie Heald, staff director; Henry Wray,
senior counsel; Dan Daly, counsel; Dan Costello, professional
staff member; Chris Barkley, clerk; Ursula Wojciechowski, staff
assistant; Michelle Ash, minority counsel; and Jean Gosa,
minority clerk.
Mr. Horn. This hearing of the Subcommittee on Government
Efficiency, Financial Management and Intergovernmental
Relations will come to order.
Federal agencies rely on computer systems to support
critical operations that are essential to the health and well-
being of millions of Americans. National defense, emergency
services, tax collection and benefit payments will all rely on
automated systems and electronically stored information. This
technology has greatly streamlined government operations. Yet
without proper security measures, Federal computers are highly
vulnerable to cyber attacks. These attacks are dramatically
increasing in volume and sophistication. Last year the number
of cyber attacks rose 71 percent above the previous year. In
addition, they are more complex, affecting government and
nongovernment computers alike.
Earlier this year, a British computer administrator
penetrated 100 U.S. military computers, shutting down networks
and corrupting data at the National Aeronautics and Space
Administration and at the Pentagon. Equally disturbing, the
hacker successfully attacked these sensitive systems by using
software that was readily available on the Internet. Threats
such as this demand that the Federal Government move quickly to
protect its critical computer systems.
This is the subcommittee's third annual report card and we
are now sending it out and we'll go into questions on it later.
This subcommittee will be--this was the third annual report
card, and we have been grading executive branch agencies on
their computer security efforts. I am disheartened to announce
that again this year the government has earned an overall grade
of F for its computer security efforts. Despite the
administration's welcomed focus on this important problem, 14
agencies scored so poorly that they earned individual grades of
an F. The Department of Transportation lags at the bottom of
the scorecard, earning an appalling 28 points out of a possible
100 on the subcommittee's grading systems.
At the top end of the report card, I am pleased to note
that the Social Security Administration continues to be a
shining example of sound leadership and focused attention
toward solving this important problem. Earning a score of 82,
the Social Security Administration's grade goes from a C-plus
to a B-minus. This agency was the first to become Y2K compliant
in 1999, and I have no doubt that it will also be the leader in
the government's effort to protect its critical computer
systems. Hopefully, the Department of Transportation and all
other failing agencies will benefit from the experience and
expertise of today's witnesses.
September 11, 2001 taught us that we must be prepared for
attack. We cannot allow government operations to be compromised
or crippled because we failed to heed that lesson.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T9165.001
Mr. Horn. I'd ask the vice chairman, Mr. Lewis of Kentucky,
if you'd like to have an opening statement, why----
Mr. Lewis. Thank you, Mr. Chairman. Well, I just want to
say one thing. At the end of this term, the American taxpayer
will be losing a man that has been in the front lines of
looking out after their interest and putting pressure on the
government to be efficient and to use taxpayer dollars wisely.
And, Mr. Chairman, it certainly will, again, be a sad day for
the American taxpayer and it'll be a sad day for all of us to
see you retire, but thank you for your great service.
Mr. Horn. Thank you very much, Ron. That's nice of you.
You've been a good partner.
I'm now going to bring in the witnesses and their
assistants and we'll have them take the oath. This is an
investigative committee and that's the way we operate. If
you'll stand and raise your right hands. And your assistants
behind you, the clerk will note all of the names there and put
in the hearing record.
[Witnesses sworn.]
Mr. Horn. The clerk will note and take the names. Thank
you.
And we will now start with the presentation, and the
presentation is simply down the agenda line, and we start with
Mark A. Forman, Associate Director, Information Technology and
E-Government, Office of the President's Management and Budget.
Mr. Forman, we're glad to see you again.
STATEMENTS OF MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION
TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET;
JAMES B. LOCKHART III, DEPUTY COMMISSIONER AND CHIEF OPERATING
OFFICER OF SOCIAL SECURITY, SOCIAL SECURITY ADMINISTRATION;
KENNETH M. MEAD, INSPECTOR GENERAL, DEPARTMENT OF
TRANSPORTATION; RICHARD D. PETHIA, DIRECTOR, CERT COORDINATION
CENTER; AND ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY,
U.S. GENERAL ACCOUNTING OFFICE
Mr. Forman. Good morning, Mr. Chairman and Mr. Lewis.
Before I begin, I would also like to acknowledge the
significant role that you've played in the last decade on IT
issues. Through your leadership we've all witnessed a
substantial increase in attention and efforts to improve the
Federal Government's management of information technology.
You've captured the attention of senior policy officials across
agencies, challenged administrations, and, as a result, have
helped focus on an understanding of the serious issues,
particularly IT security, financial management and the year
2000 conversion. Thank you for your work in these areas.
I also want to acknowledge the work of my lead security
analyst, Glenn Schlarman, who will be leaving OMB to work at a
department at the end of the year. Glenn has led OMB's work in
cyber security and related information policy since the mid-
1990's and deserves much credit for the progress made in this
area by Federal agencies.
Mr. Chairman, we all know that our Federal Government's IT
security problems are serious and pervasive. However, I'm
pleased to report today that while problems persist, several
agencies are demonstrating progress due in large part to your
leadership.
Since the last hearing in March, a number of achievements
have been made toward improving the Federal Government's IT
security: First, the combination of the Security Act reporting
requirements, OMB's reporting instructions, and agency plans of
actions and milestones have resulted in a substantial
improvement in the accuracy and depth of information provided
to Congress relating to IT security. In addition to IG
evaluations, agencies are now providing the Congress with data
from agency POAMs, the plans of action and agency performance
against uniform measures.
Second, OMB developed and issued objective IT security
management performance measures which were the basis for the
most recent agency reports and plans of action.
Third, we developed a governmentwide assessment tool based
primarily on the National Institute of Standards and
Technology's technical guidance and the GAO's Federal
Information Systems Control Audit Manual.
Fourth, to ensure successful remediation of security
weaknesses throughout an agency, every agency must now maintain
a central process through the CIO's office to monitor agency
compliance.
Fifth, we have developed additional guidance on reporting
IT security costs.
Sixth, several agencies have demonstrated mature IT
security management practices.
Seventh, governmentwide on-line IT security training and
course work is being made available and used.
And, eight, deployment of cross-agency E-authentication
capabilities is occurring.
As we move into the second year of actual reforms built
around the Government Information Security Reform Act and based
primarily on agency and IG reports submitted in September,
integration of security into agency budget processes and
recently updated and submitted IG security plans of action and
milestones, OMB has conducted an initial assessment of the
Federal Government's IT security status. Due to the baseline of
agency IT security performance identified last year, we are now
in a position to more accurately determine where progress has
been made and where problems remain.
Having objective performance measurements has improved the
quality process, and I'd like to say there are five good news
items we've found in our review:
First, more departments are exercising greater oversight of
their bureaus.
Second, at many agencies, program officials, CIOs, and IGs
are engaged in working together.
Third, the inspectors general have greatly expanded their
work beyond financial systems and related programs and their
efforts have proved invaluable to us in the process.
Four, more agencies are using their plans of action and
milestones as authoritative management tools to ensure program
assistant level IT security weaknesses, once identified, are
tracked and corrected.
And, fifth, OMB's conditional approval or disapproval of
agency IT security programs has resulted in senior executives
at most agencies paying greater attention to IT security.
The bad news is that as we predicted in our previous
testimony, the more IT systems that agencies and IGs review,
the more security weaknesses we're finding. Our initial
analysis reveals that while progress has been made, there
remain several significant weaknesses:
First, many agencies find themselves faced with the same
security weaknesses year after year. They lack system level
security plans and certification. Through the budget process
OMB is assisting agencies in prioritizing and reallocating
funds to address these problems.
Second, some IGs and CIOs have vastly different views of
the state of the agency security programs. Although some
agencies have already acted to address more rigorous findings,
OMB will highlight such discrepancies in our feedback the
agency has.
Third, many agencies are not adequately prioritizing their
IT investments, and therefore are seeking funding to develop
new systems while significant security weaknesses exist in
their legacy systems. OMB will assist agencies in
reprioritizing their resources through the budget process.
I'd like to talk a little bit about six common weaknesses
we identified in the IT security report to Congress last year:
First, lack of agency senior management attention to
security. In addition to conditionally approving or
disapproving agency IT security programs through private
communication between OMB and each agency head, we have used
the President's Management Agenda Scorecard to continue to
focus attention on serious IT security weaknesses. Through the
scorecard, OMB and senior agency officials are monitoring
agency progress on a quarterly basis.
Second, nonexistent IT security performance measures, as I
referenced earlier, also address the performance of officials
charged with implementing specific requirements of the Security
Act. These measures are mandatory and represent the minimum
matrix against which agencies must track and measure
performance and progress.
Third, poor security education awareness. As in my
testimony, the administration's electronic government
initiative called E-Training will incorporate additional
security courses, and of course agencies are using traditional
classroom-style training.
While OMB can and will continue to assist agencies with
their efforts in addressing the security weaknesses, the
responsibility and the ability to fix these weaknesses
ultimately lies with the agencies.
I'd like also to address some additional areas for
attention. OMB, the President's Critical Infrastructure
Protection Board, Federal agencies, and others are addressing a
number of other significant IT security issues. The
administration strives to assure that disruptions of the
Federal IT systems are infrequent, of minimal duration,
manageable, and cause the least damage possible. In this
regard, we're essentially addressing two types of threats:
organized and ad hoc.
We'll assure that Federal agencies undertake effective
systems management practices with tools and training to ensure
timely deployment and continued maintenance of security of IT
systems. But countering sophisticated organized threats is far
more complex. The development of a governmentwide enterprise
architecture is a central part of the administration's IT
management and the electronic government efforts. Accordingly,
the administration will use this to better prioritize and fund
Federal Government security needs.
I run through a number of other additional comments in my
testimony. But let me conclude by saying, Mr. Chairman, again,
I'd like to express the administration's appreciation for your
untiring leadership on IT security and government IT management
in general.
Mr. Horn. Thank you.
[The prepared statement of Mr. Forman follows:]
[GRAPHIC] [TIFF OMITTED] T9165.002 through T9165.010
Mr. Horn. And we will now move to the next witness, and
then when we finish the witnesses, we will begin the
questioning. We are delighted to have the Honorable James B.
Lockhart, III, the Deputy Commissioner and Chief Operating
Officer of Social Security, Social Security Administration.
Mr. Lockhart. Thank you, Mr. Chairman and Mr. Lewis. Thank
you for inviting me here today to discuss computer security at
the Social Security Administration. Commissioner Barnhart and I
believe that it is indeed a critical ``24x7'' issue. We
recognize that creating an effective security program is not
just a technical issue, but also an issue that demands the
attention of top management.
Today I would like to outline the challenges we face and
the significant strides our agency has made to further
safeguard information security. Our approach to computer
security is forward-looking while focusing on continuous
monitoring and continuous improvement. The systems challenges
we face are substantial. In a typical workday we interact with
about 500,000 people through our field offices, telephone
network, and Internet services. To handle our workloads we rely
on seven mainframe processors based in a national computer
center and on more than 100,000 network-connected work stations
in over 1,500 locations throughout the country. These computers
process more than 35 million transactions a day.
Our Chief Security Officer sets agency policy for
information security. That position was recently elevated to
report directly to the Chief Information Officer, who reports
directly to the Commissioner and myself. The CIO reports to the
Commissioner annually on the state of security in SSA, but in
reality it's really a regular agenda item at all our executive
staff meetings and also at the Executive Internal Control
Committee which I chair.
We have made President Bush's management agenda including
E-government and a specific security measure part of our new
Senior Executive Service Performance System. We have also
incorporated a performance measure in our annual performance
plan. Systems security has been integrated into our systems
development life cycle for more than 15 years. However, in the
last year we've begun a number of improvements to ensure that
the security program remains responsive to evolving technology
and vulnerabilities.
Systems intrusions are one major area of concern. Social
Security uses a variety of proactive measures plus individual
testing--independent testing and evaluation of security
controls to detect and prevent attempted intrusions. For
example, we use state-of-the-art software that registers,
restricts, and records user access to data. It also determines
what function a person can do once they have access to the
data. Passwords are changed every 30 days. The software allows
Social Security to audit usage and provides a means to
investigate allegations of misuse. At least once a month we
also scan every work station, telephone, and system platform
for compliance.
Social Security's commitment to information security is
really shared throughout the whole organization. It is really
part of the Social Security culture that is reinforced through
training and frequent communications. Frontline employees know
to contact the agencywide help desk when a virus or intrusion
is suspected. The help desk quickly contacts the ``first
response group,'' comprised of both senior management and
technical staff, who can rapidly mobilize appropriate
resources.
Social Security has a strong critical infrastructure
protection process to assure Agency business processing
function despite catastrophes. The program includes project
matrix reviews, audits, risk assessments, remediation plans and
related training.
Congress has greatly helped to raise awareness of
information security. The Government Information Security
Reform Act of 2000 furthered the agenda of systems security by
providing for an assessment and reporting mechanism. We
completed our annual security self-assessment in September of
this year. We actually hired an independent technology
consulting firm to look at our self-assessment, and they
concurred with our self-rating and were impressed with our
security program. Social Security's inspector general's review
stated that we met the GISRA requirements and made improvements
since last year. However, as we all know, there is always room
for further improvement.
In conclusion, Commissioner Barnhart and all of us at
Social Security recognize that system security is not a onetime
task but an ongoing mission. We know we must be vigilant to
ensure that personal records remain secure, taxpayer dollars
are protected, and public confidence in Social Security is
maintained.
I would also like to thank you, Mr. Chairman, for your work
over the years in improving awareness of the importance of not
only system security, but also a wide range of program
stewardship issues such as financial accounting and reporting
debt collection and Y2K. I can assure you that we will continue
to work with this subcommittee to help protect the information
security of the American people for which we are stewards. I
will be happy to answer any questions later.
Mr. Horn. Thank you. And I will hope that there will be
excellent people in this, both for the minority and the
majority. So thank you. Keep the heat on this subcommittee and
vice versa.
Mr. Lockhart. Yes, Mr. Chairman.
[The prepared statement of Mr. Lockhart follows:]
[GRAPHIC] [TIFF OMITTED] T9165.011 through T9165.016
Mr. Horn. And we now have a longtime friend of this
committee, the Honorable Kenneth M. Mead, Inspector General,
Department of Transportation.
Mr. Mead. Thank you, Mr. Chairman, Mr. Lewis. Like my
colleagues and Mr. Lewis, I would like to start by just saying
thank you for so many things over the years. This hearing is--I
suppose the words almost certainly would apply here--one of the
last hearings that you'll be conducting in this capacity. And
you've truly been a champion of good government. I think most
recently--the successful transition to Y2K was a triumph of the
oversight practices of this committee and your stewardship--but
it's the full range of management issues, that inspector
general community will miss you for.
I mentioned Y2K. Actually, computer security has a lot of
similarities with the Y2K experience. If you stop and think
about it, Y2K involved a process where you first had to
inventory your systems. You had to identify the
vulnerabilities. Then you had to do a cost-effective risk
analysis of what holes needed to be plugged and you had to set
priorities. A big difference, of course, is that in Y2K we had
a date certain to meet. No waivers from anybody. It was bound
to happen. Those were the marching orders.
Here the date is a little less fuzzy, but I think we need
to move forward with the same sense of vigor because of the
importance of the area.
I'd like to summarize where DOT has been, what progress has
been made, and what it needs to do to secure its critical
systems. And the bulk of my testimony is based on the report we
recently issued under GISRA. OMB has it. You have it. The
Secretary has it. And we're pleased with the Department's
response. DOT's information security program remains a material
weakness, as reported last year, and we're going to recommend
that it be reported as such again this year.
I must say that under Secretary Mineta's leadership, DOT
has made a strong commitment for improvement and there is
noticeable progress that I can specify, but they have a long
way to go. A notable example of the progress has been that DOT
significantly enhanced defense against intrusions from the
Internet. FAA upgraded increased background collection on its
employees.
But there are six areas that DOT needs to focus on and here
they are: First and foremost, as in most things, establish
leadership. DOT does not have a CIO, Chief Information Officer.
And, in fact, in the 6 years since the Clinger-Cohen Act was
passed, we've had a CIO for 18 months of that period, and we
don't have one now. I should say that it's not for want of
active recruiting. But we need one. And, Mr. Chairman, it's not
only a case of just having a CIO, someone with that title. The
DOT CIO Office, in our judgment, does not have sufficient
authority or controls over the operating divisions' information
technology budgets or performance. You know, DOT is set up--we
have about 9 or 10 agencies: FAA, Coast Guard, the Federal
Highway Administration, so forth and so on. But the operating
divisions generally have not in the past been held accountable
to answer to the CIO. This will be evidenced in several of the
other points I'm going to illustrate here.
A second area is securing computer systems against
unauthorized intrusions. Several years ago, we reported to
this committee that DOT did not have firewall security.
Intruders could easily gain access to DOT computers systems
from the Internet. Two years ago, we testified that the
firewall security was not strong enough and there were
unsecured ``back doors'' to access DOT computers. Since then,
DOT has enhanced its firewall security against unauthorized
intrusions from the Internet which are referred to as the
``front door.'' But, despite repeated directives from the
Agency's CIO office, there are still a significant number of
unsecured ``back doors.'' What are back doors? Back doors are
dial-up modems. They are non-DOT computers that are connected
to those of DOT's, in many cases, by the hundreds of
contractors that DOT has. We think that's a significant risk
area.
Third, reporting cyber incidents. DOT needs to do a better
job in analyzing and reporting major cyber incidents. Last year
they reported 25,000 incidents. But most of those were not
analyzed or stratified for degree of seriousness. And most of
them, my guess is, were innocent acts of somebody misusing a
password or whatever. We also found, though, that 3 of 10 major
incidents we had went unreported to the Federal Computer
Incident Response Center. We think that needs to be
strengthened.
Fourth, protect E-government services. DOT needs to better
protect its public Web sites from being attacked. In our audit
work, we identified 450-odd vulnerabilities throughout DOT.
Forty percent of them were at FAA, and the Federal Highway
Administration had 113 of them. Of the 450-odd vulnerabilities,
Mr. Chairman, we would rank about 80 of them as being very
serious, meaning that they could allow attackers to take
control over DOT Web sites. DOT, I should note, promptly
corrected the vulnerabilities we identified.
Fifth area, check contractors' employees background. DOT
still needs to do more in this area. I'm happy to report that
FAA has made progress. I believe it was at a hearing before
this and a couple of other congressional committees where this
was a major problem 3 years ago. Our tests now indicate that
about 84 percent of FAA contractor employees have received
background checks versus just 23 percent 2 years ago. But still
the delta between that 84 percent and 100 percent is too
significant, in my view. Unfortunately, other DOT agencies have
not made as much progress and their compliance rate rose only
from 13 percent to 14 percent.
And, finally, a major task is to get all DOT's 561 mission-
critical systems certified for adequate security. The current
date for doing that is set at December 2005. This challenge is
particularly similar to Y2K. Right now, we have completed the
security assessment--not we, the DOT, of 123 of 561 systems.
They have a long way to go. And I'm a little concerned about
the date of December 2005 being several years away. I'd like to
see this process be accelerated but it's going to require top
management commitment to put the pressure on.
And finally, Mr. Chairman, I'd like to say a word about the
role for inspector general and GAO. And I think this is alluded
to in Mr. Forman's written statement. I'm concerned that too
much reliance is being placed on the inspector generals and GAO
to identify vulnerabilities. As I noted, we identified 450-odd
of them. Those were plugged when we identified them. But you
don't want to rely on your inspector generals or GAO to
identify all the vulnerabilities. Inspector generals are fairly
small operations. We're supposed to audit. We are not in the
business of running the security program. I'm pleased to report
that I think under Secretary Mineta's leadership this is
beginning to change at DOT, but it needs to change in a much
larger way. Thank you.
Mr. Horn. Thank you, and we appreciate the thoughts you
have there and we'll get to that a little later.
[The prepared statement of Mr. Taylor follows:]
[GRAPHIC] [TIFF OMITTED] T9165.017 through T9165.024
Mr. Horn. We now have Richard D. Pethia, and he is the
Director of the CERT Coordination Center of Carnegie Mellon,
and you've been very helpful to this subcommittee over the last
decade and a half. And you might want to put on the record,
what does CERT mean? And we would be glad to hear from you.
Mr. Pethia. Thank you. Mr. Chairman and members of the
subcommittee, thank you for the opportunity to testify on
computer security issues. And Mr. Chairman, thank you
especially for helping us all focus on this important IT-
related topic.
My perspective comes from the work that we do at the CERT,
the Computer Emergency Response Team, where since 1988 we have
handled over 170,000 separate computer security incidents and
catalogued more than 8,000 computer vulnerabilities. During
that time, the Internet has changed dramatically and computers
have become such an integral part of American government and
business that computer-related risks cannot be separated from
national defense, general safety, health, business and privacy
risk. Valuable government and business assets along with
personal information, critical services, are now at risk over
the Internet. Our increasing dependency on these network
systems is being matched by an increasing number of attacks
aimed at those systems.
The CERT Coordination Center alone, one of only over 200
incident response teams globally, has seen a dramatic increase
in the number of incidents reported over just the last 4 years,
from 3,700 in 1998 to over 53,000 in 2001; and at the current
reporting rates, 2002 will top 100,000 separate incidents.
These attacks are aimed at systems across government and
industry, and have led to loss and compromise of sensitive
data, loss of productivity, system damage, financial loss, and
loss of reputation and customer confidence. Virus and worm
attacks alone have resulted in hundreds of millions of dollars
of loss in just the last 12 months.
Most threatening of all is the link between cyber space and
physical space. Supervisory control and data acquisition
systems are used to control power grids, water treatment and
distribution systems, oil and chemical refineries, and other
physical systems. Increasingly, these control systems are being
connected to communications links and networks to reduce
operational costs by supporting remote maintenance and remote
control functions. These systems are potential targets of
individuals bent on causing massive disruption and physical
damage. This is not theory. Actual attacks have caused major
operational problems in Australia, for example, where attacks
against sewage plants have led to the release of hundreds of
thousands of gallons of sewage sludge.
The Internet has become a virtual breeding ground for
attackers. Intruders share information about vulnerable sites,
vulnerabilities in the technology and attack tools. Internet
attacks are difficult to trace. The protocols make it easy for
attackers to hide their identity and location on the network.
The number of cyber attackers that have been identified and
prosecuted is minuscule compared to the number of security
incidents that are reported on an ongoing basis.
Our systems are vulnerable. Last year we received 2,400
vulnerability reports, reports of weaknesses in pieces of
software, and we expect to receive over 4,300 reports by the
end of this year. These vulnerabilities are caused by security
weak design and development practices. With this number of
vulnerabilities, fixing vulnerable systems is deemed difficult.
System and network administrators are in a hard spot. It is
often months or years before patches are implemented on the
vulnerable computers, and we often receive reports even years
after the fact of attacks of vulnerabilities that have been in
fact known for 2 or 3 years.
And at the same time, the attack technology is advancing.
Today, intruders use worm technology and other automated
methods to reach tens of thousands of computers in minutes,
where it once took weeks or months.
Working our way out of this vulnerable position will
require a multipronged approach:
First, higher quality products. Good software engineering
practices can dramatically improve our ability to withstand
attacks. The solution is going to require a combination of
virus-proof software, reducing implementation errors by at
least two orders of magnitude over today's levels, and
requiring that vendors ship products with high security default
configurations. We encourage the government to use its buying
power to demand such higher-quality software.
Acquisition processes must place more emphasis on security
characteristics, and we suggest using code integrity clauses
that hold vendors more accountable for defects in their release
products. Acquisition professionals should be trained in
current government security regulations and policies, but also
in the fundamentals of security concepts and architecture. It's
important that these people understand not only how to work
within the letter of the law but also the spirit of the law to
get the quality of software that we require in our national
systems.
Also needed is wider adoption of security practices. Senior
management attention here is important. Senior management must
increase its involvement with visible endorsement of security
improvement efforts and the provision of the resources needed
to implement the required improvements. For the long term,
research is also essential to seek fundamental technological
solutions and preventive approaches. Needed in the long term is
a unified and integrated framework for all information
assurance analysis, rigorous methods to quantifiably assess and
manage risks, quantitative techniques to determine the cost/
benefit of risk mitigation strategies, and simulation tools to
analyze the cascade effects of attacks, accidents, and failures
across interdependent systems.
The Nation as a whole requires more qualified technical
specialists. Government scholarship programs that have started
are a good step in the right direction, but they need to be
expanded over the next 5 years to build the university
infrastructure we need for the long-term development of trained
security professionals.
Also needed is more awareness and training for all Internet
security users, with special emphasis paid to students in grade
schools who can begin to understand the ethics of use of these
wide area networks as they understand ethics in other kinds of
situations.
In conclusion, security incidents are almost doubling each
year, and attack technology will continue to evolve to create
attacks that are even more virulent and damaging. Solutions are
not simple but must be pursued aggressively to allow us to keep
our information infrastructures operating at acceptable levels
of risk. We can make significant progress by making changes in
software design and development practices, giving more
management support to risk management activities, increasing
the number of trained system managers and administrators, and
improving the level of knowledge of all users, and increasing
research under secure and survivable systems. Thank you.
[The prepared statement of Mr. Pethia follows:]
[GRAPHIC] [TIFF OMITTED] T9165.025 through T9165.039
Mr. Horn. Thank you. I'd like to still know what CERT is.
And I've looked through here. You've got all sorts of things
that you could put in there. But, you know, is it the Center on
Readiness and Training and so forth?
Mr. Pethia. Computer Emergency Response Team.
Mr. Horn. OK. Good enough. You've got a busy type, and we
thank you for all the things you've done for us and the various
people in this town. So thank you for having that very fine
university in that very fine CERT Coordination Center.
Mr. Horn. We now go to the last presenter, Robert F. Dacey,
Director, Information Security, U.S. General Accounting Office,
and headed by the Comptroller General of the United States. And
you and your staff have done a marvelous position every year,
helping us look at this material when they come in to the
Office of Management and Budget. So, Director Dacey.
Mr. Dacey. Mr. Chairman and Mr. Lewis, it is a pleasure to
be here this morning. And before providing my testimony,
however, I would like to thank you personally, Mr. Chairman for
your sustained and dedicated efforts to improving Federal
information technology management, especially in the areas of
Y2K and information security, and, from my prior experience,
your extreme interest in improving financial management
throughout the Federal Government. Your tireless vigilance has
resulted in increased attention to these important areas and
has stimulated many positive results.
As you requested, I will briefly summarize my written
statement. Federal agencies rely extensively on computerized
systems and electronic data to support their missions. If these
systems are inadequately protected, resources such as Federal
payments and collections could be lost or stolen. Computer
resources could be used for unauthorized purposes or to launch
attacks on others. Sensitive information such as taxpayer data
and proprietary business information could be inappropriately
disclosed or browsed or copied for purposes of espionage or
other types of crime. Critical operations such as those
supporting national defense and emergency services could be
disrupted. Data could be modified or destroyed for purposes of
fraud, deception, or disruption. And agency missions could be
undermined by embarrassing incidents that result in diminished
confidence in their ability to conduct operations and to
fulfill their fiduciary responsibilities.
As Mr. Pethia pointed out, the risks are dramatically
increasing over the years and have been. There are a lot of
reasons for this which he discussed and I would like to again
highlight. First of all, with its greater complexity and
interconnectivity of systems, including within Federal systems
and between Federal systems and other systems in many cases,
trusted relationships exist between these systems which allow
open access if someone breaks into one of the systems.
Second, standardization of systems hardware and software,
which combined with known vulnerabilities create significant
exposures.
Third, the increased volume, sophistication, and
effectiveness of cyber attacks, which combines with the readily
available intrusion or hacking tools and limited capabilities
to detect such attacks.
And, fourth, the development of cyber attack capabilities
by other nations, terrorists, criminals, and intelligence
services. In addition to the threat of external attacks, the
disgruntled insider is also a significant threat because such
individuals often have knowledge that allows them to gain
restricted access and inflict damage or steal assets.
While both the threat and ease of cyber attack are
increasing, our most recent analysis of reports issued since
October 2001 continues to show significant, pervasive
weaknesses in Federal unclassified computer systems that put
critical Federal operations and assets at risk. We have
reported on the potentially devastating consequences of poor
information security since September 1996 and have identified
information security as a high risk area since 1997.
Our chart, which is on the right here, illustrates the
significant weaknesses that were reported for each of the 24
agencies included in our review, which covers the six major
areas of general controls; that is, those areas that cover
either all or a major portion of an agency's information
systems and help to ensure their proper operation.
As the chart shows, most agencies had significant
weaknesses in many or all of the control areas, and efforts to
expand and improve information security may result in
additional significant deficiencies being identified. Also, all
agencies had weaknesses in security program management which
can often lead to weaknesses in other control categories.
At the same time, a number of actions to improve
information security are underway, both at an agency- and
governmentwide level. Some of these actions may require time to
fully implement and address all of the significant weaknesses
that have been identified.
Implementation of Government Information Security Reform,
commonly known as GISRA, is proving to be a significant step in
improving Federal agency information security. We are pleased
to note that Congress has recently passed legislation to
continue and improve these efforts. In its fiscal 2001 report
to Congress on GISRA, OMB acknowledged the information security
challenges faced by the Federal Government and highlighted six
common security weaknesses, which Mr. Forman earlier discussed.
Highlighting weaknesses through GISRA reviews, evaluations, and
reporting helps agencies to undertake corrective actions. Also
many agencies reported that first-year implementation has
resulted in increased management attention and created a
baseline for future reviews.
In addition, GISRA implementation has resulted in important
actions by the administration, which, if properly implemented,
should continue to improve information security in the Federal
Government. Mr. Forman previously highlighted these actions in
his testimony and some of the new actions they are taking. In
addition, the President has taken broader actions in the areas
of homeland security and critical infrastructure protection
that also can lead to improvements in Federal information
security.
In addition to these actions, GAO believes that there are a
number of important steps the administration and agencies
should take to ensure that information security receives
appropriate attention and resources and that known deficiencies
are addressed. These steps include: Delineating the roles and
responsibilities of the numerous entities involved in Federal
information security and CIP or Critical Infrastructure
Protection; providing more specific guidance on controls
agencies need to implement; obtaining adequate technical
expertise to select, implement, and maintain controls
allocating sufficient resources for information security; and
continuing research and development efforts to find new ways to
manage information security better.
Mr. Chairman, Mr. Lewis, this concludes my statement. I'll
be pleased to answer any questions that you have at this time.
[The prepared statement of Mr. Dacey follows:]
[GRAPHIC] [TIFF OMITTED] T9165.040 through T9165.074
Mr. Horn. The vice chairman, Mr. Lewis, would like to take
a look at some of these, and I want him here because he's the
only member of this full committee and the subcommittee of Ways
and Means. That's a very lofty committee and goes back to the
first--1789. And they also have to do with tax administration.
And I'm hoping with him being on Ways and Means that we can get
our debt collection law, which Mrs. Maloney and I put together
in 1996--and it's going great right now. It's just that's for
nontax. And now we'd love to have you, Ron, as the--if you can
sneak in at night to get them to get the debt collection.
And when I looked at that--and that's when I asked the
then-President, how about getting a CEO, because we're not
getting anywhere, and IRS in one pot had $100 billion sitting
there to be collected. When I counseled that one, they said,
Oh, oh, there's one other one, easier; $60 billion. And we're
looking for money in this country? Let's get it done. And you
will be a hero, Ron. And good luck.
Mr. Lewis. Thank you, Mr. Chairman. We could use some extra
money right now.
Mr. Horn. Yep.
Mr. Lewis. Mr. Forman, the OMB has issued guidelines
stating that agencies must include security procedures in their
budget requests for information technology projects. They do
not--the OMB has said it will not fund the project. Has the OMB
refused any funding for this reason?
Mr. Forman. Yes, we did last year. There will of course be
some more feedback we'll give to the agencies. Generally the
approach--and we do this with a business case--is to refuse
funding if an agency does not have good justification on a
number of the components, security being one of them.
There are a number of programs last year that we put on the
high-risk list for fiscal year 2003 where security was the
predominant problem, and so we spent quite a few months working
with the agency to address the security problems. I'd say
generally--I can't say for a fact it's in every case--but
generally the agencies would rather work through their security
problems than not get funding, so that incentive structure
seems to work.
Mr. Lewis. Very good. Thank you.
Excuse me, I get the opportunity to give you some more
questions. The Security Act requires that agency corrective
action plans address all known vulnerabilities. If agency plans
fail to include all known vulnerabilities, what action will the
OMB take?
Mr. Forman. We, through both last year's guidance and then
this year's most recent guidance, have taken a comprehensive
approach. That's one of the reasons that we believe so strongly
in having both a CIO's report and an audit followup process
leveraging the IGs. The ultimate approach, therefore, when we
get the reports and the submission is to compare the two sets
of data. Also use the GAO data and work via the budget process
to ensure that remediation occurs.
Let's say, as I pointed out in my testimony, one of the
recurring problems that we've seen is agencies' desires to
invest in new IT and at the same time claim that they can't
remediate legacy systems problems. There's a tradeoff to be
made. Obviously, if a legacy system is only going to exist for
5 or 6 months, one may not invest in a total security overhaul,
and there are other ways to protect the system. But there are
too many instances still where we see agencies not doing what I
consider the nuts and bolts here.
A corrective action plan has to include some certification
and accreditation of the legacy systems. And so again we are
making very clear to the agencies that we're simply not going
to fund new investments and short remediation on accreditation
certification. I think you'll see that's a much bigger focus
this year for us when the report comes in in the February
timeframe.
Mr. Lewis. Based on the OMB's analysis of the performance
measures required in the Government Information Security Reform
Act Report, it accurately measures the agency's progress in
securing their critical computer systems. Does it?
Mr. Forman. The--I think there are a couple of issues to
consider. First of all, I'd say yes; but it's at a high
management level. And, of course, one of the things that the
chairman has worked so hard on for many years I think is coming
to fruition. We've got secretaries and deputy secretaries now
who are focusing on security. In fact, within the White House,
all the way up to the President, people are focused on cyber
security now. There's a difference, though as we get into the
details. And I think as my colleague from GAO has laid out very
clearly, it's time to get into the nuts and bolts. And program
management now comes much more to the forefront.
So we too are going to shift our focus on that and onto a
lot of nuts and bolts. At the same time, I don't think you can
ignore the fact that the vulnerability and threat picture has
shifted. So there are a couple of types of threats. One, I
would consider the hacker threat that we addressed in the
testimony. And in there we're making much heavier reliance on
FedCert and increasing their capabilities, the patch management
services contract that I alluded to. And by leveraging XML and
some of the easier reporting technologies to reduce the burden
and literally allow for electronic-type reporting of incidents
so you don't have to have a person in the process per se, we
can make that a seamless process and we'll move forward in
that.
The organized threats are going to take a different level
of response and a different approach to that, I think, than
what we're viewing in hackers. While I can't get into,
obviously, much of the discussions going on, I think you're
probably aware that the deadline for comments on the cyber
strategy is today. But what I can say is that regardless of
what happens, we know we have to tighten up the continuity of
business operation planning again, as Mr. Dacey alluded to.
It's better, but this is very similar to the Y2K issue. And
before September 11 last year, I'd say very few of the agencies
had been maintaining the continuity of operations plan. So that
too has become a big focus for us.
Mr. Lewis. One more question. The OMB's 2001 Report to
Congress required by the Government Information Security Reform
Act highlighted six common weaknesses of Federal agencies. Have
you noted any significant improvements in these areas?
Mr. Forman. As I alluded to in my testimony, yes, although
it's not as governmentwide as we would like to see in all the
areas. Some agencies are making marked progress. We have some
discrepancies based on our initial view, versus the chairman's
scorecard. But what I'd say is that the most marked increase is
in the senior manager, the secretary and deputy secretary
focus, and that, without a doubt, is uniform now across the
board, as I think you heard from Deputy Secretary Lockhart and
also others on the panel.
Mr. Lewis. Thank you.
Mr. Horn. Thank you. Let's talk about Commissioner
Lockhart's work and how that goes about. And would it be
possible, Mr. Forman, that OMB might have various types of
teams brought together of different Cabinet departments so that
you could go out--and the word ``accreditation'' was mentioned
a little while ago. And if we had a team like that needed some
help, would that be useful to OMB?
Mr. Forman. Well, there are some teams in the Federal
Government that do get involved in a range of security reviews:
obviously, the National Institute of Standards and
Technology, Department of Energy, and I believe some other
departments. There's a fruitful source of this support in the
private sector. The Interior Department, for example, has
engaged a company to help them with accreditation and
certification. This capability is a type of service that is
exactly as you laid out. It's project based. It's team based.
And I don't know that it's inherently governmental. There are
clearly a set of government rules and regulations, but they're
also industry practices. It gets down to things like what's the
proper way to install a certain type of software or a certain
server; is it outside or inside the firewall? And my preference
would actually be that rather than buildup huge teams within
the government that were forever trying to work across
traditional silos, that we would increase our reliance or
continue our reliance on the private sector teams. I know that
companies, as us, have a growing demand for that type of
service.
Mr. Horn. Commissioner Lockhart, would you be willing to
let some of your best people for a while go in other parts of
the executive branch?
Mr. Lockhart. Well, Mr. Chairman, we do have some very good
people and we have some very big challenges. Now, would we very
much like to work with the rest of the government and we're
trying to, through mechanisms like the President's Management
Council which I serve on, trying to go across government and
work together.
I guess I would agree with Mr. Forman that--and we use this
extensively. We use a lot of private sector expert technology
and consulting firms to do this kind of activity. We work with
them. We would be happy to share our expertise, but we have a
lot of needs. Even though we have good grades from you, we
still have a long ways to go. So I would like to keep them
internally, if we could.
Mr. Horn. Well, I can realize that. But it seems to me, you
don't have to do it all the years, but get in there and help
them.
Mr. Lockhart. Well, certainly we are involved in the CIO
group. We do share best practices, and we will continue to do
that. We learned from other departments, and hopefully they
learned from us.
Mr. Horn. With Social Security and with your being on the
council--aren't you? And that includes all CIOs?
Mr. Lockhart. Well, the council I referred to is the President's
Management Council, which is the Deputy Secretary, Deputy
Commissioner.
Mr. Horn. And that is your equivalent for Social Security?
Mr. Lockhart. Right.
Mr. Horn. And what I am wondering about, when I hear there
is no CIO in one place, Mr. Forman, do we have any more that
are missing CIOs?
Mr. Forman. Departments that are missing CIOs?
Mr. Horn. Yes.
Mr. Forman. Yes, we do. I thought we had gotten a full
cadre, but we seem to run up against the inevitable situation
in government where people stay in new jobs for around 18
months. And so we are working through getting some new folks.
What I would say is that we do seem to get good talent in
these jobs, as people are retiring or leaving for other
opportunities, finding good people to fill in; and I will give
you an example on that. I think one of the most important ones
here is the security liaison in the CIO Council, and that's a
CIO that essentially works with the different committees--we
have three major committees, the Workforce Skills, the Best
Practices Committee, and the Architecture Committee--and fuses
security focus into those committees.
Ron Miller, who had been the CIO at FEMA, moved over to
work on the transition team. FEMA was able to promote a deputy
that he had recruited, a very talented and capable person, Rose
Parks, to their CIO. But meanwhile, we quickly, because of the
importance of this, wanted to make sure we had a solid CIO for
that liaison, and so we picked Van Hitch, who is the CIO at the
Justice Department.
Now, Justice is--one of the differences of opinion I would
have with your scorecard, I think they made good progress
there. But Van also was a recent hire from the private sector.
When he was hired into the government, he came in with--and
this was one of the early ones--Attorney General anointing the
CIO as having the responsibility that was originally envisioned
under the Clinger-Cohen Act.
So we are working through the inevitable rotation, and
there are some success stories there as well.
Mr. Horn. Now, CFOs, are we short them in some of the
agencies and departments?
Mr. Forman. That, I am not prepared to address.
Mr. Horn. Anybody here looking, stealing people from one
place to the other? Well, let us get it in the record; and,
without objection, it will be put in at this point.
I would just like to know the degree to which Chief
Financial Officers, what relation do they have to help in this
situation and work with the Chief Information Officer? And I
would like to hear how that--because part of the problem here
is who is getting what part of the pie to get the cyber
situation.
Mr. Lockhart. I can answer from the Social Security
standpoint. I think we find that working relationship extremely
important between the CFO, the CIO, and the Systems Group. And
they work very closely; they are all part of the senior
management team of Social Security. We work closely in a very
integrative fashion on the budget process; we work on the
fiscal security, as well as computer security, together. And I
think that teamwork has really helped and been part of our
success, in that we have people extremely devoted to the agency
and to our mission; and, you know, partially that is because
since almost day 1 of Social Security, we have been concerned
about personal security, personal privacy. That was our first
regulation. And so it is really infused in our culture, and
that includes the CFO, the CIO, the Systems Group, and really
the 65,000 people of Social Security.
And so that is one of the important ways that we have
tackled this.
Mr. Horn. I was heading just for you, the Inspector
General. And you have got a council, too. And so what is
happening that IGs, you are doing, for example on the financial
management part of your working? You are the one that can go
outside and put in the accounting aspects of it, and I would be
curious how much the IGs can help the CIO so they can get the
resources they need.
Mr. Mead. I think the Inspector General concept is really
key to helping both the CIO and the CFO functions fully
blossom. And the creatures we call Inspectors General have a
very peculiar reporting relationship. By law, we are to report
to the Secretary and the Congress to keep each currently and
fully informed.
Inspectors General are that part of the agency that is
responsible for auditing. They see things happening much
earlier than other outside oversight agencies might be able to;
and you are able to effect proactive change. And I think that
it is important that you have a collaborative relationship with
the CIOs and CFOs in these agencies.
And I would say, for example, that in the Department of
Transportation, the CFO is also the Assistant Secretary for
Budget, which means that CFO has clout. When the Assistant
Secretary for Budget speaks, she is also speaking with her CFO
hat.
We have turned the situation around on the financial
statements at DOT. For almost 8 or 9 years running, they got a
disclaimer, and now they have greatly improved their financial
situation.
The situation with the Chief Information Officer is a bit
different because the Chief Information Officer doesn't have
any line authority over much of anything. And I point that out
in contradiction to the Chief Financial Officer construct.
Mr. Forman. If I can add to that, I think that it is
important to understand the implications there on a couple of
fronts.
First of all, when we talk about the President's management
agenda and the five scorecards, there are a lot of
interrelationships, and the one that is important here is
between the financial management scorecard and the e-government
score. Generally--and we went through this in this last
quarter--when there is a material weakness related to the
security program, the agency is going to get a double zinger.
They will get it on the management scorecard and they will get
it on the e-government scorecard.
What the public sees is the scores. What the President sees
is the detail behind the scores, and that includes the name of
the person who is responsible for it. So they will see the
zinger on the two scores with the CIO, or whoever the e-
government lead is for that department; and the CFO, or whoever
is the financial management lead for that department.
It is important, therefore, I think, that we continue to
have computer security linked with being a financial material
weakness.
The other thing that you alluded to, though we did go
through this almost a year ago, a situation where a CFO said,
Oh, OMB will forget about the security issues; it is not a big
deal. And that CFO learned that was a career-threatening
comment. This is extremely important to the White House. And
that--I think that word has gotten around to the other CFOs
now.
Mr. Horn. There is a CFO in the executive forces of the
executive branch where OMB is there and a whole group of
agencies. Is that CFO still there?
Mr. Forman. That is a good question. Again, I don't know
for a fact that person is still in their job.
Mr. Horn. Well, we put it in there before the current
President, and it was--we tried to do it with the previous
President. And they said no, no, we don't want that. And I
said, hey, wait a minute. This will be for the next President.
Oh, no problem, they said, let them do it. Good heavens.
Now, I am just curious, because we do need a CFO and a CIO.
Now, who is the CIO that helps your colleagues in the executive
office of the President?
Mr. Forman. Well, I am not sure that we have the formal
or--the formal anointment of a CIO. Our CIO, who had been your
CIO here in the House, was promoted to the Office of
Administration. So his deputy moved up as at least the acting
CIO. And I think--as you know, we have worked fairly closely
with the Appropriations staff to make sure that the executive
office of the President is being held to the exact same
standard that we are holding all the other agencies to. That is
a commitment. You know, if you are going to hold other agencies
accountable, you have to start by holding yourselves
accountable. So we have done that.
I will say that--and I don't know our results on our
security review yet, but I will say, as the user, primary user,
I have had more things stripped from e-mails by our firewall,
which is one of the signs I know. We don't experience many--
much down time. And we are ultimately a prime target in the
hacker community. So we have extensively strong firewalls and
an exceedingly risk-averse IT security policy that is employed
to fight firewalls and other tools.
Mr. Horn. Is there a question on this particular?
Mr. Lewis. No.
Mr. Horn. Go ahead.
Mr. Lewis. There is one question that I wanted to get to,
and I have to leave in just a second.
Mr. Mead, the Federal Aviation Administration, does the
Federal Aviation Administration have a tested contingency plan
to ensure that it can continue to operate its air traffic
control system if hackers were to successfully attack? That is
important to all of us.
Mr. Mead. I will give this in a two-part answer.
First, a decision was made earlier this year, based on a
report we issued, with recommendations that the air traffic
control system would not be tied in any way to the Internet.
There was a proposal from FAA that has been percolating from
1999 to 2000 period that they would have a system that, in
theory, would be insulated from the Internet, but we felt it
would be vulnerable.
A high-level decision was made this year, that would not be
the case. Therefore, the air traffic control system cannot be
hacked through directly from the Internet. And I think that was
a very good decision; although it is going to cost some money,
it is worth it.
Second, the air traffic control system, if one part of it
were to go down for some reason, other elements of it can pick
up the operations for a short period of time. We do think, as
reported in our GISRA report, that for the longer term FAA
needs a more robust contingency plan. But for the shorter term,
we think they have a good one.
In addition, as I noted in our testimony, the background
checks on people have improved dramatically over the last
couple of years. The principal exposure we have on the ATC
system is not from private attackers; it is insiders or
contractors. That is where the attention needs to be focused.
But for the short term, I can give you good assurances that
we are in decent shape. For the longer term, we need to pay
more attention. And that is what we reported to OMB and the
Secretary.
Mr. Lewis. Thank you.
Thank you, Mr. Chairman.
Mr. Horn. Thank you. Appreciate it.
Let us just have a couple with Mr. Mead, the Inspector
General. And the Security Act directs the agency's Chief
Information Officer to develop and maintain an agency-wide
information security program; yet, the Department of
Transportation has not had a Chief Information Officer since
January 2001.
Why has this been allowed to continue, and who has taken on
the responsibility in lieu of the Chief Information Officer?
Mr. Mead. Why has it happened? It has not been for want of
recruiting. They did have a candidate; that fell through for
one reason or another. They are now vetting other candidates.
But I have got to say that I think that the importance of the
position needs to be recognized more vigorously. If you were
talking about the FAA Administrator, the Assistant Secretary
for Budget, or the Deputy Secretary, those positions would not
be allowed to go vacant for such a long period of time.
We will have a Chief Information Officer. I think it will
take probably 2 or 3 more months. But we really need one.
You know, this year, Mr. Chairman, OMB did something I
think was quite good. They brought together the management side
of OMB, the budget side, at very senior levels--the Inspector
General, the budget people, the Chief Financial Officer. And
they went over their range of material weaknesses that needed
to be addressed. And missing, of course, was our Chief
Information Officer because we didn't have one.
Instead--and here is the answer to the second part of your
question--we had the acting Chief Information Officer who has
taken on that position frequently, given that over the last 6
years we have had a Chief Information Officer for only 18
months.
Mr. Horn. And you haven't seen a problem. Is that it? Or----
Mr. Mead. No. I have seen a problem, and the problem is
twofold at DOT. One, the CIO does not have line authority over
budgets. Two, the CIO does not have input into the performance
appraisals of the Chief Information Officers of the various
operating administrations. You need to have those two elements.
We did have a Chief Information Officer for 18 months
during the last administration, and we still had problems. We
had problems largely because the operating administrations did
not feel accountable to that CIO. And right now you have
Secretary Mineta and Deputy Secretary Jackson doing the street
work to get attention paid to information security. And they
are doing a good job, but they have a lot of other things to
do, too.
Mr. Horn. Mr. Forman, are there other CIOs that do not have
any--looking at, in terms of the budget? Or is it at the upper
level of the Deputy Secretary?
Mr. Forman. Well, obviously, especially in this era we want
the secretaries and deputy secretaries to focus on improving
the quality of the cyber security posture at the departments.
But I have to agree with Mr. Mead; where we have seen
progress, there has been clear action taken to empower the CIO.
We did some of that in the budget process last year. Obviously,
our focus on capital planning and enterprise architectures is
specifically for that purpose, but also other Secretaries, the
Attorney General. So, where there is a Secretary or where we
are working with the Secretaries make it clear that the CIO is
fully empowered, we see progress.
Now, I would say transportation is one where there is a
less-than-powerful CIO. I think, though, we have--whether it is
OMB or if you talk to the Secretary or Deputy Secretary, all
agree they need a powerful CIO. You run into an interesting
situation then, trying to recruit someone, because you know
that first person there is going to be one that is going to
take on some very longstanding cultural issues, political
issues, both internal and relationships between operating
administrations and the Congress. And it does take, I have
found, a concerted effort in working with this committee, with
the Appropriations committees, with the leadership of that
department and OMB, to make that change occur. And that is
really tough absent a burning document or crisis like the
situation at Interior.
Mr. Horn. Well, we will move to the Carnegie Mellon expert
here. And in your testimony, you state that the number of
reported incidents continues to rise. Mr. Mead stated that the
Department of Transportation has reported more than 25,000
incidents in 2002, although all may not have been intrusions.
Meanwhile, some agencies, such as the Department of Housing and
Urban Development, have reported no incidents.
Given your expertise on this subject, how would you explain
this disparity?
Mr. Pethia. Two reasons that I can think of. One of them is
that often organizations, both in the government and in the
private sector, shy away from reporting incidents because they
don't want the little black mark that goes next to their name
that says there is a possibility of a security problem. We
certainly see a lot of that in the private sector. Concerns
over loss of confidence in the organization make people
reluctant to want to report.
The second reason is that very often I think a lot of these
incidents go not just unreported but undetected. We know that
intrusion detection technology is only moderately effective. We
know that many organizations don't have active programs in
place to monitor their systems and monitor their networks to
look for signs of intrusion.
So I think it is a combination of both, organizations that
don't want to report because they are concerned about
embarrassment, but also, all too often, the case that these
incidents go undetected.
Mr. Horn. You expressed concern about the vulnerabilities
associated with the supervisory control and data access
systems. Can you give us a specific example of the result if
one of these systems which controls some of the Nation's
critical infrastructure were successfully attacked?
Mr. Pethia. The example that was in my testimony was a case
that was reported from Australia where it was actually a
disgruntled employee who decided to affect the operations of a
sewage control system, and in fact, hundreds of thousands of
gallons of sludge were dumped out into the environment causing
the environmental impact of that. You can hypothesize certainly
other kinds of incidents where, very simply, things like oil
stops flowing, natural gas stops flowing, power isn't delivered
to certain parts of the country, hydroelectric dams are
suddenly releasing water into river valleys where the level of
water is not expected.
So I think this is an area where we have to begin to
understand and pay more attention to the fact that the cyber
world and the physical world are now tightly connected. And we
often think about physical events and cyber events as separate
kinds of things, but now that we are living in a situation
where we have to pay attention to terrorists, people that want
to disrupt our society, I think we have to, all of us, have a
better understanding of how the cyber world and the physical
world are connected, how physical attacks--how the impact of
those attacks can be amplified by cyber attacks. So, for
example, if there were to be a physical attack on one of our
cities disrupting the communications systems that, at the same
time, would slow the response to that kind of an attack, it
would slow emergency services.
And similarly, we can see how physical attacks can
exacerbate the cyber attacks as well. And that is an area of
work that I think--you know, now that we are beginning to get
some of the basics in place, I think we need to look beyond
just cyber alone and look at the connection between cyber and
physical.
Mr. Forman. Mr. Chairman, if I may address a key point in
that. You know, we track data on intrusions, and we see the
numbers of thousands of intrusions. And while I am sure that is
important, the issue that has long existed is the internal
threat. And the corollary to that is, you have to know what you
do once you intrude. You have to know what a piece of data is.
Breaking into an Oracle or an IBM DB2 data base doesn't get me
anywhere if I don't have a copy of that somewhere on my
computer and know what that data structure is. Otherwise, all I
have done is revealed a string of, who knows what.
So it is not as--I don't believe, as simple as saying the
number of intrusions have gone up and therefore there is a real
problem here. You have to have some insight about what you are
doing in order to say there is a real vulnerability or threat.
Mr. Horn. Any thoughts on that comment?
Mr. Pethia. I think that is certainly true. The great
majority of what we see out there are what I often call
``recreational hacking attacks,'' hackers are out looking for
things to explore or out to prove some kind of a political
point who are not really bent on doing damage. But I think as
we become more reliant on this technology and as we
interconnect more and more of our systems, the people who are
serious about causing damage, or the people who are serious
about taking advantage of us for their personal profit, the
criminals and the terrorists, will begin to move more and more
into this space.
And I agree with Mark, you certainly can't attack a system
and do an awful lot of damage unless you do know something
about it. But we do know that our systems are being surveilled,
we know that they are constantly being probed, we know that
networks are being mapped. We know that there are people out
there who are working very hard to understand how our systems
are configured and how they are put together. And so I think a
lot of the thing we have to pay attention to is the insider
threat. But an awful lot of outsiders are working hard to
become as knowledgeable as the insiders, and we can expect to
see those kinds of attacks in the future.
Mr. Horn. Well, along that line of someone with your
extensive knowledge of Federal operations, what are the most
important actions Federal agencies must take to improve their
computer security?
Mr. Pethia. I am very happy to see GISRA and the effects
that it is beginning to have. I think the steps that are
outlined there are exactly the right ones for agencies to go
through right now. But as Mark said, Mr. Forman, earlier in his
testimony, as we are now beginning to get some of these high-
level things in place, it is time to get down into the details,
the nuts and the bolts.
And that is why I often speak about the need for more
trained professionals, more knowledge about security, security
issues, because this risk management action--as we begin to get
the senior level attention, as we begin to get security plans
in place, as we begin to go through an annual process, now it
is time to implement those corrections that are needed; and
that requires knowledgeable people. And so I think the next
step is for agencies to have a real understanding of exactly
why these vulnerabilities are serious, and then to put into
effect the right kind of implementations and monitor those
implementations for effectiveness over time.
Mr. Horn. Mr. Dacey, based on your analyses of the last 2
years of agency reports required by the Government Information
Security Reform Act, do you believe that the Federal Government
is making progress in its efforts to secure the government
computer systems?
Mr. Dacey. Yes, Mr. Chairman, I do believe they are making
progress. There are many actions under way both, as I said, at
a governmentwide level and agency level; and I would
distinguish some of those actions. I think some of them were
challenging, but longer-lasting actions will take some time to
fully implement. We have talked about some of these here this
morning.
Putting in an effective security management program, I
think is key, because oftentimes in doing our audits, we find
that maybe the agency in fact fixed some of the specific
weaknesses on the specific systems we audited, which is only a
small portion of the agency systems, and yet we find the same
types of incidents and problems occurring in other systems
within the agency; and in fact have seen on several occasions
the same weaknesses occur as new operating systems are
installed and the same changes aren't made to those new
operating systems that were fixed on the old ones.
So I do think security management is key. I think we are
seeing some fundamental changes taking place. We talked earlier
today, the Honorable Mr. Lockhart had talked about SSA and
their efforts to monitor their systems and put together a
program to really highlight to executive management what is
going on and really to probe their own systems and understand;
and we are seeing some efforts in that arena as well.
We are seeing responsibilities changing--VA recently moved
the responsibilities for security and all of the budget
decisions to the CIO similar to what we talked about. And I
know there are a number of agencies, although I don't know
which today, that is still an issue--but we have seen where
that is happening, it is starting to make fundamental changes
to the core, because what we really need is a structure of
management that can address these problems.
We talk about vulnerabilities that are showing up with a
magnitude of about a 12 or 13 a day, on average, and I am sure
that is increasing. Mr. Pethia might update us on that. But it
really calls for a fundamental structure; and it is a
management challenge rather than a technical one.
I do agree we need to address some of the technical issues.
I think with the bill that Congress recently passed to provide
some funding for research and development and education are two
key areas that will help address some of those problems. But--I
do think those are the issues, but I do think there are
improvements. I think there need to be more, though.
And again getting back to the other discussion, some of the
nuts and bolts, we know on one hand there is a big risk,
because there are a lot of hacker tools and a lot of known
vulnerabilities that exist. On the other hand, we need to take
that information and take it back to our own systems and say,
well, we know what kind of things that the hackers might
attack; we need to make sure that our systems are prepared to
address those areas.
So there is a lot of progress, but we also have got to keep
in mind that the risk, I think, is dramatically increasing. We
are not dealing in a static risk environment. I think it is
increasing; I think it will be a continuing challenge to make
sure that those improvements keep pace, or in fact we need to
outpace the increase in the risk to make progress, real
progress.
Mr. Horn. What lessons can be learned from those agencies
that are successfully improving their computer security?
Mr. Dacey. I think Mr. Lockhart addressed some of those
issues in terms of security management.
We issued a guide in 1998 which really laid out a lot of
the key issues. And GISRA was fundamentally based on some of
the same principles, and your grades which you put up today are
also based on security management concepts. And that is putting
in place a key function responsible for computer security at a
level in the agency that has the senior management's attention.
That is a key aspect. Making sure you have got risk
assessments, understanding what those risks are.
I know there are some governmentwide efforts now through
NIST to develop standardized guidance for certification and
accreditation that are now in draft and lay out three risk
levels; and they intend to go further and define minimum
controls for those risk levels, as well as techniques that can
be used to assess them.
So we really have a structure that is starting to take
place to assess the risks. I think those agencies that have
gone ahead and done that, that are far advanced in the
certification and accreditation process, have been able to
demonstrate a better knowledge of their systems and in fact
inventory their systems, which is something that is in the
Federal Information Security Management Act, the fundamental
process to make sure agencies have all their systems identified
so they can begin that risk assessment process. And agencies
like SSA, I think have done a reasonable job of trying to
identify those systems and manage them. So that is important.
The second area is making sure you have the necessary
controls. I think with some of the NIST efforts--that may go to
help. I think it is a promising action that could help, because
right now each agency is deciding on their own on what the
controls they need to implement, and there isn't a constancy.
And if we have that, as we talked about in testimony, I think,
in July, there can be some constancy in training as well as
tools developed to help people do what they need to do.
The third area is security awareness. I think a lot of
agencies are now putting together programs to make sure that
the employees are aware. Computer security is fine, but if
someone can call up somebody in the agency and they willingly
give up their password or use passwords that aren't very
secure, that really endangers the whole system, not only that
system, but anything it is connected to in a trusted
environment. So I think that is another area where we have seen
progress.
And the last area is really in the monitoring, and we are
starting to see some agencies, such as Social Security, go
outside to really have someone come in and help them test their
systems to see if they are secure. I think that is a key
component that has been long missing, but we are starting to
see a lot of activity in that regard.
Also, as part of the certification and accreditation
process, NIST is working on developing standards for
accrediting entities that would do that.
I think one of the important elements, if we are going to
proceed in this effort--and I think it is important--is to
ensure some consistency in the types of testing of controls
that are carried out, because right now there is a wide
variation in the quality and extent of the procedures that may
be used by the private sector. And I think bringing those to
some consistency will be important.
So I think those are all aspects that, where agencies have
done those kind of things and put responsibility in the CIO
position, we are starting to see some fundamental changes. But
again, those will take some time to come to fruition and for
all the significant weaknesses we talked about to be
identified.
Last, those significant weaknesses that I said in my
testimony will likely increase, because I think we are still
finding more of them, and as those get identified, hopefully
those will get addressed as well, and we will get the numbers
down.
Mr. Horn. In the help GAO and you have given us, to what
degree are the agencies having very realistic, adequate
contingency plans to recover their critical operations without
a significant loss in their ability to conduct their mission?
Mr. Dacey. Based upon our review in the chart, we
identified 20 agencies that had one or more significant
weaknesses in contingency planning. And I think that is
particularly important, because we were looking at report
issued since September or after September of last year. And so
that is a critical area. And I know a lot of agencies have been
trying to address that, but again, to get back to fundamental
issues: Do you know your systems? What they are? In some cases,
we still struggle with that when we do our audits and go in,
ask for inventories and structures of networks, we oftentimes
don't get up-to-date pictures of what the agency has; and they
need that.
Second, we have seen where there are plans, they may not be
complete and assets properly prioritized, and probably one of
the most important elements missing in many is really a
comprehensive testing. Again, some agencies are doing that, but
unless you comprehensively test this process--and I mean
frequently; I don't know, there is no definite frequency, but
with some degree of frequency--you don't know if it is going to
work in case you have to employ it.
I know there are a lot of lessons learned based upon the
effects of September 11 on the private sector, which we have
had in prior testimonies before this committee. I think those
are important lessons. Some of the more successful entities in
the private sector had fairly extensive disaster recovery
programs, as well as regular drills.
I do remember one of them, in fact, having practiced what
happens if senior management, who makes the key decisions,
isn't available to talk to. And, in fact, they practiced that,
and that is what happened on September 11. They were busy
evacuating lower Manhattan. The people who don't make day-to-
day decisions had to make them, and they had prepared to do
that by prior exercises.
So I think there are a lot of challenges still in that
area, and in post-September 11 situations, particularly as Mr.
Pethia pointed out, the increasing threats for intentional
damage that might occur.
Mr. Horn. Are there any things that we have not brought up
that would be useful in terms of getting a better type of a
score in the last year or 2 more years, and there wouldn't be a
lot of Fs all over that place? Let us see how many could be in
Social Security, and that would help.
Mr. Mead. I would like to see some tighter milestones.
Having gone through the Y2K experience at Transportation, where
we have a lot of operational systems like air traffic control
or search and rescue, I think there is a very important value
in having a date that everybody is marching toward. And the
beauty of Y2K--it may be in hindsight, if I could use that
word--was that it had an unwaivable date. It was certain to occur,
and the agency heads and all the staffs knew that they were
marching to get that done. And a serious computer security
incident would get our attention, it might come too late.
Mr. Horn. Mr. Dacey.
Mr. Dacey. I would like to echo Mr. Mead's comments. I
think one of the key areas that we have indicated in some of
our prior reports and testimonies, both for Federal information
and security and critical infrastructure protection, is the
need to establish deadlines and goals.
I know one of the efforts that OMB has put forward as a
result of last year's GISRA report is requiring all major
agencies to undergo a project matrix review, which would
identify significant assets of the agency and go about to
identify interdependencies and come out with a plan to remedy
those, any risks that they identified.
One of the challenges there though is, it has now taken a
fair amount of time to get through that, and I don't know how
many agencies have finished the first step. I know--Social
Security has, I believe, already done that and is moving on in
the second step.
But I think one of the challenges is, when does the
government expect these actions to be--some of these key
actions to be completed? And I think that is an important part
of setting--again, a deadline helps to solidify what resources
you need to get to that deadline. I think that could be
beneficial.
Mr. Horn. I want to thank our witnesses today and the vice
chairman, Mr. Lewis. And I am heartened by the administration's
attention to this urgent problem. However, I am confident that
the sustained pressure by the Office of Management and Budget,
the General Accounting Office, and the Committee on Government
Reform in the Congress, Federal agencies will continue to make
strides to protect these vital systems.
We must solve this problem, and we must solve it quickly.
The American people desire to know that the information they
share with the Federal Government is protected. They must also
be assured that the government services they rely on will not
be interrupted.
I want to thank the subcommittee staff that has worked on
this with a number of you. Bonnie Heald, the staff director,
put your hand up; don't be shy around this place. Henry Wray,
senior counsel; he is down working--he was very--working in
terms of three bills we had the last night of this Congress,
and they are about to go to be signed by the President. Counsel
Dan Daly; Dan Costello, professional staff; the majority clerk,
Chris Barkley; and staff assistant, Ursula Wojciechowski.
And then the detailee from the General Accounting Office
has spent a lot of time on this. She is working here with my
left hand and your right; and we are delighted with the General
Accounting Office, and Elizabeth Johnston has done a wonderful
job. I hope we can keep her longer, although I don't know; GAO
might want her back, or at least put a chain on her. So she has
done a great job.
And on the minority staff we have Michelle Ash, counsel,
and Jean Gosa, the minority clerk. And they have done a
wonderful job at every hearing I have done.
I thank the court reporters, Christina Smith and Desirae
Jura. Thank you very much.
And, with that, we are adjourned.
[Whereupon, at 11:41 a.m., the subcommittee was adjourned.]
[Additional information submitted for the hearing record
follows:]