[House Hearing, 107 Congress]
[From the U.S. Government Publishing Office]




 COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?

=======================================================================

                                HEARING

                               before the

                 SUBCOMMITTEE ON GOVERNMENT EFFICIENCY,
                        FINANCIAL MANAGEMENT AND
                      INTERGOVERNMENTAL RELATIONS

                                 of the

                              COMMITTEE ON
                           GOVERNMENT REFORM

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION

                               __________

                           NOVEMBER 19, 2002

                               __________

                           Serial No. 107-240

                               __________

       Printed for the use of the Committee on Government Reform


  Available via the World Wide Web: http://www.gpo.gov/congress/house
                      http://www.house.gov/reform



                                 ______

89-165              U.S. GOVERNMENT PRINTING OFFICE
                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½090001

                     COMMITTEE ON GOVERNMENT REFORM

                     DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York         HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland       TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut       MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida         EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York             PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California             CAROLYN B. MALONEY, New York
JOHN L. MICA, Florida                ELEANOR HOLMES NORTON, Washington, 
THOMAS M. DAVIS, Virginia                DC
MARK E. SOUDER, Indiana              ELIJAH E. CUMMINGS, Maryland
STEVEN C. LaTOURETTE, Ohio           DENNIS J. KUCINICH, Ohio
BOB BARR, Georgia                    ROD R. BLAGOJEVICH, Illinois
DAN MILLER, Florida                  DANNY K. DAVIS, Illinois
DOUG OSE, California                 JOHN F. TIERNEY, Massachusetts
RON LEWIS, Kentucky                  JIM TURNER, Texas
JO ANN DAVIS, Virginia               THOMAS H. ALLEN, Maine
TODD RUSSELL PLATTS, Pennsylvania    JANICE D. SCHAKOWSKY, Illinois
DAVE WELDON, Florida                 WM. LACY CLAY, Missouri
CHRIS CANNON, Utah                   DIANE E. WATSON, California
ADAM H. PUTNAM, Florida              STEPHEN F. LYNCH, Massachusetts
C.L. ``BUTCH'' OTTER, Idaho          ------ ------
EDWARD L. SCHROCK, Virginia                      ------
JOHN J. DUNCAN, Jr., Tennessee       BERNARD SANDERS, Vermont 
JOHN SULLIVAN, Oklahoma                  (Independent)


                      Kevin Binger, Staff Director
                 Daniel R. Moll, Deputy Staff Director
                     James C. Wilson, Chief Counsel
                     Robert A. Briggs, Chief Clerk
                 Phil Schiliro, Minority Staff Director

    Subcommittee on Government Efficiency, Financial Management and 
                      Intergovernmental Relations

                   STEPHEN HORN, California, Chairman
RON LEWIS, Kentucky                  JANICE D. SCHAKOWSKY, Illinois
DOUG OSE, California                 MAJOR R. OWENS, New York
ADAM H. PUTNAM, Florida              PAUL E. KANJORSKI, Pennsylvania
JOHN SULLIVAN, Oklahoma              CAROLYN B. MALONEY, New York

                               Ex Officio

DAN BURTON, Indiana                  HENRY A. WAXMAN, California
             Bonnie Heald, Staff Director and Chief Counsel
                Dan Costello, Professional Staff Member
                          Chris Barkley, Clerk
                     Michell Ash, Minority Counsel


                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on November 19, 2002................................     1
Statement of:
    Forman, Mark A., Associate Director, Information Technology 
      and E-Government, Office of Management and Budget; James B. 
      Lockhart III, Deputy Commissioner and Chief Operating 
      Officer of Social Security, Social Security Administration; 
      Kenneth M. Mead, Inspector General, Department of 
      Transportation; Richard D. Pethia, Director, Cert 
      Coordination Center; and Robert F. Dacey, Director, 
      Information Security, U.S. General Accounting Office.......     4
Letters, statements, etc., submitted for the record by:
    Dacey, Robert F., Director, Information Security, U.S. 
      General Accounting Office, prepared statement of...........    57
    Forman, Mark A., Associate Director, Information Technology 
      and E-Government, Office of Management and Budget, prepared 
      statement of...............................................     8
    Horn, Hon. Stephen, a Representative in Congress from the 
      State of California, prepared statement of.................     3
    Lockhart, James B., III, Deputy Commissioner and Chief 
      Operating Officer of Social Security, Social Security 
      Administration, prepared statement of......................    19
    Pethia, Richard D., Director, Cert Coordination Center, 
      prepared statement of......................................    39
    Taylor, Eugene K., Jr., Acting Chief Information Officer, 
      U.S. Department of Transportation..........................    28

 
 COMPUTER SECURITY IN THE FEDERAL GOVERNMENT: HOW DO THE AGENCIES RATE?

                              ----------                              


                       TUESDAY, NOVEMBER 19, 2002

                  House of Representatives,
  Subcommittee on Government Efficiency, Financial 
        Management and Intergovernmental Relations,
                            Committee on Government Reform,
                                                    Washington, DC.
    The subcommittee met, pursuant to notice, at 10 a.m., in 
room 2154, Rayburn House Office Building, Hon. Stephen Horn 
(chairman of the subcommittee) presiding.
    Present: Representatives Horn and Lewis.
    Staff present: Bonnie Heald, staff director; Henry Wray, 
senior counsel; Dan Daly, counsel; Dan Costello, professional 
staff member; Chris Barkley, clerk; Ursula Wojciechowski, staff 
assistant; Michelle Ash, minority counsel; and Jean Gosa, 
minority clerk.
    Mr. Horn. This hearing of the Subcommittee on Government 
Efficiency, Financial Management and Intergovernmental 
Relations will come to order.
    Federal agencies rely on computer systems to support 
critical operations that are essential to the health and well-
being of millions of Americans. National defense, emergency 
services, tax collection and benefit payments will all rely on 
automated systems and electronically stored information. This 
technology has greatly streamlined government operations. Yet 
without proper security measures, Federal computers are highly 
vulnerable to cyber attacks. These attacks are dramatically 
increasing in volume and sophistication. Last year the number 
of cyber attacks rose 71 percent above the previous year. In 
addition, they are more complex, affecting government and 
nongovernment computers alike.
    Earlier this year, a British computer administrator 
penetrated 100 U.S. military computers, shutting down networks 
and corrupting data at the National Aeronautics and Space 
Administration and at the Pentagon. Equally disturbing, the 
hacker successfully attacked these sensitive systems by using 
software that was readily available on the Internet. Threats 
such as this demand that the Federal Government move quickly to 
protect its critical computer systems.
    This is the subcommittee's third annual report card and we 
are now sending it out and we'll go into questions on it later. 
This subcommittee will be--this was the third annual report 
card, and we have been grading executive branch agencies on 
their computer security efforts. I am disheartened to announce 
that again this year the government has earned an overall grade 
of F for its computer security efforts. Despite the 
administration's welcomed focus on this important problem, 14 
agencies scored so poorly that they earned individual grades of 
an F. The Department of Transportation lags at the bottom of 
the scorecard, earning an appalling 28 points out of a possible 
100 on the subcommittee's grading systems.
    At the top end of the report card, I am pleased to note 
that the Social Security Administration continues to be a 
shining example of sound leadership and focused attention 
toward solving this important problem. Earning a score of 82, 
the Social Security Administration's grade goes from a C-plus 
to a B-minus. This agency was the first to become Y2K compliant 
in 1999, and I have no doubt that it will also be the leader in 
the government's effort to protect its critical computer 
systems. Hopefully, the Department of Transportation and all 
other failing agencies will benefit from the experience and 
expertise of today's witnesses.
    September 11, 2001 taught us that we must be prepared for 
attack. We cannot allow government operations to be compromised 
or crippled because we failed to heed that lesson.
    [The prepared statement of Hon. Stephen Horn follows:]

    [GRAPHIC] [TIFF OMITTED] T9165.001
    
    Mr. Horn. I'd ask the vice chairman, Mr. Lewis of Kentucky, 
if you'd like to have an opening statement, why----
    Mr. Lewis. Thank you, Mr. Chairman. Well, I just want to 
say one thing. At the end of this term, the American taxpayer 
will be losing a man that has been in the front lines of 
looking out after their interest and putting pressure on the 
government to be efficient and to use taxpayer dollars wisely. 
And, Mr. Chairman, it certainly will, again, be a sad day for 
the American taxpayer and it'll be a sad day for all of us to 
see you retire, but thank you for your great service.
    Mr. Horn. Thank you very much, Ron. That's nice of you. 
You've been a good partner.
    I'm now going to bring in the witnesses and their 
assistants and we'll have them take the oath. This is an 
investigative committee and that's the way we operate. If 
you'll stand and raise your right hands. And your assistants 
behind you, the clerk will note all of the names there and put 
in the hearing record.
    [Witnesses sworn.]
    Mr. Horn. The clerk will note and take the names. Thank 
you.
    And we will now start with the presentation, and the 
presentation is simply down the agenda line, and we start with 
Mark A. Forman, Associate Director, Information Technology and 
E-Government, Office of the President's Management and Budget.
    Mr. Forman, we're glad to see you again.

 STATEMENTS OF MARK A. FORMAN, ASSOCIATE DIRECTOR, INFORMATION 
 TECHNOLOGY AND E-GOVERNMENT, OFFICE OF MANAGEMENT AND BUDGET; 
JAMES B. LOCKHART III, DEPUTY COMMISSIONER AND CHIEF OPERATING 
  OFFICER OF SOCIAL SECURITY, SOCIAL SECURITY ADMINISTRATION; 
       KENNETH M. MEAD, INSPECTOR GENERAL, DEPARTMENT OF 
TRANSPORTATION; RICHARD D. PETHIA, DIRECTOR, CERT COORDINATION 
 CENTER; AND ROBERT F. DACEY, DIRECTOR, INFORMATION SECURITY, 
                 U.S. GENERAL ACCOUNTING OFFICE

    Mr. Forman. Good morning, Mr. Chairman and Mr. Lewis. 
Before I begin, I would also like to acknowledge the 
significant role that you've played in the last decade on IT 
issues. Through your leadership we've all witnessed a 
substantial increase in attention and efforts to improve the 
Federal Government's management of information technology. 
You've captured the attention of senior policy officials across 
agencies, challenged administrations, and, as a result, have 
helped focus on an understanding of the serious issues, 
particularly IT security, financial management and the year 
2000 conversion. Thank you for your work in these areas.
    I also want to acknowledge the work of my lead security 
analyst, Glenn Schlarman, who will be leaving OMB to work at a 
department at the end of the year. Glenn has led OMB's work in 
cyber security and related information policy since the mid-
1990's and deserves much credit for the progress made in this 
area by Federal agencies.
    Mr. Chairman, we all know that our Federal Government's IT 
security problems are serious and pervasive. However, I'm 
pleased to report today that while problems persist, several 
agencies are demonstrating progress due in large part to your 
leadership.
    Since the last hearing in March, a number of achievements 
have been made toward improving the Federal Government's IT 
security: First, the combination of the Security Act reporting 
requirements, OMB's reporting instructions, and agency plans of 
actions and milestones have resulted in a substantial 
improvement in the accuracy and depth of information provided 
to Congress relating to IT security. In addition to IG 
evaluations, agencies are now providing the Congress with data 
from agency POAMs, the plans of action and agency performance 
against uniform measures.
    Second, OMB developed and issued objective IT security 
management performance measures which were the basis for the 
most recent agency reports and plans of action.
    Third, we developed a governmentwide assessment tool based 
primarily on the National Institute of Standards and 
Technology's technical guidance and the GAO's Federal 
Information Systems Control Audit Manual.
    Fourth, to ensure successful remediation of security 
weaknesses throughout an agency, every agency must now maintain 
a central process through the CIO's office to monitor agency 
compliance.
    Fifth, we have developed additional guidance on reporting 
IT security costs.
    Sixth, several agencies have demonstrated mature IT 
security management practices.
    Seventh, governmentwide on-line IT security training and 
course work is being made available and used.
    And, eight, deployment of cross-agency E-authentication 
capabilities is occurring.
    As we move into the second year of actual reforms built 
around the Government Information Security Reform Act and based 
primarily on agency and IG reports submitted in September, 
integration of security into agency budget processes and 
recently updated and submitted IG security plans of action and 
milestones, OMB has conducted an initial assessment of the 
Federal Government's IT security status. Due to the baseline of 
agency IT security performance identified last year, we are now 
in a position to more accurately determine where progress has 
been made and where problems remain.
    Having objective performance measurements has improved the 
quality process, and I'd like to say there are five good news 
items we've found in our review:
    First, more departments are exercising greater oversight of 
their bureaus.
    Second, at many agencies, program officials, CIOs, and IGs 
are engaged in working together.
    Third, the inspectors general have greatly expanded their 
work beyond financial systems and related programs and their 
efforts have proved invaluable to us in the process.
    Four, more agencies are using their plans of action and 
milestones as authoritative management tools to ensure program 
assistant level IT security weaknesses, once identified, are 
tracked and corrected.
    And, fifth, OMB's conditional approval or disapproval of 
agency IT security programs has resulted in senior executives 
at most agencies paying greater attention to IT security.
    The bad news is that as we predicted in our previous 
testimony, the more IT systems that agencies and IGs review, 
the more security weaknesses we're finding. Our initial 
analysis reveals that while progress has been made, there 
remain several significant weaknesses:
    First, many agencies find themselves faced with the same 
security weaknesses year after year. They lack system level 
security plans and certification. Through the budget process 
OMB is assisting agencies in prioritizing and reallocating 
funds to address these problems.
    Second, some IGs and CIOs have vastly different views of 
the state of the agency security programs. Although some 
agencies have already acted to address more rigorous findings, 
OMB will highlight such discrepancies in our feedback the 
agency has.
    Third, many agencies are not adequately prioritizing their 
IT investments, and therefore are seeking funding to develop 
new systems while significant security weaknesses exist in 
their legacy systems. OMB will assist agencies in 
reprioritizing their resources through the budget process.
    I'd like to talk a little bit about six common weaknesses 
we identified in the IT security report to Congress last year:
    First, lack of agency senior management attention to 
security. In addition to conditionally approving or 
disapproving agency IT security programs through private 
communication between OMB and each agency head, we have used 
the President's Management Agenda Scorecard to continue to 
focus attention on serious IT security weaknesses. Through the 
scorecard, OMB and senior agency officials are monitoring 
agency progress on a quarterly basis.
    Second, nonexistent IT security performance measures, as I 
referenced earlier, also address the performance of officials 
charged with implementing specific requirements of the Security 
Act. These measures are mandatory and represent the minimum 
matrix against which agencies must track and measure 
performance and progress.
    Third, poor security education awareness. As in my 
testimony, the administration's electronic government 
initiative called E-Training will incorporate additional 
security courses, and of course agencies are using traditional 
classroom-style training.
    While OMB can and will continue to assist agencies with 
their efforts in addressing the security weaknesses, but the 
responsibility and the ability to fix these weaknesses 
ultimately lies with the agencies.
    I'd like also to address some additional areas for 
attention. OMB, the President's Critical Infrastructure 
Protection Board, Federal agencies, and others are addressing a 
number of other significant IT security issues. The 
administration strives to assure that disruptions of the 
Federal IT systems are infrequent, of minimal duration, 
manageable, and cause the least damage possible. In this 
regard, we're essentially addressing two types of threats: 
organized and ad hoc.
    We'll assure that Federal agencies undertake effective 
systems management practices with tools and training to ensure 
timely deployment and continued maintenance of security of IT 
systems. But countering sophisticated organized threats is far 
more complex. The development of a governmentwide enterprise 
architecture is a central part of the administration's IT 
management and the electronic government efforts. Accordingly, 
the administration will use this to better prioritize and fund 
Federal Government security needs.
    I run through a number of other additional comments in my 
testimony. But let me conclude by saying, Mr. Chairman, again, 
I'd like to express the administration's appreciation for your 
untiring leadership on IT security and government IT management 
in general.
    Mr. Horn. Thank you.
    [The prepared statement of Mr. Forman follows:]

    [GRAPHIC] [TIFF OMITTED] T9165.002
    
    [GRAPHIC] [TIFF OMITTED] T9165.003
    
    [GRAPHIC] [TIFF OMITTED] T9165.004
    
    [GRAPHIC] [TIFF OMITTED] T9165.005
    
    [GRAPHIC] [TIFF OMITTED] T9165.006
    
    [GRAPHIC] [TIFF OMITTED] T9165.007
    
    [GRAPHIC] [TIFF OMITTED] T9165.008
    
    [GRAPHIC] [TIFF OMITTED] T9165.009
    
    [GRAPHIC] [TIFF OMITTED] T9165.010
    
    Mr. Horn. And we will now move to the next witness, and 
then when we finish the witnesses, we will begin the 
questioning. We are delighted to have the Honorable James B. 
Lockhart, III, the Deputy Commissioner and Chief Operating 
Officer of Social Security, Social Security Administration.
    Mr. Lockhart. Thank you, Mr. Chairman and Mr. Lewis. Thank 
you for inviting me here today to discuss computer security at 
the Social Security Administration. Commissioner Barnhart and I 
believe that it is indeed a critical ``24x7'' issue. We 
recognize that creating an effective security program is not 
just a technical issue, but also an issue that demands the 
attention of top management.
    Today I would like to outline the challenges we face and 
the significant strides our agency has made to further 
safeguard information security. Our approach to computer 
security is forward-looking while focusing on continuous 
monitoring and continuous improvement. The systems challenges 
we face are substantial. In a typical workday we interact with 
about 500,000 people through our field offices, telephone 
network, and Internet services. To handle our workloads we rely 
on seven mainframe processors based in a national computer 
center and on more than 100,000 network-connected work stations 
in over 1,500 locations throughout the country. These computers 
process more than 35 million transactions a day.
    Our Chief Security Officer sets agency policy for 
information security. That position was recently elevated to 
report directly to the Chief Information Officer, who reports 
directly to the Commissioner and myself. The CIO reports to the 
Commissioner annually on the state of security in SSA, but in 
reality it's really a regular agenda item at all our executive 
staff meetings and also at the Executive Internal Control 
Committee which I chair.
    We have made President Bush's management agenda including 
E-government and a specific security measure part of our new 
Senior Executive Service Performance System. We have also 
incorporated a performance measure in our annual performance 
plan. Systems security has been integrated into our systems 
development life cycle for more than 15 years. However, in the 
last year we've begun a number of improvements to ensure that 
the security program remains responsive to evolving technology 
and vulnerabilities.
    Systems intrusions are one major area of concern. Social 
Security uses a variety of proactive measures plus individual 
testing--independent testing and evaluation of security 
controls to detect and prevent attempted intrusions. For 
example, we use state-of-the-art software that registers, 
restricts, and records user access to data. It also determines 
what function a person can do once they have access to the 
data. Passwords are changed every 30 days. The software allows 
Social Security to audit usage and provides a means to 
investigate allegations of misuse. At least once a month we 
also scan every work station, telephone, and system platform 
for compliance.
    Social Security's commitment to information security is 
really shared throughout the whole organization. It is really 
part of the Social Security culture that is reinforced through 
training and frequent communications. Frontline employees know 
to contact the agencywide help desk when a virus or intrusion 
is suspected. The help desk quickly contacts the ``first 
response group,'' comprised of both senior management and 
technical staff, who can rapidly mobilize appropriate 
resources.
    Social Security has a strong critical infrastructure 
protection process to assure Agency business processing 
function despite catastrophes. The program includes project 
matrix reviews, audits risk assessments, remediation plans and 
related training.
    Congress has greatly helped to raise awareness of 
information security. The Government Information Security 
Reform Act of 2000 furthered the agenda of systems security by 
providing for an assessment and reporting mechanism. We 
completed our annual security self-assessment in September of 
this year. We actually hired an independent technology 
consulting firm to look at our self-assessment, and they 
concurred with our self-rating and were impressed with our 
security program. Social Security's inspector general's review 
stated that we met the GISRA requirements and made improvements 
since last year. However, as we all know, there is always room 
for further improvement.
    In conclusion, Commissioner Barnhart and all of us at 
Social Security recognize that system security is not a onetime 
task but an ongoing mission. We know we must be vigilant to 
ensure that personal records remain secure, taxpayer dollars 
are protected, and public confidence in Social Security is 
maintained.
    I would also like to thank you, Mr. Chairman, for your work 
over the years in improving awareness of the importance of not 
only system security, but also a wide range of program 
stewardship issues such as financial accounting and reporting 
debt collection and Y2K. I can assure you that we will continue 
to work with this subcommittee to help protect the information 
security of the American people for which we are stewards. I 
will be happy to answer any questions later.
    Mr. Horn. Thank you. And I will hope that there will be 
excellent people in this, both for the minority and the 
majority. So thank you. Keep the heat on this subcommittee and 
vice versa.
    Mr. Lockhart. Yes Mr. Chairman.
    [The prepared statement of Mr. Lockhart follows:]

    [GRAPHIC] [TIFF OMITTED] T9165.011
    
    [GRAPHIC] [TIFF OMITTED] T9165.012
    
    [GRAPHIC] [TIFF OMITTED] T9165.013
    
    [GRAPHIC] [TIFF OMITTED] T9165.014
    
    [GRAPHIC] [TIFF OMITTED] T9165.015
    
    [GRAPHIC] [TIFF OMITTED] T9165.016
    
    Mr. Horn. And we now have a longtime friend of this 
committee, the Honorable Kenneth M. Mead, Inspector General, 
Department of Transportation.
    Mr. Mead. Thank you, Mr. Chairman, Mr. Lewis. Like my 
colleagues and Mr. Lewis, I would like to start by just saying 
thank you for so many things over the years. This hearing is--I 
suppose the words almost certainly would apply here--one of the 
last hearings that you'll be conducting in this capacity. And 
you've truly been a champion of good government. I think most 
recently--the successful transition to Y2K was a triumph of the 
oversight practices of this committee and your stewardship--but 
it's the full range of management issues, that inspector 
general community will miss you for.
    I mentioned Y2K. Actually, computer security has a lot of 
similarities with the Y2K experience. If you stop and think 
about it, Y2K involved a process where you first had to 
inventory your systems. You had to identify the 
vulnerabilities. Then you had to do a cost-effective risk 
analysis of what holes needed to be plugged and you had to set 
priorities. A big difference, of course, is that in Y2K we had 
a date certain to meet. No waivers from anybody. It was bound 
to happen. Those were the marching orders.
    Here the date is a little less fuzzy, but I think we need 
to move forward with the same sense of vigor because of the 
importance of the area.
    I'd like to summarize where DOT has been, what progress has 
been made, and what it needs to do to secure its critical 
systems. And the bulk of my testimony is based on the report we 
recently issued under GISRA. OMB has it. You have it. The 
Secretary has it. And we're pleased with the Departments' 
response. DOT's information security program remains a material 
weakness, as reported last year, and we're going to recommend 
that it be reported as such again this year.
    I must say that under Secretary Mineta's leadership, DOT 
has made a strong commitment for improvement and there is 
noticeable progress that I can specify, but they have a long 
way to go. A notable example of the progress has been that DOT 
significantly enhanced defense against intrusions from the 
Internet. FAA upgraded increased background collection on its 
employees.
    But there are six areas that DOT needs to focus on and here 
they are: First and foremost, as in most things, establish 
leadership. DOT does not have a CIO, Chief Information Officer. 
And, in fact, in the 6 years since the Clinger-Cohen Act was 
passed, we've had a CIO for 18 months of that period, and we 
don't have one now. I should say that it's not for want of 
active recruiting. But we need one. And, Mr. Chairman, it's not 
only a case of just having a CIO, someone with that title. The 
DOT CIO Office, in our judgment, does not have sufficient 
authority or controls over the operating divisions' information 
technology budgets or performance. You know, DOT is set up--we 
have about 9 or 10 agencies: FAA, Coast Guard, the Federal 
Highway Administration, so forth and so on. But the operating 
divisions generally have not in the past been held accountable 
to answer to the CIO. This will be evidenced in several of the 
other points I'm going to illustrate here.
    A second area is securing computer systems against 
unauthorized intrusions. Several years ago when we reported to 
this committee that DOT did not have firewall security. 
Intruders could easily gain access to DOT computers systems 
from the Internet. Two years ago, we testified that the 
firewall security was not strong enough and there were 
unsecured ``back doors'' to access DOT computers. Since then, 
DOT has enhanced its firewall security against unauthorized 
intrusions from the Internet which are referred to as the 
``front door.'' But, despite repeated directives from the 
Agency's CIO office, there are still a significant number of 
unsecured ``back doors.'' What are back doors? Back doors are 
dial-up modems. They are non-DOT computers that are connected 
to those of DOT's, in many cases, by the hundreds of 
contractors that DOT has. We think that's a significant risk 
area.
    Third, reporting cyber incidents. DOT needs to do a better 
job in analyzing reporting major cyber incidents. Last year 
they reported 25,000 incidents. But most of those were not 
analyzed or stratified for degree of seriousness. And most of 
them, my guess is, were innocent acts of somebody misusing a 
password or whatever. We also found, though, that 3 of 10 major 
incidents we had went unreported to the Federal Computer 
Incident Response Center. We think that needs to be 
strengthened.
    Fourth, protect E-government services. DOT needs to better 
protect its public Web sites from being attacked. In our audit 
work, we identified 450-odd vulnerabilities throughout DOT. 
Forty percent of them were at FAA, and the Federal Highway 
Administration had 113 of them. Of the 450-odd vulnerabilities, 
Mr. Chairman, we would rank about 80 of them as being very 
serious, meaning that they could allow attackers to take 
control over DOT Web sites. DOT, I should note, promptly 
corrected the vulnerabilities we identified.
    Fifth area, check contractors' employees background. DOT 
still needs to do more in this area. I'm happy to report that 
FAA has made progress. I believe it was at a hearing before 
this and a couple of other congressional committees where this 
was a major problem 3 years ago. Our tests now indicate that 
about 84 percent of FAA contractor employees have received 
background checks versus just 23 percent 2 years ago. But still 
the delta between that 84 percent and 100 percent is too 
significant, in my view. Unfortunately, other DOT agencies have 
not made as much progress and their compliance rate rose only 
from 13 percent to 14 percent.
    And, finally, a major task is to get all DOT's 561 mission-
critical systems certified for adequate security. The current 
date for doing that is set at December 2005. This challenge is 
particularly similar to Y2K. Right now, we have completed the 
security assessment--not we, the DOT, of 123 of 561 systems. 
They have a long way to go. And I'm a little concerned about 
the date of December 2005 being several years away. I'd like to 
see this process be accelerated but it's going to require top 
management commitment to put the pressure on.
    And finally, Mr. Chairman, I'd like to say a word about the 
role for inspector general and GAO. And I think this is alluded 
to in Mr. Forman's written statement. I'm concerned that too 
much reliance is being placed on the inspector generals and GAO 
to identify vulnerabilities. As I noted, we identified 450-odd 
of them. Those were plugged when we identified them. But you 
don't want to rely on your inspector generals or GAO to 
identify all the vulnerabilities. Inspector generals are fairly 
small operations. We're supposed to audit. We are not in the 
business of running the security program. I'm pleased to report 
that I think under Secretary Mineta's leadership this is 
beginning to change at DOT, but it needs to change in a much 
larger way. Thank you.
    Mr. Horn. Thank you, and we appreciate the thoughts you 
have there and we'll get to that a little later.
    [The prepared statement of Mr. Taylor follows:]

    [GRAPHIC] [TIFF OMITTED] T9165.017
    
    [GRAPHIC] [TIFF OMITTED] T9165.018
    
    [GRAPHIC] [TIFF OMITTED] T9165.019
    
    [GRAPHIC] [TIFF OMITTED] T9165.020
    
    [GRAPHIC] [TIFF OMITTED] T9165.021
    
    [GRAPHIC] [TIFF OMITTED] T9165.022
    
    [GRAPHIC] [TIFF OMITTED] T9165.023
    
    [GRAPHIC] [TIFF OMITTED] T9165.024
    
    Mr. Horn. We now have Richard D. Pethia, and he is the 
Director of the CERT Coordination Center of Carnegie Mellon, 
and you've been very helpful to this subcommittee over the last 
decade and a half. And you might want to put on the record, 
what does CERT mean? And we would be glad to hear from you.
    Mr. Pethia. Thank you. Mr. Chairman and members of the 
subcommittee, thank you for the opportunity to testify on 
computer security issues. And Mr. Chairman, thank you 
especially for helping us all focus on this important IT-
related topic.
    My perspective comes from the work that we do at the CERT, 
the Computer Emergency Response Team, where since 1988 we have 
handled over a 170,000 separate computer security incidents and 
catalogued more than 8,000 computer vulnerabilities. During 
that time, the Internet has changed dramatically and computers 
have become such an integral part of American government and 
business that computer-related risks cannot be separated from 
national defense, general safety, health business and privacy 
risk. Valuable government and business assets along with 
personal information, critical services, are now at risk over 
the Internet. Our increasing dependency on these network 
systems is being matched by increasing the number of attacks 
aimed at those systems.
    The CERT Coordination Center alone, one of only over 200 
incident response teams globally, has seen a dramatic increase 
in the number of incidents reported over just the last 4 years, 
from 3,700 in 1998 to over 53,000 in 2001; and at the current 
reporting rates, 2002 will top 100,000 separate incidents. 
These attacks are aimed at systems across government and 
industry, and have led to loss and compromise of sensitive 
data, loss of productivity, system damage, financial loss, and 
loss of reputation and customer confidence. Virus and worm 
attacks alone have resulted in hundreds of millions of dollars 
of loss in just the last 12 months.
    Most threatening of all is the link between cyber space and 
physical space. Supervisory control and data acquisition 
systems are used to control power grids, water treatment and 
distribution systems, oil and chemical refineries, and other 
physical systems. Increasingly, these control systems are being 
connected to communications links and networks to reduce 
operational costs by supporting remote maintenance and remote 
control functions. These systems are potential targets of 
individuals bent on causing massive disruption and physical 
damage. This is not theory. Actual attacks have caused major 
operational problems in Australia, for example, where attacks 
against sewage plants have led to the release of hundreds of 
thousands of gallons of sewage sludge.
    The Internet has become a virtual breeding ground for 
attackers. Intruders share information about vulnerable sites, 
vulnerabilities in the technology and attack tools. Internet 
attacks are difficult to trace. The protocols make it easy for 
attackers to hide their identity and location on the network. 
The number of cyber attackers that have been identified and 
prosecuted is minuscule compared to the number of security 
incidents that are reported on an ongoing basis.
    Our systems are vulnerable. Last year we received 2,400 
vulnerability reports, reports of weaknesses in pieces of 
software, and we expect to receive over 4,300 reports by the 
end of this year. These vulnerabilities are caused by security 
weak design and development practices. With this number of 
vulnerabilities, fixing vulnerable systems is deemed difficult. 
System and network administrators are in a hard spot. It is 
often months or years before patches are implemented on the 
vulnerable computers, and we often receive reports even years 
after the fact of attacks of vulnerabilities that have been in 
fact known for 2 or 3 years.
    And at the same time, the attack technology is advancing. 
Today, intruders use worm technology and other automated 
methods to reach tens of thousands of computers in minutes, 
where it once took weeks or months.
    Working our way out of this vulnerable position will 
require a multipronged approach:
    First, higher quality products. Good software engineering 
practices can dramatically improve our ability to withstand 
attacks. The solution is going to require a combination of 
virus-proof software, reducing implementation errors by at 
least two orders of magnitude over today's levels, and 
requiring that vendors ship products with high security default 
configurations. We encourage the government to use its buying 
power to demand such higher-quality software.
    Acquisition processes must place more emphasis on security 
characteristics, and we suggest using code integrity clauses 
that hold vendors more accountable for defects in their release 
products. Acquisition professionals should be trained in 
current government security regulations and policies, but also 
in the fundamentals of security concepts and architecture. It's 
important that these people understand not only how to work 
within the letter of the law but also the spirit of the law to 
get the quality of software that we require in our national 
systems.
    Also needed is wider adoption of security practices. Senior 
management attention here is important. Senior management must 
increase its involvement with visible endorsement of security 
improvement efforts and the provision of the resources needed 
to implement the required improvements. For the long term, 
research is also essential to seek fundamental technological 
solutions and preventive approaches. Needed in the long term is 
a unified and integrated framework for all information 
assurance analysis, rigorous methods to quantifiably assess and 
manage risks, quantitative techniques to determine the cost/
benefit of risk mitigation strategies, and simulation tools to 
analyze the cascade effects of attacks, accidents, and failures 
across interdependent systems.
    The Nation as a whole requires more qualified technical 
specialists. Government scholarship programs that have started 
are a good step in the right direction, but they need to be 
expanded over the next 5 years to build the university 
infrastructure we need for the long-term development of trained 
security professionals.
    Also needed is more awareness and training for all Internet 
security users, with special emphasis paid to students in grade 
schools who can begin to understand the ethics of use of these 
wide area networks as they understand ethics in other kinds of 
situations.
    In conclusion, security incidents are almost doubling each 
year, and attack technology will continue to evolve to create 
attacks that are even more virulent and damaging. Solutions are 
not simple but must be pursued aggressively to allow us to keep 
our information infrastructures operating at acceptable levels 
of risk. We can make significant progress by making changes in 
software design and development practices, giving more 
management support to risk management activities, increasing 
the number of trained system managers and administrators, and 
improving the level of knowledge of all users, and increasing 
research under secure and survivable systems. Thank you.
    [The prepared statement of Mr. Pethia follows:]

    [GRAPHIC] [TIFF OMITTED] T9165.025
    
    [GRAPHIC] [TIFF OMITTED] T9165.026
    
    [GRAPHIC] [TIFF OMITTED] T9165.027
    
    [GRAPHIC] [TIFF OMITTED] T9165.028
    
    [GRAPHIC] [TIFF OMITTED] T9165.029
    
    [GRAPHIC] [TIFF OMITTED] T9165.030
    
    [GRAPHIC] [TIFF OMITTED] T9165.031
    
    [GRAPHIC] [TIFF OMITTED] T9165.032
    
    [GRAPHIC] [TIFF OMITTED] T9165.033
    
    [GRAPHIC] [TIFF OMITTED] T9165.034
    
    [GRAPHIC] [TIFF OMITTED] T9165.035
    
    [GRAPHIC] [TIFF OMITTED] T9165.036
    
    [GRAPHIC] [TIFF OMITTED] T9165.037
    
    [GRAPHIC] [TIFF OMITTED] T9165.038
    
    [GRAPHIC] [TIFF OMITTED] T9165.039
    
    Mr. Horn. Thank you. I'd like to still know what CERT is. 
And I've looked through here. You've got all sorts of things 
that you could put in there. But, you know, is it the Center on 
Readiness and Training and so forth?
    Mr. Pethia. Computer Emergency Response Team.
    Mr. Horn. OK. Good enough. You've got a busy type, and we 
thank you for all the things you've done for us and the various 
people in this town. So thank you for having that very fine 
university in that very fine CERT Coordination Center.
    Mr. Horn. We now go to the last presenter, Robert F. Dacey, 
Director, Information Security, U.S. General Accounting Office, 
and headed by the Controller General of the United States. And 
you and your staff have done a marvelous position every year, 
helping us look at this material when they come in to the 
Office of Management and Budget. So, Director Dacey.
    Mr. Dacey. Mr. Chairman and Mr. Lewis, it is a pleasure to 
be here this morning. And before providing my testimony, 
however, I would like to thank you personally, Mr. Chairman for 
your sustained and dedicated efforts to improving Federal 
information technology management especially in the areas of 
Y2K and information security, and, from my prior experience, 
your extreme interest in improving financial management 
throughout the Federal Government. Your tireless vigilance has 
resulted in increased attention to these important areas and 
has stimulated many positive results.
    As you requested, I will briefly summarize my written 
statement. Federal agencies rely extensively on computerized 
systems and electronic data to support their missions. If these 
systems are inadequately protected, resources such as Federal 
payments and collections could be lost or stolen. Computer 
resources could be used for unauthorized purposes or to launch 
attacks on others. Sensitive information such as taxpayer data 
and proprietary business information could be inappropriately 
disclosed or browsed or copied for purposes of espionage or 
other types of crime. Critical operations such as those 
supporting national defense and emergency services could be 
disrupted. Data could be modified or destroyed for purposes of 
fraud, deception, or disruption. And agency missions could be 
undermined by embarrassing incidents that result in diminished 
confidence in their ability to conduct operations and to 
fulfill their fiduciary responsibilities.
    As Mr. Pethia pointed out, the risks are dramatically 
increasing over the years and have been. There are a lot of 
reasons for this which he discussed and I would like to again 
highlight. First of all, with its greater complexity and 
interconnectivity of systems, including within Federal systems 
and between Federal systems and other systems in many cases, 
trusted relationships exist between these systems which allow 
open access if someone breaks into one of the systems.
    Second, standardization of systems hardware and software, 
which combined with known vulnerabilities create significant 
exposures.
    Third, the increased volume, sophistication, and 
effectiveness of cyber attacks, which combines with the readily 
available intrusion or hacking tools and limited capabilities 
to detect such attacks.
    And, fourth, the development of cyber attack capabilities 
by other nations, terrorists, criminals, and intelligence 
services. In addition to the threat of external attacks, the 
disgruntled insider is also a significant threat because such 
individuals often have knowledge that allows them to gain 
restricted access and inflict damage or steal assets.
    While both the threat and ease of cyber attack are 
increasing, our most recent analysis of reports issued since 
October 2001 continues to show significant, pervasive 
weaknesses in Federal unclassified computer systems that put 
critical Federal operations and assets at risk. We have 
reported on the potentially devastating consequences of poor 
information security since September 1996 and have identified 
information security as a high risk area since 1997.
    Our chart, which is on the right here, illustrates the 
significant weaknesses that were reported for each of the 24 
agencies included in our review, which covers the six major 
areas of general controls; that is, those areas that cover 
either all or a major portion of an agency's information 
systems and help to ensure their proper operation.
    As the chart shows, most agencies had significant 
weaknesses in many or all of the control areas, and efforts to 
expand and improve information security may result in 
additional significant deficiencies being identified. Also, all 
agencies had weaknesses in security program management which 
can often lead to weaknesses in other control categories.
    At the same time, a number of actions to improve 
information security are underway, both at an agency- and 
governmentwide level. Some of these actions may require time to 
fully implement and address all of the significant weaknesses 
that have been identified.
    Implementation of Government Information Security Reform, 
commonly known as GISRA, is proving to be a significant step in 
improving Federal agency information security. We are pleased 
to note that Congress has recently passed legislation to 
continue and improve these efforts. In its fiscal 2001 report 
to Congress on GISRA, OMB acknowledged the information security 
challenges faced by the Federal Government and highlighted six 
common security weaknesses, which Mr. Forman earlier discussed. 
Highlighting weaknesses through GISRA reviews, evaluations, and 
reporting helps agencies to undertake corrective actions. Also 
many agencies reported that first-year implementation has 
resulted in increased management attention and created a 
baseline for future reviews.
    In addition, GISRA implementation has resulted in important 
actions by the administration, which, if properly implemented, 
should continue to improve information security in the Federal 
Government. Mr. Forman previously highlighted these actions in 
his testimony and some of the new actions they are taking. In 
addition, the President has taken broader actions in the areas 
of homeland security and critical infrastructure protection 
that also can lead to improvements in Federal information 
security.
    In addition to these actions, GAO believes that there are a 
number of important steps the administration and agencies 
should take to ensure that information security receives 
appropriate attention and resources and that known deficiencies 
are addressed. These steps include: Delineating the roles and 
responsibilities of the numerous entities involved in Federal 
information security and CIP or Critical Infrastructure 
Protection; providing more specific guidance on controls 
agencies need to implement; obtaining adequate technical 
expertise to select, implement, and maintain controls 
allocating sufficient resources for information security; and 
continuing research and development efforts to find new ways to 
manage information security better.
    Mr. Chairman, Mr. Lewis, this concludes my statement. I'll 
be pleased to answer any questions that you have at this time.
    [The prepared statement of Mr. Dacey follows:]

    [GRAPHIC] [TIFF OMITTED] T9165.040
    
    [GRAPHIC] [TIFF OMITTED] T9165.041
    
    [GRAPHIC] [TIFF OMITTED] T9165.042
    
    [GRAPHIC] [TIFF OMITTED] T9165.043
    
    [GRAPHIC] [TIFF OMITTED] T9165.044
    
    [GRAPHIC] [TIFF OMITTED] T9165.045
    
    [GRAPHIC] [TIFF OMITTED] T9165.046
    
    [GRAPHIC] [TIFF OMITTED] T9165.047
    
    [GRAPHIC] [TIFF OMITTED] T9165.048
    
    [GRAPHIC] [TIFF OMITTED] T9165.049
    
    [GRAPHIC] [TIFF OMITTED] T9165.050
    
    [GRAPHIC] [TIFF OMITTED] T9165.051
    
    [GRAPHIC] [TIFF OMITTED] T9165.052
    
    [GRAPHIC] [TIFF OMITTED] T9165.053
    
    [GRAPHIC] [TIFF OMITTED] T9165.054
    
    [GRAPHIC] [TIFF OMITTED] T9165.055
    
    [GRAPHIC] [TIFF OMITTED] T9165.056
    
    [GRAPHIC] [TIFF OMITTED] T9165.057
    
    [GRAPHIC] [TIFF OMITTED] T9165.058
    
    [GRAPHIC] [TIFF OMITTED] T9165.059
    
    [GRAPHIC] [TIFF OMITTED] T9165.060
    
    [GRAPHIC] [TIFF OMITTED] T9165.061
    
    [GRAPHIC] [TIFF OMITTED] T9165.062
    
    [GRAPHIC] [TIFF OMITTED] T9165.063
    
    [GRAPHIC] [TIFF OMITTED] T9165.064
    
    [GRAPHIC] [TIFF OMITTED] T9165.065
    
    [GRAPHIC] [TIFF OMITTED] T9165.066
    
    [GRAPHIC] [TIFF OMITTED] T9165.067
    
    [GRAPHIC] [TIFF OMITTED] T9165.068
    
    [GRAPHIC] [TIFF OMITTED] T9165.069
    
    [GRAPHIC] [TIFF OMITTED] T9165.070
    
    [GRAPHIC] [TIFF OMITTED] T9165.071
    
    [GRAPHIC] [TIFF OMITTED] T9165.072
    
    [GRAPHIC] [TIFF OMITTED] T9165.073
    
    [GRAPHIC] [TIFF OMITTED] T9165.074
    
    Mr. Horn. The vice chairman, Mr. Lewis, would like to take 
a look at some of these, and I want him here because he's the 
only member of this full committee and the subcommittee of Ways 
and Means. That's a very lofty committee and goes back to the 
first--1789. And they also have to do with tax administration. 
And I'm hoping with him being on Ways and Means that we can get 
our debt collection law, which Mrs. Maloney and I put together 
in 1996--and it's going great right now. It's just that's for 
nontax. And now we'd love to have you, Ron, as the--if you can 
sneak in at night to get them to get the debt collection.
    And when I looked at that--and that's when I asked the 
then-President, how about getting a CEO, because we're not 
getting anywhere, and IRS in one pot had $100 billion sitting 
there to be collected. When I counseled that one, they said, 
Oh, oh, there's one other one, easier; $60 billion. And we're 
looking for money in this country? Let's get it done. And you 
will be a hero, Ron. And good luck.
    Mr. Lewis. Thank you, Mr. Chairman. We could use some extra 
money right now.
    Mr. Horn. Yep.
    Mr. Lewis. Mr. Forman, the OMB has issued guidelines 
stating that agencies must include security procedures in their 
budget requests for information technology projects. They do 
not--the OMB has said it will not fund the project. Has the OMB 
refused any funding for this reason?
    Mr. Forman. Yes, we did last year. There will of course be 
some more feedback we'll give to the agencies. Generally the 
approach--and we do this with a business case--is to refuse 
funding if an agency does not have good justification on a 
number of the components, security being one of them.
    There are a number of programs last year that we put on the 
high-risk list for fiscal year 2003 where security was the 
predominant problem, and so we spent quite a few months working 
with the agency to address the security problems. I'd say 
generally--I can't say for a fact it's in every case--but 
generally the agencies would rather work through their security 
problems than not get funding, so that incentive structure 
seems to work.
    Mr. Lewis. Very good. Thank you.
    Excuse me, I get the opportunity to give you some more 
questions. The Security Act requires that agency corrective 
action plans address all known vulnerabilities. If agency plans 
fail to include all known vulnerabilities, what action will the 
OMB take?
    Mr. Forman. We, through both last year's guidance and then 
this year's most recent guidance, have taken a comprehensive 
approach. That's one of the reasons that we believe so strongly 
in having both a CIO's report and an audit followup process 
leveraging the IGs. The ultimate approach, therefore, when we 
get the reports and the submission is to compare the two sets 
of data. Also use the GAO data and work via the budget process 
to ensure that remediation occurs.
    Lets say, as I pointed out in my testimony, one of the 
recurring problems that we've seen is agencies' desires to 
invest in new IT and at the same time claim that they can't 
remediate legacy systems problems. There's a tradeoff to be 
made. Obviously, if a legacy system is only going to exist for 
5 or 6 months, one may not invest in a total security overhaul, 
and there are other ways to protect the system. But there are 
too many instances still where we see agencies not doing what I 
consider the nuts and bolts here.
    A corrective action plan has to include some certification 
and accreditation of the legacy systems. And so again we are 
making very clear to the agencies that we're simply not going 
to fund new investments and short remediation on accreditation 
certification. I think you'll see that's a much bigger focus 
this year for us when the report comes in in the February 
timeframe.
    Mr. Lewis. Based on the OMB's analysis if the performance 
measures required in the Government Information Security Reform 
Act Report, it accurately measures the agency's progress in 
securing their critical computer systems. Does it?
    Mr. Forman. The--I think there are a couple of issues to 
consider. First of all, I'd say yes; but it's at a high 
management level. And, of course, one of the things that the 
chairman has worked so hard on for many years I think is coming 
to fruition. We've got secretaries and deputy secretaries now 
who are focusing on security. In fact, within the White House, 
all the way up to the President, people are focused on cyber 
security now. There's a difference, though as we get into the 
details. And I think as my colleague from GAO has laid out very 
clearly, it's time to get into the nuts and bolts. And program 
management now comes much more to the forefront.
    So we too are going to shift our focus on that and onto a 
lot of nuts and bolts. At the same time, I don't think you can 
ignore the fact that the vulnerability and threat picture has 
shifted. So there are a couple of types of threats. One, I 
would consider the hacker threat that we addressed in the 
testimony. And in there we're making much heavier reliance on 
FedCert and increasing their capabilities, the patch management 
services contract that I alluded to. And by leveraging XML and 
some of the easier reporting technologies to reduce the burden 
and literally allow for electronic-type reporting of incidents 
so you don't have to have a person in the process per se, we 
can make that a seamless process and we'll move forward in 
that.
    The organized threats are going to take a different level 
of response and a different approach to that, I think, than 
what we're viewing in hackers. While I can't get into, 
obviously, much of the discussions going on, I think you're 
probably aware that the deadline for comments on the cyber 
strategy is today. But what I can say is that regardless of 
what happens, we know we have to tighten up the continuity of 
business operation planning again, as Mr. Dacey alluded to. 
It's better, but this is very similar to the Y2K issue. And 
before September 11 last year, I'd say very few of the agencies 
had been maintaining the continuity of operations plan. So that 
too has become a big focus for us.
    Mr. Lewis. One more question. The OMB's 2001 Report to 
Congress required by the Government Information Security Reform 
Act highlighted six common weaknesses of Federal agencies. Have 
you noted any significant improvements in these areas?
    Mr. Forman. As I alluded to in my testimony, yes, although 
it's not as governmentwide as we would like to see in all the 
areas. Some agencies are making marked progress. We have some 
discrepancies based on our initial view, versus the chairman's 
scorecard. But what I'd say is that the most marked increase is 
in the senior manager, the secretary and deputy secretary 
focus, and that, without a doubt, is uniform now across the 
board, as I think you heard from Deputy Secretary Lockhart and 
also others on the panel.
    Mr. Lewis. Thank you.
    Mr. Horn. Thank you. Let's talk about Commissioner 
Lockhart's work and how that goes about. And would it be 
possible, Mr. Forman, that OMB might have various types of 
teams brought together of different Cabinet departments so that 
you could go out--and the word ``accreditation'' was mentioned 
a little while ago. And if we had a team like that needed some 
help, would that be useful to OMB?
    Mr. Forman. Well, there are some teams in the Federal 
Government that do get involved in a range of security reviews: 
obviously, the National Institution for Standards and 
Technology, Department of Energy, and I believe some other 
departments. There's a fruitful source of this support in the 
private sector. The Interior Department, for example, has 
engaged a company to help them with accreditation and 
certification. This capability is a type of service that is 
exactly as you laid out. It's project based. It's team based. 
And I don't know that it's inherently governmental. There are 
clearly a set of government rules and regulations, but they're 
also industry practices. It gets down to things like what's the 
proper way to install a certain type of software or a certain 
server; is it outside or inside the firewall? And my preference 
would actually be that rather than buildup huge teams within 
the government that were forever trying to work across 
traditional silos, that we would increase our reliance or 
continue our reliance on the private sector teams. I know that 
companies, as us, have a growing demand for that type of 
service.
    Mr. Horn. Commissioner Lockhart, would you be willing to 
let some of your best people for a while go in other parts of 
the executive branch?
    Mr. Lockhart. Well, Mr. Chairman, we do have some very good 
people and we have some very big challenges. Now, would we very 
much like to work with the rest of the government and we're 
trying to, through mechanisms like the President's Management 
Council which I serve on, trying to go across government and 
work together.
    I guess I would agree with Mr. Forman that--and we use this 
extensively. We use a lot of private sector expert technology 
and consulting firms to do this kind of activity. We work with 
them. We would be happy to share our expertise, but we have a 
lot of needs. Even though we have good grades from you, we 
still have a long ways to go. So I would like to keep them 
internally, if we could.
    Mr. Horn. Well, I can realize that. But it seems to me, you 
don't have to do it all the years, but get in there and help 
them.
    Mr. Lockhart. Well, certainly we are involved in the CIO 
group. We do share best practices, and we will continue to do 
that. We learned from other departments, and hopefully they 
learned from us.
    Mr. Horn. With Social Security and with your being on the 
council--aren't you? And that includes all CIOs?
    Mr. Lockhart. Well, the council I referred to is President, 
Managing Council, which is the Deputy Secretary, Deputy 
Commissioner.
    Mr. Horn. And that is your equivalent for Social Security?
    Mr. Lockhart. Right.
    Mr. Horn. And what I am wondering about, when I hear there 
is no CIO in one place, Mr. Forman, do we have any more that 
are missing CIOs?
    Mr. Forman. Departments that are missing CIOs?
    Mr. Horn. Yes.
    Mr. Forman. Yes, we do. I thought we had gotten a full 
cadre, but we seem to run up against the inevitable situation 
in government where people stay in new jobs for around 18 
months. And so we are working through getting some new folks.
    What I would say is that we do seem to get good talent in 
these jobs, as people are retiring or leaving for other 
opportunities, finding good people to fill in; and I will give 
you an example on that. I think one of the most important ones 
here is the security liaison in the CIO counsel, and that's a 
CIO that essentially works with the different committees--we 
have three major committees, the Workforce Skills, the Best 
Practices Committee, and the Architecture Committee--and fuses 
security focus into those committees.
    Ron Miller, who had been the CIO at FEMA, moved over to 
work on the transition team. FEMA was able to promote a deputy 
that he had recruited, a very talented and capable person, Rose 
Parks, to their C IO. But meanwhile, we quickly, because of the 
importance of this, wanted to make sure we had a solid CIO for 
that liaison, and so we picked Van Hitch, who is the CIO at the 
Justice Department.
    Now, Justice is--one of the differences of opinion I would 
have with your scorecard, I think they made good progress 
there. But Van also was a recent hire from the private sector. 
When he was hired into the government, he came in with--and 
this was one of the early ones--Attorney General anointing the 
CIO as having the responsibility that was originally envisioned 
under the Klinger-Cohen Act.
    So we are working through the inevitable rotation, and 
there are some success stories there as well.
    Mr. Horn. Now, CFOs, are we short them in some of the 
agencies and departments?
    Mr. Forman. That, I am not prepared to address.
    Mr. Horn. Anybody here looking, stealing people from one 
place to the other? Well, let us get it in the record; and, 
without objection, it will be put in at this point.
    I would just like to know the degree to which Chief 
Financial Officers, what relation do they have to help in this 
situation and work with the Chief Information Officer? And I 
would like to hear how that--because part of the problem here 
is who is getting what part of the pie to get the cyber 
situation.
    Mr. Lockhart. I can answer from the Social Security 
standpoint. I think we find that working relationship extremely 
important between the CFO, the CIO, and the Systems Group. And 
they work very closely; they are all part of the senior 
management team of Social Security. We work closely in a very 
integrative fashion on the budget process; we work on the 
fiscal security, as well as computer security, together. And I 
think that teamwork has really helped and been part of our 
success, in that we have people extremely devoted to the agency 
and to our mission; and, you know, partially that is because 
since almost day 1 of Social Security, we have been concerned 
about personal security, personal privacy. That was our first 
regulation. And so it is really infused in our culture, and 
that includes the CFO, the CIO, the Systems Group, and really 
the 65,000 people of Social Security.
    And so that is one of the important ways that we have 
tackled this.
    Mr. Horn. I was heading just for you, the Inspector 
General. And you have got a council, too. And so what is 
happening that IGs, you are doing, for example on the financial 
management part of your working? You are the one that can go 
outside and put in the accounting aspects of it, and I would be 
curious how much the I Gs can help the C IO so they can get the 
resources they need.
    Mr. Mead. I think the Inspector General concept is really 
key to helping both the CIO and the CFO functions fully 
blossom. And the creatures we call Inspectors Generals, have a 
very peculiar reporting relationship. By law, we are to report 
to the Secretary and the Congress to keep each currently and 
fully informed.
    Inspectors Generals are that part of the agency that are 
responsible for auditing. They see things happening much 
earlier than other outside oversight agencies might be able to; 
and you are able to effect proactive change. And I think that 
it is important that you have a collaborative relationship with 
the CIOs and CFOs in these agencies.
    And I would say, for example, that in the Department of 
Transportation, the CFO is also the Assistant Secretary for 
Budget, which means that CFO has clout. When the Assistant 
Secretary for Budget speaks, she is also speaking with her CFO 
hat.
    We have turned the situation around on the financial 
statements at DOT. For almost 8 or 9 years running, they got a 
disclaimer, and now they have greatly improved their financial 
situation.
    The situation with the Chief Information Officer is a bit 
different because the Chief Information Officer doesn't have 
any line authority over much of anything. And I point that out 
in contradiction to the Chief Financial Officer construct.
    Mr. Forman. If I can add to that, I think that it is 
important to understand the implications there on a couple of 
fronts.
    First of all, when we talk about the President's management 
agenda and the five scorecards, there are a lot of 
interrelationships, and the one that is important here is 
between the financial management scorecard and the e-government 
score. Generally--and we went through this in this last 
quarter--when there is a material weakness related to the 
security program, the agency is going to get a double zinger. 
They will get it on the management scorecard and they will get 
it on the e-government scorecard.
    What the public sees is the scores. What the President sees 
is the detail behind the scores, and that includes the name of 
the person who is responsible for it. So they will see the 
zinger on the two scores with the CIO, or whoever the e-
government lead is for that department; and the CFO, or whoever 
is the financial management lead for that department.
    It is important, therefore, I think, that we continue to 
have computer security linked with being a financial material 
weakness.
    The other thing that you alluded to, though we did go 
through this almost a year ago, a situation where a CFO said, 
Oh, OMB will forget about the security issues; it is not a big 
deal. And that CFO learned that was a career-threatening 
comment. This is extremely important to the White House. And 
that--I think that word has gotten around to the other CFOs 
now.
    Mr. Horn. There is a CFO in the executive forces of the 
executive branch where OMB is there and a whole group of 
agencies. Is that CFO still there?
    Mr. Forman. That is a good question. Again, I don't know 
for a fact that person is still in their job.
    Mr. Horn. Well, we put it in there before the current 
President, and it was--we tried to do it with the previous 
President. And they said no, no, we don't want that. And I 
said, hey, wait a minute. This will be for the next President. 
Oh, no problem, they said, let them do it. Good heavens.
    Now, I am just curious, because we do need a CFO and a CIO. 
Now, who is the CIO that helps your colleagues in the executive 
office of the President?
    Mr. Forman. Well, I am not sure that we have the formal 
or--the formal anointment of a CIO. Our CIO, who had been your 
CIO here in the House, was promoted to the Office of 
Administration. So his deputy moved up as at least the acting 
CIO. And I think--as you know, we have worked fairly closely 
with the Appropriations staff to make sure that the executive 
office of the President is being held to the exact same 
standard that we are holding all the other agencies to. That is 
a commitment. You know, if you are going to hold other agencies 
accountable, you have to start by holding yourselves 
accountable. So we have done that.
    I will say that--and I don't know our results on our 
security review yet, but I will say, as the user, primary user, 
I have had more things stripped from e-mails by our firewall, 
which is one of the signs I know. We don't experience many--
much down time. And we are ultimately a prime target in the 
hacker community. So we have extensively strong firewalls and 
an exceedingly risk-adverse IT security policy that is employed 
to fight firewalls and other tools.
    Mr. Horn. Is there a question on this particular?
    Mr. Lewis. No.
    Mr. Horn. Go ahead.
    Mr. Lewis. There is one question that I wanted to get to, 
and I have to leave in just a second.
    Mr. Mead, the Federal Aviation Administration, does the 
Federal Aviation Administration have a tested contingency plan 
to ensure that it can continue to operate its air traffic 
control system if hackers were to successfully attack? That is 
important to all of us.
    Mr. Mead. I will give this in a two-part answer.
    First, a decision was made earlier this year, based on a 
report we issued, with recommendations that the air traffic 
control system would not be tied in any way to the Internet. 
There was a proposal from FAA that has been percolating from 
1999 to 2000 period that they would have a system that, in 
theory, would be insulated from the Internet, but we felt it 
would be vulnerable.
    A high-level decision was made this year, that would not be 
the case. Therefore, the air traffic control system cannot be 
hacked through directly from the Internet. And I think that was 
a very good decision; although it is going to cost some money, 
it is worth it.
    Second, the air traffic control system, if one part of it 
were to go down for some reason, other elements of it can pick 
up the operations for a short period of time. We do think, as 
reported in our GISRA report, that for the longer term FAA 
needs a more robust contingency plan. But for the shorter term, 
we think they have a good one.
    In addition, as I noted in our testimony, the background 
checks on people have improved dramatically over the last 
couple of years. The principal exposure we have on the AT C 
system is not from private attackers; it is insiders or 
contractors. That is where the attention needs to be focused.
    But for the short term, I can give you good assurances that 
we are in decent shape. For the longer term, we need to pay 
more attention. And that is what we reported to OMB and the 
Secretary.
    Mr. Lewis. Thank you.
    Thank you, Mr. Chairman.
    Mr. Horn. Thank you. Appreciate it.
    Let us just have a couple with Mr. Mead, the Inspector 
General. And the Security Act directs the agency's Chief 
Information Officer to develop and maintain an agency-wide 
information security program; yet, the Department of 
Transportation has not had a Chief Information Officer since 
January 2001.
    Why has this been allowed to continue, and who has taken on 
the responsibility in lieu of the Chief Information Officer?
    Mr. Mead. Why has it happened? It has not been for want of 
recruiting. They did have a candidate; that fell through for 
one reason or another. They are now vetting other candidates. 
But I have got to say that I think that the importance of the 
position needs to be recognized more vigorously. If you were 
talking about the FAA Administrator, the Assistant Secretary 
for Budget, or the Deputy Secretary, those positions would not 
be allowed to go vacant for such a long period of time.
    We will have a Chief Information Officer. I think it will 
take probably 2 or 3 more months. But we really need one.
    You know, this year, Mr. Chairman, OMB did something I 
think was quite good. They brought together the management side 
of OMB, the budget side, at very senior levels--the Inspector 
General, the budget people, the Chief Financial Officer. And 
they went over their range of material weaknesses that needed 
to be addressed. And missing, of course, was our Chief 
Information Officer because we didn't have one.
    Instead--and here is the answer to the second part of your 
question--we had the acting Chief Information Officer who has 
taken on that position frequently, given that over the last 6 
years we have had a Chief Information Officer for only 18 
months.
    Mr. Horn. And you haven't seen a problem. Is that it? Or--
--
    Mr. Mead. No. I have seen a problem, and the problem is two 
fold at DOT. One, the CIO does not have line authority over 
budgets. Two, the CIO does not have input into the performance 
appraisals of the Chief Information Officers of the various 
operating administrations. You need to have those two elements.
    We did have a Chief Information Officer for 18 months 
during the last administration, and we still had problems. We 
had problems largely because the operating administrations did 
not feel accountable to that CIO. And right now you have 
Secretary Mineta and Deputy Secretary Jackson doing the street 
work to get attention paid to information security. And they 
are doing a good job, but they have a lot of other things to 
do, too.
    Mr. Horn. Mr. Forman, are there other CIOs that do not have 
any--looking at, in terms of the budget? Or is it at the upper 
level of the Deputy Secretary?
    Mr. Forman. Well, obviously, especially in this era we want 
the secretaries and deputy secretaries to focus on improving 
the quality of the cyber security posture at the departments.
    But I have to agree with Mr. Mead; where we have seen 
progress, there has been clear action taken to empower the CIO. 
We did some of that in the budget process last year. Obviously, 
our focus on capital planning and enterprise architectures is 
specifically for that purpose, but also other Secretaries, the 
Attorney General. So, where there is a Secretary or where we 
are working with the Secretaries make it clear that the CIO is 
fully empowered, we see progress.
    Now, I would say transportation is one where there is a 
less-than-powerful CIO. I think, though, we have--whether it is 
OMB or if you talk to the Secretary or Deputy Secretary, all 
agree they need a powerful CIO. You run into an interesting 
situation then, trying to recruit someone, because you know 
that first person there is going to be one that is going to 
take on some very longstanding cultural issues, political 
issues, both internal and relationships between operating 
administrations and the Congress. And it does take, I have 
found, a concerted effort in working with this committee, with 
the Appropriations committees, with the leadership of that 
department and OMB, to make that change occur. And that is 
really tough absent a burning document or crisis like the 
situation at Interior.
    Mr. Horn. Well, we will move to the Carnegie Mellon expert 
here. And in your testimony, you state that the number of 
reported incidents continues to rise. Mr. Mead stated that the 
Department of Transportation has reported more than 25,000 
incidents in 2002, although all may not have been intrusions. 
Meanwhile, some agencies, such as the Department of Housing and 
Urban Development, have reported no incidents.
    Given your expertise on this subject, how would you explain 
this disparity?
    Mr. Pethia. Two reasons that I can think of. One of them is 
that often organizations, both in the government and in the 
private sector, shy away from reporting incidents because they 
don't want the little black mark that goes next to their name 
that says there is a possibility of a security problem. We 
certainly see a lot of that in the private sector. Concerns 
over loss of confidence in the organization make people 
reluctant to want to report.
    The second reason is that very often I think a lot of these 
incidents go not just unreported but undetected. We know that 
intrusion detection technology is only moderately effective. We 
know that many organizations don't have active programs in 
place to monitor their systems and monitor their networks to 
look for signs of intrusion.
    So I think it is a combination of both, organizations that 
don't want to report because they are concerned about 
embarrassment, but also, all too often, the case that these 
incidents go undetected.
    Mr. Horn. You expressed concern about the vulnerabilities 
associated with the supervisory control and data access 
systems. Can you give us a specific example of the result if 
one of these systems which controls some of the Nation's 
critical infrastructure were successfully attacked?
    Mr. Pethia. The example that was in my testimony was a case 
that was reported from Australia where it was actually a 
disgruntled employee who decided to affect the operations of a 
sewage control system, and in fact, hundreds of thousands of 
gallons of sludge were dumped out into the environment causing 
the environmental impact of that. You can hypothesize certainly 
other kinds of incidents where, very simply, things like oil 
stops flowing, natural gas stops flowing, power isn't delivered 
to certain parts of the country, hydroelectric dams are 
suddenly releasing water into river valleys where the level of 
water is not expected.
    So I think this is an area where we have to begin to 
understand and pay more attention to the fact that the cyber 
world and the physical world are now tightly connected. And we 
often think about physical events and cyber events as separate 
kinds of things, but now that we are living in a situation 
where we have to pay attention to terrorists, people that want 
to disrupt our society, I think we have to, all of us, have a 
better understanding of how the cyber world and the physical 
world are connected, how physical attacks--how the impact of 
those attacks can be amplified by cyber attacks. So, for 
example, if there were to be a physical attack on one of our 
cities disrupting the communications systems that, at the same 
time, would slow the response to that kind of an attack, it 
would slow emergency services.
    And similarly, we can see how physical attacks can 
exacerbate the cyber attacks as well. And that is an area of 
work that I think--you know, now that we are beginning to get 
some of the basics in place, I think we need to look beyond 
just cyber alone and look at the connection between cyber and 
physical.
    Mr. Forman. Mr. Chairman, if I may address a key point in 
that. You know, we track data on intrusions, and we see the 
numbers of thousands of intrusions. And while I am sure that is 
important, the issue that has long existed is the internal 
threat. And the corollary to that is, you have to know what you 
do once you intrude. You have to know what a piece of data is. 
Breaking into an Oracle or an I BM DB2 data base doesn't get me 
anywhere if I don't have a copy of that somewhere on my 
computer and know what that data structure is. Otherwise, all I 
have done is revealed a string of, who knows what.
    So it is not as--I don't believe, as simple as saying the 
number of intrusions have gone up and therefore there is a real 
problem here. You have to have some insight about what you are 
doing in order to say there is a real vulnerability or threat.
    Mr. Horn. Any thoughts on that comment?
    Mr. Pethia. I think that is certainly true. The great 
majority of what we see out there are what I often call 
``recreational hacking attacks,'' hackers are out looking for 
things to explore or out to prove some kind of a political 
point who are not really bent on doing damage. But I think as 
we become more reliant on this technology and as we 
interconnect more and more of our systems, the people who are 
serious about causing damage, or the people who are serious 
about taking advantage of us for their personal profit, the 
criminals and the terrorists, will begin to move more and more 
into this space.
    And I agree with Mark, you certainly can't attack a system 
and do an awful lot of damage unless you do know something 
about it. But we do know that our systems are being surveilled, 
we know that they are constantly being probed, we know that 
networks are being mapped. We know that there are people out 
there who are working very hard to understand how our systems 
are configured and how they are put together. And so I think a 
lot of the thing we have to pay attention to is the insider 
threat. But an awful lot of outsiders are working hard to 
become as knowledgeable as the insiders, and we can expect to 
see those kinds of attacks in the future.
    Mr. Horn. Well, along that line of someone with your 
extensive knowledge of Federal operations, what are the most 
important actions Federal agencies must take to improve their 
computer security?
    Mr. Pethia. I am very happy to see GISRA and the effects 
that it is beginning to have. I think the steps that are 
outlined there are exactly the right ones for agencies to go 
through right now. But as Mark said, Mr. Forman, earlier in his 
testimony, as we are now beginning to get some of these high-
level things in place, it is time to get down into the details, 
the nuts and the bolts.
    And that is why I often speak about the need for more 
trained professionals, more knowledge about security, security 
issues, because this risk management action--as we begin to get 
the senior level attention, as we begin to get security plans 
in place, as we begin to go through an annual process, now it 
is time to implement those corrections that are needed; and 
that requires knowledgeable people. And so I think the next 
step is for agencies to have a real understanding of exactly 
why these vulnerabilities are serious, and then to put into 
effect the right kind of implementations and monitor those 
implementations for effectiveness over time.
    Mr. Horn. Mr. Dacey, based on your analyses of the last 2 
years of agency reports required by the Government Information 
Security Reform Act, do you believe that the Federal Government 
is making progress in its efforts to secure the government 
computer systems?
    Mr. Dacey. Yes, Mr. Chairman, I do believe they are making 
progress. There are many actions under way both, as I said, at 
a governmentwide level and agency level; and I would 
distinguish some of those actions. I think some of them were 
challenging, but longer-lasting actions will take some time to 
fully implement. We have talked about some of these here this 
morning.
    Putting in an effective security management program, I 
think is key, because oftentimes in doing our audits, we find 
that maybe the agency in fact fixed some of the specific 
weaknesses on the specific systems we audited, which is only a 
small portion of the agency systems, and yet we find the same 
types of incidents and problems occurring in other systems 
within the agency; and in fact have seen on several occasions 
the same weaknesses occur as new operating systems are 
installed and the same changes aren't made to those new 
operating systems that were fixed on the old ones.
    So I do think security management is key. I think we are 
seeing some fundamental changes taking place. We talked earlier 
today, the Honorable Mr. Lockhart had talked about SSA and 
their efforts to monitor their systems and put together a 
program to really highlight to executive management what is 
going on and really to probe their own systems and understand; 
and we are seeing some efforts in that arena as well.
    We are seeing responsibilities changing--VA recently moved 
the responsibilities for security and all of the budget 
decisions to the CIO similar to what we talked about. And I 
know there are a number of agencies, although I don't know 
which today, that is still an issue--but we have seen where 
that is happening, it is starting to make fundamental changes 
to the core, because what we really need is a structure of 
management that can address these problems.
    We talk about vulnerabilities that are showing up with a 
magnitude of about a 12 or 13 a day, on average, and I am sure 
that is increasing. Mr. Pethia might update us on that. But it 
really calls for a fundamental structure; and it is a 
management challenge rather than a technical one.
    I do agree we need to address some of the technical issues. 
I think with the bill that Congress recently passed to provide 
some funding for research and development and education are two 
key areas that will help address some of those problems. But--I 
do think those are the issues, but I do think there are 
improvements. I think there need to be more, though.
    And again getting back to the other discussion, some of the 
nuts and bolts, we know on one hand there is a big risk, 
because there are a lot of hacker tools and a lot of known 
vulnerabilities that exist. On the other hand, we need to take 
that information and take it back to our own systems and say, 
well, we know what kind of things that the hackers might 
attack; we need to make sure that our systems are prepared to 
address those areas.
    So there is a lot of progress, but we also have got to keep 
in mind that the risk, I think, is dramatically increasing. We 
are not dealing in a static risk environment. I think it is 
increasing; I think it will be a continuing challenge to make 
sure that those improvements keep pace, or in fact we need to 
outpace the increase in the risk to make progress, real 
progress.
    Mr. Horn. What lessons can be learned from those agencies 
that are successfully improving their computer security?
    Mr. Dacey. I think Mr. Lockhart addressed some of those 
issues in terms of security management.
    We issued a guide in 1998 which really laid out a lot of 
the key issues. And GISRA was fundamentally based on some of 
the same principles, and your grades which you put up today are 
also based on security management concepts. And that is putting 
in place a key function responsible for computer security at a 
level in the agency that has the senior management's attention. 
That is a key aspect. Making sure you have got risk 
assessments, understanding what those risks are.
    I know there are some governmentwide efforts now through 
NIST to develop standardized guidance for certification and 
accreditation that are now in draft and lay out three risk 
levels; and they intend to go further and define minimum 
controls for those risk levels, as well as techniques that can 
be used to assess them.
    So we really have a structure that is starting to take 
place to assess the risks. I think those agencies that have 
gone ahead and done that, that are far advanced in the 
certification and accreditation process, have been able to 
demonstrate a better knowledge of their systems and in fact 
inventory their systems, which is something that is in the 
Federal Information Security Management Act, the fundamental 
process to make sure agencies have all their systems identified 
so they can begin that risk assessment process. And agencies 
like S SA, I think have done a reasonable job of trying to 
identify those systems and manage them. So that is important.
    The second area is making sure you have the necessary 
controls. I think with some of the NIST efforts--that may go to 
help. I think it is a promising action that could help, because 
right now each agency is deciding on their own on what the 
controls they need to implement, and there isn't a constancy. 
And if we have that, as we talked about in testimony, I think, 
in July, there can be some constancy in training as well as 
tools developed to help people do what they need to do.
    The third area is security awareness. I think a lot of 
agencies are now putting together programs to make sure that 
the employees are aware. Computer security is fine, but if 
someone can call up somebody in the agency and they willingly 
give up their password or use passwords that aren't very 
secure, that really endangers the whole system, not only that 
system, but anything it is connected to in a trusted 
environment. So I think that is another area where we have seen 
progress.
    And the last area is really in the monitoring, and we are 
starting to see some agencies, such as Social Security, go 
outside to really have someone come in and help them test their 
systems to see if they are secure. I think that is a key 
component that has been long missing, but we are starting to 
see a lot of activity in that regard.
    Also, as part of the certification and accreditation 
process, NIST is working on developing standards for 
accrediting entities that would do that.
    I think one of the important elements, if we are going to 
proceed in this effort--and I think it is important--is to 
ensure some consistency in the types of testing of controls 
that are carried out, because right now there is a wide 
variation in the quality and extent of the procedures that may 
be used by the private sector. And I think bringing those to 
some consistency will be important.
    So I think those are all aspects that, where agencies have 
done those kind of things and put responsibility in the CIO 
position, we are starting to see some fundamental changes. But 
again, those will take some time to come to fruition and for 
all the significant weaknesses we talked about to be 
identified.
    Last, those significant weaknesses that I said in my 
testimony will likely increase, because I think we are still 
finding more of them, and as those get identified, hopefully 
those will get addressed as well, and we will get the numbers 
down.
    Mr. Horn. In the help GAO and you have given us, to what 
degree are the agencies having very realistic, adequate 
contingency plans to recover their critical operations without 
a significant loss in their ability to conduct their mission?
    Mr. Dacey. Based upon our review in the chart, we 
identified 20 agencies that had one or more significant 
weaknesses in contingency planning. And I think that is 
particularly important, because we were looking at report 
issued since September or after September of last year. And so 
that is a critical area. And I know a lot of agencies have been 
trying to address that, but again, to get back to fundamental 
issues: Do you know your systems? What they are? In some cases, 
we still struggle with that when we do our audits and go in, 
ask for inventories and structures of networks, we oftentimes 
don't get up-to-date pictures of what the agency has; and they 
need that.
    Second, we have seen where there are plans, they may not be 
complete and assets properly prioritized, and probably one of 
the most important elements missing in many is really a 
comprehensive testing. Again, some agencies are doing that, but 
unless you comprehensively test this process--and I mean 
frequently; I don't know, there is no definite frequency, but 
with some degree of frequency--you don't know if it is going to 
work in case you have to employ it.
    I know there are a lot of lessons learned based upon the 
effects of September 11 on the private sector, which we have 
had in prior testimonies before this committee. I think those 
are important lessons. Some of the more successful entities in 
the private sector had fairly extensive disaster recovery 
programs, as well as regular drills.
    I do remember one of them, in fact, having practiced what 
happens if senior management, who makes the key decisions, 
isn't available to talk to. And, in fact, they practiced that, 
and that is what happened on September 11. They were busy 
evacuating lower Manhattan. The people who don't make day-to-
day decisions had to make them, and they had prepared to do 
that by prior exercises.
    So I think there are a lot of challenges still in that 
area, and in post-September 11 situations, particularly as Mr. 
Pethia pointed out, the increasing threats for intentional 
damage that might occur.
    Mr. Horn. Are there any things that we have not brought up 
that would be useful in terms of getting a better type of a 
score in the last year or 2 more years, and there wouldn't be a 
lot of Fs all over that place? Let us see how many could be in 
Social Security, and that would help.
    Mr. Mead. I would like to see some tighter milestones. 
Having gone through the Y2K experience at Transportation, where 
we have a lot of operational systems like air traffic control 
or search and rescue, I think there is a very important value 
in having a date that everybody is marching toward. And the 
beauty of Y2K--it may be in hindsight, if I could use that word 
was that it had an unwaiverable date. It was certain to occur, 
and the agency heads and all the staffs knew that they were 
marching to get that done. And a serious computer security 
incident would get our attention, it might come too late.
    Mr. Horn. Mr. Dacey.
    Mr. Dacey. I would like to echo Mr. Mead's comments. I 
think one of the key areas that we have indicated in some of 
our prior reports and testimonies, both for Federal information 
and security and critical infrastructure protection, is the 
need to establish deadlines and goals.
    I know one of the efforts that OMB has put forward as a 
result of last year's GISRA report is requiring all major 
agencies to undergo a project matrix review, which would 
identify significant assets of the agency and go about to 
identify interdependencies and come out with a plan to remedy 
those, any risks that they identified.
    One of the challenges there though is, it has now taken a 
fair amount of time to get through that, and I don't know how 
many agencies have finished the first step. I know--Social 
Security has, I believe, already done that and is moving on in 
the second step.
    But I think one of the challenges is, when does the 
government expect these actions to be--some of these key 
actions to be completed? And I think that is an important part 
of setting--again, a deadline helps to solidify what resources 
you need to get to that deadline. I think that could be 
beneficial.
    Mr. Horn. I want to thank our witnesses today and the vice 
chairman, Mr. Lewis. And I am heartened by the administration's 
attention to this urgent problem. However, I am confident that 
the sustained pressure by the Office of Management and Budget, 
the General Accounting Office, and the Committee on Government 
Reform in the Congress, Federal agencies will continue to make 
strides to protect these vital systems.
    We must solve this problem, and we must solve it quickly. 
The American people desire to know that the information they 
share with the Federal Government is protected. They must also 
be assured that the government services they rely on will not 
be interrupted.
    I want to thank the subcommittee staff that has worked on 
this with a number of you. Bonnie Heald, the staff director, 
put your hand up; don't be shy around this place. Henry Wray, 
senior counsel; he is down working--he was very--working in 
terms of three bills we had the last night of this Congress, 
and they are about to go to be signed by the President. Counsel 
Dan Daly; Dan Costello, professional staff; the majority clerk, 
Chris Barkley; and staff assistant, Ursula Wojciechowski.
    And then the detailee from the General Accounting Office 
has spent a lot of time on this. She is working here with my 
left hand and your right; and we are delighted with the General 
Accounting Office, and Elizabeth Johnston has done a wonderful 
job. I hope we can keep her longer, although I don't know; GAO 
might want her back, or at least put a chain on her. So she has 
done a great job.
    And on the minority staff we have Michelle Ash, counsel, 
and Jean Gosa, the minority clerk. And they have done a 
wonderful job at every hearing I have done.
    I thank the court reporters, Christina Smith and Desirae 
Jura. Thank you very much.
    And, with that, we are adjourned.
    [Whereupon, at 11:41 a.m., the subcommittee was adjourned.]
    [Additional information submitted forthe hearing record 
follows:]

[GRAPHIC] [TIFF OMITTED] T9165.075

[GRAPHIC] [TIFF OMITTED] T9165.076

[GRAPHIC] [TIFF OMITTED] T9165.077

[GRAPHIC] [TIFF OMITTED] T9165.078

[GRAPHIC] [TIFF OMITTED] T9165.079

[GRAPHIC] [TIFF OMITTED] T9165.080

[GRAPHIC] [TIFF OMITTED] T9165.081

[GRAPHIC] [TIFF OMITTED] T9165.082

[GRAPHIC] [TIFF OMITTED] T9165.083

[GRAPHIC] [TIFF OMITTED] T9165.084

