<html>
<title> - CYBER SECURITY CHALLENGES AT THE DEPARTMENT OF ENERGY HEARING BEFORE THE SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS OF THE COMMITTEE ON ENERGY AND COMMERCE HOUSE OF REPRESENTATIVES ONE HUNDRED NINTH CONGRESS SECOND SESSION JUNE 9, 2006 Serial No. 109-107 Printed for the use of the Committee on Energy and Commerce Available via the World Wide Web: http://www.access.gpo.gov/congress/house U.S. GOVERNMENT PRINTING OFFICE 29-892 WASHINGTON : 2006</title>
<body><pre>[House Hearing, 109 Congress]
[From the U.S. Government Printing Office]


                    CYBER SECURITY CHALLENGES AT THE
                          DEPARTMENT OF ENERGY


                               HEARING

                             BEFORE THE

               SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                               OF THE

                      COMMITTEE ON ENERGY AND
                              COMMERCE

                      HOUSE OF REPRESENTATIVES


                     ONE HUNDRED NINTH CONGRESS

                           SECOND SESSION


                            JUNE 9, 2006

                         Serial No. 109-107

        Printed for the use of the Committee on Energy and Commerce


Available via the World Wide Web:  http://www.access.gpo.gov/congress/house


                    U.S. GOVERNMENT PRINTING OFFICE
29-892                      WASHINGTON : 2006
_____________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; DC area (202) 512-1800  Fax: (202) 512-2250  Mail: Stop SSOP, Washington, DC 20402-0001


                   COMMITTEE ON ENERGY AND COMMERCE
                      JOE BARTON, Texas, Chairman
RALPH M. HALL, Texas                      JOHN D. DINGELL, Michigan
MICHAEL BILIRAKIS, Florida                  Ranking Member
  Vice Chairman                           HENRY A. WAXMAN, California
FRED UPTON, Michigan                      EDWARD J. MARKEY, Massachusetts
CLIFF STEARNS, Florida                    RICK BOUCHER, Virginia
PAUL E. GILLMOR, Ohio                     EDOLPHUS TOWNS, New York
NATHAN DEAL, Georgia                      FRANK PALLONE, JR., New Jersey
ED WHITFIELD, Kentucky                    SHERROD BROWN, Ohio
CHARLIE NORWOOD, Georgia                  BART GORDON, Tennessee
BARBARA CUBIN, Wyoming                    BOBBY L. RUSH, Illinois
JOHN SHIMKUS, Illinois                    ANNA G. ESHOO, California
HEATHER WILSON, New Mexico                BART STUPAK, Michigan
JOHN B. SHADEGG, Arizona                  ELIOT L. ENGEL, New York
CHARLES W. "CHIP" PICKERING, Mississippi  ALBERT R. WYNN, Maryland
  Vice Chairman                           GENE GREEN, Texas
VITO FOSSELLA, New York                   TED STRICKLAND, Ohio
ROY BLUNT, Missouri                       DIANA DEGETTE, Colorado
STEVE BUYER, Indiana                      LOIS CAPPS, California
GEORGE RADANOVICH, California             MIKE DOYLE, Pennsylvania
CHARLES F. BASS, New Hampshire            TOM ALLEN, Maine
JOSEPH R. PITTS, Pennsylvania             JIM DAVIS, Florida
MARY BONO, California                     JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon                       HILDA L. SOLIS, California
LEE TERRY, Nebraska                       CHARLES A. GONZALEZ, Texas
MIKE FERGUSON, New Jersey                 JAY INSLEE, Washington
MIKE ROGERS, Michigan                     TAMMY BALDWIN, Wisconsin
C.L. "BUTCH" OTTER, Idaho                 MIKE ROSS, Arkansas
SUE MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee

                    BUD ALBRIGHT, Staff Director
                   DAVID CAVICKE, General Counsel
     REID P. F. STUNTZ, Minority Staff Director and Chief Counsel


               SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
ED WHITFIELD, Kentucky, Chairman          BART STUPAK, Michigan
CLIFF STEARNS, Florida                      Ranking Member
CHARLES W. "CHIP" PICKERING, Mississippi  DIANA DEGETTE, Colorado
CHARLES F. BASS, New Hampshire            JAN SCHAKOWSKY, Illinois
GREG WALDEN, Oregon                       JAY INSLEE, Washington
MIKE FERGUSON, New Jersey                 TAMMY BALDWIN, Wisconsin
MICHAEL C. BURGESS, Texas                 HENRY A. WAXMAN, California
MARSHA BLACKBURN, Tennessee               JOHN D. DINGELL, Michigan
JOE BARTON, Texas                           (EX OFFICIO)
  (EX OFFICIO)


                                CONTENTS

Testimony of:
     Friedman, Hon. Gregory, Inspector General, U.S. Department of
          Energy
     Podonsky, Glenn S., Director, Office of Security and
          Safety Performance Assessment, U.S. Department of Energy
     Pyke, Jr., Thomas N., Chief Information Officer, U.S.
          Department of Energy
     Brooks, Hon. Linton, Under Secretary of Energy for
          Nuclear Security and Administrator, National Nuclear
          Security Administration, U.S. Department of Energy
     Garman, Hon. David K., Under Secretary for Energy,
          Science, and Environment, U.S. Department of Energy
Additional material submitted for the record:
     Pyke, Jr., Thomas N., Chief Information Officer, U.S.
          Department of Energy, response for the record
     Podonsky, Glenn S., Director, Office of Security and
          Safety Performance Assessment, U.S. Department of
          Energy, response for the record
     Friedman, Hon. Gregory, Inspector General, U.S.
          Department of Energy, response for the record

                      CYBER SECURITY CHALLENGES AT THE
                             DEPARTMENT OF ENERGY


                             FRIDAY, JUNE 9, 2006

                           HOUSE OF REPRESENTATIVES,
                      COMMITTEE ON ENERGY AND COMMERCE,
               SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS,
                                                          Washington, DC.


        The subcommittee met, pursuant to notice, at 10:42 a.m., in
Room 2123 of the Rayburn House Office Building, Hon. Ed
Whitfield [Chairman] presiding.
        Present:  Representatives Whitfield, Bass, Walden, Burgess,
Blackburn, Barton (Ex Officio), Stupak, DeGette, and Inslee.
        Staff Present:  Mark Paoletta, Chief Counsel for Oversight and
Investigations; Dwight Cates, Professional Staff Member; Tom
Feddo, Counsel; Matt Johnson, Legislative Clerk; and Chris
Knauer, Minority Investigator.
        MR. WHITFIELD.  This meeting will come to order.
        Once again, I apologize to you all for the delay, but there were
a few items that came up at the last minute that we needed to
discuss.
        Today, we are going to have a hearing on the review of cyber
security challenges at the Department of Energy; and today's
hearing will focus on ongoing challenges to secure DOE's
unclassified network as well as the Department's efforts to address
specific cyber security weaknesses that have been identified by the
Department of Energy Inspector General and the Office of Security
and Safety Performance Assurance.
        This is not a new issue for the subcommittee.  In April of 2001,
this subcommittee held a hearing to review the security of
government computer systems.  At that hearing, Mr. Glenn
Podonsky, who is the Director of DOE's Office of Security and
Safety Performance Assurance, provided a demonstration of cyber
penetration techniques used to gain access to the DOE unclassified
network.
        In the 5 years since that hearing, there has been a worldwide
surge in the number of identified cyber security vulnerabilities as
well as a surge in malicious cyber activity designed to exploit
those vulnerabilities.  In fact, looking back at our April, 2001,
hearing, I think we could consider that period as the good old days,
compared to the challenges that we face today.  All indications
point to a continually evolving cyber threat environment where
malicious activity will continue to increase in complexity.
        A recent report from Symantec Corporation points out that
computers based in the United States account for 31 percent of all
cyber attacks.  Ranked second is the rapidly increasing cyber threat
originating from China.  According to a March, 2006, report from
Symantec, attacks originating in China last year increased by
153 percent.  According to Symantec, these attacks from China are a
likely sign that more attackers have become active within the
country.
        In response to the growing cyber threat, it is critical that DOE
develop and maintain a robust cyber security posture to defend
against unauthorized penetrations into its unclassified network.  A
comprehensive cyber security effort at DOE is particularly
challenging due to the large number of systems maintained by the
Department and their geographical dispersion.
        In a recent report, Mr. Podonsky noted that DOE's approach
to cyber security does not provide the degree of structure, direction
and management involvement necessary to support effective
decision making and program implementation.
        To emphasize this point, last year, Mr. Podonsky conducted an
unannounced internal red team penetration test that successfully
gained control of a DOE site network.  From there, the red team
exploited existing network interconnections to gain control of
several other DOE site networks.  This internal performance test
identified previously unsuspected vulnerabilities.
        In response to these alarming findings, the DOE Office of the
Chief Information Officer has worked in conjunction with NNSA
and DOE program officers to develop a revitalization plan to
revitalize the DOE's cyber security posture.
        The committee staff has reviewed the Chief Information
Officer's revitalization plan, and it does appear to be
comprehensive.  When implemented, the revitalization plan should
resolve many of the Department's cyber security weaknesses, or at
least that's our hope.  Unfortunately, based on a recent update from
the Department, progress on many of the corrective actions in the
revitalization plan has already fallen behind schedule.
        Although the unclassified network does not contain classified
information, it does contain sensitive and confidential information.
In some cases, important research at the national laboratories is
initiated and developed on unclassified networks until it reaches a
stage of development that requires it to be classified.  This
and other sensitive unclassified information requires the best
protection.
        I would also note that approximately 75 percent of the DOE
computer systems are actually operated by contractors.  Thus, in
order to successfully address the Department's cyber security
challenges, the Department will need to have each of its
contractors on board.
        We look forward to hearing today from Mr. Tom Pyke, the
Department's CIO, as well as Under Secretary Linton Brooks and
Under Secretary David Garman on the steps they are taking to
improve cyber security.
        We plan to conduct as much of this hearing as possible in an
open public format.  However, we know that at some point we are
going to move the hearing into Executive Session where we can
discuss sensitive information.
        One of the pieces of information that came to our knowledge
just last night that raises serious concerns for all of the members of
the subcommittee relates to the fact that the personnel files,
including Social Security numbers, of 1,500 Federal and contract
employees at DOE, were exfiltrated by an unknown hacker.  The
point that really upsets us in the committee about this is that this
information was known somewhere within the Department of
Energy 8 months ago and yet, from the information that we have,
that information was not shared with the Secretary of Energy
himself, and was not shared with the CIO.
        Of course, Mr. Brooks will be with us on the second panel, as
well as others, and we will be asking some questions about this.
But we are going to have to go into Executive Session to get into
any detail on that issue because of the classified information.
        But I do want to just reiterate the fact that this alleged breach
occurred 8 months ago within the Department of Energy and
personnel files of 1,500 DOE employees have been obtained by
some unknown hacker and this is of great concern to all of us.
        With that, I recognize the gentleman from Michigan, Mr.
Stupak.
        [The prepared statement of Hon. Ed Whitfield follows:]

PREPARED STATEMENT OF THE HON. ED WHITFIELD, CHAIRMAN,
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

        This hearing will come to order.  Today we will review the
status of cyber security at the Department of Energy and the
National Nuclear Security Administration.  Today's hearing will
focus on ongoing challenges to secure DOE's unclassified
network, as well as the Department's efforts to address specific
cyber security weaknesses that have been identified by the DOE
Inspector General and the Office of Security and Safety
Performance Assurance.
        This is not a new issue for the Subcommittee.  In April of 2001
this Subcommittee held a hearing to review the security of
government computer systems.  At that hearing, Mr. Glenn
Podonsky - who is the Director of DOE's Office of Security and
Safety Performance Assurance - provided a demonstration of
cyber-penetration techniques used to gain access to the DOE
unclassified network.  In the five years since that hearing there has
been a worldwide surge in the number of identified cyber security
vulnerabilities as well as a surge in malicious cyber activity
designed to exploit those vulnerabilities.  In fact, looking back at
our April 2001 hearing, I think we could consider that period as
"the good old days" compared to the challenges we face today.
        All indications point to a continually evolving cyber threat
environment where malicious activity will continue to increase in
complexity.  A recent report from Symantec Corporation points out
that computers based in the United States account for 31% of all
cyber attacks.  Ranked second behind the US is the rapidly
increasing cyber threat originating from China.  According to a
March 2006 report from Symantec, attacks originating in China
last year increased by 153%.  According to Symantec, these attacks
from China are "likely a sign that more attackers have become
active within the country."
        In response to the growing cyber threat, it is critical that DOE
develop and maintain a robust cyber security posture to defend
against unauthorized penetrations into its unclassified network.  A
comprehensive cyber security effort at DOE is particularly
challenging due to the large number of systems maintained by the
Department, and their geographical dispersion.  In a recent report,
Mr. Podonsky noted that DOE's approach to cyber security "does
not provide the degree of structure, direction, and management
involvement necessary to support effective decision-making and
program implementation."
        To emphasize this point, last year Mr. Podonsky conducted an
unannounced internal "red team" penetration test that successfully
gained control of a DOE site network.  From there, the red team
exploited existing network interconnections to gain control of
several other DOE site networks.  This internal performance test
identified previously unsuspected vulnerabilities.
        In response to these alarming findings, the DOE Office of the
Chief Information Officer has worked in conjunction with NNSA
and DOE program offices to develop a "revitalization plan" to
revitalize the DOE cyber security posture.  The Committee staff
has reviewed the CIO's revitalization plan, and it appears
comprehensive.  When implemented, the revitalization plan should
resolve many of the Department's cyber security weaknesses.
Unfortunately, based on a recent update from the Department,
progress on many of the corrective actions in the revitalization plan
has already fallen behind schedule.
        Although the unclassified network does not contain classified
information, it does contain sensitive and confidential information.
In some cases important research at the national laboratories is
initiated and developed on unclassified networks until it reaches a
stage of development that requires it to be classified.  This
and other sensitive unclassified information requires the best
protection.  I would also note that approximately 75% of DOE's
computer systems are actually operated by contractors.  Thus, in
order to successfully address the Department's cyber security
challenges, the Department will need to have each of its
contractors on board.
        I look forward to hearing from Mr. Tom Pyke, the
Department's Chief Information Officer, as well as Under
Secretary Linton Brooks and Under Secretary David Garman on
the steps they are taking to improve cyber security.
        I plan to conduct as much of this hearing as is possible in an
open, public format.  However, I expect that at some point we will
move the hearing into executive session where we can discuss
sensitive information.  I look forward to hearing from the
witnesses and I yield back the balance of my time.

        MR. STUPAK.  Thank you, Mr. Chairman; and thank you for
holding this hearing.
        Today's hearing is on a subject that most people don't think
about and, quite frankly, take for granted.  Nonetheless, the issue
of cyber security can have profound consequences for the Nation's
national security if not handled competently and aggressively.
        The issue of cyber security is a matter that this subcommittee
has examined for years.  How Federal agencies and departments
protect sensitive systems and the information they contain from
malicious hackers or foreign agents is something that we should all
be concerned about.
        The Department of Energy has literally hundreds of thousands
of computers and a myriad of networks that can all serve as
potential vectors for external threats.  These computers and
networks, both classified and unclassified, hold very sensitive
information on a range of issues.  These systems must be protected
with vigor.
Failure to do so can result in huge losses of critical
data, including data related to national security.
        Mr. Chairman, what we will hear today, however, is a mixed
report card.  On one hand, we will hear that improvements in
securing this information have been made and continue to be
made.  However, we will also hear that significant progress is still
needed on behalf of the DOE Chief Information Office to better
secure the Department's key systems.
        The Department of Energy Inspector General and DOE's
Director of the Office of Security and Safety Performance Assurance
have both found considerable weaknesses in key DOE systems.
Both of these entities in various audits and red teaming
examinations have determined as recently as last year that DOE
systems, particularly those networks which contain unclassified
information, are entirely too vulnerable.  We will hear from both
offices that, while DOE strives to close these weaknesses against
outside threats, more must be done and it must be done soon.
        Mr. Chairman, I do note that this hearing will be conducted
partially in open session and partially in closed session.  I support
this approach because it is only during the closed session that we
will be able to discuss the details of where DOE has failed to
secure key systems in the past and where the Department remains
vulnerable today.  I believe that a vigorous discussion in the closed
session will underscore what many of us know, which is that
significantly more attention must be paid to this important area.
        Mr. Chairman, I do look forward to the testimony from the
excellent witnesses we have before us today.  I look forward to
continuing to work with you to explore additional ways to secure
DOE key information systems.
        As many have noted in their testimony, the threats to DOE
information systems have never been greater, and those threats
continue to grow in sophistication and intensity every day.  I
concur with those statements based on what I have seen through
this investigation, and I underscore the need to hold the
Department accountable in this regard.
        Mr. Chairman, I look forward to hearing from our witnesses.
You mentioned the exfiltrated information, and I look
forward to going into closed session to discuss it.  I really would
like to know why it takes 8 to 9 months for this committee, which
has jurisdiction and has taken a great interest for a number of years
in this issue, that we once again are about 8 to 9 months behind
without any proper notification.
        MR. WHITFIELD.  Thank you, Mr. Stupak.
        At this time, I recognize the gentleman from Texas, Dr.
Burgess, for his opening statement.
        MR. BURGESS.  Thank you, Mr. Chairman.  I will be brief,
because I am anxious to get to the testimony of the witnesses, and
much of the information we have had prior to this hearing we only
got this morning.
        But we live in a dangerous world, and there are clever enemies
both within and without our country.  Our national security has
become the most important issue facing the Nation, and indeed it is
our most important job here in the United States Congress.  We
must do everything within our power to ensure that we do not
become victims of terrorism again.
        Our committee has a very important responsibility to the
American public, and I am glad that we are conducting the
oversight of the nuclear facilities.  As terrorists become more and
more sophisticated, we must continue to implement and maintain
comprehensive measures to secure our safety.
        Mr. Chairman, I welcome the fact that you are holding so much
of this hearing in open session.  You are to be commended for that.
I do understand the necessity for holding a portion of this hearing
in closed session.
        I am concerned about the reported lack of safety and security
surrounding some of our nuclear facilities.  As we have recently
learned, there have been instances where cyber attacks could have
been avoided if simple security controls such as security patches
and passwords had been implemented.
        While many cyber problems cannot be cured by a patch or
password, it's astonishing that the agency responsible for so many of
our national security measures could have overlooked the simplest
of solutions.  It is no wonder that Inspector General Gregory
Friedman has given the Department of Energy an unsatisfactory
assessment during its recent evaluation under the Federal
Information Security Management Act.
        I am encouraged by the assessment, I am encouraged by the
Department of Energy's revitalization plan, and Mr. Stupak
pointed out that is part of a mixed report card, but I am encouraged
by the revitalization plan, and I look forward to discussing this
issue in more detail.
        Again, Mr. Chairman, I thank you for calling this crucial
hearing; and we will discuss all of these issues in more detail later
this morning.  Thank you.
        MR. WHITFIELD.  Thank you, Dr. Burgess.
        At this time, I will recognize the full committee Chairman, Mr.
Barton of Texas, for his opening statement.
        CHAIRMAN BARTON.  Thank you, Mr. Chairman.  I am going to
submit my formal statement for the record.
        I think it is a very important hearing.  I have just learned of
something within the last 15 minutes that makes it even more
important.  I am attempting to touch base with the Secretary of
Energy and consult with Mr. Dingell, but we have got some major
problems, and if the Administration won't do something about it,
this committee, I hope, will.
        So thank you for holding this hearing.
        MR. WHITFIELD.  Thank you, Chairman Barton.
        [The prepared statement of Hon. Joe Barton follows:]

PREPARED STATEMENT OF THE HON. JOE BARTON, CHAIRMAN,
COMMITTEE ON ENERGY AND COMMERCE

        Thank you for holding this hearing, Mr. Chairman.  I think this
may be one of the most important hearings we will have on DOE
security matters.
        Over the past several years the Subcommittee has held multiple
hearings on the status of physical security at DOE sites.  We
reviewed whether the Department has enough guards and guns to
protect our nuclear facilities, but the threat posed by
malicious intruders on the internet is a growing security problem,
and it's a problem that DOE needs to pay more attention to.
        If left unattended, cyber security weaknesses at DOE could
allow malicious individuals, hackers, or even groups backed by
nation-states to penetrate DOE and gain access to sensitive
information.  We know the hackers are out there and we know
their attacks have caused damage to DOE networks.  We also
know that thousands of attempts to beat DOE cyber security occur
literally every day.
        Recent penetration testing conducted by DOE's Office of
Security and Safety Performance Assurance showed that DOE has
plenty of work to do to convince me that its computer networks are
secure.  I understand that the Department has responded to these
recent findings with a comprehensive plan to improve cyber
security across the weapons complex.
        The Department's new comprehensive plan probably identifies
several good solutions to address cyber security problems.
However, I am concerned with DOE's ability to follow through
with its implementation plans.
        Due to extensive network interconnections that exist between
DOE sites, a comprehensive cyber security program will require
coordinated teamwork among very different DOE sites and
programs that have not worked well together in the past.  A strong
central policy on cyber security will also require NNSA to operate
less like an autonomous agency, and work more closely with DOE
policy and oversight programs.
        It is important that the Office of Security and Safety
Performance Assurance and the DOE Inspector General continue
to oversee DOE's implementation of corrective actions.  Ongoing
site inspections and unannounced network penetration testing by
these offices will provide a good indication of whether DOE has
successfully implemented better cyber security protections.  I
thank the Chairman and I yield back.

        MR. WHITFIELD.  At this time, I recognize the gentlelady from
Tennessee, Mrs. Blackburn, for her opening statement.
        MRS. BLACKBURN.  Thank you, Mr. Chairman.  I, too, will be
submitting my statement for the record.
        I want to thank the witnesses that are joining us today, and I
want to thank you for working with us.  It is an imperative that our
constituents, the American people, know that they can trust this
Government; and when there are items that cause that distrust,
when there are actions that occur from the bureaucracy that
encourage distrust, it is of tremendous concern to us.
        So I thank you for your willingness to be here and to work with
us; and, with that, I yield back.
        MR. WHITFIELD.  At this time, I recognize Mr. Walden of
Oregon, who is Vice Chairman of the committee, for his opening
statement.
        MR. WALDEN.  Thank you very much, Mr. Chairman.
        I am deeply concerned about the vulnerability we continue to
see in our data files not only in this agency but across this
Government, and I think this committee is doing its due diligence
along with those on this first panel to figure out how to fix those
problems.
        I am also deeply disturbed about the loss of employee records.
Some 1,800 employees, I understand, have had their records
compromised or taken in a breach of security; and it troubles me
even more that it may have been 8 months and they still don't
know.
        That lack of notification is problematic.  It seems to be
symptomatic across the Government and raises very serious issues
in this Member's mind about notification systems to the highest
levels of the Government, and by that I mean up at least to the
Secretary's office as well as in consultation with the Congress.
        I also am concerned about--not necessarily in this agency,
perhaps, although we may learn more in closed session, but in
other agencies about people who have access to data both in and
out of the Government and especially those inside the Government,
what kind of background checks we do.
        We have had a policy in the Government of encouraging
people, for example, to telecommute, and yet in a discussion I had
with a Cabinet Secretary earlier this week, he pointed out we don't
do background checks on those people.  So in the name of energy
conservation and employment morale, we open up our systems to
people who work from home.  They are able to access systems that
may give them access to very important data; and who knows what
cross pressures they are under and what they could do with that
data, those employee records or Social Security numbers, with
identification theft being so rampant and so expansive and so
troubling for people in America today.
        I think we have got to look across the Government, not just at
this agency, especially at this agency because of its security issues,
but also across the rest of the Government and definitely for a
better cyber security policy than we are seeing today.
        So, Mr. Chairman, I appreciate your leadership on this issue;
and I look forward to delving into why these records were
accessed, why people weren't notified, why the Secretary himself
was not notified for, apparently, many months.
        So I yield back, and I appreciate your work and that of our staff
on this issue.
        MR. WHITFIELD.  Thank you, Mr. Walden.
        At this time, I recognize the gentleman from New Hampshire,
Mr. Bass.
        MR. BASS.  Mr. Chairman, I thank you for holding this hearing.
I have no opening statement.  I look forward to hearing from our
witnesses.
        MR. WHITFIELD.  Thank you.
        That concludes the opening statements.
        I want to welcome the first panel, the Honorable Gregory
Friedman, who's the Inspector General at the Department of
Energy, and Mr. Glenn Podonsky, who is the Director of the Office
of Security and Safety Performance Assessment at the Department
of Energy.
        As you all know, this is an Oversight and Investigations
hearing, and it is our policy to take testimony under oath.  Do
either of you have any difficulty testifying under oath?  Do you
have legal counsel that you would like to introduce?
        Okay.  Then if you would both stand up and raise your right
hand.
        [Witnesses sworn.]
        MR. WHITFIELD.  Thank you very much.  You are now under
oath.

TESTIMONY OF THE HONORABLE GREGORY FRIEDMAN, INSPECTOR GENERAL, U.S.
DEPARTMENT OF ENERGY; AND GLENN S. PODONSKY, DIRECTOR, OFFICE OF SECURITY AND
SAFETY PERFORMANCE ASSESSMENT, U.S. DEPARTMENT OF ENERGY

        MR. WHITFIELD.  Mr.
Friedman, I recognize you for your \nopening statement of 5 minutes. \n \tMR. FRIEDMAN.  Mr. Chairman and members of the \nsubcommittee, I am pleased to be here at your request to testify on \ncyber security issues at the Department of Energy.  \n        The Department, which spends over $2 billion each year on \ninformation technology, has a current inventory of approximately \n800 information systems.  These systems process highly classified \nnational security information as well as sensitive operational and \nfinancial data.  The need to protect these systems is of paramount \nconcern to the Department and to the Office of Inspector General.  \n        My office has a proactive program to assess the effectiveness \nof the Department\'s cyber security strategy.  We perform the \nannual cyber security evaluation required under the Federal \nInformation Security Management Act, commonly referred to as \nFISMA, and other reviews that focus on potential vulnerabilities in \nthe information technology arena.  In addition, our technology \ncrimes unit regularly, and I am pleased to report successfully, \ninvestigates malicious attacks on Department information \ntechnology resources.  \n        In today\'s testimony I would like to highlight continuing \nchallenges identified through our work in these areas.  \n        During our 2005 FISMA evaluation, we noted systemic \nproblems that exposed the Department\'s critical systems to an \nincreased risk of compromise.  Specifically, the Department had \nnot yet established a complete inventory of networks, applications, \nor external interfaces.  Many sites had not completed or properly \nperformed certification and accreditation of all their major \nsystems.  The Department had not resolved problems with critical \nsecurity controls such as access authority, segregation of duties, \nand configuration management.  
Contingency plans, necessary to \nensure that information systems could continue or resume \noperations in the event of an emergency or malicious intrusion \nevent, had not been completed in certain critical areas.  Finally, \nDepartment elements did not always report cyber security incidents \nto law enforcement officials as required.  \n        Similarly, our audit of the Department\'s 2005 consolidated \nfinancial statements identified network vulnerabilities, weaknesses \nin access controls, and other unclassified systems security \nshortcomings.  In the aggregate, these problems increase the risk of \nmalicious destruction or alteration of data.  Further, in many cases, \ncontractors were not required to comply with the full complement \nof Federal cyber security directives.  \n        In our law enforcement role, my office aggressively pursues \nthose who have attempted to compromise or inflict damage on the \nDepartment\'s computer systems.  We have successfully \ninvestigated a number of intrusions, working closely with \nDepartment of Justice prosecutors and the FBI and in cooperation \nwith external law enforcement agencies such as New Scotland \nYard and the Royal Canadian Mounted Police.  \n        Because of frequent intrusion attempts, it is critical that strong \nsecurity controls be implemented.  Our investigations, however, \nhave revealed problems with the deployment of basic controls such \nas those related to password administration.  In three separate \ninvestigations, we determined that Department of Energy systems \nwere compromised after hackers took advantage of password \nvulnerabilities.  In all three cases, individuals pled guilty to \ncriminal charges in connection with their activities.  Sentencing \nincluded incarceration, probation, and home detention.  
\n        We are currently conducting reviews to focus on three key \nelements of cyber security: the Department\'s System Certification \nand Accreditation Process; Cyber and Computer Forensic Analysis \nCapabilities; and its Security Configuration and Vulnerability \nManagement Program.  \n        As part of our ongoing FISMA evaluation, we also intend to \ndetermine if the Department has taken action to prevent \ncompromises similar to those that recently occurred at the \nDepartment of Veterans Affairs.  \n        The Department has informed us that, as a result of the \nconcerns raised by our office, it has initiated actions to strengthen \nits cyber security program.  In particular, under the direction of \nSecretary Bodman and Deputy Secretary Sell, the Department has \nimplemented a number of countermeasures to reduce network \nvulnerabilities and embarked on a revitalization initiative that will \nfocus high-level management attention on cyber issues.  These \nefforts, if fully and timely implemented, should improve the \nDepartment\'s cyber security posture.  \n        However, let me be very clear, much remains to be done.  The \nOffice of Inspector General is committed to fulfilling its \nresponsibility by continuing to conduct a wide range of reviews to \nidentify opportunities for improvement in cyber security and to \ninvestigate intrusion attempts on the Department\'s systems and \nnetworks.\n        Mr. Chairman, this concludes my statement; and I would be \npleased to answer any questions that you or the members of the \nsubcommittee may have.  \n        MR. WHITFIELD.  Thank you, Mr. Friedman. \n        [The prepared statement of Hon. Gregory H. Friedman \nfollows:] \n\nPREPARED STATEMENT OF HON. GREGORY FRIEDMAN, INSPECTOR \nGENERAL, U.S. DEPARTMENT OF ENERGY\n\n        Mr. Chairman and members of the Subcommittee, I am pleased \nto be here at your request to testify on cyber security issues at the \nDepartment of Energy.    
\n        The Department of Energy, which spends over $2 billion each \nyear on information technology (IT), has a current inventory of \napproximately 800 information systems, including up to 115,000 \npersonal computers; many powerful supercomputers; numerous \nservers; and, a broad array of related peripheral equipment.  These \nsystems process operational, financial, and highly classified \nnational security data.  The need to protect this data and the related \nsystems is of paramount concern to the Department and to the \nOffice of Inspector General (OIG).\n        As is widely recognized both in the private and public sectors, \nthe threat of intrusion or damage to information networks and \nsystems continues to grow as cyber-related attacks become more \nsophisticated.  The media regularly carries stories about malicious \nintrusions and compromises of sensitive data.  Within the \nDepartment of Energy complex, on a regular basis, hackers attempt \nto intrude or cause damage to the Department\'s networks and \nsystems.  Cyber security threats of this sort reinforce the need for \nan aggressive Departmental program of controls and safeguards to \nprotect against any compromise of vital data.  \n        The Office of Inspector General has a proactive program to \nassess the effectiveness of the Department\'s cyber security \nstrategy.  For the last four years, the OIG has categorized \ninformation technology and systems security as one of the \nDepartment of Energy\'s most significant management challenges.   \nThis was based on internal control weaknesses identified as part of \nthe Inspector General\'s regular evaluation of the Department\'s \ncyber security program.  These reviews include the annual \nevaluation required under the Federal Information Security \nManagement Act (FISMA) and other cyber security-related \nreviews focusing on high-risk activities.  
In addition, the OIG\'s \ntechnology crimes unit, with its highly trained special agents, \nregularly and successfully investigates malicious attacks on \nDepartment systems.  \n        In today\'s testimony I would like to highlight continuing \nchallenges identified through our work in cyber security.  I will \noutline results from completed activities and criminal \ninvestigations, and discuss ongoing review efforts. \n\n2005 FISMA Evaluation\n        The purpose of the Federal Information Security Management \nAct of 2002 was to elevate attention to the issue of information \ntechnology security within the Federal sector.  Under FISMA, each \nagency is required to develop, document, and implement an \nagency-wide program to provide security for the information and \nsystems that support core operations.  It also requires that agency \nInspectors General conduct an annual independent evaluation of \ntheir Department\'s unclassified cyber security program and \npractices.  At the Department, the evaluation is performed in \nconjunction with our annual Audit of the Department\'s Financial \nStatements and leverages testing of information technology \ncontrols performed on individual site and Department-wide \nfinancial systems.  \n        Last year, as part of this evaluation, we conducted reviews at \n27 sites, which, depending upon the location, included \nexaminations of the Department\'s compliance with information \nsystem-related laws and regulations; tests of general and \napplication controls; and, vulnerability and penetration testing.  We \nalso incorporated information gathered by and conclusions reached \nby KPMG, our financial statement contractor; reports issued by the \nGovernment Accountability Office; inspection results obtained \nfrom the Department\'s Office of Independent Oversight; and, other \ninternal studies.  
\n        Our 2005 review noted systemic cyber security problems that \nexposed the Department\'s critical systems to an increased risk of \ncompromise.  Specifically:\n\t<bullet> The Department had not yet established a complete \ninventory of information systems; nor, had it identified all \nof the existing interfaces between internal and external \nsystems and networks.  These tasks are critical to planning \nand implementing protective efforts.\n\t<bullet> Many sites had not completed or properly performed \ncertification and accreditation of all their major and general \nsupport systems.  This process verifies that the \nDepartment\'s systems are secure for operation and enables \nprogram officials to address high-risk issues through cost-\neffective mitigation strategies.   \n\t<bullet> The Department had not resolved noted problems with \ncritical security controls such as access authority, \nsegregation of duties, and configuration management.  \nThese safeguards and controls are designed to protect \ncomputer resources from unauthorized modification or loss \nand to prevent fraudulent activities.  \n\t<bullet> Contingency plans, necessary to ensure that systems could \ncontinue or resume operations in the event of an \nemergency, disaster, or malicious intrusion event, had not \nbeen completed for certain critical systems.\n\t<bullet> Department elements did not always report cyber security \nincidents to law enforcement officials, as required.  Failure \nto report these occurrences jeopardizes the timely \ninvestigation and resolution of these matters.\n\n        Similarly, our Audit of the Department of Energy\'s 2005 \nConsolidated Financial Statements (DOE/OAS-FS-06-01, \nNovember 2005) noted network vulnerabilities; weaknesses in \naccess controls; and, other security shortcomings in the \nDepartment\'s unclassified computer information systems.  
These \nshortcomings increased the risk that malicious destruction, \nalteration of data, or other unauthorized processing could occur.  \nAs a result, "Unclassified Network and Information Systems \nSecurity" was designated as a reportable condition.  An \nInformation Technology Management Letter, which detailed 25 \nsite-specific vulnerability findings, was issued as part of the 2005 \nFinancial Statement Audit Report.  \n\nCriminal Investigations and Internal Control Weaknesses\n        As part of its law enforcement mission, the OIG aggressively \npursues those who have attempted to compromise or inflict \ndamage on the Department\'s computer systems.  In this role, we \nhave successfully investigated a number of intrusions with both \nnational and international connections.  We work closely with \nDepartment of Justice prosecutors and the Federal Bureau of \nInvestigation in pursuing these matters and have worked on \nspecific cases with external law enforcement agencies such as New \nScotland Yard and the Royal Canadian Mounted Police. \n        Because the Department has to deal with frequent intrusion \nattempts that could compromise systems, it is critical that strong \nsecurity controls are implemented and appropriately executed.  Our \ninvestigations have revealed problems with the deployment of \ncontrols in certain areas; for example, we have observed, in past \ninvestigations, a number of internal control weaknesses related to \npoor password administration.  In one investigation, we determined \nthat employees of a United States-based computer security \ncompany compromised unclassified Department of Energy and \nother government systems.  Company officials were able to gain \naccess to scientific data from a Headquarters system through the \nuse of hacker tools that exploited a password vulnerability.  Three \nindividuals pled guilty in connection with those activities.  
\n        During another criminal investigation, we determined that two \nindividuals within the United States gained access to an \nunclassified website belonging to Sandia National Laboratory, part \nof the Department of Energy\'s national laboratory network.  They \nwere able to gain access by exploiting a default password.  These \nindividuals pled guilty and have been sentenced in connection with \ntheir activities.   In yet another investigation, an individual \ncompromised a network at the Fermi National Laboratory, again \nby taking advantage of problems with weak password \nadministration.  The hacker, who pled guilty to his activities, used \nthe system as his personal storage site to host illegal software - \ncreating the ability for others to download the intruder\'s data from \nthe Department\'s systems.        \n\nOngoing Reviews\n        As noted previously, the Department invests over $2 billion \neach year for information technology throughout its complex.  It is \nessential, especially given the size of the resource commitment, \nthat all IT and cyber security initiatives be economic and efficient.  \nTo address this concern, we perform focused reviews on \ninformation technology-related areas.  Over the course of such \nwork, we have identified millions of dollars in potential savings in \nfindings related to enterprise architecture, enterprise licensing, and \nIT support services.  \n        The OIG is currently conducting comprehensive reviews \ndirected at three key elements of cyber security: the Department\'s \nSystems Certification and Accreditation Process; its Cyber and \nComputer Forensics Analysis Capabilities; and, its Security \nConfiguration and Vulnerability Management Program.\n\n           Systems Certification and Accreditation Process\n        Systems certification and accreditation is an essential step in \nverifying that the Department\'s systems are secure for operation.  
\nAs noted previously, we identified multiple problems with the \ncertification and accreditation process at certain sites; and, as a \nconsequence, we initiated a review to determine whether the \nDepartment\'s systems have been appropriately certified and \naccredited for operation.  \n\n          Cyber and Computer Forensics Analysis Capabilities\n        An ongoing effort is examining whether the Department had \nformally developed and implemented a unified, effective, and \nefficient means of analyzing and acting on information related to \nmalicious attacks or intrusions.  As part of this audit, we are \nfollowing up on problems with cyber incident reporting previously \nidentified by the OIG in 2003.  \n\n          Security Configuration and Vulnerability Management\n        Building on findings in prior years and on the work already \ncompleted by our financial statement auditor, an audit team is \nexamining operating systems and applications.  This effort will \ndetermine, among other things, whether minimum security \nconfiguration standards have been established and implemented at \nHeadquarters and Department field sites.  \n\nStatus of the 2006 Office of Inspector General FISMA Evaluation\n        The Office of Inspector General is currently conducting the \n2006 evaluation of the Department\'s Cyber Security Program.  \nThis Department-wide effort includes site-level evaluations - \nconsisting of vulnerability and penetration testing and general and \napplication controls testing - at eight sites: the NNSA Service \nCenter in Albuquerque; Los Alamos National Laboratory; Sandia \nNational Laboratories; the Chicago Operations Office; Argonne \nNational Laboratory; the Kansas City Plant; the Y-12 Plant; and \nthe National Energy Technology Laboratory.  We are performing \nfollow-up reviews at 12 additional sites.  We are also specifically \nevaluating corrective actions and new initiatives begun this year by \nthe Office of the Chief Information Officer. 
 \n        As you are no doubt aware the Department of Veterans Affairs \n(VA) recently experienced the loss of sensitive personal data for \nmillions of Veterans and, apparently, a large number of active duty \npersonnel.  This has understandably raised concerns about identity \ntheft and related problems.  My colleague, the Inspector General \nfor the VA, has initiated several probes into this matter.  As part of \nour ongoing FISMA evaluation, we intend to determine if the \nDepartment has taken action to prevent compromises similar to \nthose which recently occurred at the VA.\n\n\n\nConclusion\n        The Department has informed us that, as a result of the \nconcerns raised by our office, it has initiated actions to strengthen \nits cyber security program.  In particular, under the direction of \nSecretary Bodman and Deputy Secretary Sell, the Department has \nimplemented a number of countermeasures to reduce network \nvulnerabilities and embarked on a revitalization initiative that will \nfocus high-level management attention on cyber issues.  These \nefforts are promising and, if fully implemented, should help \nimprove the Department\'s cyber security posture.  While the \nDepartment is moving aggressively in this area, much remains to \nbe done.  As the House of Representatives Committee on \nGovernment Reform has recognized for the past three years \nthrough its ratings of Federal agencies\' cyber security programs, \nsignificant weaknesses continue to exist at the Department of \nEnergy.   \n        The threat to the Department\'s systems is constantly evolving \nas hackers develop new and increasingly sophisticated tools and \ntechniques.  The potential for harm is not limited to malicious \ninternet-based attacks, but also includes other efforts by internal \nusers to gain access to resources or information to which they are \nnot entitled.   
Constant vigilance is required to establish and \nmaintain a defensive posture that is sufficient to prevent or quickly \ndetect problems.  The Office of Inspector General is committed to \nfulfilling its responsibilities by continuing to conduct a wide range \nof reviews to identify opportunities for improvement and \ninvestigate intrusion attempts on the Department\'s systems and \nnetworks. \n        Mr. Chairman, this concludes my statement and I would be \npleased to answer any questions.\n\n        MR. WHITFIELD.  At this time, Mr. Podonsky, you are \nrecognized for your opening statement of 5 minutes.\n        MR. PODONSKY.  Thank you, Mr. Chairman and members of \nthe committee, for inviting me to testify regarding the status of the \nDepartment of Energy\'s cyber security programs.  \n        Like all Federal agencies, the Department faces a constant \nchallenge to identify, evaluate, and apply cyber security measures \nthat will establish an appropriate protection posture for information \nand information systems in this ever-changing cyber threat \nenvironment.  \n        Both the Secretary and Deputy Secretary have demonstrated \nexceptionally strong leadership in making cyber security one of the \nDepartment\'s highest priorities.  The Department\'s new CIO is \nleading a revitalization effort designed to implement needed \nimprovements across the Department\'s programs and sites.  \n        Before discussing the status of the Department\'s cyber \nsecurity, I would like to take a moment and give you a brief \noverview of my office responsibilities with respect to cyber \nsecurity.  \n        Within the Office of Independent Oversight, the Office of \nCyber Security Evaluation executes one of the most aggressive and \nsophisticated cyber security corporate oversight programs in the \nentire Federal government that allows the Department to \nproactively identify and address weaknesses.  
The cornerstone of \nour cyber security oversight is a rigorous penetration testing \nprogram that includes announced external and internal penetration \ntesting of DOE networks, unannounced remote penetration testing \nor red teaming, which emulates the sophisticated external hacker \nexploiting weak links to the network, and continuous scanning of \nall DOE Internet protocol addresses to identify vulnerabilities to \nInternet-based threats.  \n        In addition to this testing, we conduct assessments of key \nmanagement processes such as risk management, certification and \naccreditation, and configuration management.  While our technical \ntesting provides a good snapshot of the effectiveness of the \nnetworks\' cyber security posture, the programmatic evaluation of \nmanagement processes provides an assessment of the strength and \ndirection of the cyber security program.  \n        Results of our independent oversight activities have identified \nweaknesses that lead us to conclude that the Department\'s \nunclassified information assets have been operating at an elevated \nlevel of risk for compromise and disruption, given today\'s threat \nenvironment.  \n        The effectiveness of the unclassified cyber security program \nhas varied across the Department and is often dependent on the \nknowledge and initiative of key network personnel utilizing \nexpert-based approaches.  This in some cases has led to a lack of \nrigorous processes necessary for a solid program foundation.  \n        Our oversight activities, however, have also found that some \nDOE organizations have developed mature cyber security \nprograms for their own classified computers that include \nwell-constructed security controls.  We have seen progress in \naddressing identified cyber security concerns.  
\n        The sharing of lessons learned from our red team testing as \nwell as the high level of focus on cyber security by DOE senior \nofficials has raised the awareness within the DOE cyber \ncommunity in increased expectations and threats.  \n        In contrast to the unclassified program, our independent \noversight activities indicate that the classified cyber program is \nproviding an adequate level of protection.  \n        In response to the independent oversight findings, especially \nthe recent penetration testing that I referred to as the red team \ntesting, the Deputy Secretary directed my office to also lead an \neffort to develop a comprehensive plan of action to remedy \nexisting management and operational technical weaknesses at the \nDepartment\'s unclassified cyber security program.  Our office, \ntogether with the Office of the CIO, led a team of departmental \ncyber security professionals to develop a plan of action and remedy \nthese long-standing weaknesses.  These recommendations, issued \nby the team in what we call the Cyber Security Project Team \nSummary Report and Plan of Action, represent the consensus of \nsenior representatives from the Office of the CIO, NNSA, SSA, \nand others and put us on a path of improving cyber security \nthroughout the Department.  \n        The revitalization efforts the Department has taken on show \nmany initial steps to upgrade cyber security and improve the \nposture.  Our new CIO has proactively developed a cyber security \nrevitalization plan that includes in its appendix the \nrecommendations from the CSPT.  The revitalization plan is an \nimportant next step in the difficult process to define a cyber \nsecurity management and operational framework that can \ninstitutionalize yet be responsive to the dynamic world of cyber \nthreats.  
\n        The line managers responsible for implementing the technical \ncontrols necessary to reduce the risk are taking immediate actions \nwhere feasible, but must carefully evaluate a balance for the need \nfor any additional controls with their site-specific mission \nrequirements, threat environment, and resource limitations.  \n        In conclusion, the Office of the CIO and the program offices \nwe believe have laid the necessary groundwork to build a \nresponsive program that will begin to assure that our information \nand information systems are adequately protected.  We have \nalready seen improvements in this area and continue to be \ncautiously optimistic that historic systemic problems with \ndepartmental cyber security processes will be addressed.  \n        Individual sites in both Under Secretaries for ESC and NNSA \nare working to reevaluate the need for improved security measures \nbased on their mission requirements and accepted risk management \nprinciples.  \n        Our office will continue to implement an aggressive schedule \nof internal and external penetration and performance testing and \nuse the results of those tests to aid the Office of the CIO program \noffices and site managers in maintaining a protection posture that \nproactively manages and anticipates new and emerging threats and \nthe use of new technologies by our adversaries.  \n        Mr. Chairman, this concludes my testimony.  \n        MR. WHITFIELD.  Thank you very much, Mr. Podonsky. \n        [The prepared statement of Glenn S. Podonsky follows:] \n\n\n\nPREPARED STATEMENT OF GLENN S. PODONSKY, DIRECTOR, \nOFFICE OF SECURITY AND SAFETY PERFORMANCE ASSESSMENT, \nU.S. DEPARTMENT OF ENERGY\n\n<GRAPHICS NOT AVAILABLE IN TIFF FORMAT>\n\n        MR. WHITFIELD.  I notice that in your testimony you said there \nwas an elevated level of risk for compromise on this unclassified \nmaterial.  That\'s basically your statement regarding the DOE \nsystem at this time?  \n        MR. 
PODONSKY.  Yes, sir.  That was based upon our red team \neffort.  Since that red team effort, there have been corrective \nactions that are under way, but, nevertheless, we still have serious \nconcerns.  \n        MR. WHITFIELD.  Now I\'m assuming that there are many \nhackers around the world that would have the expertise and \nsophistication of your red team, is that correct?  \n        MR. PODONSKY.  Yes, sir.  Our red team, many of whom sit \nbehind me in this hearing room, are really quite technically \ncompetent in what they do.  However, we are aware that there are \nothers that are equally as competent and perhaps even more so.  \n        MR. WHITFIELD.  So not casting any aspersions on their \nexpertise, there are a lot of other people out there that would be as \ncompetent as they are.  \n        MR. PODONSKY.  Yes, sir, I would say that\'s an accurate \nstatement.  \n        MR. WHITFIELD.  On April 15th, 2001, we had a hearing of this \nsubcommittee, and your staff demonstrated at that time cyber \npenetration techniques that penetrated a single DOE computer and \nfrom that computer you gained complete and utter control over the \nentire system.  \n        Now I understand that during a recent November 2005 red \nteam network penetration test, you again successfully gained \ncontrol over a DOE site network; and from there your team used \nnetwork interconnections to gain control over the computer \nsystems at several other DOE sites.  Is that true?  \n        MR. PODONSKY.  That is true.  You are describing our red team \neffort.  \n        MR. WHITFIELD.  Now based on the degree of access privileges \nyour red team obtained during this cyber security penetration test \nlast fall, would you describe that they had utter control over the \nsystem?  \n        MR. PODONSKY.  What the red team was able to demonstrate \nafter a very long and protracted test is that we had access to \nsensitive data, which could be including financial or personal data.  
\nWe could have had access to have the ability to impersonate or \nmonitor departmental executives.  We had the ability to impact the \navailability or integrity of computer-serving business functions.  \nWe had the ability to launch aggressive denial of service attacks.  \n        We basically--in the parlance of cyber security, we had domain \ncontrol.  \n        MR. WHITFIELD.  You had domain control.  \n        How would you gauge DOE\'s overall efforts with respect to \ncyber security over the 5 years since the subcommittee\'s April \n2001 hearing?  \n        MR. PODONSKY.  Mr. Chairman, it is easy for us to say the \nfollowing, and that is the Department is moving far too slow to our \nliking.  But we are not the ones who have to fix the problems, so \nwe are out there identifying the problems.  \n        But given today\'s emerging threats that are continuous, we feel \nthat, since the 2001 hearing, that while there are a lot of steps that \nthe Department is taking and is currently taking, including in \nresponse to our most recent red team, we do think that there is a \nsense of urgency that must be represented.  As the Deputy \nSecretary and the Secretary, and I know the two Unders feel, that \nwe need to keep on moving, and I believe the CIO feels that way \nas well.  \n        MR. WHITFIELD.  In your November 2005 report, you noted \nthat previously secretarial-led initiatives launched in 2004 and \n2005 to improve DOE cyber security posture had been largely \nunsuccessful in effecting needed improvements.  Is that still your \nview on that?  \n        MR. PODONSKY.  It is a varied success story.  There are \ndifferent sites that are being more aggressive, and I said--and I \nwould like to iterate the point--we\'re guardedly optimistic that the \nnew CIO will be much more aggressive in working together with \nthe line offices and the under secretaries to fix the problems that \nhave been identified.  \n        MR. WHITFIELD.  
So, as you said, your responsibility is to \nexploit these weaknesses and make them known to the CIO and the \nSecretary and others at the Department of Energy.  \n        MR. PODONSKY.  That\'s part of our responsibilities, yes, sir.  \n        MR. WHITFIELD.  It\'s their responsibility to make the network \nmore secure so that your red team and others cannot infiltrate.  \n        MR. PODONSKY.  That\'s correct, sir.  \n        MR. WHITFIELD.  Now when you do a report, you certainly \ngive that report to the Secretary, the CIO, and others, I\'m \nassuming.  Do you all generally sit down and go over in some \ndetail about exactly how you were successful?  \n        MR. PODONSKY.  Yes, sir.  We have a very good partnership \nwith the CIO office in working together in finding ways to solve \nsome of the problems we are finding, but we, what we call, validate \nour report findings so we make sure that what we find is \ntechnically accurate, and when we report that forward to the \nvarious managers we want to make sure that--we are not there to \nfix the problems but we at least work with them to identify ways \nthat they might pursue.  \n        MR. WHITFIELD.  Mr. Friedman, in your testimony, you stated \nthat the Department did not always report cyber security incidents \nto law enforcement officials as required; and your staff has \ninformed us that DOE has failed to report as many as 50 percent of \nall reportable cyber attacks to the appropriate authorities.  Can you \nexplain why DOE has failed to report these incidents and why it is \nimportant that these incidents be reported?  \n        MR. FRIEDMAN.  Mr. Chairman, let me take the second part of \nyour question first.  

        The reporting of these incidents, number one, gives law
enforcement the opportunity to track down those who are
responsible for the malicious attack, bring them to justice, and set
an example for others, which hopefully leads to prevention of
individuals in the future attempting to do the same thing.
        Number two, it allows for trends analysis.
        Number three, it allows us to determine whether similar sorts
of intrusions or attempts at destruction are occurring at other
locations so that we can assist the Department and make
recommendations for corrective actions, patches, fixes to prevent
that from happening.  So we think it's extremely important that
these issues be reported and be reported promptly.
        In terms of why it's not happening, tragically, Mr. Chairman, I
don't have a good answer.  I wish I did.  We ask, we probe, we try
to find out.  I think to some degree it is individuals who think that
they can fix it internally; therefore, there is no need to bring in an
outsider; people who may not fully comprehend the gravity of the
situation.  But I really don't have a satisfactory answer to your
question.
        MR. WHITFIELD.  That's a rather large percentage, 50 percent.
        MR. FRIEDMAN.  That's correct.
        MR. WHITFIELD.  That is one of the disturbing things about an
agency as big as DOE.  I mean, the Secretary may not even be
aware of that.  Hopefully, the Chief Information Officer would be
aware of that and take some steps to deal with it.  That is another
issue.
        I'm sorry?
        MR. FRIEDMAN.  I apologize, Mr. Chairman.  We have reported
that issue on several occasions.  It is a repeat finding.  So it's not as
though this is a one-time finding.  This has been a pattern that we
have seen.  Now it's gotten better in our view, but it's still a
problem.
        MR. WHITFIELD.
That's another thing that's so disturbing to us
from this perspective about this breach regarding these personnel
files.  Although we don't have all the facts about this, the fact that
it was known to someone in the Department 8 months ago and the
Secretary was unaware of it until maybe a day ago or maybe today,
the CIO was not aware of it.  It's unbelievable that 1,500 personnel
files could be compromised with Social Security numbers, and the
impact that that could have on those individuals is quite disturbing.
I am sure you would agree with that.
        MR. FRIEDMAN.  I would.
        MR. WHITFIELD.  I would ask this to Mr. Friedman and Mr.
Podonsky.  In the written testimony of Under Secretary Garman,
he states that, "While we are not yet where we need to be, I believe
we are far better off than we were a year ago."  I would just ask
you, do you agree with that statement or do you have enough
information to disagree with it?
        MR. FRIEDMAN.  Well, let me say I think there certainly have
been improvements.  The number of findings we have had in the
2005 FISMA report are less than we had 4 years ago.  So there
certainly have been improvements.
        Your colleagues on the House Government Reform Committee
have given the Department an F in cyber security in this arena as a
result of their evaluation.  So I think that there is a great deal more
to be done as I testified.
        MR. WHITFIELD.  I mean, there is no excuse for a Department
having an F in cyber security.
        Mr. Podonsky.
        MR. PODONSKY.  Mr. Chairman, I would answer your question
in terms of the red team.  If we were to launch the red team today,
could we have the same access that we had during the last year?
And I would say that we could gain access but we would not be
able to have domain control.
        So there have been some very distinguished changes that have
come about, and that is important.
As long as you have any system
connected to the Internet, we are going to have vulnerabilities.  Not
just our agency but the entire Federal government, legislative arm
included, needs to be very mindful of the capabilities that are out
there and the availability, that people can come into our networks
without our knowledge and pretty much, if we don't have the
controls in place, have access to our records.
        The Department from my point of view is that it has gotten
better, but, as Mr. Friedman has stated and I have stated, there's a
long way to go.
        MR. WHITFIELD.  Thank you.
        At this time, I recognize the gentleman from Michigan.
        MR. STUPAK.  Thank you, Mr. Chairman.
        Mr. Podonsky, you said you had domain control when you did
your red team exercise in November of 2005.  Would that domain
control allow you to go anywhere you wanted to go?
        MR. PODONSKY.  At the time that we were in the network, the
answer to that is yes, within the unclassified network.  That meant
that we were able to get passwords, that meant that we were able to
go from one account to another account.  Perhaps if we stayed
longer--and this is a supposition on our part--we make it a policy
not to damage anything when we go in.
        MR. STUPAK.  If it's unclassified, in fact you have passwords
and others, what's sensitive about it, then?
        MR. PODONSKY.  You potentially have financial records,
personnel files.  Anything that is contained in the unclassified
arena.
        MR. STUPAK.  Did your red team in November 2005 try to go
into the classified areas?
        MR. PODONSKY.  We did, and we were not successful.
        MR. STUPAK.  You indicated that you thought that DOE was
still moving too slowly in cyber security, in response to an answer
to the Chairman.  What in your estimation or your group's
estimation would make DOE move faster in this area.
What will it
take?  Where is it lacking?
        MR. PODONSKY.  As I stated in the other question, it's easy to
be on the side of criticizing.  I asked my cyber colleagues what
would it take to fix this, and we talk about segmentation,
segmentation of systems.  We talk about encryption, encryption of
all the data.  We talk about putting more tools out there for
changing passwords on a more frequent basis; tools out there to
monitor the perimeter so that we can make sure that we at least
know when somebody is coming in.  Even though we can't stop
them, we can at least know they are in the system.
        We believe the CIO is starting to move in that direction.  When
I talk about impatience for the solution, it is because we have been
inspecting the Department for a number of years and we have been
seeing a lot of the repeat findings, as Mr. Friedman also talks about
in his office.  Some of those steps are some of the steps we would
like to see done more rapidly.
        MR. STUPAK.  In response to the Chairman, you said your job
is not to fix the problem but to make suggestions or give them
ideas on how they can be fixed, like monitor and change pass
codes more often.  Is that advice ignored?
        MR. PODONSKY.  I think a better characterization of the office
is that we are like the internal GAO.  We identify the problems,
make recommendations.  But clearly the program offices have to
prioritize their mission and their functions on how they are going
to accept those recommendations.  We don't personally or
professionally believe that we have been ignored; it's just it hasn't
always been the highest of priorities until the most recent 2 years.
        MR. STUPAK.  Doesn't seem like a priority until something
occurs.  I can't help think out loud, and I think my colleagues
would join me; we learned about the latest breach recently, and
that's probably only because we had this hearing.
It seems like
action occurs only when this Committee on Oversight and
Investigations actually has a hearing and is willing to start pushing
on some of these issues.  That's not a question, so let me ask you a
question.
        Is there anything in the unclassified network that you were in
in November of 2005 that could somehow impact national
security?  You say you were bouncing around in the unclassified
area, but by having domain control could you impact national
security?
        MR. PODONSKY.  I think that hypothetically that anything is
possible once you start delving into the systems.  For example,
there may in fact be some information that is not yet classified,
then later becomes classified, so that you always have that
possibility.
        MR. STUPAK.  One of the things you could do, I thought you
said, was denial of service.  That could impact national security,
could it not?
        MR. PODONSKY.  Yes, sir.
        MR. STUPAK.  Especially when we're dealing with cyber
security.
        Mr. Friedman, and maybe Mr. Podonsky, the cyber security,
most employees at DOE--or most, I should say, of DOE's budget
is for private contractors.  They probably have more private
contractors than any other Department in the Government.  Cyber
security, is that left mostly to private contractors?
        MR. FRIEDMAN.  To put some context, Mr. Stupak, as best we
can determine the numbers, the Department spends about $140
million a year on cyber security, and it is quite clear that the vast
majority of the money is spent by contractors; 85 to 90 percent of
the Department's budget is spent by contractors.  So as a
consequence, although it's slightly disproportionate when it comes
to cyber security, that rule of thumb applies reasonably well in this
context.
        MR. STUPAK.  Here are the points I'm having problems with.
I
have been on this committee for 10 years and it seems like,
unfortunately, with DOE we're always here talking about things
we would rather not be talking about.
        What control do you really have, or even this committee, over
contract employees?  You're a government agency, contract
employees working for us.  We really can't, unless you fire this
individual or hold that individual accountable.  How do you bring
accountability, then, in your cyber security if 80 to 90 percent of it
is contracted out?  How do you get the things done that have to be
done like you said, no contract with law enforcement, 50 percent
still not being reported.  Where does the accountability come in,
then, in a system that is, in my estimation, sort of fragmented?
        MR. FRIEDMAN.  As I think the Chairman alluded to in his
opening statement, I think it was the Chairman, this is an
incredibly complex agency with a lot of stovepipes, and those have
to be broken down so that the policy is clear; it is communicated
clearly to the Federal officials and communicated clearly to
contractors as well.
        One of the points I indicated in my testimony and we've
reported on is the fact that there is not a complete flow-down of all
the Federal requirements to the contractors in their current
contracts.  We believe that is a part of the problem.
        But to answer your fundamental question, Mr. Stupak, it seems
to me that contractor accountability means truly holding their feet
to the fire, and that means having meaningful reductions in their
award fees if there are problems; and ultimately, if they are not
corrected, not continuing their service to the Department of
Energy.
        I think until tough action is taken and the action is manifest to
the contractors as a result of a lack of commitment to cyber
security, it seems to me that there will not be significant
improvement in that regard.
        MR.
STUPAK.  In the position that you have been in for some
time now, and before this committee many times, have you seen
that accountability, have you seen holding their feet to the fire,
have you seen contracts be terminated?  I mean, I sit here and I
think of Los Alamos and how many times I have been through that
situation.  We re-awarded the contract to the same folks that have
been unaccountable for so long before this committee.
        MR. FRIEDMAN.  In part it seems to me it takes commitment on
the part of the Secretary and Deputy Secretary.  And I don't mean
to denigrate any of their predecessors, but it's quite obvious that
Secretary Bodman and Deputy Secretary Clay Sell are invested in
this issue; and it seems to me the tone at the top with regard to
cyber security is extremely important.  They set the agenda, and if
they pursue the course that they have initiated, it seems to me that
we will see a meaningful difference.
        MR. STUPAK.  Meaningful difference we haven't seen yet.
That's what I'm trying to get at.
        Mr. Podonsky, since you mentioned the Deputy Secretary, that
you were directed by the Deputy Secretary to do more work in this
area, you said--I think it's on page 5 of your testimony--who is that
Deputy Secretary?
        MR. PODONSKY.  Deputy Secretary Sell.
        MR. STUPAK.  I have no further questions at this time.
        MR. WHITFIELD.  Thank you, Mr. Stupak.
At this time I recognize Dr. Burgess of Texas for 10 minutes.
        MR. BURGESS.  Thank you, Mr. Chairman.
        Seems like we are hearing all too often: Veterans
Administration lost data on 27 million veterans, the IRS lost data
on 291 employees.  These are emerging types of threats that are
occurring.  And while, Mr.
Podonsky, I respect the cleverness and
the clever minds that you have working for you on the red team,
there also seem to be nimble, clever minds working on the other
side as well, so it's a constant battle, struggle, to keep up with what
the other side is able to produce.
        What role does the imposition of encryption software play in
all of these--in a general form in all of these things that we have
heard about in recent weeks about theft of sensitive computer data,
not just the Department of Energy but throughout the various
Federal agencies?
        MR. PODONSKY.  From our perspective, the encryption of data
would make the loss of information virtually less of a concern.  It
is an issue that Mr. Pyke, our current CIO's predecessor two CIOs
back, had introduced.
        Again, as I said in previous questions I have answered today,
it's easy for us to say I don't know what the cost would be.  But
from our way of thinking, the cost can't be as high as the loss of
data.
        MR. BURGESS.  That was going to be my next question.  You
mentioned sequestration and encryption.  How expensive are these
technologies to put into place?  I guess you have already answered
that.  You don't know.
        MR. PODONSKY.  I don't know, but I would iterate the point it
can't be more expensive than the loss of the data that we are
talking about here.
        MR. BURGESS.  I have a strong notion that you are correct and I
hope this committee explores that to some degree.  Apart from the
expense, or if the expense could be modified or met, would you
feel that it would be the position of the Department of Energy to
rapidly deploy this type of protection?
        MR. PODONSKY.  That would be up to the senior managers, the
two Unders and CIO, but that would be our recommendation.
        MR. BURGESS.  Up to the managers and the two Under
Secretaries?
        MR. PODONSKY.
Actually the three Under Secretaries now, as
well as the CIO.
        MR. BURGESS.  Mr. Friedman, do you have any thoughts about
encryption software and its implementation and its cost?
        MR. FRIEDMAN.  We do.  We don't have a benchmark but it's
not quite as costly as we thought it might have been.  As a matter
of fact, in response to the problem at the Department of Veterans
Affairs, as auditors, inspectors, and investigators, we travel
extensively.  We have laptops, we're all over in the Department of
Energy complex.
        We have a policy in which we, number one, substantially
control the information that our auditors, inspectors, and
investigators can carry with them.  Number two, when they leave
the DOE complex, the information that they carry with them,
regardless of what form, either has to be in a locked box, safe, or
equivalent, or must be encrypted.
        So we are moving on that internally, and I have shared the
policy and procedures that we've implemented with the
Department CIO.
        MR. BURGESS.  Does technology exist so that if a laptop is
stolen and they log on to the Internet, that its location can be
identified or the hard drive could be destroyed?
        MR. FRIEDMAN.  I am not expert enough, Mr. Burgess, to give
you a good answer on that, but I will tell you we have experienced
similar situations, stolen or lost laptops in the Department of
Energy over time.  So the suggestion--
        MR. BURGESS.  We have had hearings on that.
        MR. FRIEDMAN.  So, the suggestion you are making is not
without merit.  I don't know technically whether it's possible.
There are others who might have to answer that question.
        MR. BURGESS.  Mr. Podonsky.
        MR. PODONSKY.  My staff was whispering in my ear saying
you could probably find it, and the technology is out there.
        MR. BURGESS.
Let me ask you a question about sequestration
because I'm not familiar with that at all; sequestration meaning
within the vast domain of unclassified data on the Department of
Energy site to keep people from going from one area to another?
        MR. PODONSKY.  You compartmentalize.  You
compartmentalize one group from another.  I'm not saying this is
the way it is, but just for illustrative purposes, if you have science
labs that want to talk to one another, well, have them have a
network where they can just talk to each other and not bring their
network into the overall DOE domain, as you will, because then if
they are talking to each other and they get compromised, then they
might have an entry into other parts of the Department.
        So the more separation you can make among systems, we think
you are going to have a greater security and prevention of people
just roaming through your network, and that's an overstatement of
roaming through, but that's going back to what we felt we were
doing during the red team.
        MR. BURGESS.  It is frustrating to be here on the dawn of the
Information Age, where so much power is available to us from
information, and have to put up these barriers from our scientists.  I
know, for example, the sequencing of the human genome would
never have been possible without the Internet, with scientists
talking rapidly across the Internet, and now that--perhaps that
scientific inquiry may be stifled because of having to
compartmentalize for security reasons.  Just a personal note:  It's
extremely frustrating.
        We had a hearing or markup yesterday on security in medical
records and the irony of wanting to expand the HIPAA protections
on one hand because of what happened at the VA, and, on the
other hand, wanting to keep the data available to researchers at the
University of Madison.
It's extremely frustrating, and I hope the
bright minds behind you on the red team can figure out ways to
keep the bad guys out but yet let our scientists continue to
communicate as they need to.
        MR. FRIEDMAN.  You make a very good point.  I mean, in the
role that I play, of course, efficiency and effectiveness of
Department operations are of paramount concern.  Striking a
balance between appropriate levels of security and cyber security
and yet not impeding the operations of the Department is a very
significant conundrum that we face every day, and it is going to
take some really bright minds to figure out a way of doing both.  I
think that is ultimately where we need to be.  You make a very
good point.
        MR. BURGESS.  Thank you.  On sequestration, encryption, we
are already spending $140 million a year, but things like using the
security patches provided by software vendors, changing
passwords, that is pretty low tech and pretty inexpensive.  I
understand those simple procedures weren't always followed.
        MR. FRIEDMAN.  As I indicated in my testimony, I cite three
investigations where the individuals involved were incarcerated
and pled guilty to the charges, in which password vulnerabilities in
each of the cases were the approximate cause or set up an
environment in which the malicious attempts could occur.
        MR. BURGESS.  Mr. Podonsky, you testified in response to a
question by the Chairman that your red team now could still gain
access but not domain control, whereas a year ago domain control
was a possibility, for people to come into the networks without
your knowledge.
        Can we, sitting on the committee, be completely satisfied that
domain control is something that could not be gained by either the
red team or the bad guys seeking access into our systems?
        MR. PODONSKY.  No.
I think the only comfort that all of us can
have as Americans is that we continue to put up more barriers to
make it more difficult.  But the more sophisticated the hackers
become the more challenging it is for us.  So when I answered that
question it was based on our capabilities right now plus what we
know that the CIO and the cyber security community are doing.  It
would be much more difficult for us to do that.  But since this is a
continuously evolving technology I don't think that we can make a
definitive statement that it could not happen again.
        MR. BURGESS.  In the limited time I have left here--this is an
observation.  We are in the 21st century, but I can remember
10 years ago or more a very popular singer was shot down in
Corpus Christi, Texas, and taken to the hospital.  People on the
hospital staff who did not have a direct responsibility for that
patient's care who accessed that patient's data were in fact
dismissed from the hospital staff.  They were fired.
        This is 10 years before HIPAA.  So even back in the early '90s
we had the systems in place in that hospital--at least I remember
reading the news reports--that could identify and locate those
individuals.  It's just striking to me that we sit here now with all of
the advances that have been made in computer technology and we
don't even seem as sophisticated as that small hospital in Corpus
Christi, Texas, 10 or 12 years ago.  Is that a valid observation?
        My time is up, Mr. Chairman.  I'll yield back.
        MR. WHITFIELD.  Thank you, Dr. Burgess.
        At this time, I recognize the full committee Chairman for
10 minutes.
        CHAIRMAN BARTON.  I want to thank Ms. DeGette so I can go
out of order.  I have got to go give a briefing in about 10 minutes.
I appreciate her consideration.
        Mr. Podonsky, who do you report to at the Department of
Energy?
        MR. PODONSKY.
My office and I report to the Deputy
Secretary.
        CHAIRMAN BARTON.  And he reports to the Secretary of
Energy.
        Does your office have any authority or oversight over the
National Nuclear Security Administration.
        MR. PODONSKY.  We do conduct oversight within the NNSA,
yes.
        CHAIRMAN BARTON.  You conduct oversight.
        MR. PODONSKY.  Oversight of environment, safety, health,
safeguard security --
        CHAIRMAN BARTON.  What does that mean, you "conduct
oversight?"
        MR. PODONSKY.  We conduct inspections of the operational
sites within the NNSA.
        CHAIRMAN BARTON.  And, Mr. Friedman, as Inspector
General, you have oversight within your purview over the entire
Department; and that would also include the National Nuclear
Security Administration, would it not?
        MR. FRIEDMAN.  That's correct, Mr. Chairman.
        CHAIRMAN BARTON.  I am going to ask you some questions,
Mr. Podonsky.  I'm not an expert on what's classified and what's
not, so if I ask you something that requires an answer that's
classified, you just say so.
        But my understanding is that, as Director of the Office of
Security and Safety Performance Assessment, you oversee the
implementation of certain exercises that test the security systems
of the Department, is that correct?
        MR. PODONSKY.  Yes, sir.  We actually conduct performance
testing and physical security as well as in cyber security.
        CHAIRMAN BARTON.  And I am told that in one of those
performance assessment tests, your team was able to penetrate
some of the security systems of the Department, is that correct?
        MR. PODONSKY.  We have had that success in our performance
testing on numerous occasions.

        With specifics to this hearing, we had long, protracted red
teaming tests where we were emulating the same as a hacker
would do; and we penetrated throughout the national training
center in Albuquerque and the service center there.
        CHAIRMAN BARTON.  I am also led to believe that when that
red team was successful that those results were reported to the
appropriate officials in the Department.  That included the
Secretary and the Deputy Secretary, is that correct?
        MR. PODONSKY.  Yes, sir.
        CHAIRMAN BARTON.  Now I am also told that, after that report,
there was a discovery that the security system had been breached
for real, is that correct?
        MR. PODONSKY.  Yes, sir.  And that we would be better off to
go in more detail in a closed session.
        CHAIRMAN BARTON.  But it's not classified that there was a
real breach.
        MR. PODONSKY.  No, sir.
        CHAIRMAN BARTON.  Okay.  Now who should have been told
of that and when should they have been told and who was
responsible for the telling?
        MR. PODONSKY.  Relative to the information sharing, the
Secretary, the Deputy Secretary, the Administrators for both ESE
and NNSA should have been told immediately.
        CHAIRMAN BARTON.  Immediately.
        MR. PODONSKY.  Immediately.
        CHAIRMAN BARTON.  The Secretary of Energy should have
been told immediately.
        MR. PODONSKY.  Absolutely.
        CHAIRMAN BARTON.  What would the penalty be or should the
penalty be if the Secretary were not told immediately of such a
breach of security?
        MR. PODONSKY.  I can't speak on behalf of the Secretary, but,
were I in that position, I would be looking for accountability for
the individuals that didn't tell me.
        CHAIRMAN BARTON.  All right.  That's all the questions I have
at this point in time.  Thank you, Mr. Chairman.
        MR. WHITFIELD.  At this time, I'll recognize Ms.
DeGette of
Colorado.
        MS. DEGETTE.  Thank you very much, Mr. Chairman.
        Like the full committee Chairman, I am looking forward to
probing some of these issues, Mr. Podonsky, more in depth in
executive session.  So let me just ask a few questions of my own.
        Does the DOE have its own firewalls?
        MR. PODONSKY.  Yes, ma'am, it does.
        MS. DEGETTE.  Are those firewalls sufficient to protect DOE
data from hackers and other breaches?
        MR. PODONSKY.  In many cases the answer is yes.  When we
did our penetration testing, we used the weakness of the human
element.  Any time you have people involved, you have different
ways that you can penetrate, whether it be through attachments to
e-mail or whether it's through the way we did it, with using a disk
that we mailed through the U.S. mail.  And once you get inside,
because somebody was not aware that they were exposing the
Department vulnerability by clicking on to something, then you
have let somebody through the firewall but you didn't go directly
through the perimeter itself.
        MS. DEGETTE.  What kinds of precautions can be put in place, in
addition to what we have now, aside from beefing up the firewalls
to stop the kind of breaches you're testifying about?
        MR. PODONSKY.  A major effort which is currently under way
by the CIO's office, Tom Pyke, is making everybody aware of the
vulnerabilities that exist out there.  And that may seem very
simplistic, but it really isn't because people sitting at their own
desktop sometimes get a false sense of security, not knowing that
they are potentially exposed when they open up e-mail.  So
awareness is a very big part.
        MS. DEGETTE.  That's all well and good, and I am very
supportive of it, but, of course, that relies then on human nature to
protect against these breaches.
Are there any additional
technological precautions that we can put in place to protect
against people going around in the ways that you have described?
        MR. PODONSKY.  Yes, ma'am.  Earlier, before you came in, I
talked about doing encryption of information throughout so that if
information was obtained, then it would be protected by the fact
that it was encrypted.  We talked about segmentation, putting
people into different networks so that not everybody is connected
to one another.  There are tools out there also that routinely change
passwords so that people can't just break a password and have
access to your files.  So there's a lot of technology out there that
could be employed.
        MS. DEGETTE.  Is it being applied?
        MR. PODONSKY.  In some instances, it is starting to be applied.
        MS. DEGETTE.  Do you think it could be applied more
aggressively?
        MR. PODONSKY.  I answered earlier to your colleagues.
        MS. DEGETTE.  I am sorry.  I came in late.
        MR. PODONSKY.  Because I am repeating myself.  I am just--
the answer is, for us who do not have to implement the fixes,
nothing is going fast enough.  So it is easy for us to make those
statements.  But, yes, ma'am, we believe it could be more
aggressive; and we are optimistic that the Secretary and the Deputy
Secretary and the Under Secretary and the CIO are looking to be
more aggressive in this area.
        MS. DEGETTE.  Mr. Friedman, you noted in your last--I
apologize if I am being redundant again, but you noted in your last
assessment of DOE's cyber security program you found systemic
problems that exposed the Department's critical systems to
increased risk of compromise.  Which systemic failures troubled
you and why?
        MR. FRIEDMAN.
Firewall issues, incomplete inventory of
computers and computer systems and networks, inadequate
certification and accreditation processes--all of which are
extremely important in creating the safest environment possible.
Password authorization problems.  Some very basic things.
        MS. DEGETTE.  Why did those failures trouble you?
        MR. FRIEDMAN.  Well, they led us to conclude that the overall,
overarching Department of Energy structure in cyber security is
riskier than is satisfactory.
        MS. DEGETTE.  And without going into classified information,
would you say some of those problems that you identified led to
the breaches that we're going to be talking about in a few minutes
in Executive Session?
        MR. FRIEDMAN.  I would prefer not to answer that question in
this environment, if you don't mind.
        MS. DEGETTE.  Mr. Chairman, I yield back the balance of my
time.
        MR. WHITFIELD.  Thank you, Ms. DeGette.
        At this time, the gentleman from Washington, Mr. Inslee, is
recognized for 10 minutes.
        MR. INSLEE.  Thank you.
        Just looking at some of the history that's gone on here, I just
wondered from a budgetary standpoint what has gone on in the last
2 years with DOE in response to these identified difficulties that
have been experienced.  We've seen penetration by this testing
system.  We've seen identification by DOE of the need to respond
to some of these.  From a budgetary standpoint, has there been a
commitment of resources to solving these problems or is this just
sort of an overlay, that management has said we are going to give
an overlay of your current responsibilities and everyone is going to
have to increase, or has there been a budgetary response to this
problem?
        MR. PODONSKY.  Mr.
Inslee, while I am not involved with the \nbudgetary process for cyber security, I can tell you that we have \nseen a substantial increase in the CIO\'s budget and the \ncentralization of the responsibilities for the CIO.  So we do \nbelieve, from an independent oversight perspective, that the \nDepartment is applying resources to fix the problem, as opposed to \njust reports.  \n        MR. INSLEE.  Mr. Friedman, do you have any comment?  \n        MR. FRIEDMAN.  At this point, from our vantage point, as \ncarefully as we\'ve tried to look at this, I cannot correlate dollar for \ndollar increases in the cyber security budget with enhancements \ntaking place.  The problem is more environmental, if I may put it \nthat way, than a shortage of resources.  \n        Although I will say that when we talked to contractor personnel \nin the field, and we had a discussion earlier about the structure of \nDOE and the importance of the contractors, we do hear a number \nof complaints that there are things that they say they cannot do \nbecause the funds simply are not available.  I have not verified that \nindependently.  \n        But, as I indicated earlier, the Department spends between two \nand two and a half billion dollars a year on information technology \nin the Department of Energy, Mr. Inslee, and we have a cyber \nsecurity budget of about $140 million a year, so significant \nresources are being devoted to this problem.\n        MR. INSLEE.  Is there value to be added by increasing \nfrequency of these external controlled attacks, if I can call it, that \nour own good guys are attacking our DOE?  Is that done with \nadequate frequency or aggressiveness?  Should it be done more \noften to try to solve this problem?\n        MR. PODONSKY.  Sir, since my office is responsible for \nconducting the majority of these penetration testings for the \nSecretary, I would tell you that we believe we are doing it on an \nappropriate frequency.  Could it be more aggressive?  
We have \nbecome more aggressive in the last 2 years.  But, at the same time, \nwe also recognize that, as we continue to find the problems, the \nDepartment also has to catch up with fixing those problems.  \n        From a standpoint of independent oversight, I would say there \ncould be diminishing returns if we are constantly attacking the \nDepartment in ways that they don\'t have time to fix it.  There \ncould be an unintended consequence of never getting to the bottom \nof getting all of the problems fixed.\n        MR. INSLEE.  Listening to your answers to Chairman Barton\'s \nquestions about who should be notified when there are breaches, I \nsuspect when we go to our closed hearing we are going to find \nnon-compliance with the expectations that you suggested.  What \ncould Congress do to see to it that if there is non-compliance with \nthose expectations that you enumerated, what could we do to see to \nit that somebody cracks the whip on this problem?  What would \nyou suggest?  \n        MR. PODONSKY.  I think you are doing it right now by having a \nhearing.  \n        MR. INSLEE.  I would hope so.  I am not sure that we are as \nomnipotent that you might think on a hearing. \n        MR. PODONSKY.  Depends on if you are sitting up here or up \nthere.  \n        MR. INSLEE.  Okay.  Thank you very much. \n        MR. WHITFIELD.  Thank you, Mr. Inslee.  \n        One other question I\'d like to ask you, Mr. Friedman.  Of the \ntotal computer systems at DOE, it is my understanding that 75 \npercent of those computer systems are controlled by contractors.  \nSo when we talk about improving cyber security at DOE we \ncertainly have to have contractors on board, and it is my \nunderstanding from information we have that during last year\'s \nInspector General\'s audit of the computer systems you determined \nthat several contractors have refused to comply with the DOE \ncyber security requirements because they said it\'s not in the \ncontracts.  
Is that correct?  \n        MR. FRIEDMAN.  That\'s correct, Mr. Chairman.  \n        Specifically, there are requirements that have been established \nunder the FISMA statute, which I described earlier.  Also, there are \nOMB requirements and extremely important benchmarks that have \nbeen established by the National Institute of Standards and \nTechnology that are government-wide.  Unfortunately, they have \nnot been incorporated in a lot of the contracts as a flow-down; and, \nas a consequence, when we have talked to the contractor people \nwho, as you correctly characterize, control many of these systems, \n75 percent may be right.  I don\'t quibble with that.  I don\'t know if \nthat\'s the precise number.  They push back and say we don\'t have \nto do that, and the reason we don\'t have to it\'s not specifically \nrequired in our contract.  \n        That gets to sort of a fundamental concern we have with regard \nto governance in the Department of Energy.  There are a number of \nproposals to change the way we govern our contractors; and I am \nconcerned that if we relax too many of the specifics when we have \nproblems, the contractors come back to us and say, well, you didn\'t \nspecifically require me to do X, Y, and Z.  Therefore, I don\'t feel \nthe need to comply.  \n        MR. WHITFIELD.  Well, in your discussions with the \nappropriate people at DOE who have jurisdiction over these \ncontracts, are you satisfied with their explanations as to why they \nare not requiring --\n        MR. FRIEDMAN.  Well, the CRD, which is the contractor \nrequirement document, which is incorporated in the contract, is \nvery general and basically says use prudent judgment and be \nresponsible.  However, the situation is much more complex than \nthat, and requires prudent judgment in the way you institute the \ncyber security program.  \n        But the specifics presently are missing.  
We have raised that \nissue with Department managers on a number of occasions, and I \nthink the response has been less than overwhelming.  Hopefully, \nperhaps as a result of this hearing and your interest and the interest \nof the subcommittee, there will be more active participation in this \nprogram. \n        MR. WHITFIELD.  They certainly have the authority to require \nthat these security requirements be met, correct?\n        MR. FRIEDMAN.  Well, I am not sure at this point whether, \nunless there was agreement on both sides, it wouldn\'t be a \nunilateral change to the contract.  It would require a contractor \ncommitment.  However, for a new contract, certainly they could be \nmade. \n        MR. WHITFIELD.  If I am offering a contract and you\'re \nresponding, then I want what I want.\n        MR. FRIEDMAN.  Correct. \n        MR. WHITFIELD.  So, obviously, that\'s something we are going \nto continue to look at.  Because that is ridiculous that that not be \nrequired and in these contracts unless there is some overwhelming \nreason why it should not be done.  \n        Anyone else?  Okay.  Okay.  Well, that concludes the \ntestimony of the first panel.  \n        Now, Mr. Friedman, we genuinely appreciate you being with \nus today.  It is my understanding you have an obligation that you \nhave to go off to.  So we would ask Mr. Podonsky to please stay.  \n        We do intend to go into Executive Session as soon as we finish \nwith the second panel, and there are three witnesses on the second \npanel.  So we don\'t anticipate it will take us too long.  But we do \nwant to hear their testimony.  We have some questions for them.  \nSo thank you for being with us, and we look forward to seeing you \nin Executive Session.  \n        MR. FRIEDMAN.  Let me say I appreciate your indulgence, and I \napologize.  My Principal Deputy, Herb Richardson, is here.  He \nspeaks for me eloquently, and he will participate in the subsequent \nsession. \n        MR. 
WHITFIELD.  We look forward to seeing Mr. Richardson \nthere.  Thank you.  \n        Okay, first panel is dismissed.\n        At this time, I\'d like to call up the second panel.  \n        On the second panel, we have Mr. Tom Pyke, who is the Chief \nInformation Officer at the Department of Energy.  We have the \nHonorable Linton Brooks, Administrator for the National Nuclear \nSecurity Administration; and we have the Honorable David \nGarman, Under Secretary for Energy, Science and Environment at \nthe Department of Energy.  \n        I want to welcome all of you.  We appreciate your being with \nus on this important subject matter.  \n        As you know, this is the Oversight and Investigations \nSubcommittee, and it is our tradition to take testimony under oath.  \nDo any of you object to testifying under oath?  Do any of you have \nany legal counsel that you would like to be with you?  If you \nwould raise your right hand.\n        [Witnesses sworn.]\n        MR. WHITFIELD.  You are now under oath.\n\nTESTIMONY OF TOM PYKE, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY; \nTHE HONORABLE LINTON BROOKS, ADMINISTRATOR, NATIONAL NUCLEAR SECURITY \nADMINISTRATION; AND THE HONORABLE DAVID K. GARMAN, UNDER SECRETARY FOR ENERGY, \nSCIENCE, AND ENVIRONMENT, U.S. DEPARTMENT OF ENERGY  \n\n        MR. WHITFIELD.  Mr. Pyke, I\'ll recognize you for your \n5-minute opening statement. \n        MR. PYKE.  Good afternoon, Mr. Chairman.  My name is Tom \nPyke.  I am the Chief Information Officer of the Department of \nEnergy.  I am pleased to be here today to share with the committee \na summary of the actions that the Department of Energy has taken \nto strengthen our cyber security posture.  \n        The Department of Energy takes cyber security very seriously.  \nOur senior management team is working together to ensure that we \nare taking all appropriate actions to protect our information \nsystems as well as the information processed on these systems.  
We are taking a risk-based approach, managing the overall risk and
the risk that still remains after all appropriate managerial and
technical controls have been applied.  This risk is sometimes called
residual risk.
        The Department's cyber security program is guided by the
Federal Information Security Management Act, known as FISMA,
including its emphasis on certifying and accrediting every
information system before it is placed into operation.  We are also
guided by the actions and products of the Committee on National
Security Systems and by the National Industrial Security Program
Operating Manual for national security systems.
        Based on a risk assessment and a system security plan, each
system has controls applied to ensure availability, confidentiality,
and integrity of each system and the information on that system.
These controls are tested to ensure they are working properly.
After the controls are applied, a statement of the residual risk is
presented to an accrediting official.  This official makes the
determination for the system to become operational based on the
residual risk evaluation, taking into account the role of the system
in supporting the agency's mission.
        I would like to point out to the committee that there is no such
thing as no risk and no such thing as perfect cyber security.
Well-informed judgments have to be made as to the nature and
amount of protection that is to be applied to each system and
network, and that is a fundamental part of the certification and
accreditation process.  We are also guided in managing cyber
security by the Office of Management and Budget with its policy
and by guidance issued by the National Institute of Standards and
Technology.
        Our cyber security program responds to risk assessments
conducted within the bounds of our assessment of the current
threats to our system.  The threat to our systems from outside our
perimeter as well as from insiders is continually increasing.  The
hackers and others intent on harming our systems or obtaining
information from our systems are becoming smarter in their
attacks.  The threat is especially challenging given the
vulnerabilities in off-the-shelf operating systems and application
software that we must use to support our mission.  This software is
very complex, and vulnerabilities are continually identified over
the lifetime of that software.
        Although software vendors prepare and distribute software
patches after vulnerabilities are identified, there is always a delay
in preparing and distributing these software patches, creating a
window of opportunity for attacks despite best efforts to maintain
secure system configurations and despite best efforts to apply the
software patches in a timely way.
        I should also point out that software patches need to be tested
first before they're applied to our systems to ensure they do not
interfere with the systems' ability to meet mission requirements.
        Our cyber security posture is bolstered by the testing we do
during the certification and accreditation process as well as by
systematic continuous vulnerability testing.
        We also benefit significantly from the testing that the
Department's Office of Inspector General conducts as a part of its
financial and FISMA reviews, and we are also fortunate to have
within the Department the Office of Security and Safety
Performance Assurance, which conducts the red team attacks that
you have been hearing about and penetration testing on our
systems and networks to identify vulnerabilities as well as
performing cyber security assessments and evaluations that are of
great help to us.
        The Department of Energy has extensive expertise in the area
of cyber security, and we are devoting substantial resources to this
important area.  The challenge in managing cyber security is for us
to prioritize our efforts using a risk-based approach as we
implement all the parts of a balanced cyber security program.  We
need to be smart about how to apply our cyber security resources,
both in what we do and in the relative priority we give to the
various parts of this effort.
        When I came on board at Energy at the end of November of
2005, the Department had recognized the cyber security challenge
it faced.  I have personally given cyber security the highest priority
in the management of the Department's information technology.
At that time, we had available a recently prepared Cyber Security
Project Team report that you heard about earlier.  We had that in
hand.  That summarized some of the kinds of action that needed to
be taken to improve our cyber security posture.
        At the direction of the Secretary and the Deputy Secretary, I
led the development of the Department of Energy Cyber Security
Revitalization Plan, which now provides the basis for the
Department cyber security program.  The plan was developed
under the oversight of an executive committee, which I chair, and
which has as members the Under Secretaries, including the
Administrator of the National Nuclear Security Administration,
Ambassador Brooks, and the Under Secretary for Energy, Science,
and Environment, Mr. David Garman, as well as the new Under
Secretary for Science, Dr. Ray Orbach, the Director of the Office
of Security and Safety Performance Assurance, the Administrator
of the Energy Information Administration, and a representative of
the Department's Power Marketing Administrations.
        We have a Cyber Security Working Group that reports to this
Steering Committee that has coordinated the development of the
Revitalization Plan and is actively involved now in coordinating
the implementation of the plan.
        In developing the Revitalization Plan, we went "back to
basics," guided by FISMA and OMB policy.  We considered the
Department's mission and the way the Department is structured,
and we considered the cyber security risks currently faced by the
Department.  We factored into the plan the recommendations from
the Cyber Security Project Team report.
        Under the Revitalization Plan, my office, the Office of the
Chief Information Officer, develops top-level cyber security
policy, to be issued by the Deputy Secretary.  Our office issues
guidance on issues--
        MR. WHITFIELD.  Mr. Pyke, excuse me for interrupting, but
you have gone about 2 minutes over the 5 minutes.  If you
wouldn't mind summarizing; we do have your testimony in its
entirety, and I would appreciate it.
        MR. PYKE.  After we had this top-level policy, the Under
Secretary established policies and implementation plans for this
part of the Department consistent with that policy and guidance;
and the plan provides a basis for long-term strength in cyber
security in the Department, with the significant beginning to be
accomplished in the next 12 months.  We've already issued initial
guidance in the critical certification and accreditation area.
        I should say that it has been very important for us to continue
to adjust our priorities and implement the Revitalization Plan based
on our assessment of risk.  For example, during the last 3 months,
we have given special attention to improving our ability to respond
to increasingly more sophisticated cyber attacks.  The resources
required to do so have necessitated changes in our schedule or our
initial schedule for completing some other parts of the
revitalization effort.
        We would like to assure the committee, to which we have
provided our current schedule, that we are working very hard and
diligently in our area; and we are attempting to accelerate the
completion of as many products as possible to the extent that we
are able to do so.
        MR. WHITFIELD.  Thank you very much, Mr. Pyke.
        [The prepared statement of Thomas N. Pyke, Jr. follows:]

PREPARED STATEMENT OF THOMAS N. PYKE, JR., CHIEF
INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY

        Good afternoon, Mr. Chairman.  My name is Tom Pyke.  I am
the Chief Information Officer of the Department of Energy.  I am
pleased to be here today to share with the Committee a summary of
the actions the Department of Energy is taking to strengthen its
cyber security posture.
        The Department of Energy takes cyber security very seriously.
Our senior management team is working together to ensure that we
are taking all appropriate actions to protect our information
systems and the information processed on these systems.  We are
taking a risk-based approach, managing the overall risk and the
risk that still remains after all appropriate managerial and technical
controls have been applied, often called residual risk.
        The Department's cyber security program is guided by the
Federal Information Security Management Act (FISMA),
including its emphasis on certifying and accrediting every
information system before it is placed into operation, by the
Committee on National Security Systems (CNSS), and by the
National Industrial Security Program Operating Manual
established by Executive Order 12820 for national security
systems.  Based on a risk assessment and a system security plan,
each system has controls applied to ensure availability,
confidentiality, and integrity of each system and the information on
that system.  These controls are tested to ensure they are working
properly.  After the controls are applied, a statement of the residual
risk is presented to an accrediting official.  This official makes the
determination for the system to become operational based on this
residual risk evaluation and the role of the system in supporting the
Agency's mission.
        I would like to point out to the Committee that there is no such
thing as "no risk" and no such thing as perfect cyber security.
Well-informed judgments have to be made as to the nature and
amount of protection that is to be applied to each system and
network, and that is the nature of the certification and accreditation
process.  We are also guided in managing cyber security by Office
of Management and Budget (OMB) policy and by guidance issued
by the National Institute of Standards and Technology (NIST).
        Our cyber security program responds to risk assessments
conducted within the bounds of our assessment of the current
threat to our systems.  The threat to our systems from outside our
perimeter and from insiders is continually increasing.  The hackers
and others intent on harming our systems or obtaining information
from our systems are becoming smarter in their attacks.  The threat
is especially challenging given the vulnerabilities in off-the-shelf
operating system and applications software that we must use to
support our mission.
        This software is very complex, and vulnerabilities are
continually identified over the lifetime of that software.  Although
software vendors prepare and distribute software patches after
vulnerabilities are identified, there is always a delay in preparing
and distributing these software patches, creating a "window" for
attacks despite best efforts to maintain secure system
configurations and despite best efforts to apply the new software
patches in a timely way.  I should also point out that software
patches need to be tested first before being applied to our systems
to ensure that they do not interfere with the systems' ability to
meet mission requirements.
        Our cyber security posture is bolstered by the testing we do
during the certification and accreditation process, and by
systematic, continuous vulnerability testing.  We also benefit from
the testing that the Department's Office of Inspector General
conducts as part of its financial and FISMA reviews, and we are
also fortunate to have within the Department the Office of Security
and Safety Performance Assurance, which conducts Red Team
attacks and penetration testing on our systems and networks to
identify vulnerabilities, and performs cyber security assessments
and evaluations.
        The Department of Energy has extensive expertise in the area
of cyber security, and we are devoting substantial resources to this
important area.  The challenge in managing cyber security is for us
to prioritize our efforts using a risk-based approach as we
implement all the key parts of a balanced cyber security program.
We need to be smart about how we apply our cyber security
resources, both in what we do and in the relative priority we give
to the various parts of this effort.
        When I came on board at Energy, at the end of November
2005, the Department had recognized the cyber security challenge
it faced, and I have given cyber security the highest priority in the
management of the Department's information technology.  We had
a recently prepared Cyber Security Project Team report in hand at
the time that summarized the kinds of actions needed to be taken to
improve our cyber security posture.
        At the direction of the Secretary and the Deputy Secretary, I
led the development of a Department of Energy Cyber Security
Revitalization Plan, which now provides the basis for the
Department's cyber security program.  This plan was developed
under the oversight of an Executive Steering Committee, which I
chair, and which has as members our Under Secretaries, the
Administrator of NNSA and the Under Secretary for Energy,
Science, and Environment, as well as the Director of the Office of
Science, the Director of the Office of Security and Safety
Performance Assurance, the Administrator of the Energy
Information Administration, and a representative for the
Department's Power Marketing Administrations.  We have a
Cyber Security Working Group that reports to the Steering
Committee that has coordinated the development of the
Revitalization Plan and is actively involved now in coordinating
implementation of the Plan.
        In developing this Revitalization Plan, we went "back to
basics," guided by FISMA, OMB policy, and NIST guidance.  We
considered the Department's mission and the way the Department
is structured, and we considered the cyber security risks currently
faced by the Department.  We factored into the Plan the
recommendations from the Cyber Security Project Team report.
        Under the Revitalization Plan, the Office of the Chief
Information Officer (OCIO) develops top-level cyber security
policy, to be issued by the Deputy Secretary.  OCIO issues
guidance on implementing cyber security management,
Department-wide, working with the Cyber Security Working
Group in doing so.  Our office also leads the charge for awareness
by everyone in the Department of the importance of each person's
role in cyber security, and provides oversight of the entire
Department-wide cyber security program.  We also regularly
advise senior Department management of evolving threats and the
best protection strategies to employ in implementing cyber security
protections.
        Each of the Under Secretaries establishes policies and
implementation plans for their part of the Department, consistent
with the overall Departmental policy and guidance.  They each
tailor their implementation to meet the needs of their respective
programs.  OCIO works with the entire Department in preparing
reports of cyber security status, as required under FISMA, and
OCIO also conducts compliance reviews relative to policy and
guidance to ensure that adequate protection of our information and
information systems is in place.  The Office of the Inspector
General and the Office of Security and Safety Performance
Assurance each conduct appropriate oversight reviews and testing
that help ensure that the cyber security program is working as
intended.  The results of these reviews are expected to continue to
be very important inputs to the Department as we continue to
improve our cyber security program.
        The Revitalization Plan identifies five high priority activities:
certification and accreditation; use of an enterprise
defense-in-depth strategy, providing layered protection from the perimeter of
our networks to our users; asset management, to ensure that all
information technology assets are identified and managed well
with secure configuration controls and timely software updates;
network interconnection and segmentation; and education and
awareness.  The major components of the revitalization process are
identified as: planning, based on a common understanding of risk
and threat, to ensure that cyber security is integrated through
business practices and Under Secretarial missions; cyber security
policy and guidance; architecture and technology that supports
Department-wide implementation; common services that support
the entire Department, including incident management, education
and awareness training, and asset management tools and support;
and performance measurement, providing a clear and consistent
means to measure the cyber security status of the Department.
        The Plan is intended to provide a basis for a long-term,
strengthened cyber security program, with a significant beginning
to be accomplished in the first twelve months, by February 2007.
The highest priority activities, based on risk, are receiving
attention and resources first, even as detailed planning and
implementation continues throughout the Department.  We have
already issued revised certification and accreditation guidance, and
we have initiated a corporate asset management process.  Network
segmentation plans have been developed and implementation has
begun.  We have organized a Department-wide cyber forensics
team that is responding daily to cyber attacks, with excellent
results.  Cyber security awareness for all employees has been jump
started with special bulletins containing detailed guidance,
focusing on social engineering attacks, against which everyone's
participation is essential.
        The Secretary has said that "revitalizing our cyber security
program is the best way to ensure that we continue to protect our
Department's assets and the nation," and he has charged the
Department's leadership to commit ourselves to this task.  We are
all working together to move as quickly as we can to improve the
Department of Energy cyber security posture, and I believe our
progress is now being felt through an improved ability to thwart
attacks and to bring all the necessary resources to bear quickly and
effectively as needed.  We understand that cyber security is a
never-ending process, and we are committed to maintaining a high
level of vigilance to ensure that the Department is able to carry out
its mission without disruption caused by cyber threats.  I would be
pleased to respond to any questions you may have.

        MR. WHITFIELD.  Mr. Brooks, you are recognized for 5
minutes.
        MR. BROOKS.  Thank you, Mr. Chairman.  As Mr. Pyke's
statement made clear, we have to focus on and use a risk-based
approach.  And the highest risk, of course, would be compromised
classified material.  I recognize the hearing is focused primarily on
threats to unclassified material, but it is important to note that we
have to focus on both.  I am confident that our classified material is
secure, but we need to focus on both unclassified and classified.
        I'd like to highlight several specific actions that we are taking
to strengthen cyber security.  First--and this does apply to
classified--is the conversion to diskless work stations.  We will be
completing that by the end of 2008.  About 45 percent of our
classified work stations are operating without disks, and that will
increase our ability to transmit both classified and other forms of
sensitive information around the Department.
        Secondly, we are working on continuous asset monitoring
systems.  That lets us improve real-time security monitoring of
both classified and unclassified networks and lets us increase the
efficiency and the accuracy of our reporting.
        Several of the members of the committee have stressed the
very large number of computers that we have spread out over a
very large number of organizations.  If we do not have a solid
handle on what we have, no management system will work.  And
we have spent, with Mr. Pyke's organization, the last 18 months
testing and evaluating a series of offerings.  We've selected a
customized architecture and last week our Pantex plant became the
first DOE site to successfully implement the system.
        Third, we are giving increasing attention to deployment of
encryption for secure communication over unclassified networks.
The fragmented nature of the Department means that we
sometimes act inefficiently, so we've worked together with
Mr. Pyke's organization to combine our licenses into a single
agreement for various commercial encryption software to save
about a million dollars.
        In addition, we are implementing encryption on laptops in a
way similar to that described by the Inspector General.
        Fourth, we're working hard on training.  Training and
awareness are the keys to everything else.  Mr. Pyke sets the
example by conducting training at pop-up meetings, and at the
senior leadership meetings of the Department, and we're
attempting to emulate that in a variety of ways.  In addition to
these, we've developed a comprehensive set of policies to
standardize configuration that gives our individual sites a uniform
set of risk management tools.  We are trying to use our metrics not
just to feed in to the various reports that Mr. Pyke mentioned, but
to improve internally.  We are developing continuity of operation
plans and we are continuing to focus on inventory.
        Working with Mr. Pyke, we are making good progress--that is
a statement about the progress, not about where we are--toward
both better management of risk and more efficient use of
resources.  I believe every member of the Department's leadership
is committed to both improving cyber security and to the security
of our information.
        The following is not in my prepared statement.  I know we will
be talking about this more in the classified closed session.  But I do
want to note that the personnel information which he referred to is
not what we would normally call personnel files.  It is a list of
names, and Social Security numbers.  I don't mean to minimize the
seriousness, but it might very well have been something else, but
that's what it was and we can talk about that in more detail in the
closed session.
        Thank you, sir.
        MR. WHITFIELD.  Thank you.
        [The prepared statement of Hon. Linton Brooks follows:]

PREPARED STATEMENT OF THE HON. LINTON BROOKS, UNDER SECRETARY OF ENERGY FOR
NUCLEAR SECURITY AND ADMINISTRATOR, NATIONAL NUCLEAR SECURITY
ADMINISTRATION, U.S. DEPARTMENT OF ENERGY

        Good morning, Mr. Chairman, thank you for the opportunity to
appear before you today in support of the Department's efforts to
strengthen our cyber security.
        The National Nuclear Security Administration Act (NNSA)
established the NNSA within the Department of Energy (DOE)
with the mission to strengthen the United States' security through
the military application of nuclear energy and by reducing the
global threat from terrorism and weapons of mass destruction.  As
Administrator, one of my duties is the security of NNSA's
information systems and networks.
        NNSA is responsible for the majority of the classified networks
within the Department and we take this responsibility very
seriously.  Our classified networks receive our highest priority and
we have taken all possible steps to ensure their security.  I am
confident of the security of our classified systems and networks
and to date we have been successful in preventing any breach in
security.  However, we must maintain constant vigilance over the
systems entrusted to us and it is essential that we continue the
improvements underway to upgrade the infrastructure and improve
integration across the Federal complex.  Only by doing so can we
ensure the long-term cyber security of the nuclear weapons
complex.
        NNSA is dependent upon information and upon the systems
that create, process, store, and communicate information to carry
out our missions.  But the management of the security for these
systems must rely on a comprehensive understanding of systems,
in depth analyses of every new attack, and a timely determination
of the best approach to mitigate the efforts of intruders.  Doing so
requires a substantial commitment of resources--both financial and
intellectual--and a coordinated effort across all elements of the
Department.
        I look to Mr. Tom Pyke, Chief Information Officer (CIO) for
the Department, to integrate our Departmental efforts.  NNSA
supports the Federated approach and is applying that approach
across the NNSA complex.  We have engaged each of our
laboratories, plants, sites and offices in assessing the priorities that
must be addressed in the future.  These priorities are based on the
risks at each site, as each site has different types of information it
must protect and transmit.
        Cyber security threats are increasing in complexity and number
and we are working to strengthen our cyber security posture.  We
continue to monitor all aspects of cyber security throughout the
NNSA complex and to apply risk management to balance cyber
security issues with available budget resources.  NNSA, with
leadership from the CIO, is working closely with the Office of
Security and the Office of Counterintelligence to maintain
awareness of cyber security threats.
We are jointly working to \nmaximize our efforts and resources to ensure a secure environment \nfor the transmission and storage of our information.  \n        Today, I would like to highlight four specific efforts that \nbenefit the department and strengthen cyber security throughout \nthe weapons complex: \n        Diskless Workstation Upgrades:  Plans are in place to convert \nthe department\'s classified workstations to diskless operations. The \nplans support the completion of the conversion effort by the end of \nFY 2008 and as of the end of April 2006 over 45% of the \nDepartment\'s classified workstations were operating without disks. \nThe ultimate success of the effort is tightly linked to the ability of \nthe Integrated Cyber Security Initiative (ICSI) to implement a \ngateway to permit non-weapons data - both DOE and other agency \ndata - to traverse the Department utilizing the Enterprise Secure \nNetwork.  Development work on the gateway, including a \nconnection to SIPRNet, is expected to begin in FY 2007.\n        Continuous Asset Monitoring System (CAMS):  CAMS has \ntwo overarching objectives: 1) to improve security monitoring of \nDOE\'s and NNSA\'s networks (both classified and unclassified) in \nnear real-time as well as software patch management; and 2) to \nincrease the efficiency and accuracy of congressionally-mandated, \nasset-based reporting. A joint NNSA-DOE team invested almost \n18 months testing and evaluating multiple vendors\' offerings with \nthe goal of selecting a common solution for both classified and \nunclassified operational environments, to minimize cost and \nstandardize the system administration.  To meet the Agency\'s long \nterm reporting obligations, a customized architecture was selected \nconsisting of hardware, software and process solutions which will \nbe implemented across the Department and will include all NNSA \nsites, labs, plants and offices.  
\n        Encrypted Communication:  With the support of Congress, we \nhave accelerated deployment of enterprise encryption for secure \nauthentication and communication.  We fully support the \nDepartment\'s move to purchase encryption software. Currently, \nNNSA and DOE have multiple contracts. An agreement is being \nnegotiated where these licenses will be combined into a single \nagreement and upgraded to a new thin client version.  New licenses \nwill be purchased at a reduced rate as needed.  This combined \narrangement will ultimately save the Department over one million \ndollars in licensing and maintenance costs.\n        Cyber Security Training: NNSA has partnered with DOE in a \ntraining working group that evaluates products and vendors \ntraining programs for all positions in the management and use of \ncomputing assets.  Training for our cyber security professionals is \nalso key to raising awareness and acceptance of assessing and \nprioritizing cyber security risks at all sites.  \n        NNSA has also developed a comprehensive set of cyber \nsecurity policies that standardize the configuration of many of our \nsystems and assists in fully documenting the risks associated with \nthe certification and accreditation of our computing assets.   The \npolicies we have directed fully implement national and federal \npolicies in a graded risk management approach.  Site managers \nnow have a uniform risk acceptance based process for assessing \nrequirements and for implementing their cyber security programs. \n        NNSA is moving forward on multiple fronts to strengthen and \nensure a safe information technology working environment.  We \ncontinue to report our Office of Management and Budget (OMB) \ncyber security metrics and actively use this information to improve \nprogram control and evaluation.  We continue to develop our \ncontinuity of operations plans as required by Departmental \ndirectives.  
We have established a working group to improve our \ncyber security by establishing security configurations for each of \nthe computer systems in use across our federal and contractor sites.  \nNNSA is teaching classes in cyber security policy implementation \nthat expand on the DOE information as required for our weapons \ncomplex.  Finally, we continue to support the Department to \nimprove the inventory of our information systems. \n        Mr. Chairman, we are working diligently to maintain a secure \nenvironment for our information and that of the Department.  We \nare moving ahead, we are making progress, and with the Federated \napproach, and we will be able to better manage risk and the \nefficient use of resources.\n        I look forward to your questions. Thank you.   \n\n        MR. WHITFIELD.  Mr. Garman.\n        MR. GARMAN.  Mr. Chairman, members of the committee, as \nyou have heard from the others, cyber threats are on the rise and I \ncannot tell you that we can fully guarantee the protection of all of \nthe data that resides on the system or our systems themselves.  \nMoreover, given the evolving and dynamic nature of the threat, I \nbelieve it\'s unlikely that we will ever be fully satisfied with our \ncyber security posture.  However, the fact that we cannot achieve \nabsolute enduring protection against all cyber threats must not \ndeter us from undertaking serious sustained efforts to improve our \ncyber security posture.  \n        The Secretary and the Deputy Secretary have made cyber \nsecurity a priority shortly after they came to the Department.  They \ngrasped the challenges that confronted us.  They recruited a new \nChief Information Officer.  They established a Cyber Security \nExecutive Steering Committee, on which I serve, along with the \nothers you see here and more.  We\'ve established the Cyber \nSecurity Working Group comprised of information technology and \ncyber security specialists to assist us in our responsibilities.  
\n        During the ensuing months we have developed and issued a \ncyber security revitalization plan that we are currently \nimplementing, to put it bluntly and--you mentioned this earlier, \nMr. Chairman--it is my view that we are not yet where we need to \nbe.  But I believe we are far better off than we were a year ago as a \nconsequence of these actions by the Secretary, the Deputy \nSecretary and the Chief Information Officer.  \n        In addition to stressing the importance of cyber security to the \nassistant secretaries and office directors that report to me, I have \nmet with the cyber security information and technology personnel \nwho report to them to discuss and understand the particular \nchallenges that they face.  We\'ve also recently detailed a cyber \nsecurity expert to my office to assist me in implementing the plan \nand identifying best practices for replication.  \n        In addition to the efforts embodied in the Security \nRevitalization Plan, we\'ve engaged in a number of activities that \nimproves the Department\'s ability to protect our data.  For \nexample, in 2005 the Office of Science initiated a cyber security \nsite assistance visit program.  Cyber security specialists from the \nOffice of Science, together with inspectors from the Office of \nSecurity and Safety Performance Assurance, are conducting, as we \nspeak, cyber security reviews at various sites and national \nlaboratories.  These visits are helping sites to identify and \nremediate potential weaknesses and risks and establish a consistent \ncyber security baseline.  \n        To date, the Office of Science has conducted 10 such visits and \nwill shortly expand coverage to facilities outside of their purview. \n        The Office of Environmental Management, meanwhile, has \nalso made significant process in reengineering its own cyber \nsecurity oversight process.  
That office has developed several \ncyber security management applications, such as intrusion \ndetection, monitoring capability, allowing them to identify \nforeign-based cyber attacks launched against EM facilities from \nthe Internet, and risk assessment management systems which \nautomate cyber security risk assessments in support of their \ncertification and accreditation responsibilities.  Those are just some \nexamples of our programs of active cyber security programs, and \nall are working collaboratively to implement relevant portions of \nthe cyber security revitalization program plan at headquarters and \nin the field.  \n        Now, this is very important.  We know that this is not a quest \nfor an end point where we declare success but, rather, a continuous \nprocess where we strive to get ahead and stay ahead of our \nadversaries.  Just as we welcome the efforts of the Inspector \nGeneral, the Office of Security and Safety Performance Assurance, \nand others to test and evaluate our success in this regard on an \nongoing basis, we also welcome the efforts of this subcommittee as \nwe work to manage cyber security risks in a cost-effective and \nresponsible manner.  \n        This concludes my testimony and I would, of course, be \npleased to respond to any questions you have either today or in the \nfuture.  Thank you, Mr. Chairman. \n        [The prepared statement of Hon. David Garman follows:] \n\n\n\nPREPARED STATEMENT OF HON. DAVID K. GARMAN, UNDER SECRETARY FOR ENERGY, \nSCIENCE, AND ENVIRONMENT, U.S. DEPARTMENT OF ENERGY\n\n        Mr. Chairman and Members of the Committee, I appreciate \nthis opportunity to discuss the Department\'s efforts to strengthen \nour cyber security posture.\n        We recognize the importance of providing adequate protection \nto our systems and our data, given the criticality of those systems \nand data to supporting our mission as well as the sensitivity of \nmuch of the data in our possession. 
As such, we continue to assess \nand evaluate our cyber security posture as it relates to the threat.\n        Cyber security threats are on the rise.  I cannot assert that we \ncan fully protect all our data on our systems today; however, we \ntry.  Moreover, given the evolving and dynamic nature of the \nthreat, it is unlikely that we will ever be fully satisfied with our \ncyber security posture.  However, we must not allow the fact that \nwe cannot achieve absolute, enduring protection against all cyber \nthreats to deter us from undertaking serious, sustained efforts to \nimprove our cyber security posture.\n        The Secretary and Deputy Secretary have made cyber security \na priority.  Shortly after they came to the Department, they grasped \nthe challenge that confronted us.  They recruited a new Chief \nInformation Officer (CIO).  They established a Cyber Security \nExecutive Steering Committee on which I serve, along with the \nAdministrator for the National Nuclear Security Administration, \nthe CIO, and others.  We have established a Cyber Security \nWorking Group comprised of information technology and cyber \nsecurity specialists to assist us in our responsibilities.  During the \nensuing months, we have developed and issued a Cyber Security \nRevitalization Plan that we are currently implementing.\n        To put it bluntly, while we are not yet where we need to be, I \nbelieve we are far better off than we were a year ago.  \n        In addition to stressing the importance of cyber security to the \nAssistant Secretaries and Program Directors who report to me, I \nhave met with the cyber security and information technology \npersonnel who report to them to discuss the particular challenges \nthat they face.  
We have also recently detailed a cyber-security \nexpert to my office to assist me in implementing the plan and \nidentifying best practices for replication.\n        Therefore, in addition to the efforts embodied in the Cyber \nSecurity Revitalization Plan, we have engaged in a number of \nactivities that improve the Department\'s ability to protect its data. \n        For example, in 2005, our Office of Science initiated a cyber \nsecurity Site Assistance Visit (SAV) Program. Cyber security \nspecialists from the Office of Science, together with inspectors \nfrom the Office of Security and Safety Performance Assurance, are \nconducting cyber security reviews at various sites and national \nlaboratories. These visits are helping sites to identify and remediate \npotential weaknesses, accept risks, and establish a consistent cyber \nsecurity baseline. In addition, these visits serve to provide training \nto a cadre of cyber security personnel and help identify best \npractices.  To date, the Office of Science has conducted ten such \nvisits and will shortly expand coverage to facilities outside the \npurview of the Office of Science.\n        The Office of Environmental Management (EM) has also made \nsignificant progress in re-engineering its cyber security \nmanagement oversight process.  EM has developed several cyber \nsecurity management applications such as an Intrusion Detection \nMonitoring capability, allowing them to identify foreign-based \ncyber attacks launched against EM facilities from the Internet, and \na Risk Assessment Management System, which automates cyber \nsecurity risk assessments in support of their certification and \naccreditation responsibilities. \n        Those are just some examples.  All of our programs have active \ncyber security programs in place, and all are working \ncollaboratively to implement relevant portions of the Cyber \nSecurity Revitalization Plan at Headquarters and in the Field.  
We \nknow this is not a quest for an end point where we declare success, \nbut rather, a continuous process where we strive to get ahead, and \nstay ahead of our adversaries.  \n        Just as we welcome the efforts of the Inspector General, the \nOffice of Security and Safety Performance Assurance, and others \nto test and evaluate our success in this regard, we welcome the \nefforts of this subcommittee as we work to manage cyber security \nrisk in a cost- effective and responsible manner.\n  \tThis concludes my testimony.  I would be pleased to respond to \nany questions you might have, either today or in the future.  \n\n        MR. WHITFIELD.  Thank you very much and we appreciate \nyour testimony.  And, of course, it\'s not the purpose of this \nsubcommittee to be critical all the time, but we do take our \noversight responsibilities seriously and the information that I think \nall of us could agree to in many ways is that there is a lot still \nlacking on cyber security at DOE, and some people say that they \nmay have one of the worst systems in the Government, but we may \nor may not agree with that.  \n        But, Mr. Pyke, I know you have only been there since \nNovember of 2005, and you and Mr. Garman referred to the \nRevitalization Plan of 2006, and I know a great emphasis has been \nplaced on that.  But in reviewing the plan, we had noticed that six \nof the corrective actions that were suggested out of many had \nalready passed their dates, and the one on cyber risk assessment \nwas supposed to have been completed on April 6th; and it\'s not \ncompleted and no new date has been set.  The DOE incident \nmanagement was scheduled to be completed in May of 2006.  It\'s \nnot completed and no new date has been set. \n        And I know that\'s easy for us to just pinpoint a few areas \nwhere you have not met your plan, but what do you have to say \nabout that, Mr. Pyke?  
I mean, these evidently were not that \ncomplicated because they were going to be completed in a couple \nof months.  And now that it\'s already gone over, and you are not \nmeeting the goal.  \n        MR. PYKE.  Mr. Chairman, as stated in my oral comments, my \nopening statement, it is essential that we continually adjust our \npriorities based on our current reassessment of risks.  We have \nadjusted and will continue to adjust or prioritize our schedule for \ncompleting the large number of products.  We made a lot of \nprogress in the incident management area that will lead to a strong \nincident management guidance document and, as I said earlier, we \nhave had to deal with increasingly sophisticated attacks and larger \nnumber of attacks over the last 3 months.  And I can assure you \nthat we have learned from handling those attacks and we have \nalready adjusted our incident management processes within the \nDepartment in a positive direction.  \n        Likewise on risk assessment we are learning in the process, the \nproducts when they are produced will be strong, and we do intend \nto continue to adjust our schedule, as is indicated, and we believe \nwe are being responsible in doing that. \n        MR. WHITFIELD.  So you are setting priorities in a different \nway than what it was originally set at?  \n        MR. PYKE.  Yes, sir. \n        MR. WHITFIELD.  Now, Mr. Brooks had mentioned in his \nopening statement that we all view any breach to be a serious \nissue, particularly when personnel information is obtained by \nunauthorized sources outside the Government.  We also understand \nthe national security issues involved.  \n        But I want to ask you, Mr. Pyke--you are the Chief Information \nOfficer--when did you first become aware that the information of \n1,500 people had been obtained by a third party?  \n        MR. PYKE.  Two days ago, sir. \n        MR. WHITFIELD.  Two days ago. \n        MR. PYKE.  
Although since I arrived at the Department and \nwas informed of the kinds of attacks that we are under on a \ncontinuing basis, and I should say we were attacked several \nhundred thousand times each day by folks from outside the \nDepartment attempting to break through our perimeter.  The \nparticular system that was involved here was protected by a \nfirewall, and was protected by intrusion detection software.  It had \nother protective software; and despite that, a very sophisticated \nattack succeeded, and we are dealing with a very difficult situation \nwhich we\'ll expand on in Executive Session. \n        MR. WHITFIELD.  What is your understanding as to when \nsomeone at DOE was first aware of this information being \nobtained?  \n        MR. PYKE.  I do not know--\n        MR. WHITFIELD.  You found out 2 days ago. \n        MR. PYKE.  And that was about the time when a determination \nwas--to my knowledge, when the first determination was placed in \nblack and white on paper that this had happened after an extensive \ninvestigation.  That\'s my understanding. \n        MR. WHITFIELD.  Mr. Brooks, when did you find out?  \n        MR. BROOKS.  Late September. \n        MR. WHITFIELD.  Now, this was--\n        MR. BROOKS.  Now, with the recognition that, as Mr. Pyke \nsays, this has been an ongoing event, but late September is when I-\n-\n        MR. WHITFIELD.  That\'s when you first found out that the \ninformation on 1,500 individuals had been obtained by an outside \nparty. \n        MR. BROOKS.  Yes, sir. \n        MR. WHITFIELD.  Did you feel like you had an obligation or \nresponsibility to report it to the Secretary or the CIO?  \n        MR. BROOKS.  The CIO builds the wall.  Once somebody gets \nover the wall, it is a counterintelligence issue or potential \ncounterintelligence issue.  Pretty much whenever I say the words \ncounterintelligence, whatever I say next is a closed session issue.  
\n        There was a problem with fragmented responsibility--and as far \nas I can tell now, I was not aware, frankly, that the Secretary and \nthe Deputy had not been informed.  And as far as I can tell, this is \none of the consequences of the split counterintelligence \norganization, which the Administration has submitted legislation to \ncorrect.  It\'s a very important question, but I\'d like to go into it \nmore in closed session because I am afraid that the specifics could \nbe in the areas we shouldn\'t talk about. \n        MR. WHITFIELD.  And, Mr. Garman, when did you become \naware the first time?  \n        MR. GARMAN.  June 7th. \n        MR. WHITFIELD.  June the 7th.\n        MR. GARMAN.  Two days ago. \n        MR. WHITFIELD.  Okay. \n        MR. BROOKS.  In fairness, I should point out to the best of my \nknowledge all of the people involved are under my responsibility \nand not his.\n        MR. WHITFIELD.  And it is my understanding that the Secretary \ndid not know about this until a couple of days ago.  Is that your \nunderstanding, or do you know?  \n        MR. BROOKS.  I think that\'s right. \n        MR. WHITFIELD.  Okay.  Who informed you about this breach, \nMr. Brooks, or is that something--\n        MR. BROOKS.  The Director of the NNSA counterintelligence \norganization. \n        MR. WHITFIELD.  Okay.  I have no other questions.  \n        Mr. Stupak.\n        MR. STUPAK.  Yes, thank you.  \n        Mr. Brooks, whose responsibility is it to inform the Secretary?  \n        MR. BROOKS.  That sounds like such an obvious, clear \nquestion, and I believe that one of the things we are learning from \nthis is the answer isn\'t as clear as it should have been.  Because we \ntreat these things as a counterintelligence issue under our current \nstructure, which we proposed legislation to fix, you can get two \nanswers to that.  It appears to me that each of the parts assumed \nthat the other person was involved.  
That\'s a preliminary \nassessment because I, just as the Secretary just learned about this \nthis week, I just learned this week that the Secretary didn\'t know.  \n        MR. STUPAK.  So who are the two people who were supposed \nto inform the Secretary?  \n        MR. BROOKS.  We have under the present system an Office of \nCounterintelligence for the Department and an Office of Defense \nNuclear Counterintelligence for the NNSA.  I am not trying to be \nunresponsive, but I am really worried that in trying to answer that \nquestion I am going to go into areas that I don\'t want to go, about \nwhere the data was and whose data it was and what we think \nhappened.  I\'d like to save that for the closed session if I may, sir.  \n        MR. STUPAK.  Don\'t you have any responsibility to tell the \nSecretary?  \n        MR. BROOKS.  I certainly wish I had, now that I know that \nnobody else did. I think that there are a number of us who in \nhindsight should have done things differently on informing.  As far \nas I can tell in terms of responding to the cyber incident, that was \nnot done well.\n        MR. STUPAK.  Who should have notified this committee?  \n        MR. BROOKS.  Um, I am not sure, sir; and part of our problem \nis I can\'t answer that question.\n        MR. STUPAK.  Will you get the answer to us?  \n        MR. BROOKS.  Yes, sir.  I will.\n        MR. STUPAK.  Why does it take the VA when they have a \nbreach, 26.5 million people\'s information has been obtained, they \nlet us know in about 3 weeks.  It\'s been at least 8 months and DOE \ndoesn\'t let us know. \n        MR. BROOKS.  I\'ll find out, sir.\n        MR. STUPAK.  You didn\'t hold anyone accountable for this. \n        MR. BROOKS.  When I figure out what was done wrong and by \nwho, if anybody, then I\'ll be able to answer that.  I am really \nreluctant to answer it in the absence of fully understanding what \nhappened.\n        MR. STUPAK.  
If you said to the Chairman you are going to \nbuild this wall, right, to protect our cyber security, right?\n        MR. BROOKS.  Yes, sir.\n        MR. STUPAK.  Don\'t you think you should have told Mr. Pyke, \nwho is your Chief Information Officer, about this?  \n        MR. BROOKS.  Mr. Pyke was not in the Department at the time \nthis incident happened.\n        MR. STUPAK.  Mr. Pyke has been there for some time.  You \nhave known since late September.  So when were you going to tell \nyour Chief Information Officer, who is supposed to know how to \nbuild that wall.  How does he build the wall if you withhold \ninformation from him?\n        MR. BROOKS.  I will let Mr. Pyke speak for himself on what he \nknows.  He is very familiar with the specifics of the--more familiar \nthan I with the specifics of the incident.\n        MR. STUPAK.  I thought he testified it was only 2 days ago \nwhen Mr. Pyke found out. \n        MR. BROOKS.  What the content of the data was, but you \nprotect the data without regard to its content, and whatever is \nsitting on a system.\n        MR. STUPAK.  If he doesn\'t know where the contact is, he \ndoesn\'t know where the hole in the wall is. \n        MR. BROOKS.  I\'ll defer to Mr. Pyke.  \n        MR. STUPAK.  Before I go there, did you tell your previous CIO \nofficer, then, that you knew since September--Mr. Pyke\'s been \nhere a couple of months--did you tell the other CIO officer?  \n        MR. BROOKS.  I did not.  It was my understanding at the time \nthat the organizations had shared that information, but I\'ll have to \nanswer that for the record, Mr. Stupak.\n        MR. STUPAK.  Okay.  Mr. Pyke. \n        MR. PYKE.  Soon after I arrived at the Department of Energy, I \nwas briefed on the current state of cyber security, including a \nnumber of very sophisticated attacks that were being made, which \nwill be the subject of discussion in closed session today.  \n        MR. STUPAK.  Were you told--\n        MR. PYKE.  
I said a few minutes ago the so-called breach was \nin the context of very sophisticated attacks that went through full \nprotective measures that were state of the art at the time, and that \nfor the most part the Government, and the private sector are state \nof the art today.  We\'re fortunate in having still additional \nprotective measures in place without which we would not know \nabout this incident.  We\'ll discuss that in closed session.  I did not \nknow until June 7th, 2 days ago, that a particular file had been \nexfiltrated or sent out during one of those attacks. \n        MR. STUPAK.  How do you protect the information in that file if \nyou don\'t know the file has been breached?  How do you know if \nyour security system--how do you know why--if your security \npatches are working if you don\'t know which file or which \nnetwork has been breached?  How do you protect that file, then?  \n        MR. PYKE.  We protect all files, in part depending on the nature \nof the system, the risk associated with it, the data and the function \nof the particular system.\n        MR. STUPAK.  Obviously it didn\'t work here. \n        MR. PYKE.  We don\'t necessarily need to know the actual \ncontent of the file to provide appropriate protection.\n        MR. STUPAK.  How do you protect what you don\'t know you \nlost?  How do you protect something after it is lost?  \n        MR. PYKE.  Sir, as a part of our cyber security program, we \napply a wide-range management and technical means in order to \nprotect the data.  \n        MR. STUPAK.  I understand all of that, but how do you protect \nsomething if you don\'t know it\'s lost?  \n        One part knew you lost it 8 months ago, you knew you lost it 2 \ndays ago.  How do you protect it if you don\'t know it is lost?  How \ndo you know your system is working properly if you don\'t know \nit\'s lost?  \n        MR. PYKE.  We\'ll discuss the details in closed session, sir.  
The \ndetermination that anything might have been lost was a long \ncomplex process.  It deals with the state of the art of cyber security \nprotection.\n        It\'s not a simple case.\n        MR. STUPAK.  It\'s not a simple case of having to know the \ninformation that was lost.  It\'s a simple case of you\'re supposed to \nhave a security system.  It was breached.  It\'s not necessarily the \ninformation which, you know--it is the fact that you were breached \nand no one tells you for 8 months; and what the information is and \nthe extent of that security, that\'s a different issue.  The issue is you \nhave the responsibility for cyber security.  Something was \nbreached, you don\'t even know about it. \n        MR. PYKE.  Mr. Stupak, it would have been very helpful for my \njob to know that that file had been breached and had gone outside.  \nHowever, one of the things I learned--in fact, one of the reasons I \ncame to the Department of Energy was to try to strengthen cyber \nsecurity because it was receiving, like many organizations, \nincreasingly sophisticated attacks which in part resulted in the loss \nof this file.\n        MR. STUPAK.  Maybe we should start with information sharing \nbetween each part of DOE.  \n        Yes, sir.  Mr. Brooks. \n        MR. BROOKS.  We can go into this in a little more detail, but I \nbelieve that we have given you a misunderstanding.  It is \nMr. Pyke\'s systems that told us about the file.  We have a better \nanswer than we have given you, although not a perfectly \nsatisfactory answer, but I really need to do this in closed session, \nsir.\n        MR. STUPAK.  Okay. \n        MR. WHITFIELD.  Mr. Burgess.  \n        MR. BURGESS.  Thank you, Mr. Chairman.  I think we are \nprobably all anxious to get to closed session now, so I\'ll be pretty \nbrief.  I wanted to ask a few more questions about the issues that \ncame up to the previous panel on sequestration on the encryption.  

        Neither member of the other panel really could address what
the cost would be for going to a fully sequestered and encrypted
system.  Does anyone on this panel have a concept of the cost
involved, the budgetary requirement to go to a system that employs
full encryption sequestration?
        MR. PYKE.  Mr. Burgess, segmentation of networks and
sequestering data, if you like, as well as encryption are two
techniques that are already being applied within the Department in
protecting data as a part of the total package of cyber security
projections.  As you heard earlier, we make extensive use of
encryption software appropriate for protecting information, and we
do plan to expand that use.  The issue here is not one of resources.
In fact, in terms of resources, although we can always use more in
cyber security, it's a question of applying the resources in a
prioritized way and smart way.  We are expanding our use of
encryption.  We've already used some of it in terms of
segmentation.  We have taken significant steps to segment our
networks in the last several months, and we are continuing to do
even more of that.
        MR. BURGESS.  Are you satisfied that you are doing all you can
to rapidly deploy encryption throughout your Department?
        MR. PYKE.  I am never satisfied, sir.  We always are working,
attempting to work faster and to get more protections in place as
quickly as we can.
        MR. BURGESS.  Mr. Chairman, I think in the interest of going
into closed session, I am going to yield back.  I have some other
questions.
        MR. WHITFIELD.  Ms. DeGette from Colorado.
        MS. DEGETTE.  I'll be brief as well.  I want to ask, Ambassador
Brooks, you said you knew about this breach 8 months ago,
correct?
        MR. BROOKS.  Yes, ma'am.
        MS. DEGETTE.
Did you inform the 1,500 people who were
targets of this breach that their data had been breached, their
information had been breached?
        MR. BROOKS.  This is going to sound like a strange answer.  I'd
like to answer that in closed session.  The answer is no.  I'd like to
answer why in closed session.
        MS. DEGETTE.  I was going to say I don't think that's classified
whether you informed them or not.  And so you'll talk about why
in the closed session.
        Do you have concerns about the safety of those individuals?
        MR. BROOKS.  No, ma'am.
        MS. DEGETTE.  And I suppose you'll tell me about that in closed
session, too.
        MR. BROOKS.  Yes, ma'am.  I will.
        MS. DEGETTE.  I am going to wait until closed session.
        MR. WHITFIELD.  Mr. Inslee?  No.
        Mr. Walden is recognized.
        MR. WALDEN.  Thank you, Mr. Chairman.
        Mr. Pyke, we've learned in testimony from the Inspector
General's Office that as many as 50 percent of the cyber security
incidents at DOE were not reported to law enforcement officials,
which is a requirement.  What's been done to ensure that all
reportable cyber security incidents at DOE are reported to the
authorities?
        MR. PYKE.  Mr. Walden, we have policies and procedures in
place that require reporting of incidents and we have criteria that
we apply, that are supposed to be applied, throughout the
Department for determining which would be reported within the
Department as well as to outside law enforcement as necessary.
Whenever anything happens like that, when we become aware of it
as part of our compliance monitoring of our policies, we take
action in order to shore it up.  I've been pleased with the amount of
incident reporting that I'm aware of, for example, in this fiscal year
it--we have seldom learned of incidents after the fact that should
have been reported.
        MR. WALDEN.
So what you're saying is what the Inspector
General reported to us is no longer the case.
        MR. PYKE.  What I am saying is the trend is in the right
direction, and I believe the people are being more diligent in
reporting of incidents.
        MR. WALDEN.  So the Inspector General indicated 50 percent
of the cyber security incidents were not reported to law
enforcement.  What would you say that percentage is today, then?
        MR. PYKE.  Sir, I have no idea.  I am aware of only a very
small number of cyber security incidents that we've learned about
significantly after the fact, beyond the reporting requirements, and
that have been entered in and reported at that time.  It is hard to
tell--it is hard to know what you don't know.  And I am afraid--and
I agree with the Inspector General that folks may have a tendency
to try not to report things because they think there might be a
stigma associated with reporting incidents.  In a number of cases
these incidents occurred despite all the proper protections being
provided.  I do not know how many incidents are not being
reported.
        MR. WALDEN.  It could be the 50 percent the inspector
references.
        MR. PYKE.  I believe based on the data I do have of what we've
learned after the fact of incidents that should have been reported, I
have seen a relatively small number of such incidents.
        MR. WALDEN.  The data on these individuals, 1,500 individuals
who work for the Department of Energy, that was taken, can you
describe for us the content of those data?  Social Security numbers;
were they personnel files, personal addresses?
        MR. BROOKS.  They did not have personal addresses.  May I
consult with somebody for a moment?
        MR. WALDEN.  Certainly.
        MR. BROOKS.
Name, Social Security number, a code which
indicates who they worked for, a second code which indicates if
they were a subcontractor, the majority of these are contractor
employees; a code which either had the letter L or Q, the level of
clearance, those are the two DOE clearances; and a column called
status, which in every case said "continue."  What this appears to
have been was the list of routine people being processed for update
of clearance.
        There was no home information, there was no personnel
file-type information, there was no health information.  There was
nothing that would, from the paper, let you know where these
people lived or worked.  Although the particular code that is not
particularly sensitive, it's just a way you put that in smaller boxes.
        MR. WALDEN.  With other search engines--
        MR. BROOKS.  That's the information.
        MS. DEGETTE.  Will the gentleman yield?
        Ambassador Brooks, if somebody got that information from
your file; your name, your Social Security number, your security
clearance, everything else, and Mr. Walden is right, you can just
go on other search engines, but even if you didn't, wouldn't you be
a little concerned if nobody told you that for 8 months?
        MR. BROOKS.  Of course I would.
        MS. DEGETTE.  Thank you.
        MR. WALDEN.  Reclaiming my time.
        What is the protocol for your agency where you have a breach
of personnel records?  Are you required to notify the individuals
within a certain period of time, or do you have any rules or
regulations?
        MR. BROOKS.  We have no formal rules.  This is an issue of
good management and our obligation to people.  It's not an issue
of regulation, as far as I can tell.  I want to be very clear.  There is
a reason we have waited and I will talk about that more in closed
session.
I don't want to suggest, and I apologize to your colleague
if I may have suggested, that I don't think this is important.  We
had a reason for doing what we have done.
        MR. WALDEN.  We look forward to hearing that, obviously, in
the closed session.
        I guess the other part of this though, does anybody get in
contact with, for example, the credit agencies to make sure that
these people's data, that somehow they aren't becoming victim of
some sort of ID theft?
        MR. BROOKS.  The practice of the Federal government has
been to notify individuals and provide them a mechanism for
verifying that on their own.  Individuals have certain legal rights,
and the Department will follow the standard practice.
        MR. WALDEN.  I suppose, Mr. Garman, you are the Deputy
Secretary, correct?
        MR. GARMAN.  No, sir.  I am the Under Secretary for Energy
and Environment.
        MR. WALDEN.  So do you have jurisdiction over the personnel
side of this?  Does anybody have jurisdiction over this issue?
        MR. BROOKS.  I think to the extent that anybody does, I do,
although there are legal implications.
        MR. WALDEN.  I spent some time with the Secretary of Veteran
Affairs listening to him describe what his agency went through,
and how he responded to protect the veterans, and the meeting with
the security agencies, or, excuse me, the credit rating bureaus.  His
first goal, he told me, was to protect the veterans and their records.
        MR. BROOKS.  My understanding is that was somewhat more
extensive data.
        MR. WALDEN.  Of course it was.  In the millions, we know
that.
        MR. BROOKS.  I mean, on each individual.
        MR. WALDEN.  I see what you're saying.  But when it comes to
in terms of identity theft, my name and my Social Security number
gets somebody probably a cup of coffee or two and can really mess
up my credit.

        Given your cyber ability, do you have any knowledge that
anybody has manipulated this data, or do you track that?
        MR. BROOKS.  To the best of my knowledge.  I'd rather not go
beyond what I'm about to say in open session.  To the best of my
knowledge, we have absolutely no evidence that anybody has done
anything with this.  I have a little bit of a basis for that statement,
not a huge basis.  I will talk more in closed session.
        MR. WALDEN.  Mr. Pyke, it's my understanding that many of
the successful computer intrusions at DOE could have been
avoided if they applied available network security patches and use
of effective passwords.  However, the failure to apply security
patches and the use of common passwords continues to be a
problem at the Department of Energy.
        I understand 2 months ago several employees at DOE were
targeted with an e-mail that successfully infected their computers
with the Trojan Horse program that would have been prevented if
DOE had provided current security patches.  Can you tell us how
you'll ensure that security patches and effective passwords will be
implemented?
        MR. PYKE.  Mr. Walden, we are working to improve the way
software patches are tested first and then distributed and applied to
all systems, as I mention in my statement, and we learn from each
incident, each experience that we have.  Fortunately, the software
patch protection is, again, one way of protecting systems, and in
that particular case we were able to protect the systems and the
data using other cyber security techniques that were applied at that
time.
        MR. WALDEN.  In the Department of Interior a Federal judge
has interceded because of the lack of security in some of their data
files and has from time to time literally shut down the entire e-mail
and network system for the Department of Interior.
It seems to me
the Department of Interior has far less critical data to the country's
security perhaps in some areas than your agency.
        MR. PYKE.  Sir, you are right on target.  System security
configuration and system software patch management are key parts
of cyber security.
        MR. WALDEN.  So you can understand our concern, and we
share yours, and hopefully together we can get this cleaned up.
        MR. WHITFIELD.  Thank you, Mr. Walden.
        Mr. Inslee.
        MR. INSLEE.  No questions.
        MR. WHITFIELD.  Mr. Barton.
        CHAIRMAN BARTON.  Thank you, Mr. Chairman.  I apologize
for having to leave.  I had to go give a presentation at a conference,
so I missed some of it.  Some of what I say or ask I am sure is
going to be redundant, but it probably won't hurt to have it said
again.
        Mr. Pyke, what are your duties as Chief Information Officer at
the Department of Energy?
        MR. PYKE.  Mr. Chairman, I am responsible for the
management of information technology throughout the
Department, including ensuring that good management practices
are provided, that standards are applied in the appropriate way, that
capital investment decisions relative to information technology are
being made in a systematic way, and using all necessary
information.
        I am responsible for operations of headquarters systems, and
increasingly we are putting into place standardized systems with
strong cyber security for everyone associated with headquarters,
and, very importantly, I am responsible for cyber security for the
Department.
        CHAIRMAN BARTON.  So even though it says information, you
are not responsible for disseminating information, you are
responsible for basically coordinating and protecting the
information from falling into the wrong hands; that includes cyber
security.
        MR. PYKE.  Yes, sir.
        CHAIRMAN BARTON.
What is the interrelationship with your
position and the National Nuclear Security Administration and Mr.
Brooks?  Do you all have a co-equal, or is he in his own little
sphere?  How does that work?
        MR. PYKE.  If I may address that relative to cyber security.  As
a part of the revitalization effort I have led over this last 6 months,
we have established a structure, working together with the under
secretaries and with me, in which our office establishes top-level
policy.  We issue guidance, and we work with the under secretaries
as they apply that policy and guidance in a way appropriate to each
of the parts of the organization that they are responsible for.
        They adapt it, they apply it.  They are responsible to take into
account the risk associated with each of their organizations in
determining how best to apply the top-level guidance.
        CHAIRMAN BARTON.  In your conduct of your office, if you
found something askance in Mr. Brooks' administration, can you
tell him he has to do something?  You can inform, advise, but I
don't believe --
        MR. PYKE.  We are partners, for example, in the area of cyber
security.  We each have a part of the role to carry out, and I can
certainly advise him if I learn of something.
        CHAIRMAN BARTON.  The short answer is no.  You can't make
him do anything.
        MR. PYKE.  No, sir.
        CHAIRMAN BARTON.  Mr. Brooks, how long have you been the
Administrator in NNSA?
        MR. BROOKS.  Since 2003.  I was acting as Administrator for
several months before that.
        CHAIRMAN BARTON.  Now, my understanding is as
Administrator, you are the number one manager at that agency; is
that correct?
        MR. BROOKS.  Yes, sir.
        CHAIRMAN BARTON.  And you're supposed to know everything
that's going on; is that correct?
        MR. BROOKS.  Conceptually, yes, sir.
        CHAIRMAN BARTON.  Conceptually.
Who do you report to, if
anybody?
        MR. BROOKS.  I report through the Deputy Secretary to the
Secretary.
        CHAIRMAN BARTON.  Report through the Deputy Secretary to
the Secretary.
        MR. BROOKS.  Yes, sir.
        CHAIRMAN BARTON.  How often do you meet with either or
both of those gentlemen?
        MR. BROOKS.  Daily, every other day.  It varies.  The average
is probably once or twice a day.  Some days much more, some
days not.
        CHAIRMAN BARTON.  When you are having these daily or
every-other-day meetings, is there a formal agenda, kind of a
routine agenda, and then special events?  Is it informal, whatever
you want to talk about or they want to talk about?
        MR. BROOKS.  Normally it's informal.  Normally it's on a
particular topic that one or the other of us wants to talk about.  We
also collectively, the leadership of the Department, meet with the
Secretary every Monday morning, and that is a go-around-the-
table.  We also have another weekly meeting once again involving
the leadership of the Department with the Deputy Secretary that
does have a structured agenda.
        CHAIRMAN BARTON.  Now, are there any classifications of
information that you have access to that they don't?  Are they
cleared to know any and everything that you know?
        MR. BROOKS.  Yes.  I am trying to think through some of the
intelligence compartments.  Yes, there is nothing that I am cleared
to know that they are not cleared to know.
        CHAIRMAN BARTON.  Now, it is public knowledge, at least in
this hearing room, unfortunately outside the hearing room, that
back in September we know from the testimony of the prior
witnesses that Mr. Podonsky and his group conducted a red team
exercise that penetrated some of the security protections at the
Department of Energy, and you were made aware of that at that
time; is that not correct?
        MR. BROOKS.  That's correct.

        CHAIRMAN BARTON.  Now, we also know that subsequent to
that there was a real penetration of your administration.
        MR. BROOKS.  That's correct.
        CHAIRMAN BARTON.  And you were informed of that in
September.
        MR. BROOKS.  That's correct.
        CHAIRMAN BARTON.  And you meet with the Secretary or the
Deputy Secretary almost every day, and yet apparently you didn't
tell them about that.
        MR. BROOKS.  That's correct.
        CHAIRMAN BARTON.  Now, for probably the third or fourth
time, why not?
        MR. BROOKS.  I'm choosing my words carefully, and we can
expand on this in the closed session.  The Department has treated
these intrusions once they happen as counterintelligence issues.
The Department has a fragmented counterintelligence organization
which it has submitted legislation to correct.  It appears that each
side of that organization assumed that the other side had made the
appropriate notification to the Deputy Secretary.
        CHAIRMAN BARTON.  That's hogwash.  You report directly--
        MR. BROOKS.  Correct.
        CHAIRMAN BARTON. --to the Secretary.  You meet with him or
the Deputy every day.  You are the number one manager in the
Department for these issues.  You had a major breach of your own
security in your own--I mean, I don't know how much we are
supposed to say in public about this, and yet you didn't inform the
Secretary.  To say that somebody else is responsible begs the
intelligence of this committee.
        I mean, I don't know what to say other than it will be my
strong recommendation after I have had a consultation with the
Ranking Member Mr. Dingell that you be removed from your
office as expeditiously as possible.  And I mean like 5:00 o'clock
this afternoon if it's possible.

        I don't see how you could meet with the Secretary every day
for the last 7 or 8 months and not inform him of a serious, serious
breach of security.
        I'm going to ask you another question.  Do you think the
President of the United States knows?  How would he know if you
haven't told the Secretary?
        MR. BROOKS.  The Secretary was aware of the incident, but not
of the specific content.
        CHAIRMAN BARTON.  The Secretary told me personally,
personally, that he didn't know about this until 2 or 3 days ago.
        MR. BROOKS.  That's my understanding as well.
        CHAIRMAN BARTON.  We're going to go into closed session.  I
don't know how we can function in a democracy if those
responsible as appointed by the President of the United States
don't do their duty to report what's under their responsibility to the
Presidential appointees that they are supposed to report to.  I don't
know how we function.
        If I were you, sir, I would strongly consider your resignation
being tendered to the President and Secretary of Energy today.
Again, I haven't spoken yet directly with Mr. Dingell, so my
official act, I am not sure what official--I am not going to do
anything that he and I are not together on, but I think it's
unconscionable that we have been operating since September with
a security problem of this magnitude, and those responsible for
protecting the integrity of the United States of America at the
highest level haven't been notified, because if your explanation is
to be believed, there was some sort of a mixup, and you weren't
sure who was supposed to do it.
        You should have at least notified the Secretary that somebody--
what you knew, and then you should have worked to clear up any
bureaucratic problems with these other officials.
        MR. BROOKS.  Yes, sir, I obviously should have done that.
I
thought he had been notified because of this confusion I referred
to, and obviously I was wrong.  I should have made sure he knew it
himself as we gained the information which came to us over time.
        CHAIRMAN BARTON.  Mr. Garman, you are the Under
Secretary.  Do you have any direct report on this, or are you out of
the chain of command on this one?
        MR. GARMAN.  I am out of the chain on this incident, and I
would offer this--
        CHAIRMAN BARTON.  When did you find out about it?
        MR. GARMAN.  Two days ago.  But having said that, let me add
that I knew and the Secretary knew and a lot of people in this room
knew that the Department faces the same endemic problem that
every agency in the Government faces, and that is we are under
attack in the cyber world on a daily basis, and that these attacks--
        CHAIRMAN BARTON.  Do you think the way to prevent future
attacks is for somebody like Mr. Brooks to not inform the
appropriate Presidentially appointed officials in the Department of
Energy when an attack has been successful?
        MR. GARMAN.  I am not going to get drawn into that,
Mr. Chairman.
        CHAIRMAN BARTON.  Your position is stick your head in the
sand, don't worry about it.  That's what you just said.
        MR. GARMAN.  No, sir.  Let me be clear about this.  I think one
of the other elements that has not been vetted in this hearing is the
change that is underway at the Department.  By your line of
questioning of Mr. Pyke, and I don't want anybody to leave this
room with the impression, or the public, in the public session of
this hearing, that the responsibility for cyber security rests on Mr.
Pyke's shoulders alone.  What we are doing is transitioning and
making it crystal clear to every program manager, every office
director and every under secretary that they are responsible.  It is a
line management responsibility for cyber security.

        I would argue from my vantage point that this has not always
been clear inside the Department of Energy, and that when I was a
lower-level--
        CHAIRMAN BARTON.  But is the answer to not report when
there is a breach?  If something were to happen within your
purview at the Department of Energy, you have jurisdiction or
management responsibility for the National Laboratories, or some
of them, if there were a security breach of this magnitude at
Hanford, would you not report it to the Secretary of Energy if you
knew?
        MR. GARMAN.  Sir, there is still, and let me--there is much I do
not know about this incident.
        CHAIRMAN BARTON.  I'm not asking what you know right now,
I'm asking just fundamental.  If I am responsible for this
committee, for the management of this committee as Chairman,
and I know that something bad happens, one of my staffers
embezzles money, somebody does something that's illegal, I do
something about it and report it to the Speaker.  I don't just stick
my head in the sand.
        MR. GARMAN.  No, sir.  That's not what I am suggesting.
        CHAIRMAN BARTON.  I am appalled that nobody seems too
concerned about this but the Members of Congress.  I mean, it's
just another day at the office, I guess; luckily only 1,500 were
stolen.
        Mr. Chairman, we're going to be in Executive Session here
quickly, I assume.
        MR. WHITFIELD.  Yes, sir, Mr. Chairman.  As soon as you
finish your line of questioning.
        CHAIRMAN BARTON.  I just want to reinforce, Mr. Brooks, I am
going to recommend, subject to Mr. Dingell, that you be removed.
I think you would do the country a service if you resigned before
you have to be removed.  You have no credibility with me; none.
With that, I yield back.
        MR. WHITFIELD.
The Chair would move at this time pursuant
to clause 2(g) of rule 11 of the rules of the House the remainder of
this hearing will be conducted in Executive Session to protect the
information that might endanger national security.
        Is there any discussion on the motion?  If there is no
discussion, pursuant to the rule, a recorded vote is ordered.  Those
who favor, say aye.
        Those opposed, nay.
        Ayes appear to have it.  The ayes have it, and the motion is
agreed to.
        We will reconvene in just a few minutes in Room 2218, and
that portion of our hearing will be closed to the public and open
only to our witnesses, the Members and staff to such Members,
and witnesses who have appropriate clearances.
        The subcommittee will recess.
        [Whereupon, at 1:06 p.m., the committee proceeded in closed
session.]



RESPONSE FOR THE RECORD OF THOMAS N. PYKE, JR., CHIEF
INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY

QUESTIONS FROM REPRESENTATIVE BLACKBURN
SUBMITTED TO MR. PYKE

Q1.	Has your office examined security systems that other
countries use to protect critical information systems?  If
yes, how could we apply these systems to our networks?

A1.	The Department of Energy relies on cyber security
guidance issued by the National Institute of Science and
Technology, which we are informed, includes the results of
international collaboration by NIST through which best
practices internationally are factored into NIST's guidance,
which, in turn is applied to protect DOE systems and data.


Q2.	In the hearings on the DATA bill, I discussed the
practicality of the PGP program that was very effective,
efficient, and freely distributed during the 1990s.
Can this
program or a similar one be used for password protection
with DOE's systems?

A2.	DOE uses several encryption techniques to protect
passwords stored within DOE IT systems, consistent with
NIST guidance.  DOE also uses commercial encryption
software to encrypt some emails and their attachments and,
increasingly, to encrypt some files stored on laptop and
other computers.  DOE uses Pretty Good Privacy (PGP) as
well to ensure the integrity of some information when it is
stored or transmitted.


Q3.	Although DOE has not inventoried all their information
systems, can you give this committee an approximate
number of types of existing systems?

A3.	The Department's Program Offices report having a total of
827 information systems, of which 403 systems are
classified systems.


Q4.	Does any DOE facility have their computer system
installed with EMP protection?

A4.	The Department has no computer systems installed with
EMP protection at this time.


RESPONSE FOR THE RECORD OF GLENN S. PODONSKY, DIRECTOR,
OFFICE OF SECURITY AND SAFETY PERFORMANCE ASSESSMENT,
U.S. DEPARTMENT OF ENERGY

QUESTIONS FROM REPRESENTATIVE BLACKBURN
SUBMITTED TO MR. PODONSKY

Q1.	How often do the different departments within DOE
talk/work together on Cyber Security?

A1.	The Office of Security and Safety Performance Assurance
(SSA) provides comprehensive information and analysis
regarding the effectiveness, vulnerabilities, and trends of
DOE cyber security programs, primarily through its Office
of Cyber Security Evaluations, within the Office of
Independent Oversight.  In so doing, SSA regularly works
with the other programs within DOE on cyber security
issues on a near continuous basis.
In addition to
participating in the Cyber Security Working Group
(CSWG) at both the principals and guidance levels, the
Office of Cyber Security Evaluations has daily contact with
key OCIO cyber security staff members to support a
number of initiatives, ranging from reviewing proposed
policy and guidance to participating in reviews of technical
proposals.  In some instances, where SSA has unique
technical capabilities, the OCIO has requested assistance in
evaluating the effectiveness of network management tools
associated with such matters as patch management,
automated log reviews, and host based intrusion prevention
systems. In these cases SSA has been able to support the
OCIO without compromising its independent oversight
role.  With respect to the other program offices, the Office
of Cyber Security Evaluations has routine contact with
cyber security staff personnel due to the nature of planning,
conducting, and reporting announced and unannounced
inspections, Site Assistance Visits (SAVs), and other
special reviews. Numerous other less formal contacts occur
weekly with respect to requests for information, sharing of
ideas and passing on of lessons learned.  In carrying out its
inspection role, SSA personnel also have routine contact
with a wide variety of field personnel which enables
sharing of important information.

The DOE CIO frequently meets with the Secretary and the
Deputy Secretary and other senior management to discuss
the Department's cyber security program and steps being
taken to maintain a sound defense-in-depth risk managed
posture for protecting the Department's information and
computing systems.  The CIO chairs the Cyber Security
Executive Steering Committee, the members of which
include the Under Secretaries and the Director of SSA.

The CIO also has regular meetings with the Directors of the
Office of Intelligence and SSA.

The cyber security staff in the DOE OCIO has routine and
frequent interactions with the cyber security staff of each of
the Under Secretary organizations, the Power Marketing
Administrations, the Energy Information Administration,
and elements of the Office of Intelligence.  The OCIO
cyber security staff also has routine interactions with
representatives of the DOE laboratories and production
facilities through the Cyber Security Working Group
(CSWG).


Q2.	How long will it be before the revitalization process is
finished? How much will it cost to finish it?

A2.	The DOE CIO reports that the implementation of the
Department's Cyber Security Revitalization Plan is well
underway, and much will be accomplished in FY 2006.
Most of the longer term actions will have been substantially
achieved by the end of FY 2007, although improving
DOE's cyber security posture is a long term, continuing
effort.  The Department is covering the cost of
revitalization through the current cyber security activities
and funding embedded within each IT investment
department-wide.  These costs are estimated to be $295
million in FY 2007 as documented in the BY 2007 DOE
Exhibit 53 IT Portfolio report.


Q3.	How long did it take to do the Cyber Security Project Team
Summary Report? How much of this report has been put
into action? What is your timeline to address the concerns
in the report?

A3.	SSA was directed by the Deputy Secretary of Energy to
lead a team to develop a plan of action to remedy existing
unclassified cyber security problems throughout DOE on
October 5, 2005.
The Cyber Security Project Team (CSPT) \nwas then formed with members drawn from SSA, the \nOffice of the Chief Information Officer (OCIO), the \nNational Nuclear Security Administration (NNSA), and the \nOffice of the Undersecretary for Energy, Science, and \nEnvironment (ESE).  The CSPT delivered the Summary \nreport on November 7, 2005. On November 25, 2005, the \nDeputy Secretary of Energy issued a memorandum \nconcurring with the recommendations and directing the \ndevelopment of implementation plans to address them.\n\nThe recommendations identified in the CSPT have been \nintegrated into the Cyber Security Revitalization Plan, \napproved by the Deputy Secretary on March 6, 2006.  The \nrecommendations are being addressed in the guidance \nbeing issued as part of the revitalization effort and in the \ncyber security architecture and strategic plans being \ndeveloped by the department-wide team participating in the \ndevelopment and deployment of the revitalization plan.  \nThe initial revitalization plan forecast completion of the \npolicy, guidance, architecture elements within 12 months.  \nHowever, the Department is working to accelerate this \ndevelopment and deployment.  Many of the DOE sites have \nadopted many of the recommendations as best practices and \nhave begun implementing them in a manner consistent with \nthe revitalization plan. \n\n\n\nRESPONSE FOR THE RECORD OF HON. GREGORY FRIEDMAN, \nINSPECTOR GENERAL, U.S. DEPARTMENT OF ENERGY\n\nRESPONSE FROM THE DEPARTMENT OF ENERGY \nINSPECTOR GENERAL TO CONGRESSWOMAN \nMARSHA BLACKBURN\n\nQuestion: You said that GAO was looking at the Oak Ridge Y-\n12 plant. 
Can you provide me an update on the evaluation of \nits safety systems to my office?\n\nAfter speaking with Rodney Bacigalupo, a member of your staff, it \nwas clarified that you were seeking an update on the Office of \nInspector General\'s (OIG) 2006 Federal Information Systems \nManagement Act evaluation, which includes a review of the Y-12 \nfacility. The OIG\'s review is ongoing and we expect to complete \nour work in mid-September 2006. Following its completion, we \nwill furnish you with a copy of our report and, if desired, can brief \nyou or your staff on the results of our work at Y-12.\n\x1a\n</pre></body></html>\n'
