[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
A REVIEW OF CONTINUING SECURITY CONCERNS AT DOE'S NATIONAL LABORATORIES
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS
OF THE
COMMITTEE ON ENERGY AND COMMERCE
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 25, 2008
__________
Serial No. 110-152
Printed for the use of the Committee on Energy and Commerce
energycommerce.house.gov
U.S. GOVERNMENT PRINTING OFFICE
63-238 WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON ENERGY AND COMMERCE
JOHN D. DINGELL, Michigan, Chairman
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
BART GORDON, Tennessee
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
GENE GREEN, Texas
DIANA DeGETTE, Colorado, Vice Chair
LOIS CAPPS, California
MIKE DOYLE, Pennsylvania
JANE HARMAN, California
TOM ALLEN, Maine
JAN SCHAKOWSKY, Illinois
HILDA L. SOLIS, California
CHARLES A. GONZALEZ, Texas
JAY INSLEE, Washington
TAMMY BALDWIN, Wisconsin
MIKE ROSS, Arkansas
DARLENE HOOLEY, Oregon
ANTHONY D. WEINER, New York
JIM MATHESON, Utah
G.K. BUTTERFIELD, North Carolina
CHARLIE MELANCON, Louisiana
JOHN BARROW, Georgia
BARON P. HILL, Indiana
DORIS O. MATSUI, California

JOE BARTON, Texas, Ranking Member
RALPH M. HALL, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
NATHAN DEAL, Georgia
ED WHITFIELD, Kentucky
BARBARA CUBIN, Wyoming
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN SHADEGG, Arizona
CHARLES W. ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
STEVE BUYER, Indiana
GEORGE RADANOVICH, California
JOSEPH R. PITTS, Pennsylvania
MARY BONO MACK, California
GREG WALDEN, Oregon
LEE TERRY, Nebraska
MIKE FERGUSON, New Jersey
MIKE ROGERS, Michigan
SUE WILKINS MYRICK, North Carolina
JOHN SULLIVAN, Oklahoma
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
_________________________________________________________________
Professional Staff
Dennis B. Fitzgibbons, Chief of Staff
Gregg A. Rothschild, Chief Counsel
Sharon E. Davis, Chief Clerk
David L. Cavicke, Minority Staff Director
_________________________________________________________________
Subcommittee on Oversight and Investigations
BART STUPAK, Michigan, Chairman

DIANA DeGETTE, Colorado
CHARLIE MELANCON, Louisiana, Vice Chairman
HENRY A. WAXMAN, California
GENE GREEN, Texas
MIKE DOYLE, Pennsylvania
JAN SCHAKOWSKY, Illinois
JAY INSLEE, Washington
JOHN D. DINGELL, Michigan (ex officio)

JOHN SHIMKUS, Illinois, Ranking Member
ED WHITFIELD, Kentucky
GREG WALDEN, Oregon
TIM MURPHY, Pennsylvania
MICHAEL C. BURGESS, Texas
MARSHA BLACKBURN, Tennessee
JOE BARTON, Texas (ex officio)
C O N T E N T S
----------
Hon. Bart Stupak, a Representative in Congress from the State of Michigan, opening statement
Hon. John Shimkus, a Representative in Congress from the State of Illinois, opening statement
Hon. Gene Green, a Representative in Congress from the State of Texas, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the State of Tennessee, opening statement
Hon. John D. Dingell, a Representative in Congress from the State of Michigan, opening statement
    Prepared statement
Hon. Michael C. Burgess, a Representative in Congress from the State of Texas, opening statement

Witnesses

Gregory H. Friedman, Inspector General, U.S. Department of Energy
    Prepared statement
Glenn S. Podonsky, Chief Health, Safety, and Security Officer, U.S. Department of Energy
    Prepared statement
Gregory C. Wilshusen, Director, Information Security Issues; Accompanied by Allison Bowden, Senior Auditor, Government Accountability Office
    Prepared statement
Bradley A. Peterson, Chief and Associate Director, Defense Nuclear Security, National Security Administration
    Prepared statement
Thomas N. Pyke, Jr., Chief Information Officer, U.S. Department of Energy
    Prepared statement
Linda R. Wilbanks, Ph.D., Chief Information Officer, National Nuclear Security Administration, U.S. Department of Energy
    Prepared statement
Stanley J. Borgia, Deputy Director for Counterintelligence, Office of Intelligence and Counterintelligence, U.S. Department of Energy
    Prepared statement
Michael R. Anastasio, Ph.D., Director, Los Alamos National Laboratory
    Prepared statement
George H. Miller, Ph.D., Director, Lawrence Livermore National Lab
    Prepared statement
Thomas O. Hunter, Ph.D., President and Laboratories Director, Sandia National Laboratory
    Prepared statement

Submitted Material

Letter of September 1, 2008, from Terry D. Turchie to Mr. Dingell
Letter of September 28, 2007, from Thomas P. D'Agostino to Mr. Turchie
Article, ``Scientist accused of selling rocket data to China,'' The Associated Press
Chart entitled ``Total DOE Foreign National Assignees,''``Scientist accused of selling rocket data to China,'' The Associated Press
CRS Report, July 28, 2008
A REVIEW OF CONTINUING SECURITY CONCERNS AT DOE'S NATIONAL LABORATORIES
----------
THURSDAY, SEPTEMBER 25, 2008
House of Representatives,
Subcommittee on Oversight and Investigations,
Committee on Energy and Commerce,
Washington, D.C.
The subcommittee met, pursuant to call, at 10:09 a.m., in
room 2123, Rayburn House Office Building, Hon. Bart Stupak
(chairman of the subcommittee) presiding.
Present: Representatives Stupak, Green, Inslee, DeGette,
Dingell (ex officio), Shimkus, Burgess, and Blackburn.
Staff Present: Scott Schloegel, John Sopko, Chris Knauer,
Steve Futrowsky, Joanne Royce, Kyle Chapman, Alan Slobodin,
Peter Spencer, and Whitney Drew.
OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Stupak. This meeting will come to order. Today we have
a hearing entitled, ``A Review of Continuing Security Concerns
at Department of Energy's National Labs.'' We'll start with
opening statements. I'll begin.
Today we'll hear from several independent sources about
security problems that continue to plague the Department of
Energy's nuclear weapons labs. We'll also hear from DOE
officials responsible for the operations of the labs and then
we'll hear from the lab directors who will tell us what they're
doing to address the shortcomings.
The Department of Energy's nuclear weapons labs are home to
some of the country's most sensitive secrets and the country's
most dangerous nuclear materials. These labs--Sandia, Los
Alamos, and Lawrence Livermore--employ the world's most
brilliant scientific minds, but they've also been home to some
very serious security breaches.
Los Alamos has historically been our most challenged of the
three labs. This is the 14th hearing our subcommittee has held
into security problems at Los Alamos over the past 8 years.
We've also requested numerous Government Accountability Office
investigations, which have resulted in countless
recommendations for improvements at Los Alamos. Thankfully, the
LANL has implemented several changes that appear to be
improving the physical security posture. Our staff was
encouraged by many of the changes they saw at the lab with
regard to physical security, and these views appear to be
echoed by the GAO and the Office of Independent Oversight
Reports. We remain optimistic, but guarded, that Los Alamos
will continue to improve.
Unfortunately, at the same time that physical security at
Los Alamos was improving, Lawrence Livermore National Lab was
actually regressing. Earlier this year the Department of
Energy's Office of Independent Oversight conducted a force-on-
force exercise at Lawrence Livermore which, according to GAO
testimony, resulted in the lab receiving, and I quote, ``the
lowest possible ratings for protective force performance and
for physical protection of classified resources,'' end of
quote. While we are told by lab officials that they have made
numerous changes to their security force and procedures to
correct the problems, we expect to learn exactly why or what
led to the failures and what corrective measures have been put
in place to ensure that they will not occur again.
Physical security is just one component to keeping our
nuclear secrets safe. The most recent vulnerability is that a
host of unauthorized sources are trying to exploit our lab's
cyber networks. The Department of Energy's cyber networks are
attacked millions of times each month by individuals ranging
from a high school kid looking for a challenge, to the most
sophisticated adversaries who are seeking very specific
information.
Today, we will hear concerns about the Department of
Energy's cyber security posture from three government entities.
First, the Government Accountability Office will discuss
their report detailing shortcomings of the unclassified
computer network at Los Alamos National Lab. Moreover, they
will document how highly sensitive--but unclassified--
information on the Department's network may possibly be pieced
together and could become classified information which would be
``a valuable target for foreign governments, terrorists and
industrial spies.''
Second, DOE's Office of Independent Oversight will tell us
about how a small team of their cyber attack experts, known as
a ``Red Team,'' were able to hack into and gain full
administrative control over two of the Department of Energy's
science lab computer systems. This same team was also able to
gain a foothold into part of the weapons labs computer systems.
Third, we will hear from the DOE's Inspector General, who
will discuss their recent report outlining the vulnerabilities
in the Department's unclassified cyber security program and its
need to improve management and controls. They will document
that ``since the end of fiscal year 2007, the Department has
experienced a 45 percent increase in reported cyber security
incidents.'' In addition, we will hear from the DOE's Associate
Director of Counterintelligence that DOE networks have picked
up an increased tempo of potential adversarial activity, and in
some cases, sensors have documented ``well over 400 million
such indicators of hostile activity every month.''
Make no mistake about it, cyber security at our Nation's
energy labs should be of paramount concern to Congress and the
American public. The sophistication of our adversaries when it
comes to cyber attack is significant. But if the Department of
Energy, and all the Federal Government for that matter, does
not heed the warning set forth by these independent reports, we
will put our Nation further at risk. Much is being done to
protect our sensitive information but much more needs to be
done.
We began this Congress by holding a hearing into the
security concerns at Los Alamos National Lab. We're ending this
Congress with yet another hearing into security concerns at the
Department of Energy's labs.
All too often we find that security improves at the DOE
while Congress, the GAO and the inspector general or the Office
of Independent Oversight is shining a light on them. However,
far too often labs slip back into their own ways and have yet
another security relapse.
The Department can be sure that as long as I am chairman of
this subcommittee there will be a constant light shining on
them to ensure they are doing all they can to protect our
Nation's nuclear materials and secrets.
That is the end of my opening statement. I next turn to Mr.
Shimkus, the ranking member, for his opening statement, please.
OPENING STATEMENT OF HON. JOHN SHIMKUS, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF ILLINOIS
Mr. Shimkus. Thank you, Mr. Chairman. I recognize your
valiant effort to fight this cold and turning from a baritone
to a bass, it really is Chairman Stupak, and I'll testify to
that. But thanks for soldiering on, and thanks for this
hearing.
There are few topics the subcommittee will examine as
important to our national security as those concerning the
security of our national weapons labs. And although I am new to
this committee, the Oversight and Investigation Subcommittee
has done it for years, and the committee's responsibility has
been well noted. And there are few topics where we have been as
frustrated as those that concern the security at the labs.
Today's hearing serves as a progress report on work
requested by the bipartisan committee and subcommittee
leadership. Our requests were prompted by a series of physical
and cyber security debacles at Los Alamos National Laboratory
and poor performance at Lawrence Livermore National Laboratory
in an April 2008 DOE physical security evaluation.
We will hear from the Government Accountability Office this
morning on two topics, one concerning physical security and the
other one concerning cyber security on the unclassified
computer network. The GAO details areas of accomplishment, but
also identifies continued significant concerns. Of these
concerns, the most troubling involve the cyber threats to what
is called the ``yellow network,'' the lab's protected
unclassified network. The yellow network serves as a backbone
for lab operation and its research mission. However, both the
GAO and DOE Independent Office of Health, Safety and Security
have identified particular vulnerabilities with the security of
the yellow network.
Action is needed to improve the security of the yellow
network, but what corrective action is to take place is based
on a risk assessment and risk management. Do DOE and NNSA know
or will they know soon exactly what information is on the
yellow network? Will DOE and NNSA be willing to identify
information that needs special protection? And will they be
able or willing to implement corrective actions?
Are there any recommendations or corrective actions that
they believe would be too costly, time consuming or disruptive
to implement? If so, what evidence supports that belief? And
does it outweigh the cost to national security? Striking that
balance is a challenging task.
There are about 13,000 users of the network at Los Alamos,
including cleared foreign nationals, some from sensitive
nations of concern for security officials. We will hear this
morning that the network firewalls deflect more than 10
million cyber probes every month and that threats to cyber
defenses are rapidly escalating in number, sophistication and
complexity.
And what is the information on this network? It is not
classified, but it is sensitive and can have an impact on
national security. Panelists will detail some of the categories
for us which, GAO reports, present a valuable target for
foreign governments, terrorists and industrial spies.
How robust is network security especially when probed by
the most sophisticated adversaries? Have any of the probes
succeeded? And if they have, what has been lost? What may be
lost? These critical questions underscore the findings of GAO
that more needs to be done to protect the network. And if we
cannot be satisfied that network protections can safeguard
fully the information of these ever-more sophisticated attacks
and soon, what other options can we pursue for information
security? The answer to this will not be easy, and it involves
striking the balance between mission and security, but we have
to find an answer.
This GAO testimony provides just the starting point for the
security issues we will discuss this morning. When coupled with
the government audits and evaluations, the testimony raises
important questions that apply not only to the overall security
posture at Los Alamos, but at Lawrence Livermore National
Laboratory and Sandia National Laboratories as well as labs
overseen in Washington.
I look forward to hearing the perspective of the lab
directors with us on the second panel, as well as from DOE and
the National Nuclear Security Administration officials also on
the second panel. I will want to hear their answers to the
questions I pose about enhancing the security of the yellow
network.
We should identify measures and indicators for progress on
improving security going forward as rapidly as possible. We
also have to ensure that any measures for security can be
sustained for the long term with sufficient flexibility to
respond to emerging threats.
And finally we have to recognize the human factor at work
here; this means the researchers, the security people and the
management. I understand there appear to be two cultures at the
lab with different priorities, the research academic culture
and the security culture. These solutions need to reflect that
reality as well as reconcile the differences.
Thank you, Mr. Chairman.
Mr. Stupak. Thank you, Mr. Shimkus.
Mr. Green for an opening statement, please.
OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TEXAS
Mr. Green. Thank you, Mr. Chairman. And I'll make my
statement relatively brief.
I hate to sound like a broken record over these last few
years, but it's the subcommittee's 14th hearing on security
issues facing the Department of Energy's national labs. I hope
that today we can finally show some progress towards securing
the critical infrastructure and information of our weapons
labs. With the emerging threats facing our Nation, we cannot
afford more empty promises of change.
Los Alamos, Livermore and Sandia house America's most
sensitive and top secret weapons development programs. The only
thing not secret about these labs is that there are security
vulnerabilities.
In September 2006, the subcommittee learned how simple it
was for a contract employee to remove a USB ThumbDrive
containing hundreds of pages of classified documents. Just this
year, after a mock terrorist attack by DOE at Livermore, we
learned how easily lab security could be compromised through
their ill-trained workforce and protective strategy.
Sometimes I think we have to say enough is enough. I do not
want to sit through future congressional hearings where we must
piece together how a perpetrator gained access to classified
nuclear weapons design information from our labs because we did
not have the resolve to correct the lab security deficiencies
today.
The testimony from this morning's hearing will show that
some progress has been made. For example, Los Alamos National
Lab has drastically reduced the number of removable electronic
media and eliminated thousands of classified nuclear weapons
parts and reduced the number of bulk-type rooms and areas
containing special nuclear material. These efforts should be
commended. But when we are protecting information critical to
the national security of the United States, incremental action
is notable but not sufficient.
We in Congress owe it to the American people to ensure that
weapons labs are safe and secure. And if the Department of
Energy or their labs are not up to the task of providing the
highest level of protection, Congress must be willing to make
the tough choices to protect our national interests.
And again I thank you, Mr. Chairman, for continuing these
hearings. I look forward to the testimony, and I yield back my
time.
Mr. Stupak. Thanks, Mr. Green.
Ms. Blackburn for an opening statement, please.
OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF TENNESSEE
Ms. Blackburn. Thank you, Mr. Chairman. As has been stated,
we have had several hearings on the issue of problems with the
national labs, and with the accountability or the lack thereof
with the labs. It is frustrating to us to see a reticence to
make any changes. And I think it is also frustrating to our
constituents because now more than ever they are paying close
attention to energy issues, to how the Department of Energy is
working, to security issues or lack thereof of security.
And I think that today, as you come before us and as we
hold this hearing, and as we are in the midst of this financial
crisis, many people are very concerned about a proposed plan to
give the Secretary of the Treasury a blank check to bail out
Wall Street. And what we're hearing is, they don't trust
government. And we know that that lack of trust is going to,
therefore, be reflected onto each and every department and
agency of the Federal Government. And I think that it amplifies
some of the lack of accountability and the hesitancy that we
have seen from some of our government agencies and from you.
And the problems with these labs are more--they're just
more symptoms of what many people believe to be an incompetence
of the bureaucracy in the Federal Government, that you have
gotten too big and too unwieldy and too out of control for your
own good and definitely for the taxpayers' good.
If these government-run labs cannot protect classified and
sensitive information and material, then Congress must begin to
discuss alternatives to the current operating procedures that
will solve the problems. It would be interesting to know what
your best practices are and what your timeline is for meeting
those best practices.
Mr. Chairman, I think that protecting that classified
material and that sensitive data is one of the key
responsibilities of government. And if it does not, then our
Nation faces serious risk in the area of breaches of security.
Congress should put forward initiatives. We are going to
take the lead on this. If you cannot and will not, then we
will. We'll take the lead that will increase transparency, that
will demand accountability on behalf of the taxpayers that are
footing the bill for this.
And it's not only for you. It is for the entire Federal
Government. So as my grandmother would have said, You are on my
last nerve; and I hope that you're going to be willing to work
with us and increase some accountability and some transparency.
And Mr. Chairman, I will yield back the balance of my time.
Mr. Stupak. I thank the gentlewoman.
Mr. Dingell, chairman of the full committee, for an opening
statement, please.
OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN
CONGRESS FROM THE STATE OF MICHIGAN
Mr. Dingell. Mr. Chairman, good morning. And thank you for
your vigorous leadership in the matters before us. And I want
to thank you also for holding another important hearing on the
distressing state of security at our Nation's weapons labs.
This will be the 14th hearing we've held on this topic over
the last 8 years. It was the topic of our first oversight
hearing in the 110th Congress and today it may well be one of
the last of this Congress.
I feel a little bit like Sisyphus or like Heracles when he
was confronted with the Augean Stables. We have before us an
agency which has been totally incapable of addressing problems.
Back in the days when I was chairman of the Subcommittee on
Oversight and Investigations 20-some years ago, we had
hearings. We found a huge problem with regard to security at
our Nation's labs. We found that they turned off the sprinkler
systems because they didn't want to wet their computer systems.
We found they had vehicles, emergency vehicles, that would not
start.
We found them with employees in charge of security who did
not have the ability physically to participate in the
suppression of penetration of those facilities. We found that
the tests and the efforts to assure that the Agency could
respond to security challenges were carefully cooked by
informing the people beforehand what was going to happen so
that the drill could take place in the most favorable of
circumstances. And we found, curious enough, they still were
not able to do the job that had to be done.
We found that there were stings with regard to controlled
substances which were suppressed. We found dissipation of
public resources and scientific equipment amounting to millions
of dollars. We found losses of equipment. And we found
inability to keep track of government property.
We found the Agency had to go lightly on their drills
because employees charged with security were having heart
attacks as a result of having to defend these facilities. It
was a situation worthy of the Grand Duchy of Graustark. And it
was indeed a situation which would have been humorous were it
not for the fact that it was so sad and so dangerous.
I will not burden my colleagues with further details of the
events that this committee has had the distressful experience
of disclosing over the years. But classified information has
disappeared. Drug users have obtained clearances. Sensitive
information is being uncovered in drug raids. And promises are
made and continually broken to improve security by every
administration that has been before this committee.
After our last hearing this hearing asked the Government
Accountability Office to conduct a comprehensive review of
ongoing security issues at Los Alamos National Lab. Today we're
going to hear the results of that work as a result, as well as
the results of a number of audits and studies by the Department
of Energy's inspector general and its Office of Independent
Oversight.
These conclusions are mixed, and I must say that I achieve
a small measure of comfort by finding that they're mixed. And
at least they are not, for a change, all bad. While GAO found a
number of ongoing concerns at Los Alamos National Laboratory
that deserved the attention of the committee, they also found
some evidence of improvement for which we rejoice, enough to
make me slightly optimistic that the lab's security is in some
way improving.
This improvement must be tempered, however, by GAO's
warning that security at DOE labs appears to be cyclical. I'm
not quite sure what that means, but it may relate to the fact
that from time to time this committee has hearings to find out
how the matter progresses. Indeed, however, it is not clear to
me or, I suspect, anybody else how Los Alamos intends to ensure
that these problems will not reoccur.
Unfortunately, we will also learn today that while Los
Alamos has improved security, another critically important DOE
weapons lab, Lawrence Livermore National Laboratory, has not.
In April of 2008, DOE's Office of Independent Oversight
completed an evaluation review of security at Livermore. The
results, quite frankly, were shocking and sufficiently serious
that we can only discuss the specific details in our closed
session this afternoon.
I'd like to observe that we have before us identified major
problems with key aspects of Livermore's protective strategy,
including malfunctioning equipment, inadequate staffing,
insufficient training of the protective workforce. And while we
understand that many of these shortcomings are being addressed,
or at least we're so informed, the OIO findings are so
troubling that we must learn more about how DOE allowed this to
happen and what they're doing to prevent a recurrence.
Lastly, today, we will hear from an even bigger problem
facing these labs and DOE as a whole. And that is the threat
from cyber attacks, a new and increasingly serious danger. At
our request, GAO conducted a comprehensive review of Los
Alamos's unclassified cyber network; and the results of the
review highlight the need for significant security improvements
to protect sensitive information on Los Alamos's unclassified
network.
As noted by the GAO, the information on this network
presents a valuable target for foreign governments, terrorists
and industrial spies. And it's an interesting thing that this
kind of threat enables people to do the kind of penetration of
our national security simply sitting in their living room,
working with their computers.
This problem, however, is not unique to Los Alamos. All of
DOE's labs are facing cyber security challenges. We're going to
hear testimony that the labs are virtually naked to concerted
cyber attacks, especially by assault from persistent or funded
and dedicated assailants right in there, terrorists or foreign
governments.
Given the sensitivity of these facilities and the people
who work there, we need to learn how DOE is working to correct
this problem and when we may expect that it will, in fact, be
corrected.
Mr. Chairman, under your leadership I know that this
committee is going to continue its examination into cyber
security in the next Congress and to broaden it to include all
departments and agencies within our jurisdiction. Because the
potential consequences of this situation are very, very
serious, I expect that this will be one of our most important
oversight priorities next year.
And I want to thank you for the work and the leadership
that you have done and shown, and express my hope that I will
be able to work with you again on this very important matter.
Thank you, Mr. Chairman.
Mr. Stupak. Thank you, Mr. Dingell.
[The prepared statement of Mr. Dingell follows:]
Prepared Statement of Hon. John D. Dingell
Mr. Chairman, thank you once again for holding another
important hearing on the state of security at our Nation's
weapons labs. This will be the fourteenth hearing we have held
on this subject over the last eight years. It was the topic of
our first oversight hearing for the 110th Congress, and today
it may conclude this Subcommittee's hearings for this Congress.
I will not bore my colleagues with all the gory details of
security misadventure and mishap that this Committee has
uncovered over those 8 years--of classified information
disappearing, of drug users obtaining clearances, of sensitive
information being uncovered in drug raids, and of promises made
and continually broken to improve security.
Rather, after our last hearing, this Committee asked the
Government Accountability Office (GAO) to conduct a
comprehensive review of ongoing security issues at Los Alamos
National Lab. Today we will hear the results of that work as
well as the results of a number of audits and studies by the
Department of Energy's Inspector General and its Office of
Independent Oversight.
Their conclusions are mixed. While GAO found a number of
ongoing concerns at Los Alamos National Laboratory that deserve
our attention, they also found evidence of some improvement--
enough to make me cautiously optimistic that lab security is in
some ways improving. However, this improvement must be tempered
by GAO's warning that security at DOE labs appears cyclical,
and it is not clear how Los Alamos intends to ensure these
problems will not reoccur.
Unfortunately, we will also learn today that while Los
Alamos has improved security, another critically important
DOE weapons lab--Lawrence Livermore National Laboratory--has
not.
In April 2008, DOE's Office of Independent Oversight (OIO)
completed an evaluation and review of Livermore's security
posture. The results were shocking and so serious that we can
only discuss the specific details in our closed session this
afternoon.
Let me just say that they identified major problems with
key aspects of Livermore's protective strategy, including
malfunctioning equipment, inadequate staffing, and insufficient
training of its protective workforce. While we understand that
many of these shortcomings are being addressed, the OIO
findings are troubling, and we must learn how DOE allowed this
to happen and what they are doing to prevent a reoccurrence.
Lastly, today we will hear of an even bigger problem facing
these labs, and DOE as a whole, and that is the threat from
cyber attacks. At our request, GAO conducted a comprehensive
review of Los Alamos' unclassified cyber network, and the
results of this review highlight the need for significant
security improvements to protect sensitive information on Los
Alamos' unclassified network. As noted by GAO, the information
on this network presents ``a valuable target for foreign
governments, terrorists, and industrial spies.''
Unfortunately, this problem is not unique to Los Alamos.
All of the DOE labs are facing cyber-security challenges. We
will hear testimony that the labs are virtually naked to
concerted cyber attacks--especially by assault from persistent,
well-funded, and dedicated assailants. Given the sensitivity of
these facilities and the people who work there, we need to
learn how DOE is going to correct this problem.
I would urge this Subcommittee to continue its examination
into cyber security in the next Congress and broaden it to
include all departments and agencies within our jurisdiction. I
expect this may be one of our most important oversight
priorities next year and look forward to working with you on
this matter.
----------
Mr. Stupak. Mr. Burgess for an opening statement, please.
OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE
IN CONGRESS FROM THE STATE OF TEXAS
Mr. Burgess. Thank you, Mr. Chairman. This does seem like
deja vu all over again, doesn't it?
We've had hearings in the past and we've established some
serious lapses in security and managerial oversight at Los
Alamos National Laboratory. Indeed, we went through an entire
process with those Requests for Proposals as to whether or not
the management of the lab should change.
I took a trip out to Los Alamos in July of 2005. I just
wanted to see for myself on the ground. I have got to say, I
was impressed by the work being done; I was impressed by the
dedication of the employees. But as we continued to hear after
that, even after the evaluation and even though there was no
management change, but there was promise of some changes, we
still heard the reports of things that weren't quite right.
Through all of those hearings, we always heard that things
at Sandia, things at Lawrence Livermore were the gold standard,
and that's what we should aspire to. But now we have got a GAO
report that says significant problems exist in physical and
electronic security at Lawrence Livermore as well. So the
security of these agencies may have made some progress in
strengthening some of the security weaknesses at Los Alamos--
and I think that's still in question.
The NNSA needs to be more consistent with their progress in
other facilities. Gaps in the physical protection of classified
documents, but especially the electronic uses of both
classified and unclassified, but sensitive; this committee
should maintain persistent oversight until these problems are
corrected.
I am concerned with the cyber security weaknesses and lab
policies towards the physical protection of computers, portable
storage devices and other sensitive areas in the labs. It seems
like we've been through this before at Los Alamos, and I guess
I have to wonder why we're not learning the lessons as they're
given to us.
It's taken for granted that almost any enterprise
undertaken in life will involve a computer, a cell phone, a
BlackBerry or some other electronic device. It's also a near
certitude that an ill-meaning person or persons can attempt to
illegally access electronic systems and devices for a variety
of reasons, none of which are good. The rapid advancements in
technology make the nature of the threat to our electronic
systems one that is constantly evolving, therefore we need to
be flexible on the committee, but we need to be vigilant.
In 2002, Congress passed the Federal Information Security
Management Act to protect our critical information
infrastructure. This was before I was elected. And I do wonder
if our Federal agencies, particularly the Department of Energy,
are in compliance with this important law. It's a dangerous
time. Our national security secrets should be closely held,
closely guarded; and they should stay our national secrets.
The Office of Inspector General has noted that our nuclear
labs and Department of Energy work information systems are
compromised. I will look forward to working with the chairman
of this subcommittee and the chairman of the full committee to
ensure that our nuclear secrets do not fall into the wrong
hands.
And I will yield back the balance of my time.
Mr. Stupak. I thank the gentleman. We have our first panel
before us. Let me introduce them if I may:
Mr. Gregory Wilshusen, who is the Director of Information
Security Issues at the U.S. Government Accountability Office.
And you're accompanied by Ms. Allison Bowden of the GAO. And
you are senior auditor, correct? OK. Mr. Glenn Podonsky, who is
the Chief Health, Safety and Security Officer in the Office of
Health Safety and Security of the Department of Energy; and the
Honorable Gregory Friedman, who is the Inspector General at the
Department of Energy.
Welcome to all of our witnesses.
It's the policy of this committee to take all testimony
under oath. Please be advised you have a right by the Rules of
the House to be advised by counsel during your testimony. Do
any of you wish to be advised by counsel during your testimony?
Everybody indicating ``no.'' Therefore, I will ask you to
stand, raise your right hand and take the oath.
[Witnesses sworn.]
Mr. Stupak. Let the record reflect that the witnesses have
answered in the affirmative to the oath. They are now under
oath.
Mr. Stupak. We will begin with opening statements.
Mr. Friedman, let's start with you. If you don't mind, pull
that mic up. And you are recognized for 5 minutes. If you have
a longer statement, it will be submitted for the record. So if
you would begin, please.
STATEMENT OF GREGORY H. FRIEDMAN, INSPECTOR GENERAL, U.S.
DEPARTMENT OF ENERGY
Mr. Friedman. Thank you, Mr. Chairman and members of the
subcommittee. I'm pleased to be here today at your request to
testify on matters relating to security at the Department of
Energy's national defense laboratories. These laboratories,
which are part of the National Nuclear Security Administration,
process some of the Department's most sensitive information,
information which is critical to the Nation's defense.
Since 2002, the Office of Inspector General has categorized
information security as one of the Department's most
significant management challenges. In April of 2007, I
testified before this subcommittee on the special inquiry
conducted by my office regarding a diversion of classified data
from the Los Alamos National Laboratory, an event made possible
in large part by cyber security-related weaknesses.
The Office of Inspector General has continued its efforts
in this area by conducting a number of cyber security reviews
throughout the Department, including NNSA and its national
defense laboratories. Early this year we conducted an extensive
review of the process to certify and accredit classified
national security information systems. Simply stated,
certification and accreditation is a critical management tool
used to recognize and address risks by ensuring that cyber
security controls are in place.
Our findings relative to the NNSA and its laboratories
revealed a number of weaknesses. In particular, we found,
first, critical security functions had not been adequately
segregated, providing the opportunity for systems security
officers to gain access and modify systems without review or
approval.
Secondly, risks associated with classified and unclassified
systems operating in the same environment had not always been
adequately evaluated.
Third, the system security plans omitted information on
hardware such as servers, network printers, and scanners, a
condition paralleling one of our concerns relating to the
diversion of classified material at Los Alamos.
And finally, contingency plans outlining actions necessary
to resume operations in the event of a disaster were not always
developed or they were incomplete.
These weaknesses occurred, in part, because the NNSA had
not been fully successful in ensuring its laboratories
implemented the Department's updated cyber security
requirements. For example, two laboratories completed their
certification and accreditation process using outdated
requirements, leaving a number of systems vulnerable to control
weaknesses. In addition, headquarters and field site officials
had not effectively reviewed security plans to ensure that they
were accurate and adequately addressed system risks.
In our recently issued Federal Information Security
Management Act evaluation, we identified a number of weaknesses
that exposed unclassified systems to an increased risk of
compromise.
We found, first, two of the three defense labs had not yet
completed certification accreditation of certain business
systems, a deficiency first reported in 2006.
Mandatory security controls were not included in systems
security plans at one laboratory.
All three laboratories had not completed implementation of
the federally mandated standard desktop configuration.
Computer incident reports did not always include
information needed for implementing--needed for reporting to
law enforcement and for subsequent analysis for trending.
And at one laboratory vulnerabilities were identified that
may have allowed unsupervised foreign visitors to
inappropriately access the site's intranet.
We found that NNSA had not in a timely manner incorporated
Federal and departmental cyber security requirements into its
policies and guidance. In addition, NNSA also had not
effectively completed reviews and performance monitoring,
activities essential for evaluating the adequacy of cyber
security operations.
Our evaluations reveal a mixed picture. The Department and
NNSA have improved their cyber security efforts, yet weaknesses
still exist. Additional action is necessary to protect systems
and the information they contain from increasingly
sophisticated and persistent attacks.
Since the end of fiscal year 2007, as has been referred to
earlier in the opening statements, the Department has
experienced a 45 percent increase in reported cyber security
incidents. This significant increase demonstrates the need for
sustained action in securing the Department's information
systems.
Our work suggests that there are some recurring challenges
that NNSA should consider as it moves forward. Specifically,
NNSA should implement in a timely manner all relevant Federal
departmental cyber security requirements, strengthen the
management and review process by better monitoring field sites
to ensure adequacy of cyber security program performance and,
finally, ensure that all outstanding cyber security weaknesses
are corrected in a timely manner.
The Office of Inspector General recognizes well the
importance of cyber and physical security and we are committed
to continuing our work in these areas.
Mr. Chairman, this concludes my statement. I would be
pleased to answer any questions you may have.
Mr. Stupak. Thank you Mr. Friedman.
[The prepared statement of Mr. Friedman follows:]
Statement of Gregory H. Friedman
Summary
Since 2002, the Office of Inspector General (OIG)
has categorized information security as one of the Department
of Energy's (Department) most significant management
challenges. While incremental improvements have been made to
improve security and reduce risks to systems and data,
additional work needs to be done.
The OIG recently issued a report on the
certification and accreditation of the Department's national
security information systems. Our review disclosed that
weaknesses exist in the areas of risk management, security
planning, and contingency planning. In addition, the National
Nuclear Security Administration (NNSA) had not been fully
successful in ensuring that its laboratories implemented the
Department's updated, strengthened policies designed to protect
national security information systems.
A Fiscal Year 2008 review of the Department's
unclassified cyber security program identified opportunities
for improvements in areas such as certification and
accreditation of systems, systems inventory, contingency
planning and segregation of duties.
The problems identified occurred because NNSA had
not revised and implemented, in a timely manner, policies and
guidance incorporating Federal and Departmental cyber security
requirements. NNSA also had not effectively completed review
and performance monitoring activities essential for evaluating
the adequacy of cyber security operations.
Since the end of Fiscal Year 2007, the Department
has experienced a 45 percent increase in reported cyber
security incidents. This significant increase demonstrates the
need for sustained action in securing the Department's
information systems.
Statement
Mr. Chairman and members of the Subcommittee, I am pleased
to be here at your request to testify on matters relating to
cyber security at the Department of Energy's (Department)
national defense laboratories. These laboratories, which are
part of the National Nuclear Security Administration (NNSA),
possess and process some of the Department's most sensitive
information; information which is critical to the Nation's
defense.
Background
The Office of Inspector General (OIG) has a long-standing,
proactive program to assess the effectiveness of the Department
of Energy's cyber security strategy. Since 2002, the OIG has
categorized information security as one of the Department's
most significant management challenges. In April of 2007, I
testified before this Subcommittee on the special inquiry
conducted by my office regarding a diversion of classified data
from the Los Alamos National Laboratory; an event made
possible, in large part, by cyber security related weaknesses.
The OIG has continued its efforts in this area by conducting a
number of cyber security reviews throughout the Department,
including NNSA and its national defense laboratories--Los
Alamos, Lawrence Livermore, and Sandia.
Review of National Security Information Systems
In response to our special inquiry on the diversion of
classified data at Los Alamos, the Department initiated a wide
range of actions to address cyber security weaknesses related
to classified systems. For instance, the Department updated and
strengthened its national security information systems policy
for segregation of duties and system access techniques.
Earlier this year, we conducted an extensive review of the
process to certify and accredit classified national security
information systems at the NNSA laboratories. Certification and
accreditation (C&A) is a critical part of the risk management
process and is vital to understanding and mitigating cyber-
related vulnerabilities. This process is designed to ensure
that systems are secure prior to beginning operation and that
they remain so throughout their lifecycle. It includes formal
steps to: (1) recognize and address risks, (2) determine
whether system security controls are in place and operating
effectively, and (3) ensure that changes to systems are
adequately tested and approved. Our findings relevant to the
NNSA and its national defense laboratories revealed that:
Critical security functions had not been
adequately segregated, providing the opportunity for system
security officers to gain access and modify systems without
review or approval, creating an environment in which controls
could be manually overridden;
Risks associated with classified and unclassified
systems operating in the same environment had not always been
adequately evaluated. This weakness--exacerbated by the lack
of segregation of duties--increased the risk that classified
information could be transferred to unclassified systems;
Users at one laboratory were allowed to manually
change passwords, a practice specifically prohibited by the
Department and one which rendered passwords on classified
systems more susceptible to compromise;
At the same laboratory, a number of security plans
were not reviewed and approved by a Federal official, depriving
NNSA of the opportunity to ensure that all risks to the systems
were addressed;
System security plans omitted information on
hardware such as servers, network printers and scanners, the
presence of which could have created a security vulnerability
and enabled the unauthorized processing, diversion or theft of
classified material. This condition paralleled one of our
concerns related to the diversion of classified information at
Los Alamos; and,
Contingency plans outlining actions necessary to
resume operations in the event of a disaster were not always
developed or were incomplete.
The Department had strengthened policies designed to
protect national security information systems in response to
our recommendations following the Los Alamos incident. However,
NNSA had not been fully successful in ensuring that its
laboratories implemented these updated and stronger
requirements. For example, two laboratories completed their C&A
process using outdated requirements, leaving a number of
systems vulnerable to control weaknesses such as the lack of
segregation of duties and strong authentication techniques. In
addition, Headquarters and field site officials had not
effectively reviewed security plans to ensure that they were
accurate and that they adequately addressed system risks.
Review of Unclassified Systems
The OIG has also devoted substantial resources to
evaluating security measures designed to protect the
Department's unclassified information systems and data. The
Federal Information Security Management Act requires that
agency Inspectors General conduct an annual independent
evaluation of their Department's unclassified cyber security
program and practices. Our recently issued Fiscal Year (FY)
2008 evaluation revealed a mixed-picture: on one hand, the
Department had made incremental improvements in its
unclassified cyber security program. For example, various sites
had taken action to address weaknesses we identified during our
FY 2007 evaluation by strengthening configuration management,
updating policy, and incorporating cyber security performance
requirements into management and operating contracts. However,
a number of weaknesses that exposed systems to an increased
risk of compromise still existed within the Department. This
specifically included NNSA and its national defense
laboratories. In particular:
Two of the three defense laboratories had not yet
completed certification and accreditation of certain business
systems, a deficiency we first reported in FY 2006;
System security plans at one laboratory did not
include mandatory security controls. Such information is
necessary for management to determine that all system risks
have been fully considered and that mitigating controls are in
place;
At one laboratory, unneeded computer services had
not been disabled on over 40 servers that hosted publicly
accessible websites. These services, which in a number of
instances could be accessed without the use of passwords or
other authentication techniques, increased the risk of
malicious damage to the servers and the networks on which they
operated;
All three laboratories had not yet completed the
deployment of the Federally-mandated standard desktop
configuration, an action that when implemented is intended to
significantly enhance cyber-related controls;
Computer incident reports did not always include
information needed for reporting to law enforcement and for
subsequent analysis for trending. Further, reported information
was not always shared with other Department elements; and,
At one laboratory, vulnerabilities were identified
that may have allowed unsupervised foreign visitors to
inappropriately access the site's intranet. Such practices, if
exploited, could have permitted those individuals to probe the
laboratory's network for vulnerabilities, implant malicious
code, or remove data without authorization.
Issues Requiring Continuing Attention
While NNSA has taken steps to address a number of
weaknesses identified in the past, additional action is
necessary to protect systems and the information they contain
from increasingly sophisticated and persistent attacks. Since
the end of FY 2007, the Department has experienced a 45 percent
increase in reported cyber security incidents. This significant
increase demonstrates the need for sustained action in securing
the Department's information systems.
Our work suggests that there are some recurring challenges
that NNSA should consider as it moves forward. Specifically,
NNSA should:
1. Implement, in a timely manner, all relevant Federal and
Departmental cyber security requirements;
2. Strengthen the management review process by better
monitoring field sites to ensure the adequacy of cyber security
program performance; and,
3. Ensure that all outstanding cyber security weaknesses
are corrected in a timely manner.
To achieve the recommended reforms as promptly as possible,
NNSA should establish firm schedules with specific
implementation timeframes and benchmarks.
Ongoing Inspector General Efforts
Both cyber and physical security continue to be pressing
management challenges. For that reason, the Office of Inspector
General has ongoing activities to examine information
technology and systems security, implementation of physical
security technology upgrades, protection of sensitive
unclassified information, and accounting for nuclear materials
in the hands of domestic licensees.
Mr. Chairman, this concludes my statement and I would be
pleased to answer any questions you may have.
----------
Mr. Stupak. Mr. Podonsky, please, for your opening
statement.
STATEMENT OF GLENN S. PODONSKY, CHIEF HEALTH, SAFETY AND
SECURITY OFFICER, U.S. DEPARTMENT OF ENERGY
Mr. Podonsky. Chairman Stupak, Ranking Member Shimkus and
members of the subcommittee, I want to thank you for inviting
me to testify today on the status of the security and cyber
security programs at the Department of Energy's three weapons
laboratories.
As the Department's Chief Health, Safety and Security
Officer, my office and I have a direct interest in the levels
of rigor and effectiveness at which these laboratories and all
DOE sites implement the Department's security requirements.
In the area of physical protection and the protection of
special nuclear material, the HSS Office of Independent
Oversight conducted a comprehensive security inspection this
past spring at Lawrence Livermore National Laboratory and just
recently completed an inspection at Los Alamos National
Laboratory. While there were a number of identified weaknesses,
most notably at Lawrence Livermore, reports of progress
indicate that they are aggressively addressing identified
deficiencies. We will validate the effectiveness of these
corrective actions when we conduct a follow-up inspection in
the spring.
The results of our evaluations indicate that the systems in
place to protect classified matter at these laboratories are
generally adequate and in compliance with expectations, but
there are residual issues that must be addressed. In the area
of cyber security, threats to DOE and NNSA cyber security
defenses continue to escalate both in terms of the number of
attacks and in the sophistication and complexity of those
attacks.
Mr. Chairman, DOE, along with many other government
agencies and corporate organizations, are experiencing a broad
range of cyber security threats that we must protect against on
a continuous basis. Our interconnected society and dependency
on the rapid exchange of vast quantities of electronic
information exposes all of us to cyber threats similar to those
faced by DOE and NNSA. I believe the entire U.S. Government is
at a crossroads on how we protect sensitive information.
Our independent oversight inspections have identified
numerous positive attributes of the classified cyber security
programs at each of the weapons laboratories, and while there
are some deficiencies that need to be addressed, the classified
cyber security program throughout DOE remains strong.
Unclassified cyber security presents a different challenge.
The primary threats to our unclassified networks used to be
directed at our perimeter defenses, and as a result, the
Department directed significant effort toward strengthening its
network perimeter through implementation of fire walls and
intrusion detection systems. However, as external network's
defenses have grown stronger, our adversaries have shifted
strategies and most attacks today are less direct.
Many new network penetrations now occur as a result of an
authorized user activating a malicious software program commonly
known as a Trojan horse or some form of social
engineering. Once a user activates a malicious program, a
communication channel is established to the adversary system,
essentially ignoring the otherwise effective fire wall.
In January of 2005, my office added to our existing
inspection program an unannounced network testing process
commonly referred to as ``red teaming'' to provide a more
rigorous evaluation of this new threat environment. Red teaming
evaluates the strengths and weaknesses and security controls,
as well as the Department's ability to detect and disseminate
information about attacks and how it addresses the attacks.
Our most recent red team activity, conducted with only six
cyber specialists and in under 90 days, resulted in our ability
to take full control of two site networks and one small site
office network. Our red team was able to download a very large
quantity of data in gigabytes, 40,000 documents, some of which
were sensitive without being detected.
Additionally, with this access, we installed our own
malicious programs on a number of laptop computers. As these
laptops were legitimately connected to other networks through
authorized accounts, we were able to see these networks and to
browse the information on them, thus demonstrating our ability
to migrate through the Department into sensitive networks.
While there has been moderate improvement in the
unclassified cyber security arena, including better
segmentation of computer networks and improved vulnerability
scanning, we continue to identify problems in fully
implementing some fundamental security controls at DOE and NNSA
sites. For example, while some sites within NNSA have improved
their process for controlling outbound network connections,
many other sites have not fully implemented mechanisms to
prevent malicious software programs from sending sensitive
unclassified information to sources outside their networks.
The DOE Chief Information Officer and the Under Secretaries
have made progress in recent years with respect to developing
new policy and governance model to implement these new
policies. This governance model essentially enables each Under
Secretary to determine how they will implement departmental
requirements through their programmed cyber security plans. Our
inspections, however, have continued to demonstrate that some
fundamental cyber security requirements are not consistently
implemented throughout the Department.
We don't want to underestimate the work that has already
taken place. Some sites, especially within NNSA, have addressed
many of these issues. However, the Department continues to
identify successful penetrations of our networks.
To protect sensitive information more effectively, we need
to enhance certain aspects of departmental policy to include
requiring encryption of sensitive information stored on all
computers, implementing a more robust program cyber security
plan and review process by the DOE's Office of the CIO to
ensure that the plans are meeting expectations and revisiting
some of the risk decisions that have been made with particular
emphasis on the evolving threat environment.
Additionally, we need to continue to educate our users
regarding the threats involved with opening attachments and
running programs from untrusted sources. We should implement
authenticated gateways for all outbound Internet access to
reduce the ability for automated programs to establish pathways
to external systems, as we did with our red team. We should
also more efficiently analyze suspicious activities across the
network. Finally, we need to do a better job of keeping
attackers who manage to gain access to sensitive information on
our systems from sending that data outside our network
perimeters as well as limit their ability to migrate to other
areas of the site's network.
Mr. Chairman, my office and I believe this subcommittee and
DOE share the same goal of ensuring that our national security
assets are well protected and also share the concern when the
protection effectiveness falls below our standards. However,
the Department and the laboratories have additional work to do
to ensure that protection of the classified information they
possess in both physical and electronic form.
I cannot stress strongly enough our belief that we need to
get back to the basics of risk management to identify which
information needs special protection, to determine appropriate
protection measures to apply to that information, and then we
need to ensure that the protection measures are actually
implemented.
Thank you, Mr. Chairman.
Mr. Stupak. Thank you, Mr. Podonsky.
[The prepared statement of Mr. Podonsky follows:]
[GRAPHICS] [TIFF OMITTED] T3238.001 through T3238.015
Mr. Stupak. Mr. Wilshusen, your opening statement, please,
sir.
STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION
SECURITY ISSUES; ACCOMPANIED BY ALLISON BOWDEN, SENIOR AUDITOR,
GOVERNMENT ACCOUNTABILITY OFFICE
Mr. Wilshusen. Chairman Stupak, Ranking Member Shimkus and
members of the subcommittee.
Mr. Stupak. Is your mic on, sir? Just pull it up a little
bit, if you don't mind.
Mr. Wilshusen. Can you hear me now? OK.
Chairman Stupak, Ranking Member Shimkus and members of the
subcommittee, I am pleased to be here today to testify on
physical and cyber security at the Los Alamos National
Laboratory or LANL, one of three national laboratories operated
by the National Nuclear Security Administration that designs
and develops nuclear weapons for the U.S. stockpile. I am
joined by Allison Bowden, a GAO senior analyst specializing in
physical security.
A basic management objective for any organization is to
protect the assets and resources that support its critical
operations from theft, unauthorized access, use, modification,
destruction or disruption. It is especially critical for
national laboratories, such as LANL, that possess and process
special nuclear material, nuclear weapons parts and highly
sensitive and classified information.
A successful physical or cyber attack on LANL could have
devastating consequences for the site, its surrounding
communities and the Nation's security. Because of these risks,
LANL needs effective physical and cyber security programs.
Today I will summarize our recently completed work on physical
and cyber security at Los Alamos and share our preliminary
observations on physical security at the Lawrence Livermore
National Laboratory.
Mr. Chairman, LANL is improving its physical security. It
is implementing over two dozen initiatives to reduce,
consolidate and better protect its classified assets. It has
reduced the physical footprint of the laboratory by closing
unneeded facilities, although this initiative is focused more
on reducing maintenance costs than addressing facility
security.
Other challenges remain. Significant physical security
problems related to nuclear weapon part storage, inadequate
self-assessments and complete corrective action plans have been
fully addressed--or have not been fully addressed at the time
of our review.
In addition, LANL's ability to sustain security
improvements over the long term is unproven because its
approach is for sustaining progress contained weaknesses in the
early stages of development. For example, a system intended to
track long-term improvements would not be fully completed for 3
to 4 years.
Furthermore, the Los Alamos site office, which is
responsible for overseeing security at LANL, may not have
enough staff or the proper training to provide effective
security oversight.
To help strengthen LANL's physical security program, GAO
recommended, among other things, that LANL develop a
comprehensive strategic plan for addressing identified
weaknesses and improving program effectiveness.
At Lawrence Livermore our preliminary observations on
physical security indicate that its self-assessment and
performance-assurance testing programs need improvement and
that NNSA and the Livermore site office have not always
provided effective security oversight. Both Livermore and the
site office have actions under way that are intended to improve
these deficiencies. However, similar to LANL, sustaining
improvements may be a continuing challenge.
Turning to cyber security--and in reports being released
today, Mr. Chairman, we note that Los Alamos has implemented
numerous measures to enhance cyber security, but weaknesses
remain that impair the laboratory's ability to sufficiently
protect the confidentiality, integrity and availability of
sensitive information on the unclassified network. At the time
of our site visits, LANL had vulnerabilities in several
critical areas, including identifying and authenticating users
of the networks, encrypting certain sensitive information,
monitoring compliance with security policies, implementing and
testing software patches, and planning for contingencies when
the network services are disrupted. A key reason for these
weaknesses is that the laboratory had not fully implemented its
cyber security program to ensure that controls were effectively
established and maintained.
In addition, the number of foreign nationals who have
access to the unclassified network, including about 300, as of
May 2008, from DOE's designated sensitive countries, had raised
concerns amongst some laboratory and NNSA officials because of
the sensitive information contained on the network.
To enhance cyber security over the unclassified network, we
are making a total of 52 recommendations to improve LANL's
program activities, correct specific control weaknesses, and
ensure a clear and consistent strategy for determining resource
requirements based on risk.
In summary, LANL has taken steps to improve its physical
and cyber security programs, but more remains to be done. Until
known deficiencies are adequately addressed and improvements
sustained over the long term, sensitive and classified
resources will remain at increased and unnecessary risk.
Mr. Chairman, we'd be happy to answer any questions.
Mr. Stupak. Thank you.
[The prepared statement of Mr. Wilshusen follows:]
[GRAPHIC] [TIFF OMITTED] T3238.016-T3238.033
Mr. Stupak. Ms. Bowden, would you care to make an opening
statement?
Ms. Bowden. No, sir.
Mr. Stupak. OK. Let's begin our questioning then. Let's go
10 minutes and move it along.
Mr. Wilshusen, let me ask you this: I'm glad to hear that
Los Alamos is doing better. This committee has really been on
their case, because we have had so many hearings concerning
their physical security. So we're pleased to see that.
We've asked in the past that GAO take a look at the need
for a Los Alamos. In other words, there's a lot of redundancy
in our labs. Is it necessary to keep that--is that
investigation or report by GAO ongoing, looking at the physical
assets of Los Alamos and is it needed?
Ms. Bowden. Yes, Mr. Chairman. We have finished the first
part of that review, which was the report that was issued on
physical security in June 2008. And we are just beginning the
second phase of that review, which will take a comparative look
at infrastructure across the nuclear weapons complex.
Mr. Stupak. OK. Thanks.
Well, let me ask you this, Ms. Bowden, if I may. One of the
concerns you raised in reporting on Los Alamos' physical
security structure, that it seemed to be cyclical in nature.
I'm glad to see that they're improving. But the labs appear to
improve when we've had a mishap and they know they're under
scrutiny.
How do we make sure there are improvements in the physical
security, whether it's cyber or just physical security, unless
this committee or--unless there's an incident, it seems like
they regress. How do we break the cyclical nature of this?
Ms. Bowden. In our June 2008 report, we've recommended
specifically that NNSA effectively incentivize financially,
through newly established performance-based contracts,
effective incentives for physical security performance. They
get beyond compliance-oriented measures, but really look at the
effectiveness of the security programs at Los Alamos.
In addition, we believe that effective security oversight
through the NNSA site office will help address the
sustainability of improvements in security at the laboratory.
Mr. Wilshusen. Regarding cyber security, it will take
several things to make that happen. One, of course, is first
getting the current control situation up to snuff in terms of--
in particular, like implementing our recommendations over the
weaknesses in its present controls. But that's only as a point
certain.
It's also imperative that the Agency develop the processes
and the structure to ensure that these controls and its risks
are adequately assessed over time because the computing
environment changes. The cyber security environment is very
dynamic. There are constantly new threats, new technologies and
new business processes and functionality that are being added
to the unclassified networks and to any network, speaking
generally. And so it requires that the Agency sets up the
processes and effectively implements them over time.
Mr. Stupak. Well, let me ask you this: To the extent that
you can testify, you or Mr. Podonsky, in open session here,
what is the level of sophistication of these cyber attacks? And
I take it they're increasing in capability.
It's getting much more sophisticated these cyber attacks,
is it fair to say?
Mr. Wilshusen. Definitely, they're becoming more
sophisticated and they're also becoming more targeted. In the
past, many of the attacks were just through hackers or virus
writers that might throw out a virus across the Internet and
see what they might be able to infiltrate. Now attackers--and
they come from a variety of sources--more specifically target
their--well, they more specifically try to target their more
particular systems or individuals that they want to attack; and
they tailor that attack to try to encourage an individual to
open up an e-mail attachment or to provide sensitive
information, like personally identifiable information, or to go
to a Web site to which can then be downloaded malicious
software which can provide the opening to the attacker.
Mr. Stupak. Mr. Podonsky, I think you actually said in your
testimony that before instead of a straight-in attack, now they
use a different method or go through someone who will already
have access to it, get them to open an e-mail or whatever, and
then make the attack.
Mr. Podonsky. In my opening statement I did talk about the
sophistication of these attacks. And I'm sure in the closed
session we'll be able to talk with greater granularity.
However, I want to emphasize again, as I said in my opening
statement, while DOE is a target, so is the entire United
States Government.
Mr. Stupak. Sure.
Mr. Podonsky. And we need to be sensitive that these
attacks are very real, not only against our laboratories, but
against all of our agencies.
Mr. Stupak. Well, and in my testimony, I had mentioned that
tens of millions of attacks are taking place each month. Are we
at a point where the number of attacks have outpaced our
ability to defend against them, or to identify them when they
do occur?
Mr. Podonsky. In our opinion, from independent oversight,
we believe that there are things that we can do to help protect
some of the information that we have. But the reality is that
these attacks continue to be, as you point out, more
sophisticated and more numerous. And it's a constant,
continuous struggle for all of us.
Mr. Stupak. But you also mentioned in your testimony your
Red Team and how you're able to penetrate two of the DOE labs
and downloading a very large quantity--gigabytes, you said--of
information.
Can you expound further on what your Red Team did? And what
does this suggest about the capability of the Department of
Energy to thwart cyber attacks?
Mr. Podonsky. What I can say in open session, first, yes, I
would like to explain in greater detail in a closed session
what they actually did and the only reason I can say that is
because we do not want to confirm for hackers out there what
the successful practices are, because we've proven that within
the Department.
But suffice it to say that, as I said, with a very small
group of cyber security specialists, and in under, as I said,
90 days, we were able to take over the network of two of the
sites.
We believe that were we with more people--and I'm not
asking for more, but were we with more people and had we
pursued this for a longer period of time, there would have been
more vulnerabilities that we would have found.
Mr. Stupak. I think, Mr. Wilshusen, and I think, Mr.
Podonsky--I think you both mentioned it--the so-called yellow
network, if you will, or the unclassified network at the labs
is not sensitive enough to warrant major action to protect it.
But yet these unclassified networks can lead you to terribly
sensitive information; is that correct?
Mr. Wilshusen. Yes. Certainly the information on the yellow
network contains very sensitive information, including
unclassified controlled nuclear information, export control
information, and personally identifiable information about LANL
employees. This information has intrinsic value to attackers
and to--of various different types.
It can be--information from a network potentially can aid
our competitors, or provide a competitive advantage to--in the
commercial sector. It can also be a source for intelligence
gathering and possibly disruption for other adversaries.
And so certainly that information has value. And I think
that's indicative, in part, by the number of attempted probes
that occur at that site.
Mr. Stupak. Well, you mentioned maybe the commercial nature
of it. But what about national security? Does the information
contained in the unclassified network pose a danger from an
adversary by going through the yellow network or unclassified
network? Can you get to something where an adversary, from a
national security point of view, could penetrate and then cause
us problems?
Mr. Wilshusen. Well, I would say that the type of
information on that network could certainly aid intelligence
operations from other organizations. It's highly sensitive and
it could potentially lead to that, yes, sir.
Mr. Stupak. Well, what's your opinion? And on the network
access that's been provided to foreign nationals from both
sensitive and nonsensitive countries, do you think that's too
open to foreign nationals?
Mr. Wilshusen. Well, I think the issue relates to--it
really comes down to a risk and benefit decision; you know,
what is the risk of giving these individuals, particularly from
the sensitive countries, access to the unclassified network;
and then what's--first is, what is the benefit of giving them
access to it?
And once it's decided whether or not these individuals
should have access to it, it's incumbent then upon the
organization to ensure that--as it would for any user, to
ensure that the access granted to that individual is based on
the principle of least privilege, and that they're only given
the access that they need to do the job and no more, and that
that access is based on need to know.
Now, we've been informed that the NNSA has decided to
remove the access of all the foreign nationals from sensitive
countries, from the yellow network.
Mr. Stupak. OK. Because isn't it sort of like what we did
in Los Alamos? I mean, I think we had a hearing on it where
foreign nationals had access--many people thought too much--and
then they just pulled back for the foreign national to limit
the access at Los Alamos; am I correct?
Ms. Bowden or--do you know?
Mr. Wilshusen. You mean previously?
Mr. Stupak. Right.
Mr. Wilshusen. That I don't know, sir.
Mr. Stupak. OK.
Mr. Friedman, if I may ask one question. I don't want to
leave you out there. Maybe we'll get around the second time.
In your January 2008 you reported that the Department
failed to adequately address cyber security incidents,
coordinations and communications. In our next panel Dr.
Wilbanks will say just the opposite.
Why is there such a difference of opinion as to the
effectiveness of cyber security incident coordination and
communication? And why is this such a challenging area for the
Department? And who within the Department is really responsible
for collecting, reporting and disseminating cyber incident
information?
In other words, I guess, who is responsible for the
program? Why do we have such diverse views on how effective
they're being on the cyber security?
Mr. Friedman. Well, Mr. Chairman, I can't speak to Ms.
Wilbanks' testimony, and I'm not sure I can completely
understand the distinction.
The Department does have a fairly sophisticated system of
collection, both a NNSA system and a non-NNSA system of
collection of these incidents, in part to report to law
enforcement, partially my office and others, and in part to do
trending analysis and best practices and to alert the various
facilities within the Department as to where the problems may
be, and trends they may see that may affect all of the
individuals.
What we found in the past is that these two entities, which
by the way are in the process of being consolidated, at least
in part, that they did not receive--we did not receive from
them all the information that we needed to have a quality
referral to law enforcement and we had to go back and get
additional information.
So the structure is in place along the spectrum. The
question is, is it as complete and comprehensive as it needs to
be and as responsive to the needs of law enforcement and to the
others throughout the Department?
Mr. Stupak. OK. I thank you. Before I yield to Mr. Shimkus,
you know, there has been this report or letter by Mr. Terry
Turchie, and Mr. Dingell brought it up more in his opening
statement. And I am sure you are going to be looking into that,
the comments made in the letter by Mr. Turchie as to
counterintelligence and the intelligence. Will your office be
looking at that?
Mr. Friedman. Is that directed to me?
Mr. Stupak. Yes.
Mr. Friedman. I first saw the letter from Mr. Turchie this
morning at 10 minutes to 8:00 and I hadn't seen it previously.
I had seen the report by the Congressional Research Service
about 5 or 6 months ago, which addresses many of the same
issues. We are certainly looking at it carefully and we will be
considering what the next step should be.
Mr. Stupak. We look forward to working with you on that,
because we are going to look at cybersecurity at all the
agencies under our committee's jurisdiction. So I just wanted
to let you know. Thank you.
Mr. Shimkus for questions, please.
Mr. Shimkus. Thank you, Mr. Chairman. Still being relatively
new to the committee and the oversight, having been on the full
committee for a long time, I don't come with the years of
analysis and frustration that many members do in delving into
this.
But current events dictate internationally that if a cyber
red team, given a month and six to seven folks, can do great
mischief, it poses a question, what can a nation state do with
unlimited people and really unlimited dollars? In the
international arena we have seen it with Estonia, we have seen
it most recently in Georgia, not the State but the country.
So it begs the question, if there is information, whether
it is technical in nature or that can be combined on this
yellow network, that is, quote/unquote, sensitive and all these
words are--if it is sensitive, either personal information or
it can then be placed together to create other information,
that is I think a problem.
And also, if in this definition of sensitive information
and that information then runs the risk of--well, let me say it
this way. In a communication environment, as we talked about
before, you have got information available for doing the job,
there is risk entailed. Are we willing to take the risk? Are we
willing to assume the risk? I understand there is an open
green--kind of like a green system which we can go to the
general information on DOE, then the yellow system, and then
the more--the issue that is classified. How do we clean up the
yellow network so that the classified information isn't there
and it is not accessible through the other networks? And let me
go to Mr. Wilshusen first.
Mr. Wilshusen. Well, I think, first of all, with regard to
the information on the yellow network, classified information
is not authorized to be on that network. And so there has to be
a process that goes through to make sure that information that
is on that network is not classified. And so there is some
classification requirements on that to assure--determine
whether or not somebody that is on the yellow network can gain
access to the red network. Is that what you are asking?
Mr. Shimkus. Or green to yellow to red.
Mr. Wilshusen. Right. Well, we are--
Mr. Shimkus. And then is part of that the Trojan Horse part
of thing that you're talking about is accessing in and then
sleeping and then awakening and then moving through aspects?
Mr. Wilshusen. Right. We are, at the request of this
subcommittee and the full committee, reviewing the security
controls over the classified network at Los Alamos, too. So I
can't comment on that at this point in time. Our work is still
premature to make any type of preliminary information or
observations on the security controls over the red network.
However, with regard to the yellow network and the green
network, they were interconnected in the past, and that was one
of the issues that we have identified that weaknesses--even
though our work on this particular engagement focused on the
yellow network, we found that there were paths from the green
network into the yellow network.
Mr. Shimkus. And then I would ask if that was identified,
have those paths then severed that we know of today, that
interconnect--the interconnection, the ability to do that?
Mr. Wilshusen. You mean today is that capability, do those
weaknesses still exist?
Mr. Shimkus. And that is probably a question for Mr.
Friedman and Mr. Podonsky. But, again, I have been on the
telecommunications, the tech committee and stuff, but I think
the only way you can really--information gets compromised in
one or two ways. You either have hackers that can use the
system to move through, so you have to sever the connection. Or
you have actually humans who surreptitiously, illegally, as in
flash drives, grab information. And we know that has happened
in the past, too.
So that for security aspects, one would be sever the
connections on the green network so that it does not have? And
that is what you recommended. And the question would be to Mr.
Podonsky and I guess Mr. Friedman, your analysis. Has that
happened? And can it? Or can you not do the mission if you do
that?
Mr. Podonsky. So far, Congressman, we have never identified
any pathway from the green to yellow network. However, we
strongly believe that the yellow network that we are referring
to, which varies from lab to lab and site to site in terms of
what goes on there, the certification and accreditation process
that is part of the Department, and Mr. Friedman talked about,
is there to make sure that we look at some of these
sensitivities of these networks.
While my colleague from GAO mentioned that there is no
classified, or supposed to be, on the yellow network, the fact
of the matter is we do need a classification process for
classified information.
The labs also do need a sensitive process. We need better
controls. There is no doubt in our minds from the oversight
perspective that while the information is not classified but is
sensitive, that doesn't mean it is not valuable to somebody.
And that is what we are concerned about. But we also believe,
as I said in my opening statement as well as the written
testimony, that we believe there are things that we can do,
like encryption of the information that is on the network.
Mr. Shimkus. The yellow system, can they e-mail outside of
the system? If you are on the yellow network, can you e-mail to
like Berkeley or the country of Georgia? And if you can, is
that then a main pathway of concern?
Mr. Podonsky. Yes, it is. And they can. And one of the
things I mentioned, and I want to reiterate my point in my
opening statement, is that we need to make tighter controls on
making sure that if somebody who is unauthorized into the
yellow network cannot send the information out the way our red
team did. And there are mechanisms that can be used by the
Department to prevent that as best we can.
One of the other problems is at Los Alamos, for example--
and it is not unique to Los Alamos and it is not unique to DOE,
I can emphasize--is that when you have 25,000 individual
laptops or stand-alone computers and these people are cleared
to use those, there is also a trust factor. And we have seen at
all the sites within the Department sometimes that human factor
fails. So what we do need is we need systems in place to put
tighter controls.
Mr. Shimkus. I am just trying to do a comparable to our
systems here. We have the Web sites, we have the e-mails. There
are some firewalls that disallow individuals from e-mailing us
unless they kind of identify that they are from the
constituency, and there is a blocking portion of that. I am not
sure if that is off-the-shelf type--of probably not very--
because we really don't handle sensitive--it might be sensitive
politically or for other purposes, but not to the extent that
this is. This is of a concern.
So I would--that would be where I would follow up, is
trying to make sure that the individuals are well-screened and
we do the background checks. Foreign nationals is a concern.
And the risk, the whole question of risk and reward based upon
the available information and the work that foreign nationals
can do.
So, again, this is my first oversight investigation hearing
on this subject. I know this committee continues to be very
diligent. We have had really bad case scenarios in the past.
And I just pledge my support to the chairman to be engaged with
him as we move forward. And thank you for your time.
Mr. Stupak. I appreciate that. I appreciate the gentleman's
comments.
If I just may. On this yellow that you were talking about,
yellow network. Information out there may be unclassified. But
if I take a piece of yellow unclassified, put it with another
piece of yellow unclassified, put it together, that information
then could become classified. Is that?
Mr. Podonsky. If I can, Mr. Chairman. We call that the
mosaic effect. And I would say it is counterintuitive to think
that there is not a value of the information on the network. It
is speculative for any of us to say that it would actually fit
together and become classified. But irrespective of whether it
is classified, the sensitivity can be of extreme value to
people who mean to do harm to our Nation. It may not be in the
realm of national security information, but let me give you an
example.
We sometimes send things that are password protected. We'll
send a message, and then it will be followed up by another
message that has the password in it. So if--I am not from the
Intelligence Committee, but if somebody is vacuuming up all the
information they can, they can put those two together and get
that password protection. Again, it's not classified, but it's
sensitive enough that we need to have stronger controls in
place.
Mr. Stupak. Mr. Friedman.
Mr. Friedman. Mr. Stupak, first of all, the mosaic effect
is important. And you described it well, I think. But one of
the problems with the yellow network, and it's not--it's
understandable and it's the nature of the contents of the
network, is that--and if you recall, if I might divert you for
a second. In 2005 or 2006, we had the exfiltration of PII,
personally identifiable information, at the Albuquerque Service
Center, I believe.
One of the problems is that this information, while it may
not be classified, if it falls into the hands of the wrong
individual, that individual could conceivably be exploited by
an inappropriate source. So there are--it's sensitive
information that needs to be carefully protected.
Mr. Stupak. Mr. Dingell for questions, please.
Mr. Dingell. Mr. Chairman, I thank you. Mr. Chairman, first
I would like to insert in the record a letter received by me
from Mr. Terry D. Turchie, which pretty much speaks for itself
about the situation with regard to security at the Lawrence
Livermore National Weapons Laboratory. I will have some
questions about that after I finish my first set of questions
and perhaps some later time.
These questions, yes or no. Mr. Podonsky, in your testimony
you mentioned one of your most recent red teams was able to
penetrate the networks of two DOE labs. Is that correct?
Mr. Podonsky. That is correct, sir.
Mr. Dingell. Which were those?
Mr. Podonsky. They were two science labs.
Mr. Dingell. You don't want to identify them by name?
Mr. Podonsky. I am happy to identify those in executive
session, sir.
Mr. Dingell. Thank you. Mr. Podonsky, isn't it true that
your red team was able to download very large quantities; i.e.,
gigabytes, of data, some of which were sensitive, without being
detected by DOE authorities?
Mr. Podonsky. Yes, sir.
Mr. Dingell. Mr. Podonsky, you also indicated that the
level of access your team was able to quickly obtain over the
course of just a few months would have allowed you to change
data or otherwise corrupt a particular lab's cyber network.
Isn't that correct?
Mr. Podonsky. Yes, sir, it is.
Mr. Dingell. Mr. Podonsky, I am gathering what your red
team did to these labs' cyber networks has rather profound
security implications. Is that correct?
Mr. Podonsky. Yes, sir, it does.
Mr. Dingell. Mr. Podonsky, doesn't this suggest that the
DOE does not currently have sufficient capability regarding its
cyber defenses?
Mr. Podonsky. No, sir, it does not.
Mr. Dingell. What, in your words, does this exercise
suggest as to the capability of DOE and its labs to thwart
cyber attacks?
Mr. Podonsky. What it tells us, Mr. Dingell, is that we
have some of our sites that are inconsistent in their
application of DOE policies. We have some sites that perform
better. But, overall, the Department of Energy as the rest of
the government has to strengthen our cybersecurity networks.
Mr. Dingell. Mr. Podonsky, isn't it true that in addition
to the access your team gained at these two sites, by
installing your own malicious programs on a number of their
laptop computers your red team was able to make important
footholds into the networks of other facilities after these
laptops were legitimately connected to their respective
networks?
Mr. Podonsky. Yes, sir. That is correct.
Mr. Dingell. Mr. Podonsky, moreover, didn't additional
activity conducted by your red team demonstrate your team's
ability to possibly move around throughout a number of DOE
sensitive networks?
Mr. Podonsky. We believe that that would have been the case
if we had continued on with the activity.
Mr. Dingell. What more can you tell about that?
Mr. Podonsky. Well, we terminated our activity because we
were aware that there was actual infiltration in some of the
sites that we were looking at.
Mr. Dingell. Now, Mr. Wilshusen, yes or no again, please.
Some have suggested the information on the yellow unclassified
network at the labs is not sensitive enough to warrant major
action to protect it. This is a question that our chairman has
been raising on this. I gather you don't agree with that
statement.
Mr. Wilshusen. That is correct; I do not agree.
Mr. Dingell. Now, Mr. Wilshusen, in fact your reports say
that the information in the Los Alamos unclassified network
contains such information as Naval propulsion data, personally
identifiable information, unclassified controlled nuclear
information, and a host of other sensitive categories of
information. Is that correct?
Mr. Wilshusen. That would be those categories of
information. Yes.
Mr. Dingell. Could you mention any other categories that
should be addressed?
Mr. Wilshusen. Did you include our unclassified controlled
nuclear information?
Mr. Dingell. Yes.
Mr. Wilshusen. OK.
Mr. Dingell. Mr. Wilshusen, isn't it the case that your
report said that that kind of information is a valuable target for
foreign governments, terrorists, and industrial spies?
Mr. Wilshusen. Yes.
Mr. Dingell. Mr. Wilshusen, I gather that GAO does not
believe, given your findings at the labs, the DOE as a whole is
sufficiently prepared for cyber attacks or cyber intrusions. Is
that correct?
Mr. Wilshusen. I would say that they are at increased risk.
Yes.
Mr. Dingell. And that would be a substantial risk?
Mr. Wilshusen. It could be. Yes, sir.
Mr. Dingell. Now, Mr. Podonsky again. Let's talk about--
let's talk about this. The Director of Los Alamos remarks in
his testimony that your office's draft audit report for August/
September recognizes that Los Alamos National Laboratory is
making progress in many security areas. Is that correct?
Mr. Podonsky. That is correct. They are making improvements
that we have not seen in 20 years.
Mr. Dingell. But I gather, however, that the lab is still
not out of the woods when it comes to physical security. Is
that correct?
Mr. Podonsky. There are areas that they need to improve
upon, but they have made quantum leaps from our last
inspection.
Mr. Dingell. Ms. Bowden, isn't it true that DOE's Office of
Independent Oversight found major concerns regarding Lawrence
Livermore's security capability in April of this year?
Ms. Bowden. Yes, sir.
Mr. Dingell. Ms. Bowden, in your testimony you say
concerning the exercise that, and I quote, ``Livermore received
the lowest possible rating for protective force performance and
protection of classified resources.'' Isn't that correct?
Ms. Bowden. Yes. That is what the Office of Independent
Oversight found.
Mr. Dingell. And, GAO, to the extent that you can identify
this in an unclassified setting, how did Lawrence Livermore get
into this position and what are the root causes?
Ms. Bowden. Well, in a general sense, and based on our
preliminary observations, because this work is ongoing, we
discussed that question with officials at the laboratory and
with officials--Federal officials at the site office. And there
are a number of factors that may have contributed, though we
will continue to work on this.
Those included focus--a focus shift on contract transition,
the declaration of the site as non-enduring for Category I
special nuclear material. And, in addition, frequent security
policy changes over the different design basis threats that had
been issued over a period of time.
Mr. Dingell. Thank you.
Mr. Podonsky, it was your claim that GAO referred to in
their testimony as doing the physical red teaming of Lawrence
Livermore. Is that correct?
Mr. Podonsky. Yes, sir.
Mr. Dingell. Mr. Podonsky, I have limited time so I know
you will speak quickly. But tell us how you believe Lawrence
Livermore got into the posture where it has performed so
poorly.
Mr. Podonsky. It's a mystery to us, Mr. Dingell, because we
have seen in our last inspection before the spring that they
were performing well. We do believe that a great contributor
is, as the GAO just mentioned, having to do with the contract
change-out.
Mr. Dingell. Ms. Bowden again, if you please. One of the
concerns you have raised in your report about Los Alamos's
physical security posture is the cyclical nature. What--that
is, the labs appear to improve when they have had a mishap and
know that they are under scrutiny. Is that correct?
Ms. Bowden. Yes, sir.
Mr. Dingell. Ms. Bowden again. What explains the root cause
of the cyclical nature of the security at the labs, and how can
we prevent this?
Ms. Bowden. In our report we have made several
recommendations that we think will address sustaining
improvements over time, the first of which is providing better
financial incentive for effective security performance in the
contract determinations for the award fees at the end of each
fiscal year. In addition, we feel it's important to ensure
adequate NNSA site office oversight of security on a consistent
basis at the laboratory.
Mr. Dingell. Mr. Chairman, because of the limited amount of
time, I request that this letter be inserted in the record, and
I would ask that our witnesses give us their comments on the
findings and the statements made in the letter, and I would ask
that the record be kept open so that that may be inserted into
the record at the appropriate fashion in time.
Mr. Stupak. Without objection. I would also note that it's
in our binder. So it will be made part of the record, Mr.
Chairman.
[The information appears at the conclusion of the hearing.]
Mr. Dingell. Thank you, Mr. Chairman.
This to Mr. Friedman. The Federal Information Security
Management Act requires that the Office of the Inspector
General conduct an independent annual evaluation to determine
whether the Department's unclassified cybersecurity program
properly protects its information systems. Is that correct?
Mr. Friedman. That is correct.
Mr. Dingell. Mr. Friedman, in 2008, your evaluation report
of the Department's unclassified security program states: The
Department continues to make, quote, incremental improvements
in this program. Yet, isn't it true that you have continued to
find ongoing concerns with DOE's cyber defense capability?
Mr. Friedman. That is correct.
Mr. Dingell. Mr. Friedman, in fact, isn't it correct that
your latest reports found the following over the past few
years: Unsolved issues surrounding risk assessments and
adequacy of security controls? Yes or no?
Mr. Friedman. You are correct, sir.
Mr. Dingell. Lack of centralized department-wide inventory
of information systems.
Mr. Friedman. That is correct.
Mr. Dingell. That is a fairly simple thing to do, isn't it, to
perform that particular act?
A failure of some sites to complete contingency disaster
plans.
Mr. Friedman. Correct.
Mr. Dingell. Failure of Department officials to implement
Federal and Department security requirements in a timely
manner.
Mr. Friedman. That is correct.
Mr. Dingell. Mr. Friedman, in your opinion, do these
weaknesses continue to exist?
Mr. Friedman. They--our reports are current. And the answer
to your question, Mr. Chairman, is that until we do another
review and see that they are not in effect, we will continue to
believe that they exist. Yes.
Mr. Dingell. Now, why do these security questions and
weaknesses continue to exist?
Mr. Friedman. That is one of the most perplexing questions
that I deal with every day, Mr. Chairman.
Mr. Dingell. It seems to be a leadership problem. Doesn't
it?
Mr. Friedman. Well, I would say this. The conclusions that
we reach after thinking about this over a great deal of time is
that the Department lacks the ability to close the game, in the
sense that a lot of good actions are initiated but they don't
get completed and implemented. And that seems to be a problem.
Mr. Dingell. Thank you.
Mr. Chairman, I appreciate your courtesy. Thank you.
Mr. Stupak. Thank you, Mr. Chairman.
Mr. Burgess for questions.
Mr. Burgess. Thank you, Mr. Chairman.
Let me ask a question to the GAO related to the management
of the money available for security. How much money have we
allocated for overseeing that security's implemented and
followed?
Ms. Bowden. In fiscal year 2007, it was about $188 million.
Mr. Burgess. And so that is not a huge sum by Washington
standards, but a significant sum, and the problems persist.
What sum is it going to take so that we get to the place we
want to be?
Mr. Wilshusen. That is a very difficult question to answer,
and I don't know if I can point to say this is the sum that is
needed. I think what I can say, though, is that the agency
needs to properly assess its risks and determine what policies
and procedures that they need to implement to cost effectively
reduce those risks to an acceptable level.
We have to remember that security is a risk management
problem; it's not a risk elimination or risk avoidance problem.
Because you can throw so much money at security and you can
lock down everything, but at the same time the costs would be
prohibitive as well as it will probably take a major hit on
productivity. So it's really a balancing act to determine how
much is necessary to secure the systems based on risk.
Ms. Bowden. And if I may clarify, the dollar figure was for
Los Alamos.
Mr. Burgess. But we are going to have--it will be budget
time again before we know it, and we are going to have to be
thinking through these things. At some point we are going to
need some advice from people like you as to whether or not we
are doing our job in providing you the resources; i.e., the
funds that you need to hire the personnel, to purchase the
software, to run the red teams, to make sure that things happen
the way that they are supposed to happen.
Mr. Wilshusen. Well, certainly what I will say, too, is
that for many of the recommendations that we are making in our
reports that are being released today, much of that would not
necessarily require additional acquisition of software devices.
It's more of a management issue, taking the security controls,
the devices that are presently there, and configuring them in
such a manner to make them more secure.
Mr. Burgess. We may come back to the management question in
just a moment. But is it also a matter of time?
Mr. Wilshusen. Yes, sir. Time is of--in our view, time is
of the essence in terms of taking the corrective actions to
improve the security over the unclassified network at Los
Alamos, because of the sensitive information it contains and
because of the risks associated with the weaknesses that we
have identified.
Mr. Burgess. Well, giving you more time may increase the
risk. Providing you more money, if you can do it in a shorter
period of time, in my mind at least, would be a reduction of
risk. I am just not sure how much. I am not sure how much
flexibility we should be willing to give on time for
implementation just because of the risk that is out there. I
mean, and it's not just you, but certainly your area is--it's
such a significant vulnerability that we really can't overlook
it.
A question, Mr. Podonsky, about the number of laptops. What
was the number that you told us, the number of laptops that may
move around?
Mr. Podonsky. I misstated. I was meaning the stand-alone
sets of computers, which I said were 25,000 users at Los
Alamos. And I used that example to answer Chairman Stupak's
questions about the vulnerability of the yellow network.
Mr. Burgess. What would be the correct figure for the
number of laptops that may move around in so-called trusted
circles within the lab?
Mr. Podonsky. I don't have that number. I would have to get
that number and get it back to you.
Mr. Wilshusen. One of the things that we've identified on
our review was that there are about 13,000 users. Now, this is
just on the unclassified networks, so I can't comment on all of
the networks at Los Alamos. But just for a scope. There are
about 13,000, a little bit over 13,000 users on the
unclassified network, and that network contained about 25,000
devices. And so those would include work stations, but also
routers, switches, and other types of devices.
Mr. Burgess. But as we have seen from these reports and
other areas, a misplaced laptop is a source of great
vulnerability. And all of us, you and us, are under great
scrutiny in that regard to make certain that these very
powerful and very useful devices--they can certainly increase
productivity but they really expose a great deal of
vulnerability if we are not careful. So I just wonder if we
shouldn't be a little bit more circumspect about the number of
devices that are actually out there with information.
I think it was on this panel that we heard about the
purchase of some of the equipment, which is proprietary
equipment, with USB ports that might be vulnerable to access.
And we sealed them up with JB Weld--which is a good Texas
product, so I am glad but we used JB Weld, but it just seemed
like a significant oversight in the purchase of that equipment
to lead us to that degree of vulnerability. And then laptops
that can move around so easily and be left somewhere or stolen
or lifted, or even if someone did have an idea to do something
that they shouldn't be doing, it just makes it that much easier
for the person who has a criminal intent.
I guess, Mr. Podonsky, this is for you. On the issue of--I
think we've talked about this before on this subcommittee,
about this issue of encryption and sequestration. How is that
project going? Where are we with that? Can you develop that a
little bit for us on the sequestration and the equipment side?
Mr. Podonsky. What I can tell you--first, I am sure the
second panel can give you more clarity on how far they have
gone in that arena. But from our inspection process, we don't
feel that enough of the sites are encrypting the information
that needs to be encrypted. There is--
Mr. Burgess. Why is that?
Mr. Podonsky. Well, because the policy says it is preferred
that the information be encrypted. And we have learned over
time that unless there is a regimented language that says you
shall encrypt it, then using the word ``preferred'' becomes
an accounting option. And we find that a little disturbing.
Mr. Burgess. Too much flexibility, in other words?
Mr. Podonsky. That is what we believe.
Mr. Burgess. Now, is there any problem with obtaining the
software or the type of software that is available? Is there a
satisfactory program that is out there that you all are using
for the encryption?
Mr. Podonsky. I believe the software is out there; but I
also understand that the process would be a little bit less
convenient when doing business.
Mr. Burgess. And what about the sequestration aspect of it?
Mr. Podonsky. I will have to defer to the CIOs.
Mr. Burgess. And I think it was your testimony where you
said the attacks were becoming more sophisticated, more
targeted. Are they also becoming more frequent?
Mr. Podonsky. Yes, sir, they are.
Mr. Burgess. And do we have a general idea of where they
are coming from?
Mr. Podonsky. I think that is a question that really should
be answered in the executive session.
Mr. Burgess. Fair enough. We will do that.
A question was asked about what caused the lower security
level at Livermore, and I think you answered, Mr. Podonsky. But
Ms. Bowden, do you have an opinion on that as well through your
study?
Ms. Bowden. I think we both agree that there was a shift in
focus to the contract, the management and operating contract
transition.
Mr. Burgess. And that is at Livermore?
Ms. Bowden. Yes.
Mr. Burgess. Because at Los Alamos, we had the contract
evaluation but we didn't change the contract. Correct? Do I
remember that correctly?
Ms. Bowden. The contractor was changed in 2006.
Mr. Burgess. At Los Alamos?
Ms. Bowden. Um-hmm.
Mr. Burgess. So when we talked about some of the leadership
problems as that, do you think that has been dealt with
satisfactorily?
Mr. Podonsky. Sir, I would like to answer that, having
inspected Los Alamos for the last 24 years. The answer is
absolutely we see a sea change that we haven't seen there
before. I just came back from the Los Alamos inspection
closeout for my independent oversight, and we have seen a lot
of improvements. We have seen commitments that we don't think
were just pabulum. And we believe it's because of the
accountability. We know that they are watching our enforcement
actions and compliance orders. We know that they are paying
attention to the inspections.
Mr. Burgess. And do you think that there's going to be a
way to extrapolate those successes to, say, the Livermore
facility?
Mr. Podonsky. I am sorry?
Mr. Burgess. Is there going to be a way to extrapolate
those successes to other facilities where we've fallen behind?
Mr. Podonsky. Based on the aggressiveness by which the
Livermore folks are addressing our very serious concerns from
the spring inspection, we are hopeful. But, again, the
sustainability is going to be an issue that we are going to be
watching.
Mr. Burgess. Very good.
Thank you, Mr. Chairman. I'll yield back.
Mr. Stupak. I thank the gentleman.
Ms. DeGette for questions.
Ms. DeGette. Thank you very much, Mr. Chairman.
I would like to follow up on some of the questions that Mr.
Dingell was asking. The first one being, on this yellow
network, the unclassified network, there is still sensitive
information. And everybody has agreed with that here today. And
the question is, what dangers do we have if people can access
that information? Because even though it's not classified, it
still is important. Mr. Dingell mentioned a couple of the
nuclear issues, but I just want to go through the list that the
GAO listed in their report because it's really kind of
shocking.
Business proprietary information. The nuclear information
he talked about. Export control information. The military
critical technology list. Confidential foreign government
information. And personally identifiable information, including
names, aliases, Social Security numbers, and biometric records
of employees, contractors, and visitors.
Now, a lot of this information if someone were to access it
would be criminal and even worse. This is not just completely
neutral information. And so I have some follow-up questions on
what is happening to try to preserve that information.
I guess my first question would be maybe to you, Mr.
Podonsky, is do you think that the labs or the DOE have the
technical expertise and resources to protect this information
that is currently residing on the unclassified networks?
Mr. Podonsky. Congresswoman DeGette, we do believe that the
technical expertise exists within the laboratory community as
well as with the rest of the Department. We do also believe
that the sensitivity--we share your concerns about the
sensitivity that is on the yellow network. That is why I have
said in my testimony and in my opening statement we do believe
tighter controls are necessary.
Ms. DeGette. Well.
Mr. Podonsky. If I might continue. As exemplified by our
red teaming effort, and we are not the most sophisticated red
teaming hackers in the world, but given our capabilities and
what we were able to do, that should give us all pause as to
what we need to do.
Ms. DeGette. I was going to ask that question in a minute,
because unlike my friend, our ranking member, I have been on
this committee for 12 years and I have been to Los Alamos and I
have been in these hearings and we have you guys down all the
time. And every time you come in, you say, you know, we have
these risks, we have these problems. It's always cropping up
some other place. So if we have got the expertise and
capability to do it, here's my simple question to you, why
aren't they doing it? Because you are right, it's not just the
yellow information, it's the red information.
Mr. Podonsky. I can give you an opinion from oversight as
to why the Department is not doing it.
Ms. DeGette. I would love that opinion.
Mr. Podonsky. And our opinion is it's not always been the
highest of priorities from different administration to
different administrations. I would also say--
Ms. DeGette. But we have had this administration now--do
you mean Washington administration or lab administration?
Mr. Podonsky. No. Washington administration.
Ms. DeGette. Well, we have had this administration 8 years.
Mr. Podonsky. In 2000, ma'am, we came to the floor of this
hearing room and gave a demonstration, a live demonstration of
how we could crack codes of passwords.
Ms. DeGette. I remember it. I was there.
Mr. Podonsky. So we know that these problems exist.
Ms. DeGette. So why--we have had this administration 8
years. Is your testimony today that it has been a low priority
for this administration? Yes or no?
Mr. Podonsky. No, ma'am.
Ms. DeGette. Then why haven't we done it?
Mr. Podonsky. I don't have a complete answer for you
because I am not within the CIO's office. That is in the next
panel. But from our perspective, we have written reports on
this very subject multiple times.
Ms. DeGette. I am frankly, with all due respect, I am not
particularly interested in the written reports. I am interested
in when are we going to do this. If we have got the technical
ability to do it, if we've identified the problem, then how
quickly could we solve the problem if appropriate attention
were given? Anybody can answer that if you know the answer.
Mr. Podonsky. I don't know what my colleagues on the panel
think, but I think this is a problem that can be solved.
Ms. DeGette. No. How soon can it be solved?
Mr. Podonsky. As soon as the resources are applied.
Ms. DeGette. OK. So it's a resource question. That goes
back to Dr. Burgess' question, which is, what kind of resources
are we talking about here?
Mr. Podonsky. We're talking about dedicated people within
the cyber community to solve the problems.
Ms. DeGette. How many dedicated people? How much money?
Mr. Podonsky. I would have to--without just giving it off
the top of my head, I couldn't tell you that. But I think that
we have--
Ms. DeGette. Do you know that?
Mr. Podonsky. I believe we have it in the Department. We
have the technical intellectual capabilities and we have the
resource capability to make the changes.
Ms. DeGette. All right. So if you could supplement your
answer within 30 days, I would appreciate it, telling us what
kind of resources we would need to give to this.
Now, let me ask another question. And again if other people
know, please chime in. Do we, if we have got the ability to do
it and it's just a matter of resources and priorities, do we
have a full inventory of all the information that is residing
on these unclassified networks?
Mr. Podonsky. I don't believe that we have a complete
inventory on what resides.
Ms. DeGette. Is that something we would need to do?
Mr. Podonsky. That would be a major undertaking for
millions and millions of documents. And I am not so sure,
Congresswoman DeGette, that that is the best use of the monies.
The best use of the monies is to protect the information from
going out, and protect the information from having access by
hackers.
Ms. DeGette. It would probably also be worth reviewing
categories of information to see if we really do need to have
that on our networks then if we can remove it. Correct?
Mr. Podonsky. Yes, ma'am. And that would be up to the
individual program offices as to what types of information they
are allowing their folks to put on the network.
Ms. DeGette. Well, maybe not. Because for some of these
types of information, you could probably make a decision from
the top whether you needed to have that information on
certainly unclassified yellow networks. Information like
aliases and Social Security numbers and biometric records of
employees. It's hard to see how you would need to have that on
some kind of a network. What do you think?
Mr. Podonsky. Well, I don't know how they use all the
information, but I do know they use that network to conduct
business. And they separate that from the classified.
Ms. DeGette. See, what I worry about, though, is if you are
leaving it up to each individual department head, that then you
have no overall standard by which they could weigh it. So if
you had an overall standard, then they could come in and ask
for an extension if they had a need to put that on the network.
Mr. Podonsky. And the CIO when he came on board in 2005, I
believe, or 2006 put together with the three undersecretaries a
governance model of federalizing the federation of policy that
has the overarch policy, and then NNSA, Science, and Energy are
able to tailor that to what their individual missions are.
Ms. DeGette. Now, Mr. Podonsky, do you think that the DOE
lab should consider removing certain information on the
unclassified network or increase its level of classification?
Mr. Podonsky. As I said, Congresswoman DeGette, the
laboratories need to take a good look, and the Department, in
making sure that there are stronger protections of that
information. Some of that information may need to be removed.
But one of the problems is, where do you put it? If you put it
on the classified net, you have now redefined what classified
is.
So I again go back to our oversight perspective, is we need
to keep people out of it, and we need to make sure that we have
a rigorous process to make sure that anybody that might get in
it cannot send information off the net.
Ms. DeGette. What is your opinion on that, Mr. Wilshusen?
Mr. Wilshusen. Well, I think I would also agree to the
point that the information on that yellow network, whether or
not that should be upgraded, if you will, and then reclassified
and then put on the red network is a decision that is whether
or not that information is classified or not. And that is
something that needs to be done, and it probably has already
been done, you know, it's been determined to be sensitive but
unclassified. That is why it's on the yellow network.
But I agree with Mr. Podonsky, that the first thing that
needs to be done is to better protect the information that is
on that network by--
Ms. DeGette. I want to ask you one more question. Do you
think there is some argument to be made about maybe making an
intermediate network between the yellow and red networks for
some of this unclassified information? You don't want to be
calling things, as Mr. Podonsky rightly says, you don't want to
be calling things classified if they are not. On the other
hand, there are things that might be sensitive, like employees'
Social Security numbers that are not necessarily classified
information.
Mr. Wilshusen. Right. And because of that, such as
personally identifiable information needs to be protected. But
should that be on a different network? That is what the yellow
network is for; it's the unclassified protected network.
Ms. DeGette. So your view is we need to protect that
network better.
Mr. Wilshusen. Yes, ma'am. And--
Ms. DeGette. I just want to say, I know you folks can't
make the rules, you can only make the recommendations. And I am
sure that--you don't have to answer this, I am sure that many
days you are just as frustrated as we are; you keep identifying
these problems but yet no progress is made. So I want to thank
you for your commitment to these issues. They are very
important.
Mr. Wilshusen. Thank you.
Mr. Stupak. Mr. Shimkus has a quick question, and then we
will go on to Mr. Inslee.
Mr. Shimkus. And I will be brief. One thing I wanted to
follow up with what I didn't was just an overall assessment of
the corporate culture, or the culture of these labs and this
whole issue. I agree with Chairman Dingell that it's
leadership, and its leadership goes from the top and then the
director of the lab, the director of the sub environments.
Has the corporate--let me, Mr. Wilshusen first. Has the
corporate--did you evaluate the culture of the labs? And with
respect to my colleagues who have been on this issue for a long
time, which again which I haven't, has the culture changed
positively in the security environment for the labs?
Mr. Wilshusen. Well, related to just the cybersecurity
portion of it, and I will defer to Ms. Bowden on the physical
security, we have just completed our review, and that is our
first review that we have done reviewing cybersecurity out at
Los Alamos. We have noted that some of their technical folks in
terms of technical security individuals are among some of the
better ones within the Federal Government. And, indeed, they
implemented many innovative techniques to try to secure their
unclassified network. However, we also found though that there
were still a number of very significant vulnerabilities that
impaired their ability to adequately protect that information
on their network.
But in terms of the culture, I think there has been a
change over the last year from what we have seen during the
course of our audit. It seems like they are more concerned
about the cybersecurity. But whether that is in response to our
initial field site visits and how long that remains, of course,
remains to be seen.
Mr. Shimkus. Mr. Friedman, can you respond to that?
Mr. Friedman. Yes. In all fairness, while we still find
problems and there are still concerns, and a lot of them are
serious, I don't think there is any question that the results
of our work suggest, and our interactions with the laboratory
personnel, that there has been a change in mindset, much more
aggressive in the area of security. It may be beyond their
capability to fix all the problems, but I think--and I have
been observing this, sir, for three decades--there is a change.
There is no question about that.
Mr. Shimkus. Thank you. And I would just hope that the
position would be--I am not going to ask Mr. Podonsky to follow
up, but I would just say, if there is a positive change in the
culture, we need to push hard to sustain that change.
Thank you, Mr. Chairman.
Mr. Stupak. Thank you.
Mr. Inslee for questions, please. 10 minutes.
Mr. Inslee. Thank you. There has previously been a letter
entered into the record from Mr. Terry Turchie that discloses
very significant concerns by him. He's formerly with the FBI
and he served as senior counterintelligence officer at Lawrence
Livermore Nuclear Weapons Laboratory. This letter is dated
September 1, 2008. And basically the letter is intended to
alert Congress, it's a letter to Chairman Dingell, of what he
considers very serious failures to focus on
counterintelligence.
He describes there being a significant change from an
emphasis or at least a significant commitment to
counterintelligence to simply what he considers intelligence
gathering. And he outlines in his letter quite a number of
occurrences that would suggest there has been, at least in his
view, a significant reduction in counterintelligence as he
would define that activity. That, to me, is a significant
issue, and I just would ask for the comment of any of you to
respond to those concerns.
I want to note, too, that there are many people that are
disgruntled with Federal activity. This is a gentleman who
seems to have credibility, his resume is pretty outstanding,
and I think his concerns ought to be ones that we would
investigate. So I would ask for any of your response, I don't
know if you have seen the letter, could respond to the general
issue he has raised. His letter in general discusses a lack of
financial and organizational commitment to counterintelligence
as opposed to just what he would consider intelligence
gathering. I just would ask for your comments, if you can
provide them.
Mr. Podonsky. The only thing, Congressman, that I can tell
you is that, number one, I have not seen the letter. We do work
with the intelligence and counterintelligence office, and I
could not give you any informed answer to your question based
on our interaction with the intelligence/counterintelligence.
But I would also defer to the second panel where the director
of the counterintelligence is going to be a witness.
Mr. Inslee. Well, I would ask the panel to take a look at
it and provide us your review, if you can do so. I do think it
brings up some significant issues which would suggest there has
been a real change of emphasis, and we would appreciate your
further comments. Thank you.
I yield back.
Mr. Stupak. The gentleman yields back. Let me thank and ask
this panel--that's all the questions we are going to ask you in
open session; as you referred to once or twice, we will go to
closed session after the next panel. So I would ask that you
just stay in the vicinity, not necessarily have to sit in the
hearing room because we are going to do the next panel which
has eight witnesses. It will take us some time, but we are
going to go into closed session. We will invite you back for
closed session. Thank you.
I am going to ask our next panel to come forward, please.
On our second panel we have Dr. Michael Anastasio, the
Director of the Los Alamos National Laboratory; Dr. George
Miller, who is the Director of Lawrence Livermore Laboratory;
Dr. Thomas Hunter, who is the President and Laboratory Director
at Sandia National Laboratories; Mr. Thomas Pyke, Jr., who is
the Chief Information Officer at the Department of Energy; Dr.
Linda Wilbanks, who is the CIO, Chief Information Officer, at
the National Nuclear Security Administration within the
Department of Energy; Mr. Bradley Peterson, who is the Chief
and Associate Administrator for the Defense Nuclear Security at
the National Nuclear Security Administration within the
Department of Energy; and Mr. Stanley Borgia, who is the Deputy
Director for Counterintelligence in the Office of Intelligence
and Counterintelligence at the Department of Energy.
Have we got everybody? We are missing Dr. Wilbanks. We will
have to wait for Dr. Wilbanks here for a minute. It will be
just a second. And it looks like Mr. Peterson, too.
[Brief recess.]
Mr. Stupak. It is the policy of this subcommittee to take
all testimony under oath. Please be advised that witnesses have
the right under the rules of the House to be advised by
counsel. Do any of you wish to be advised by counsel? Everyone
shook their head no. So we will do the oath.
Do you swear or affirm that the testimony you are about to
give will be the truth, the whole truth, and nothing but the
truth in the matter pending before this subcommittee?
[Witnesses sworn.]
Mr. Stupak. Let the record reflect all of our witnesses
took the oath. You are now under oath. We will start with 5-
minute opening statements.
I understand, Mr. Peterson, you wish to go first. So we
will accommodate that request for your opening statement,
please.
STATEMENT OF BRADLEY A. PETERSON, CHIEF AND ASSOCIATE
ADMINISTRATOR, DEFENSE NUCLEAR SECURITY, NATIONAL NUCLEAR
SECURITY ADMINISTRATION
Mr. Peterson. Good morning, Chairman Stupak, Ranking Member
Shimkus, members of the subcommittee. My name is Brad Peterson.
I was recently appointed Chief Defense Nuclear for the National
Security Administration, the NNSA. Prior to this appointment, I
was the Director of the Office of Independent Oversight within
DOE's Office of Health Safety and Security. It gives me a
unique perspective into the issues to be discussed today. In my
new role, I have overall responsibility for physical and
cybersecurity within NNSA.
Following my remarks, Dr. Linda Wilbanks, the NNSA Chief
Information Officer with operational responsibility for
cybersecurity, will provide her opening comments.
While the NNSA faces many challenges and it has significant
room to improve, we continue to make enhancements in our
physical and cybersecurity postures to maintain strong and
robust security. NNSA operates some of the most secure
facilities in the world and generally maintains effective
physical security programs. Over the last 2 years, while there
have been some issues, we see overall progress in improving
performance at the NNSA weapons laboratories.
Earlier this year, the Office of Independent Oversight
conducted a safeguard security inspection of Lawrence Livermore
National Laboratory and identified significant weaknesses in
protective force operations, based in part on poor performance
during force-on-force training exercises.
Immediately after the inspection results were known, the
Office of Defense Nuclear Security within NNSA devoted
considerable attention to understanding the issues and
providing subject matter expertise from across NNSA. While the
NNSA was not pleased with their results from the Livermore
inspection, I can attest to the fact that the Office of Defense
Nuclear Security Livermore site office and laboratory have
taken the issues very seriously and worked aggressively to
implement corrective actions.
Livermore launched a comprehensive recovery plan, and today
we see the results of their efforts taking hold. Protection
force capability at Livermore is much improved and there are
more changes in progress.
Upon assuming my new position in June, the NNSA
Administrator directed me to dispatch a team of senior NNSA
security professionals to conduct an onsite review of the Los
Alamos National Laboratory Protective Force operation to
determine if they had similar issues. The NNSA team found that
the Los Alamos Protective Force had a strong and rigorous
performance testing program and was performing effectively.
This assessment of Los Alamos was reinforced by preliminary
positive results from the recently completed independent
oversight inspection.
Seeking to build sustainable security programs, I intend to
look across the NNSA for examples of where we are getting it
right. We are also engaging in efforts to improve the flow of
information across the NNSA security community through our
security leadership coalition. The coalition has been actively
engaged in evaluating the underlying causes of security and
management issues that we face and developing standardized
solutions. The objective of this effort is to break down
organizational stovepipes and turn a previously reactive
approach to security problems into a proactive approach.
NNSA is making real and fundamental changes to our security
program. These changes seek to reduce the opportunity for human
error by relying on engineered controls. We are also focused on
making our security challenges easier by reducing our
classified footprint. We have emphasized the need for strong
contractor assurance programs designed to spot problem areas
quickly and resolve them before they turn into real security
issues.
Finally, we need to continue to develop a strong Federal
security staff that is technically capable. We need to ensure
that our Federal oversight program takes advantage of the tools
at our disposal, including substantial deductions of award fee
for poor performance and fines provided under 10 CFR 824 when
appropriate. We also need to ensure that we are appropriately
incentivizing and rewarding the right behaviors to drive needed
improvements.
In closing, since taking over as the Chief Defense Nuclear
Security, I have seen a renewed sense of commitment across the
NNSA security community to improve performance through the
sharing of lessons learned and working collectively to address
significant challenges. Security activities at our national
labs are large and complex. The security professionals within
NNSA are working together today to reduce the opportunities for
error and react quickly to any problems that do occur.
I am confident in our ability to continue to
grow and I look forward to the continued challenge.
That concludes my opening comments. I would be pleased to
answer any questions after other opening statements.
Mr. Stupak. Thank you, Mr. Peterson.
[The prepared statement of Mr. Peterson follows:]
Mr. Stupak. Mr. Pyke, let's start with you. We'll go right
down the line. And your opening statement, please, for 5
minutes. If you have a longer statement, it will be submitted
for the record.
STATEMENT OF THOMAS N. PYKE, JR., CHIEF INFORMATION OFFICER,
U.S. DEPARTMENT OF ENERGY
Mr. Pyke. Good afternoon, Chairman Stupak, Ranking Member
Shimkus, members of the subcommittee. My name is Tom Pyke. I am
Chief Information Officer of the Department of Energy.
Over the past 3 years the Department has undertaken a major
effort to improve its cyber security posture. DOE has a
comprehensive cyber security program that includes
establishment of DOE-wide policy, a senior-level governance
structure, cyber security awareness and specialized cyber
security training, improved cyber security incident management
and compliance monitoring.
The program is governed according to a cyber security
management order issued in December 2006. This order directs
the use of a risk-based approach to cyber security management,
and it establishes a governance structure within the Department
that assigns primary responsibility for implementation of cyber
security to the Under Secretary and other senior leaders. These
senior leaders determine and assess program-unique threats and
risks and they issue direction for implementing cyber security
within their respective organizations.
DOE-wide cyber security direction, including direction for
special protection of sensitive unclassified information,
builds on government-wide guidance from the Office of
Management and Budget as well as Federal information processing
standards and other cyber security guidance issued by the
National Institute of Standards and Technology. We also follow
applicable guidance issued by the Department of Defense.
Employing a risk-based approach, DOE senior management,
including NNSA, has given special attention during the past
year to the graded protection of DOE systems and data, taking
into account threat and risk and the sensitivity of the data.
Under our cyber security governance structure, each part of the
Department reviews the sensitivity of the data under its
jurisdiction relative to the strength of the controls that are
in place to protect the data and takes action to strengthen
those controls if needed.
The management of cyber security incidents is an integral
part of cyber security management, including providing timely
alerts to the entire Department of known threats, detecting
cyber attacks as they occur or as soon as possible afterward
and responding to such attacks. The response includes reporting
all cyber security incidents to the US-CERT, which is the
Federal Government's cyber incident handling center. It also
includes mitigating the potential adverse impact of each
incident at the site at which it was detected and elsewhere in
the complex, determining the impact of the incident and
repairing any damage or disruption resulting from the incident.
Cyber attacks are increasing in complexity and frequency
and are becoming more aggressive. DOE is attacked over 10
million times each day in a wide variety of ways, and DOE has
in-depth protection mechanisms in place throughout the complex.
Even with this protection, some of the most sophisticated
attacks against DOE have, on occasion, been able to penetrate
our unclassified systems and networks.
DOE has an in-depth cyber security defense based on
industry and government best practices. And we continually
improve our defenses, including our ability to detect attacks.
However, some cyber attacks continue to evolve to avoid
detection by these defenses.
Within the Department, the Office of the Chief Information
Officer and NNSA cooperate in the reporting of cyber incidents
and support our sites as they handle each incident. The Office
of the CIO and NNSA have recently signed an agreement to
improve further the way we work together to respond to cyber
incidents. Our office also works in partnership with the
Department's Office of Intelligence and Counterintelligence as
we prepare for future cyber attacks and respond to them.
Counterintelligence data analysis associated with activities
that may have a foreign nexus provides useful input to the
cyber security incident management process led by the Office of
the CIO.
I would be pleased to respond to any questions you may
have, Mr. Chairman.
Mr. Stupak. Thank you, Mr. Pyke.
[The prepared statement of Mr. Pyke follows:]
Mr. Stupak. Dr. Wilbanks, your opening statement, please.
STATEMENT OF LINDA R. WILBANKS, PH.D., CHIEF INFORMATION
OFFICER, NATIONAL NUCLEAR SECURITY ADMINISTRATION, U.S.
DEPARTMENT OF ENERGY
Ms. Wilbanks. Chairman Stupak and members of the
subcommittee, I am Dr. Linda Wilbanks, Chief Information
Officer for the National Nuclear Security Administration. Thank
you for the opportunity to appear before you today regarding
the NNSA's cyber security program. As the CIO, I am responsible
to ensure the protection of electronic classified and
unclassified information.
The cyber threats to the Department of Energy and NNSA are
similar to those faced by the Federal Government, every public
and private enterprise, and every individual. NNSA's facilities
are targeted by over 1 million cyber attacks every day of varying
sophistication, ranging from relatively harmless curiosity
seekers to sophisticated hackers to corporate thieves and
national state and belief-based espionage.
In response to these threats, NNSA has established a robust
technical operational managerial-based approach to cyber
security of unclassified, controlled unclassified and
classified information. We believe our approach, which is
continually improving, is sound and provides effective security
for our unclassified and classified networks.
Even with a wide range of threats, I can say very
confidently that our classified networks, which protect our
crown jewels, are extremely well protected. We operate separate
networks for our classified information, which are air-gapped
from our unclassified networks. We've implemented a diskless
workstation initiative across the complex to manage the
movement of data within the classified networks.
We also have a wide range of technical and administrative
controls to manage access to the data that resides on our
controlled unclassified networks, which, while not classified,
may include important information. This information requires
added protection, including encryption during transmission and
at rest, the use of two-factor authentication for remote
access.
We continue to assess other controls, collaborating with
our peers in government, leveraging the results of the
assessments to find even better ways to protect our
unclassified networks. Other defense-in-depth tools we use for
cyber protection are multiple firewalls and monitoring systems
to check for incoming, outgoing and internal unclassified
network traffic to ensure it is authorized and there are no
anomalies.
When our systems detect unusual activities, we quickly
terminate the communication pathways, and when necessary,
selectively isolate portions of our network to quarantine any
potentially harmful activities. Once a harmful activity is
isolated, we deploy our exceptional forensics capabilities to
eradicate the threat, restore the systems to secure operations.
Policy and standards are an important part of establishing
an effective cyber security program, and in May 2008 NNSA's
cyber security policy was issued, addressing many previous
recommendations and findings. This policy was developed in
collaboration with our sites, incorporates the recently issued
DOE National Security Manual and many of their requirements,
such as security plans and certification and accreditation
procedures have already been implemented.
We also have established strong and effective cyber
security incident response capabilities. The DOE and NNSA have
partnered to implement a state-of-the-art facility in Las
Vegas, Nevada. This facility monitors DOE and NNSA networks and
coordinates the response to incidents by utilizing extensive
communications and collaboration among DOE/NNSA sites, other
Federal agencies, law enforcements, intelligence, and
counterintelligence.
In summary, NNSA has a robust technical, operational and
management-based approach to cyber security of the
unclassified, the controlled unclassified and the classified
information. However, we acknowledge the need for continual
improvement. We believe our approach is fundamentally sound,
but the nature of the threat changes daily. We must keep pace
with the adversary and continue to improve the collaboration
between our sites, DOE counterintelligence and the cyber
security experts across the government and industry to succeed
in the future.
This concludes my opening statement. And I'm pleased to
answer questions at the end.
Mr. Stupak. Thank you.
[The statement of Ms. Wilbanks is included with the
statement of Mr. Peterson.]
Mr. Borgia, your opening statement, please.
STATEMENT OF STANLEY J. BORGIA, DEPUTY DIRECTOR FOR
COUNTERINTELLIGENCE, OFFICE OF INTELLIGENCE AND
COUNTERINTELLIGENCE, U.S. DEPARTMENT OF ENERGY
Mr. Borgia. Thank you, Mr. Chairman.
Mr. Stupak. You may want to pull that a little closer. It
doesn't pick up very well.
Mr. Borgia. Chairman Stupak, Ranking Member Shimkus and
distinguished members of the committee, thank you for the
invitation to appear before you on a subject of importance, the
cyber threat.
I'm addressing you today as the Deputy Director of
Counterintelligence in the Department of Energy's Office of
Intelligence and Counterintelligence. However, sir, I would
like to go just a little further in my introduction, because
there is a letter that is controversial, and explain to you
that I am also a Deputy Assistant Director in the FBI, assigned
by Director Mueller to the Secretary of Energy to run the
counterintelligence program. I have been here for over 2 years,
since July of 2006, and I will continue.
We and DOE counterintelligence are both a producer of
intelligence information and a consumer of intelligence
information. We develop and facilitate the transfer of DOE-
unique information to the United States Intelligence Community
and convey actionable Intelligence Community threat information
to all departmental action offices, including the National
Nuclear Security Administration, NNSA. We appreciate that
physical security is an essential element in the protection of
information, and we participate in the National Joint Terrorism
Task Force, National Counterterrorism Center, to enhance the
protection of DOE equities.
Likewise, we are a very active member of the FBI-led
National Cyber Investigative Joint Task Force, or NCIJTF, which
allows us to provide unique DOE and NNSA information to the
cyber investigations community and collaborate at national
initiatives. Membership also provides DOE with invaluable
current cyber-based threat information relevant to our
departmental assets and critical energy infrastructure.
DOE's Counterintelligence Office performs a broad range of
cyber-related functions, including analysis of cyber security
incidents with a foreign nexus. Our work is closely coordinated
with the DOE Office of the Chief Information Officer and the
NNSA's Office of the Chief Information Officer with which we've
maintained a strong and mutually supportive relationship in the
cyber security team.
The nature of the cyber threat to the DOE complex is
constantly evolving. DOE sensors, monitoring attacks on the DOE
networks, have picked up an increased tempo of potential
adversarial activity, including network reconnaissance,
scanning for potential attack vectors and outright cyber
attacks. In 3 of the past 6 months sensors have documented well
over 400 million such indicators of hostile activity every
month.
Further, we have seen thousands of socially engineered e-
mails. They may appear to come from known associates or support
an interesting subject line, but they contain malicious
computer code designed to infect the recipient's computer,
steal and transmit information it contains, and eventually
spread to the rest of the network. A single mouse click by a
single user can contaminate large numbers of networked
computers.
In order to generate counterintelligence investigative
leads from all this activity, I have directed expanded use of
cyber techniques at DOE and NNSA. The results have been
dramatic. In particular, cyber tools developed under this
initiative have enabled investigators at the intelligence and
military organizations to make strides toward attribution for
ongoing computer intrusions directed against DOE and other
United States Government computer networks, a major
accomplishment for DOE, that has demonstrated the value of
these cyber tools for CI analysis.
The counterintelligence cyber program has developed
professional working relationships with the Defense Information
Systems Agency, the Military Service Information Operation
Centers, the military service Criminal Investigation Divisions
and the Joint Information Operations Warfare Analysis Center in
San Antonio, Texas. These are comprehensive information-sharing
relationships as well as expanded partnerships for information
and cyber data exchange. They serve to increase awareness of
the operational methods being employed by individuals and
state-sponsored entities engaged in unauthorized computer
intrusions into DOE computer networks.
DOE in collaboration with the Intelligence Community
partners, DOE national laboratories, chief information officers
and DOE cyber security use data integration tools and intrusion
detection sensors to uncover, investigate and mitigate
suspicious cyber events with a foreign nexus.
In closing, Mr. Chairman, the attacks we see place
virtually every computer connected to the Internet at risk of
compromise, including those of the U.S. Government and our
critical energy infrastructure. Moreover, an attacker has a
significant advantage over the protect-and-defend cyber
security community. DOE's Office of Intelligence and
Counterintelligence will continue to pursue all available
lawful means to detect, investigate and mitigate the pervasive
cyber threats we as a nation now face.
Thank you, Mr. Chairman.
Mr. Stupak. Thank you.
[The prepared statement of Mr. Borgia follows:]
Mr. Stupak. Dr. Anastasio, please, for your opening.
STATEMENT OF MICHAEL R. ANASTASIO, PH.D., DIRECTOR, LOS ALAMOS
NATIONAL LABORATORY
Mr. Anastasio. Thank you, Mr. Chairman and Ranking Member
Shimkus. I'm Dr. Michael Anastasio, Director of the Los Alamos
National Laboratory. Thank you for the opportunity to discuss
the lab's continuing efforts to improve and sustain security.
For my first appearance before this subcommittee in January
of 2007, I clearly understood the message from the Members:
Continued security issues at Los Alamos were not going to be
tolerated. I'm pleased to report that at Los Alamos we now have
a record of successes in both physical security and cyber
security. We've taken concrete actions to reduce risk, clarify
policy, establish roles and responsibilities and develop
solutions to continuously improve the security posture at our
site.
These measures are working. Over the past year the
laboratory has reduced potential unauthorized disclosures of
information by two-thirds, and that number continues to
improve.
My written statement details our progress, but there are
three points I'd like to make here now. First, I am especially
proud that the improvements made at the laboratory link
directly to the actions and attitudes of our employees. Members
of our workforce have very little tolerance for any of their
coworkers who are not security conscious. The workforce
understands that the Nation must trust them to handle our most
sensitive secrets, and our actions have helped justify that
trust.
Second, the changes by the employees of Los Alamos have
been coupled with an aggressive security improvement program.
For example, we've reduced the number of vault-type rooms by
one-quarter. We've reduced our classified accountable,
removable electronic media from 12,000 items to fewer than
4,000. We've designed and opened the first supervault-type
rooms and are planning for more. We've converted 94 percent of
our targeted classified workstations to diskless operation.
We've destroyed more than 40,000 classified nuclear weapon
parts and more than 3 million pages of classified documents.
We're implementing a further segregation of our
unclassified cyber network that will provide foreign national
employees access only to the information that they require for
their jobs.
And, third, in anticipation of how the cyber threat will
continue to evolve, we're developing new approaches and
technologies so that we can get ahead of the game to better
protect our unclassified networks.
I'm encouraged that the three recent assessments in the
testimony we heard on the previous panel by our external
reviewers from GAO and HSS have validated our significant
progress. However, these reports also clearly demonstrate that
we need to make further improvements. I agree, and we're moving
aggressively to address them.
Continuous security improvement is essential, and nowhere
is this more evident than in cyber security. As I expressed in
my last appearance before you, the cyber threat remains my most
great concern. This is an ever-increasing, evolving threat from
adversaries who are relentless and technically skilled.
Protecting our classified resources is my highest priority, but
further securing our unclassified yellow network is essential.
This network is the backbone of our operation. It's crucial
that we develop solutions that manage risk and allow users to
access the information they need to do their jobs. One example
is something we call ``glove box computing.'' With this
technology, a user can access, create and manipulate
information, but has no ability to remove it, similar to how we
handle nuclear material.
The cyber threat is one faced by the entire Nation. It's
something that requires a coordinated national response using
our country's combined assets, skills and experience. The
unique cyber capabilities of the national laboratories can be a
valuable resource, building on the integration efforts that are
already under way among all three of our laboratories and with
NNSA and DOE.
In conclusion, Mr. Chairman, Los Alamos is making
significant progress improving our security posture, and we are
committed to continuous improvement to stay ahead of the
evolving threat. I would like to invite you and other members
of the committee to come visit the lab and see how we're doing.
And with that, I'll thank you and be ready to take your
questions.
[The prepared statement of Mr. Anastasio follows:]
Mr. Stupak. Well, thank you. And I know the staff was just
there, and unfortunately they didn't get a chance to meet with
you. But hopefully there will be another time, and hopefully
it's not when we're there looking at a lapse or something.
But I think we all know that there have been improvements
at Los Alamos.
Mr. Anastasio. Thank you. I appreciate that.
Mr. Stupak. Dr. Miller, your opening statement, please.
STATEMENT OF GEORGE H. MILLER, PH.D., DIRECTOR, LAWRENCE
LIVERMORE NATIONAL LAB
Dr. Miller. Mr. Chairman, members of the committee, thank
you for the opportunity to provide you my perspective on the
security challenges we face together.
As the director of a national security laboratory, I am
very familiar with the threats to our Nation and take very
seriously our special responsibilities to protect special
nuclear materials and some of the Nation's most sensitive
secrets. Safety and security are my highest priorities, and
they are integrated into a single culture at the laboratory.
Particularly in the cyber security area, threats are
rapidly evolving, continue to grow more sophisticated. My
approach involves anticipation, prevention, detection, response
and sustainment through continuous improvement.
The laboratory uses a variety of techniques to assess both
physical and cyber security, and they are an integral part of
our continuous improvement efforts. These include GAO audits,
ongoing site inspections by DOE's Office of Health Safety and
Security, local site surveys and our own self-assessments.
The HSS inspection this last spring was instrumental in
helping us identify deficiencies in our security readiness. In
summary, the HSS, as you have heard, found significant
weaknesses in two areas, protective force and classified matter
protection. We've made significant progress in addressing these
inspection findings.
I led a thorough review of our actions and decisions to
identify the root cause of what was an unacceptable decline in
our protective force's level of posture demonstrated just 16
months earlier. I'm pleased to report that these actions have
significantly improved the readiness of our protective force as
demonstrated through a security incident response of a fully
integrated force-on-force with an external adversary just 8
weeks ago. This exercise was monitored both by NNSA and HSS,
and the Office of the Chief of Defense Nuclear Security
concluded that the lab's effort has resulted in a posture of
robust protection. Let me tell you how we achieved this.
In short, our analysis revealed that restrictions on and
postponement of comprehensive robust exercises due to safety
considerations had a detrimental effect on the protective force
readiness. We have addressed those safety issues and resumed
frequent exercises while ensuring the safety of our employees.
My written testimony details some of these corrective actions.
I'm committed to sustaining that performance and that level of
progress, and we have scheduled future robust exercises
quarterly to ensure that.
I believe that maintaining adequate cyber security requires
constant attention, utilizing counterintelligence experts and
information technology professionals to anticipate, develop and
deploy effective defensive systems and quickly respond to
emerging threats to assure appropriate protection.
Over the last 2 decades Livermore has hosted and staffed
the Department of Energy's computer incident advisory
capability. This staff of highly trained computer scientists
have provided support for the entire complex with forward-
looking cyber analysis assessments, best practices and
training. In this regard, HSS concluded that the lab faces
significant challenges in this area, but has the teams,
technologies and methods needed for success to effectively
deliver and address cyber security.
Protecting classified information from compromise is my
highest priority. That's why our classified network is air-
gapped from the rest of the laboratory.
We also maintain a separate unclassified network to handle
our unclassified and our business information. Within this
yellow network, different functions are segregated and
isolated. It is used for programmatic activities that are
essential for the laboratory.
These functions require external communication. It is,
therefore, connected to the Internet. But it is protected by a
firewall. And again, as I said, within that network it is
segregated--different functions are segregated. Constant daily
vigilance is required to protect the network, and we use a
comprehensive site-wide risk assessment methodology along with
shared information from my colleagues at the other laboratories
and across the Federal Government to focus our cyber security
efforts on emerging threats.
As an element of our continuous improvement, the lab has
developed a blue network to provide appropriate computer access
for essential mission work by the lab's foreign nationals and
our external collaborators. Technical controls separate that
from the yellow network.
As another example of our continuous improvement and
further segmentation of important data, last year I invested in
the building of and the commissioning of a consolidated data
center for unclassified data. This provides uniform physical
protection, appropriate backup, enhanced reliability and, most
important, state-of-the-art cyber protection.
In conclusion, Mr. Chairman, taking personal and collective
responsibility for safety and security is a fundamental value
of the laboratory and an expectation of all employees. I can
assure you that I am committed to provide the security that you
and your colleagues expect from Lawrence Livermore Laboratory.
I appreciate the opportunity to testify and welcome your
questions.
Mr. Stupak. Thank you, Dr. Miller.
[The prepared statement of Dr. Miller follows:]
Statement of George H. Miller
Opening Remarks
Mr. Chairman and Members of the Committee, thank you for
the opportunity to provide my perspective on the security
challenges facing the Lawrence Livermore National Laboratory
(LLNL) and the other NNSA laboratories. I am George Miller,
Director of LLNL and President of Lawrence Livermore National
Security (LLNS), which has been managing the Laboratory for
almost one year. I started at LLNL in 1972 as a research
physicist in the nuclear weapons program. In my career I have
had responsibilities at every level of management at LLNL. As a
national security laboratory, we are very familiar with the
threats to our nation and take very seriously the special
responsibilities entrusted to us to protect special nuclear
materials (SNM) and some of the nation's most sensitive
secrets. Particularly in the cyber area, threats are rapidly
evolving and continue to grow more sophisticated. Vigilance and
continuous improvement are required.
The Laboratory's approach to both physical and cyber
security employs a multi-layered, defense-in-depth strategy
with opportunities for regular feedback, assessment, and
improvement. This process draws on both internal and external
assessments and I will report on the aggressive actions LLNL is
taking to continue to strengthen both physical and cyber
security. Recently, DOE's Office of Health, Safety, and
Security (HSS) conducted an inspection of LLNL Safeguards and
Security and Cyber Security, and found areas of effective
performance, areas needing improvement, and some areas of
significant weakness. We took immediate action to respond to
these findings and have made significant progress. Recently the
NNSA Office of the Chief of Defense Nuclear Security stated
that improvements made in LLNL Protective Force response
capabilities since the HSS inspection ``have resulted in a
robust protection strategy.'' In the area of cyber security,
the HSS report concluded that the Laboratory faces challenges
but ``... has the teams, technologies, and methods needed for
success to effectively address cyber security program needs.''
We are drawing on those capabilities to expeditiously make
necessary improvements.
Laboratory Security and the Recent HSS Inspection
I can assure you that LLNL is committed to the safe and
secure fulfillment of its mission responsibilities. The
Laboratory takes an integrated approach to safety and security
with a commitment to continuous improvement. Safety and
security are the most important considerations in day-to-day
operations. A fundamental value of the Laboratory is for all
employees to take personal and collective responsibility for
providing for a safe and secure work environment.
An extensive security infrastructure is in place at the
Laboratory, and continual improvements are made to address new
threats and arising concerns. LLNL uses a defense-in-depth
approach to physical security that includes fences, buildings,
doors, repositories, and vaults with various levels of access
control in addition to aggressive armed defense and response
capabilities protecting the Superblock Facility, the special
area where work with SNM is conducted.
Cyber security is a growing and rapidly evolving defense
challenge for all government entities, including the NNSA
laboratories. Cyber attacks are a serious national security
threat that require interagency attention, cooperation, and
investment to improve protection. Recognizing the public trust
placed in the Laboratory to protect some of the nation's most
sensitive secrets, LLNL takes its cyber security
responsibilities very seriously. The Laboratory employs an
integrated management approach to protect its cyber resources
in an ever changing threat environment. LLNL leverages
expertise in security management, counterintelligence, and
information technology to identify and quickly respond to
emerging threats and proactively develop and deploy protective
measures. Most importantly, classified information at LLNL is
secure. It is confined to networks that are isolated and
segmented to ensure need-to-know access and well protected by
technical processes that provide both system and information
security.
Unclassified computing at LLNL is separated into
individually protected, NNSA accredited, network segments that
include a Green network, a Yellow network, and a new Blue
network. Through the use of firewalls, authorization codes, and
other means of security, this segmentation allows for greater
control and increasing levels of hardware and data protection
depending on the types of data and applications that are on
each of the networks. The Yellow network, which is subsequently
discussed in more detail, is the main unclassified network for
desktop computers, applications and databases, unclassified
programmatic activities, internal communications, and business
services. Employees receive and send email, fill out their time
card, do their on-line training, work on technical data and
information, and access benefits and other employment
information on this network. It does contain sensitive
unclassified information such as business proprietary and
personnel information that is segregated within the Yellow
network with additional access controls. The Yellow network is
restricted to Laboratory employees and collaborators. Connected
to the Internet, this network is protected by a robust firewall
and network segments that must be diligently maintained in the
face of ever more sophisticated threats.
The Blue network has recently been piloted and is now
approved for expansion. Its purpose is to provide controlled
access to assets necessary for our foreign national employees
and collaborators to do their work, but at the same time
restrict their access to resources on the Yellow network. The
Green network is lightly firewalled and provides public access
to general LLNL information including job postings.
The Laboratory utilizes a variety of tools to continually
assess and test both physical and cyber security. These include
Government Accountability Office (GAO) audits, on-site
inspections by DOE's HSS, local NNSA site office surveys, self-
assessments, risk assessments, vulnerability scanning, and
system testing conducted by the LLNL cyber security program.
These assessments provide valuable input and are an integral
component of LLNL's continuous improvement process to sustain
the Laboratory's security in an evolving threat environment.
In early March 2008, DOE HSS initiated an inspection of
LLNL Safeguards and Security and Cyber Security. Over a six-
week period, 86 auditors participated in a comprehensive
evaluation of eight security elements. The inspection was
conducted with a high level of professionalism. For example,
the composite adversary team that conducted the force-on-force
exercise was very experienced and innovative in their approach,
and they conducted the force-on-force exercise in a manner to
test LLNL's Superblock Facility security posture to specific
criteria. We value the approach taken by HSS in all facets of
its inspection and the receipt of in-depth feedback to improve
our security posture.
In summary, the HSS inspection found LLNL to have effective
performance in Classification and Information Control,
Personnel Security, and Material Control and Accountability.
HSS found that the Laboratory needed improvement in Physical
Security Systems, Protection Program Management, and certain
aspects of Cyber Security not related to technical controls.
HSS found significant weakness in LLNL's Protective Force and
its Classified Matter Protection and Control.
The Laboratory took immediate steps to address weaknesses
identified in the HSS inspection. In addition, LLNL developed a
comprehensive set of corrective action plans. HSS reviewed the
Laboratory's draft corrective action plans and HSS comments
have been incorporated into the plans. These draft plans
contain 254 milestones to correct and sustain LLNL's progress
toward ensuring a long-term, strengthened security posture.
Aggressive efforts to sustain NNSA site security compliance
requirements have resulted in the completion of one-third of
the milestones to date.
The results of the HSS force-on-force exercise were
disappointing to me and my team. The Laboratory's Protective
Force had performed well in the prior HSS force-on-force
exercise only 16 months earlier (December 2006), and I was
determined to identify the root cause leading to the decline in
the Laboratory's Protective Force readiness. I immediately
ordered a thorough review of our actions and decision making to
identify and correct the root cause. In short, the analysis
revealed that restrictions on and postponements of robust
exercises had a detrimental effect on Protective Force
readiness as well as our ability to conduct the full-scale
exercises that are necessary to appropriately practice team
tactics and fully assess performance. The lack of a robust
exercise environment inhibited the Laboratory's ability to
obtain the necessary feedback to assess our performance.
Safety considerations and attrition in LLNL's Protective
Force were some of the most influential factors that placed
limitations on exercises. For example, the Laboratory's
initiative in 2006 to improve ladder safety practices resulted
in the suspension of force-on-force exercises on the roofs in
the Superblock. In addition, NNSA's prohibition on the use of
smoke due to health concerns prevented us from utilizing this
tool in our training. Other concerns regarding Superblock
employee health and safety further restricted the ability of
our Protective Force officers to engage in realistic exercises
inside Superblock facilities.
Another contributing factor was attrition in the
Laboratory's Protective Force, which has averaged about 10
percent per annum, FY 2006 through FY 2008. Force-on-force
exercises in the Superblock are labor intensive, requiring
sufficient Protective Force personnel to participate in
defensive and offensive teams, help conduct the exercise, and
to provide a stand-alone force to protect the area during the
exercise. With high attrition and a two-year training regimen
for new officers, shortfalls in staffing required careful
workload balancing and significant overtime to provide defense,
train, and exercise.
The limitations emanating from these considerations
resulted in Protective Force exercises that were insufficient
in scope and degree of realism to identify weaknesses in
equipment performance and team tactics.
We took actions to address this root cause. First, we
devoted special attention to expeditiously resolve safety
concerns by, for example, marking and providing guide
structures on roofs for safe access and providing ventilation
within hallways so that blank ammunition can be used. Once we
resolved these concerns, we resumed robust exercises in the
Superblock, and will conduct robust force-on-force exercises on
a quarterly basis. Second, we reinvigorated our physical
security self-assessment program and assigned a seasoned
security professional to a newly created position as the
Security Organization Program Performance Assurance Manager.
Finally, we took away valuable lessons from each of the factors
that contributed to decisions that had self-limited exercises
and assessments.
We have applied the lessons learned from all facets of the
HSS inspection. Working closely with NNSA and utilizing
expertise accessible through reachback to LLNS parent
organizations, LLNL has significantly strengthened its security
posture over the last several months. Highlights are discussed
below in the areas of Protective Force, Classified Matter
Protection and Control, and Cyber Security. In addition, the
Laboratory has implemented management changes to clarify roles
and responsibilities through an integrated chain of command
that incorporates expertise in SNM research, safety, and
security. Vulnerability assessments are being updated to
include the recent protective force, physical security, and
cyber security enhancements.
Protective Force Improvements
LLNL has implemented improvements to its manpower
deployment and training, to its defensive equipment, to its
command and control systems, and continues to implement
improvements to its hardened fighting positions in the
Superblock. These improvements were guided in part by the
lessons learned during a period of intensive activity in May
and June 2008 when over 25 scrimmages, limited-scope
performance tests, and 12 force-on-force exercises against a
variety of adversary teams were conducted in the Superblock
Facility exercising all LLNL Protective Force shifts. The
Laboratory's integrated plan ensures a high-quality training
environment with the appropriate equipment resources to
continually challenge and test the responsiveness of its
Protective Force. LLNL has implemented Protective Force
improvements in four areas: Personnel, Equipment, Team Tactics,
and Training Environment.
Personnel. The HSS Inspection found that LLNL's Protective
Force security officers were individually well trained and
capable as demonstrated by their high test scores. This is due
in part to LLNL adopting the newly proposed Tactical Response
Force (TRF) Standards as part of its training. LLNL is
currently the only site in the complex to qualify all of its
Level 2 and 3 Protective Force officers in this weapons and
physical fitness proficiency standard.
Lessons learned from the HSS force-on-force exercise, and the
subsequent force-on-force exercises, resulted in the addition
of Protective Force officers in the Superblock Facility on each
shift, and the addition of a Sergeant to each shift to engage
exclusively in Command and Control. Both of these actions have
been completed and are incorporated into the Security Incident
Response Plan (SIRP).
Equipment. LLNL utilizes Dillon gatling guns, integrated
into Mobile Weapon Platforms (MWP), as part of the security
posture for the Superblock Facility. Since the HSS inspection,
LLNL has developed a robust security incident response plan
that utilizes a MWP deployment strategy that does not rely upon
all vehicles being deployed at all times. This plan allows LLNL
to deploy some or all of the vehicles and maintains a high
level of protection by augmenting and re-deploying forces
within the Superblock in towers, bullet-resistant enclosures,
hardened-fighting positions, or as ground-based strike teams.
Consequently, this plan protects the SNM and provides for
cycling vehicles out of the Superblock Facility for necessary
vehicle service, vehicles to conduct training, and the ability
to upgrade vehicle systems without degrading LLNL's protection
effectiveness. In addition, it forces an adversary to develop a
plan and commit resources to address multiple protection
strategies--a much bigger task for an adversary than would be
required to deal with a static protection configuration.
We have upgraded the defensive equipment used by our
officers to protect the Superblock including improvements to
the MWP that mitigate maintenance and reliability issues. In
addition, the operability of the MWPs is verified each shift.
Team Tactics. Daily and nightly training began and has
continued since April to ensure effective implementation of the
SIRP and verify compliance of the Protective Force officers
with it. These training exercises and Limited Scope Performance
Tests involve individual, small unit, and full team movement
and tactics. Refinements to command and control protocols have
been developed based on these exercises, as well as actions to
address security officer vulnerabilities identified during the
exercises.
Training Environment. In order to facilitate more realistic
training, LLNL engages in force-on-force activities in the
Superblock Facility and indoors with realistic Multiple
Integrated Laser Engagement System (MILES) gear on a routine
basis. During the first week of August 2008, a fully integrated
force-on-force exercise was conducted by an adversary force
from Idaho National Laboratory. This force-on-force exercise
was attended by representatives of the Office of the Chief of
Defense Nuclear Security, NNSA Field Security professionals,
and observers from DOE HSS. The force-on-force exercises were
particularly challenging, designed to test the changes to our
SIRP and the additional training of our security force. LLNL's
security incident response was very successful. The Office of
the Chief of Defense Nuclear Security asserts, ``The results of
the exercises demonstrate that activities completed as part of
the site recovery plans, along with the planned configuration,
have resulted in a robust protection strategy.''
Improvements in Physical Security Systems and Classified Material
Protection & Control
LLNL's security construct is based on a series of defensive
layers--a graded approach that provides increasing barriers that
correspond to the increasing security value of critical
Laboratory assets. Classified information resides in
``limited'' areas and is stored in repositories and/or vault-
type rooms (VTRs). Some of LLNL's VTRs were found to be
deficient in sensor protection by the HSS inspection, and the
necessary additional sensors were immediately installed.
In addition to enhancing the VTRs, LLNL formalized roles
and responsibilities, and improved VTR configuration
management. The Laboratory is consolidating databases that
document the location of classified repositories into a master
database and has established a policy and verification
procedures for configuration control of classified repositories
and VTRs. In addition, procedures for logging and inventory of
failed classified computer hard drives now address concerns
raised by the HSS inspection. LLNL has upgraded the lighting
and video coverage in the Superblock.
Cyber Security Improvements
As an integral component of LLNL's security organization,
the Laboratory's cyber security program proactively develops
and deploys effective defensive systems and quickly responds to
emerging threats to ensure appropriate protection. The cyber
security program takes an integrated approach, strongly
engaging counterintelligence experts and information technology
professionals. The Laboratory has established centralized
policies and procedures for managing cyber security, and it has
in place many effective technical processes and tools for
providing protection. These include perimeter and internal
firewalls, vulnerability scanning, and intrusion detection
systems. In addition, the Laboratory has developed and utilizes
an effective system for user identification, authentication,
and access control to enforce security standards and ensure
appropriate configuration management of software and hardware
systems.
The HSS inspection rated LLNL's cyber security technical
controls ``effective'' and found that the cyber security
program ``has taken an aggressive stance to ensure that when
issues are recognized, corrective action plans and plans of
action and milestones are developed.'' In response to
deficiencies identified in the HSS report, LLNL is
strengthening its cyber security controls for planning,
acquisition, certification, and accreditation of systems to
reduce overall risk. The Laboratory is updating its cyber
security plans to reflect the most up-to-date directives and
include more detailed operational protocols in order to better
test, certify, and accredit systems.
Classified information at LLNL resides on separate networks
for Secret/Restricted Data and Secret/National Security
Information, a practice HSS found ``commendable.'' Their report
concludes that, ``Strong identification and authentication
controls for access to applications and effective segmentation
to ensure need-to-know boundaries, as well as effective
vulnerability scanning and patching, are key factors in the
classified environment being almost totally devoid of
vulnerabilities.''
As mentioned earlier, the Yellow network at the Laboratory
is the main unclassified network for desktop computers,
applications, and databases. This network contains access-
controlled sensitive unclassified information that is required
by most Laboratory employees and collaborators to conduct their
mission responsibilities. It is the backbone for unclassified
programmatic activities, internal communications, and all
business services. Laboratory research, business functions, and
operations require external communications; hence, the Yellow
network is connected to the Internet and protected by a
firewall and network segments.
Vigilance is required to protect Yellow network systems and
data. LLNL first completed a comprehensive sitewide
unclassified risk assessment in 2005. Updated annually and as
new risks are identified, the assessment includes an analysis
of systemic conditions and threats, probabilities of
occurrence, and impact. Consideration of the risks guides
strategies for vulnerability scanning and patching as well as
the implementation of additional measures to limit inward and
outward flows through the firewall. The Laboratory is working
to fully implement effective risk management processes to
identify risks at the system-specific level.
One notable step LLNL is taking to minimize risks is the
development of a Blue network. To be used by foreign nationals
whose collaboration is necessary for LLNL to meet mission
responsibilities, the network was established to provide even
greater assurance that access restrictions to LLNL information
systems are enforced based on need-to-know. The Blue network
segment is separated from the Yellow network through technical
controls. Users have access only to approved resources on the
Yellow network and that access is only permitted with controls
enforced by firewall policy. This prevents foreign nationals
from having the ability to ``knock on doors'' and gain access
to Yellow network resources on an uncontrolled basis. They are
not able to search the Yellow network or monitor activities on
it. The Blue network is being piloted in one of the
Laboratory's directorates and is planned for site-wide
implementation in Fiscal Year 2009.
Closing Remarks
The Laboratory requires annual training for every LLNL
employee to ensure that each understands the importance of
protecting the classified information and materials at the
Laboratory and their individual and collective security
responsibilities. Security is an obligation that we take
extremely seriously. The adversarial threats we face are
growing more sophisticated and defense requires vigilance. When
deficiencies are uncovered or an emerging threat is identified,
we act as promptly and effectively as we can to fix the
specifically identified issue as well as address the root
causes. That is why the Office of the Chief of Defense Nuclear
Security was able to assert that LLNL's concerted efforts
``... have resulted in a robust protection strategy'' after
shortcomings were uncovered by HSS only several months earlier.
I have confidence in LLNL's Protective Force and the
effectiveness of the Security Incident Response Plan.
Cyber security is a challenge facing all government
entities, including LLNL. I agree with the HSS report that
concluded ``the laboratory has the teams, technologies, and
methods needed for success to effectively address cyber
security program needs.'' LLNL welcomes the opportunity to
share some of the lessons we have learned--and to learn from
others--through broader, more concerted, and effectively-integrated
DOE and interagency efforts to cope with this very
serious national security threat.
Lawrence Livermore National Laboratory's Security Posture--Summary
(Attachment)
Lawrence Livermore National Laboratory (LLNL) is committed
to the safe and secure fulfillment of its mission
responsibilities. A fundamental LLNL value is that all
employees must take personal and collective responsibility for
providing for a safe and secure work environment. An extensive
security structure is in place at LLNL, and we are taking
aggressive actions to address arising security threats and
concerns. Particularly, in the cyber area, threats are rapidly
evolving, continuing to grow more sophisticated and vigilance
is required.
The Laboratory benefits from both internal and external
assessments to identify weakness and areas for improvement.
Recently, DOE's Office of Health, Safety, and Security (HSS)
held an inspection of LLNL Safeguards and Security and Cyber
Security that provided valuable feedback. We took immediate
steps to address the identified weaknesses. We conducted a
thorough review to identify the root cause of the disappointing
results of the force-on-force exercise and took corrective
actions. Restrictions on and postponements of robust exercises
had a detrimental effect on Protective Force readiness and
inhibited the Laboratory's ability to obtain essential feedback
on our performance. We resumed the conduct of realistic force-
on-force exercises in the Superblock, and we will conduct
future comprehensive force-on-force exercises on a quarterly
basis. We have also upgraded the defensive equipment used in
the Superblock. Following a fully integrated force-on-force
exercise in August 2008, the NNSA Office of the Chief of
Defense Nuclear Security, improvements made in LLNL Protective
Force response capabilities ``have resulted in a robust
protection strategy.''
In the area of cyber security, the HSS report concluded
that ``the classified environment [at LLNL is] almost totally
void of vulnerabilities.'' LLNL's (unclassified) Yellow network
faces challenges, but it is well protected and the HSS report
states that LLNL ``has the teams, technologies, and methods
needed for success to effectively address cyber security
program needs.'' We are drawing on those capabilities to
expeditiously make improvements, including the development of a
new Blue network for use by foreign national employees and
collaborators.
----------
Mr. Stupak. Dr. Hunter, your opening statement, please,
sir.
Dr. Hunter. Thank you, Mr. Chairman.
Mr. Stupak. You're going to need the mic there. Thanks.
STATEMENT OF THOMAS O. HUNTER, PH.D., PRESIDENT AND
LABORATORIES DIRECTOR, SANDIA NATIONAL LABORATORIES
Dr. Hunter. Thank you, Mr. Chairman, Ranking Member and
distinguished members of the committee. I am Tom Hunter,
President of Sandia Corporation and Director of Sandia National
Laboratories. It's a pleasure to appear before you and talk
about this extremely important matter.
Sandia, as you know, is a national security laboratory and
part of the NNSA; and we develop and support the nonnuclear
parts of the nuclear term, but we also are, further, involved
in research and development across a wide range of national
security areas. I provided written testimony at some length,
but I would like to emphasize just a few points.
First, I would like to talk about our commitment and my
personal commitment to security.
We can only serve the Nation in so many sensitive areas,
and we do place security at the very top of our value system. I
should also be clear that I do not support the view that
science in our world and security should be in conflict or can
be in conflict. I believe that science in the national interest
must embrace effective security.
It is a matter of great personal pride that the Nation has
entrusted us with this most sensitive information. I and my
entire organization are committed to always honor that trust.
We can all live up to our security responsibilities if we're
ever vigilant and constantly aware of the threat facing us and
any vulnerability that may occur. We have decades of experience
evaluating the threats to our nuclear deterrent, and we've
applied that experience to the cyber world as well.
The second point I would like to make is, this Nation's
made a great investment in its classification system, both of
information and materials. We see great value in that system
and we use it as the foundation, the very core, of our security
systems. And this allows us to place the most emphasis on our
security systems in the right places where there's the most
sensitivity.
We believe we have made great progress in the last few
years in our protective systems for physical security. We've
reduced our vulnerability to attack by limiting all discrete
Category I and Category II nuclear material at our site. We did
that just recently and ahead of schedule.
Last year we received the highest possible rating on all
seven major areas of physical security in the evaluation done
by DOE's Office of Independent Oversight. Yet we do not
believe, and it's my strong conviction, that we can rest on any
of our accomplishments. The challenge will always be greater
and our expectation will always be higher.
We're acutely aware of the threat of malicious insiders and
have an active counterintelligence program and one that is
acknowledged to be uniquely effective because of the strong
integration we have because of counterintelligence and our
cyber and physical security programs.
As the committee has so well noted, there is one area,
though, that we, like the majority of the Nation's
institutions, must be even more vigilant. We are part, and a
fundamental part, of the Nation's cyber system. We find that
modern information systems are essential to manage and operate
an enterprise such as ours. But with this great enabler comes a
great risk.
There have rarely been threats to the very core of our
Nation's infrastructure as pervasive and as asymmetrical as a
cyber threat. We have acted aggressively to address the cyber
threat. We have three separate networks for cyber information.
Each system has been uniquely designed for the security
provisions of the information there. All are controlled and
monitored centrally by the laboratory.
When I sign on to my personal computer, it reminds me every
time, like every employee, that I will be subject to
observation and should expect no privacy from our monitoring
systems. We block over 80 percent of our incoming e-mail. We
save and evaluate all cyber traffic at the laboratory by expert
and electronic means. If any user on our system does not
conform to our security requirements, we'll promptly terminate
access from the system.
We maintain a complete registration of all devices on our
system, deploy encryption for sensitive transmissions and
require common operating environment for all desktops. Each
network is subdivided into segments that have separate
monitoring and separate need-to-know protection.
We have close ties with the other institutions in the
Federal Government and the other laboratories in the DOE. When
an attack occurs, there is a direct and effective communication
between Sandia, other laboratories and the DOE.
Finally, I would like to close my comments with emphasis on
one point that I think is most central to the path forward for
the cyber-secure world of the future, and that's people. I've
had the opportunity to witness the dedicated professionals who
defend our cyber systems. I've come to admire and respect their
talent, their expertise and their dedication. Each day--and in
most cases, very long days--they face an adversary that is more
creative and better equipped than the day before. And any day
they may be called upon to scan enormous files and spot
anomalies that could easily elude most trained observers. They
may be called on to go to another laboratory to help sort out
an ongoing attack.
Why do they do it? It is not a matter of compliance. It is
not a matter of administrative requirement. It is not even a
matter of compensation or reward. And it's certainly not
because they could not work anyplace else. It is, in my
judgment, because they are individually committed to serve this
country, to defeat this pervasive threat.
I'm thankful each day they're there with us, and I believe
they're examples of the country's principal hope in the coming
escalation of cyber attacks--talented people surrounded by
talented people and equipped with unique experiences and assets
who devote their careers to this conflict. If we could do only
one thing in the whole world of cyber security, it will be to
apply our Nation's best minds to the problem, train them, hire
them, support them, and empower them.
And I now urge the committee, with all of us, to do
whatever we can to help create an environment where these
people have the opportunity to commit, to excel and to prevail.
Thank you, Mr. Chairman; and I would be pleased to answer
any questions.
Mr. Stupak. Thank you, Dr. Hunter.
[The prepared statement of Dr. Hunter follows:]
Mr. Stupak. That concludes the opening statements. We'll go
to questions. We're going to go 10 minutes.
I think we'll have votes coming up; maybe we can get our
questions in before that.
Dr. Anastasio, if I may, GAO testified on the first panel
that Los Alamos pulled the access to foreign nationals to the
yellow network. Is that correct?
Mr. Anastasio. No, that's not correct.
Mr. Stupak. It's not?
Mr. Anastasio. Foreign nationals do have access to our
yellow network.
But we have a number of protections in place to ensure that
proper care is taken. We do counterintelligence assessment of
every individual. We have security plans and a very significant
process we go through.
Mr. Stupak. Do you have encryption on some of the more
sensitive parts that are on your yellow?
Mr. Anastasio. We have some encryption on the more
sensitive parts that are on the yellow network, and we have
segmentation that we've put in place and we're further
proceeding with that.
Mr. Stupak. All right.
Dr. Miller, do foreign nationals have access to the yellow
information? The yellow network, I'm sorry.
Dr. Miller. Yes, sir. Just like Dr. Anastasio, we currently
do have foreign nationals on our network. As I indicated in my
testimony, we are in the process of creating another network.
It was just--we did a pilot last year. It was just credited by
NNSA about a week ago. So this fiscal year we will be creating
a separate network for all of our foreign nationals that is
separate from the yellow network.
Mr. Stupak. All right. Would some of the information on
your yellow network go on this new network you're--
Dr. Miller. Yes, sir. I mean, for instance, all of the
training requirements that are completely unclassified are
required by--the foreign nationals require access to the
training requirements. So the training courses, things like
that that they require access to, will be on the blue network.
So there will be some information that is transmitted.
Mr. Stupak. Dr. Hunter, how about yourself, the foreign
nationals on your yellow network?
Dr. Hunter. On our yellow network we have about 11 foreign
nationals that have some access in the appropriate areas, but
none are from sensitive countries and I think the DOE
requirement for the future is about sensitive countries.
Mr. Stupak. Let me ask this question, if I may--Dr.
Wilbanks, if I may.
The Director of Los Alamos noted in his opening statement
that cyber threat is the greatest security concern. Would you
agree that this is perhaps the greatest security concern facing
DOE labs at this point in time?
Ms. Wilbanks. I can only speak from the cyber perspective.
But, yes, sir, I would agree that it's a very high threat.
Mr. Stupak. Well, let me ask you--to point that to the
point that you can in open session here--what's the level of
sophistication of these attacks? Are they increasing in
capability?
Ms. Wilbanks. Yes, sir. I would be happy to elaborate in a
closed session, sir.
Mr. Stupak. Mr. Borgia, Ms. DeGette asked the question
earlier--let me ask you this if I can.
Has a full inventory of the information residing on the
unclassified networks of DOE national labs been inventoried?
Mr. Borgia. No, not that I know of.
Mr. Stupak. The other panel didn't necessarily think it was
necessarily a wise choice. Do you think it would be?
Mr. Borgia. I think that I would defer to that answer.
I think the most important thing to do with this
information is to be able to stop the intrusion, if it's
possible. But to be able to catalog that information would be--
that would be a tremendous library of cataloging we would be
responsible for doing in the Department, and it would be
overwhelming.
Mr. Stupak. Let me ask you this question, if I may.
You testified that your work is closely coordinated with
DOE's Office of Chief Information Officer and NNSA's Office of
Chief Information Officer, and that you maintain strong,
mutually supportive relationships in the cyber security. Yet
for the past 3 years the Office of Inspector General has
reported that the Department has failed to adequately address
cyber security coordination and communication.
From a counterintelligence point of view, are you satisfied
with the coordination and communication between the
Counterintelligence and Information Technology Divisions in the
DOE complex regarding the reporting of cyber incidents? And
what, if anything, can be done to improve coordination and
communication?
Mr. Borgia. Yes. Thank you, Mr. Chairman.
I would have to say the answer to that is yes. There has
been a substantial increase in the communication between my
office and the chief information officers in cyber security.
We--in the 2 years I've been here, we've had increasing contact
with these offices--daily contact, weekly meetings, sometimes
twice weekly meetings where we sit down and review matters of
classified concern.
And there is continuing contact at the executive levels in
each of these offices too. Dr. Wilbanks and Mr. Pyke and myself
and their executive management staffs and mine are very, very
familiar with one another, and we talk very frequently.
Mr. Stupak. Let me ask this question, if you can answer it
or if we have to go to a closed session, just let me know.
Mr. Podonsky and his group said they're not very
sophisticated in cyber security, but yet they're able to get in
with his Red Team and take control of--I don't want to say take
``control,'' but have pretty good access in two science labs.
And everyone is telling me today it is more sophisticated. It's
a great concern.
Is it possible that there have been breaches of our cyber
security that we don't know about? Is the sophistication--the
level of sophistication--in other words, like when I play
basketball, are you above the rim or not?
I'm below the rim, believe me. But are there teams above
that rim that we possibly don't even know about?
Mr. Borgia. Yes.
Mr. Stupak. OK. I have more questions, but I'm going to ask
those in closed session on that aspect of it.
Let me ask this. We've talked a little bit about this
yellow network. And let me--in light of that answer, Mr.
Borgia, what is NNSA's opinion on the network access that's
been provided to foreign nationals? What control does, like,
let's say, Los Alamos have in place to ensure that foreign
nationals have a need-to-know for the access they have been
provided with on the network?
Mr. Borgia. Sir, perhaps the lab director or NNSA would be
better to answer that question.
Mr. Stupak. OK.
Dr. Wilbanks, do you want to add anything to that question?
Ms. Wilbanks. The labs have done a great job in segregating
various components within their yellow network that allows
their foreign nationals on there.
Excuse me. As you heard, Lawrence Livermore is building a
separate network for the foreign nationals. They take great
strides to limit the access of the foreign nationals to
specific areas of information, and then to limit their access
within the network itself.
Mr. Stupak. My concern--I guess I brought it up earlier in
the first panel--was that mosaic approach. You take something
that doesn't seem real sensitive. It's on the yellow. So I take
a piece here, take a piece there, put it together, does it
become then sensitive, that we should have greater
restrictions?
Do you care to comment on that, Dr. Anastasio?
Mr. Anastasio. Let me indicate that before we have any
foreign national on our network, we go through a very extensive
review, including a counterintelligence review of those
individuals before we allow them on. We're essentially moving
to do the same thing Lawrence Livermore is doing in their blue
network to have a separate network that's segregated in a way
that allows the foreign national to have access only to the
information they need, as I said in my testimony.
And the other thing is that the yellow network has many
protections on it. It's segregated in a sense already to be the
network we use for information that's beyond what would be
revealed to the general public. Before we put any information
on that network, we go through an extensive classification
review before that information is allowed to be on the network.
But then, beyond that, the mosaic issue is always a
challenge. And it's something they watch out for as we go and
do our reviews of the information and as we look at any issues
that may arise.
But, yeah, I think we are very vigilant about these issues.
Dr. Miller. Mr. Chairman, if I could just add a slight
amplification of that in the sense of an example.
Personally identifiable information is obviously something
we're all very sensitive to. That information is separately
segregated and protected on the yellow network. So, for
instance, I do not have access to the PII of all of the
employees at the laboratory; it is separately segregated. The
number of people who have access to it is limited to a very
small number who actually are required to be able to do that in
concert with their job.
An example of why somebody might want to have access to it
is, if an employee were taken to the medical facility in an
emergency, the medical people need to be able to get access to
personal information about what drugs, whatever. So there are
specific circumstances under which people could get access, but
generally the information is very tightly segregated, based
upon the function and based upon the need to know of the rest
of the people.
Mr. Stupak. But you don't--on your yellow networks you
don't have anything where you catalog what foreign nationals
are looking at or working on, do you?
Mr. Anastasio. We're very--we keep--as Dr. Hunter said, we
keep a full record of all the in-going and out-coming traffic
on our network and we watch that and search it. And we have
sensors deployed to look at the traffic that's going on. And we
periodically do scans, as well as do scrubs of the information
that's moving around, to ensure ourselves that the proper
behavior is going on on the network.
Mr. Stupak. OK.
Dr. Wilbanks, let me ask you one more question, if I may.
If information was being exfiltrated from any of the DOE labs,
would this be detectable? In other words, does DOE have the
ability to fully understand whether information is being lost
from any of the DOE labs' networks?
How would they know this?
Ms. Wilbanks. DOE, NNSA and the site offices themselves
have many sensors that monitor the outgoing traffic. And there
are techniques, technologies to determine what information is
being exfiltrated. I'd be happy to elaborate, sir, in a closed
session.
Mr. Stupak. But it's possible the sensors don't pick up
what's being exfiltrated, right? It just depends on--
Ms. Wilbanks. Yes, sir. That's always a possibility we
face.
Mr. Anastasio. Excuse me, Mr. Chairman. Just to amplify on
that, we do have layers of defense, though. I think that's
important.
Although no layer is perfect, we have sensors that we use
inside the laboratories. We have--NNSA has a set of techniques
that they use, DOE and then even the broader national security
community. So we rely on all those layers to allow us to know
what's going on, and if we have a problem, how we can react.
Mr. Stupak. Sure. I agree with that. But the attacks are
becoming more and more sophisticated. And if we're playing
above the rim, you're not going to know.
Mr. Anastasio. But our job as a national laboratory is to
have the innovation and creativity to stay ahead of the game,
to be leading the world on these activities and to draw on the
full resources of all the elements of the government to do our
job.
So we're very conscious, and Dr. Hunter, I thought, was
very eloquent about the people, that that is a key issue for us
to make sure we have those people that can be at the state of
the art, ahead of the state of the art.
Mr. Stupak. I don't disagree with any of that. But then
when we see reports from other offices indicating that our
cyber security is sort of lacking, and if this is our 14th
hearing over the last 8 years, when it comes to security, I'm
very concerned--not just the physical, but maybe more so the
cyber security which has taken on greater significance.
And if our enemy is getting more sophisticated--well, I
hope we're above the backboard, not above the rim. I'm not real
confident we are at this point in time.
Dr. Hunter, and then I'm going to go to Mr. Shimkus.
Ms. Wilbanks. Mr. Chairman, if I may elaborate, please,
sir.
One of the things I mentioned in my opening statement was
the fact that DOE and NNSA have now combined in their incident
management, incident handling and identification to help keep
us above the backboard, sir.
Mr. Stupak. Right.
Dr. Hunter.
Dr. Hunter. Thank you, Mr. Chairman.
Mr. Stupak. Turn that mic on, please. I'm sorry.
Dr. Hunter. Mr. Chairman, we've all acknowledged the
rightful concern about the cyber issue, as you just stated.
One point I would like to add to what he just said: The
laboratories and the DOE are working very closely together so
they pool their expertise. If there's any evidence, as we watch
very carefully, of things that might have been or could be
exfiltrated, these people call each other and quickly analyze
and try to understand the situation. In a way--so it's like a
big team. When you address one place, you get the team of the
other place that's quickly providing the benefit of their
experience to try to understand what is happening and to
respond to it.
Mr. Stupak. I agree you're doing all that. I hope it works,
but when I get figures like 400 million attacks a month, that's
almost impossible to keep on top of. So I hope those sensors
and filters really are doing their job.
Mr. Shimkus.
Mr. Shimkus. Thank you, Mr. Chairman.
I think you can continue to hear from Members of Congress,
hope that security is improving; but you also hear great
skepticism over the years of Members being involved in some
pretty big breaches.
Let me ask the three directors of the labs, because, Dr.
Miller, you mentioned a blue network. Or the--all labs being
unique, as I understand, Dr. Anastasio, Dr. Hunter, are you
developing blue networks? Are there best practices? Do you
communicate and share information to make you all better?
Mr. Anastasio. Yes, sir, very much.
And so at Los Alamos we--as I said, we're building a
further segmented element of our segmented network on our
yellow network. That's conceptually equivalent to what Lawrence
Livermore is doing with their blue network. We haven't given it
a name of a color; it's essentially the same thing. But--we're
using slightly different approaches to accommodate the
differences we have, but it's really the same thing.
But as far as sharing goes, absolutely we share--we, the
three of us, talk together. We've talked about this issue for
years amongst ourselves, about how to approach it. Even more
important, our technical staff is in constant contact with each
other.
When we had a concern about a penetration of the yellow
network, we had, in fact, people from Sandia to come up to Los
Alamos to actually work in our team. So it's an example of how
we're working together.
Mr. Shimkus. The other thing is time frame. When we're
talking about sensitive information and--yeah, good lessons
learned; you're sharing information--time.
Dr. Anastasio, I'm going to come back to you. But let me
finish with Dr. Miller and Dr. Hunter. And then I'm going to
come back to Los Alamos.
Dr. Miller. Yes. I think the question you raise is a very
important one. And as Dr. Anastasio said, we work very, very
hard. We're very cognizant of the technical approaches that
both Los Alamos and Sandia have taken. They have developments
that--we are watching very carefully; when those developments
mature to the point where they can be adequately assessed, we
will frequently move those across from one laboratory to the
other.
We share people. We share information. So there's a very,
very tight coupling between the three of us and again, as we
have said before, with the NNSA/DOE and the much broader
Federal community in this area.
Dr. Hunter. Thank you. I think I commented on the sharing
and the working together. I will comment on your specific
question about the best practices.
The existence of a three-level network--the unclassified,
the yellow network, as we just described and the classified--
is, in fact, a best practice developed by the laboratories,
which we feel is somewhat unique and important.
Secondly, we have not decided to go to a blue network at
this point. But what we have decided to do is much like what
Mike Anastasio said, emphasize stronger segmentation of the
yellow network to really be sure the need-to-know controls are
in place, and emphasize then monitoring of information coming
and going into that network.
And then finally to really look at this question of what do
foreign nationals particularly need in terms of their
requirements to work at the laboratory, say, on broad science?
Sometimes it's limited to things like payroll and benefit
information, which you can really segment very strongly.
So the combination of those things, we think, will lead us
to the proper decision.
Mr. Shimkus. And let me follow up.
We don't want to get too--you know, just put all the burden
on the foreign national debate, because a lot of our security
breaches would--you know, are nationals--you know, born U.S.
citizens. But, you know--and we--you know, this list is public
on some of these. But the vetting process for those, I mean,
they're still citizens of countries that we have identified as
sensitive or nonsensitive. So the vetting has to be as good as
we do when we give our security clearances, I would assume.
Let me go to Mr. Borgia to respond to the vetting process
of the individuals who are hired, both alien, visitors and
citizens.
Mr. Borgia. Sir, there is a vetting process that
counterintelligence uses to look at foreign nationals who are
coming into the complex.
However, I think it would be better to talk about that in a
classified setting, to give you a more detailed understanding
of what we do. The security program is responsible for
conducting backgrounds of other persons who are hired, you
know--
Mr. Shimkus. And that's fine. We'll have that opportunity.
So thank you.
Let me go to Dr. Anastasio because you're the one who
obviously was the subject of the most recent report. And I
think our position is, anyone who's been, you know, in an
executive position and you--and the inspector general comes
down or--in the military, a former Army officer or someone from
the corporate headquarters, who is doing that same thing,
they've identified numerous deficiencies.
I guess this thing was finally left in December. So then
the compilation of the report, their analysis, finished just a
month ago; and then this is a very recent--you know, a
publication of September 2008.
So if we would go through it, you know, starting on page--
although a risk assessment was completed, it was not
comprehensive. Are we now able to say that the risk assessment
is now comprehensive?
Mr. Anastasio. Yes, we are. As part of our process to get
accreditation and verification with the process we have with
NNSA, we have gone through a very formal set of risk
assessments, and we are--for all our networks and all our
activities on the yellow network, as well, of course, as the
classified network. And we are just now completing that. We'll
be done in December, and we'll finish the full accreditation
and certification of all our systems.
But we've gone and taken other steps in response to the
GAO.
Mr. Shimkus. I'll just keep following, because that's what
you hear by Members, you know, guidelines. You know, if I was
the--you know, the Secretary of Energy, I would say not good.
These are the deficiencies. When will they be resolved? And I
think that's where Members are.
So the other one is policies and procedures have
shortcomings. Have the shortcomings been addressed?
Mr. Anastasio. Yes, sir, they have. Again, we've done a
comprehensive look for all the issues that are--at least in the
draft report. Since the final just came out today, I haven't
seen the final, but we have certainly seen the draft report,
and we are already responding to all of the issues that have
been raised in that report, including more stringent
protections, reducing the number of ports that are active, more
robust cyber detection. We've changed our policies and made
them more clear, as I said in my--and comprehensive--in my
opening statement. And we're just addressing all those things.
Mr. Shimkus. OK. Because my time's short and there are
going to be votes, so you understand the point. I would then
just turn to the other directors. And it would make common
sense for you all to review the report from that position and
relook at your own processes and procedures.
Quickly, if you'd like to, sir.
Dr. Miller. Yes. Again, we certainly are aware, have read
the draft report and have reflected it on ourselves. We will do
the same thing with the final report that just came out.
Mr. Shimkus. The primary job, other than passing the laws
of the land--and we are justly criticized for not doing a good
job in oversight. This is our job; this is what we're supposed
to be doing. And so that's why we're continuing to be on this.
Sir, do you want to add?
Dr. Hunter. Yes, sir.
I just agree. We share the same challenges, and we'll
derive the same lessons learned from every activity.
Mr. Shimkus. You all were out with the rest of the folks
when the first panel was being asked, and we did spend a lot of
time on the yellow network. I did talk about e-mails and
attachments and the Trojan horses and all these things that
some of us are just getting to understand and those types.
A lot of the responses were that we monitor what is--my
impression, just trying to pay attention, was, we monitor
what's being sent out. We grab it, and we segregate it. We hold
onto it.
So it just led me to the question, if we grab and hold onto
it, do we grab and hold onto it before it gets out to the
system, or it's going out the door, so we at least know what we
lost?
Who wants to respond to that question? We know what we
lost. Is that really what we're talking about?
Mr. Pyke. Mr. Shimkus, in quite a number of cases we are
able to actually block the outgoing transmission before it
takes place. There are occasions where we learn about it after
the fact or block it when it's partway out. But we are able,
through the collaboration that's been discussed by various
members of the panel; and through an active collaboration with
the counterintelligence folks, we are able to work together not
just week by week, but in near real time, to use the
information we have to block outgoing attempted exfiltration of
information.
Mr. Shimkus. And Mr. Chairman, if I may, I just want to end
up with--the inspector general testified about incomplete
certification and accreditation. We're kind of raising some of
that at the labs about incomplete implementation by the
Department of Federal cyber security policies, especially for
DOE and for NNSA.
What's your response to these findings?
Ms. Wilbanks. NNSA has implemented new policy as of May
2008 that completely strengthens the certification and
accreditation process. It also strengthens some of the
requirements and restrictions on the yellow network. And the
labs are in the process of implementing this policy at this
time.
Mr. Shimkus. Go ahead.
Mr. Pyke. Mr. Shimkus, if I may, we have a comprehensive
set of requirements DOE-wide in the cyber security area;
always, of course, looking to improve them and to add to them,
but they are in place.
And it's my understanding in working with Dr. Wilbanks and
her staff and my personal observations that NNSA not only
follows these requirements, but given the nature of the mission
of NNSA, they frequently strengthen them to provide protection
against the special risks faced by NNSA programs.
Mr. Shimkus. You know, the inspector general recommends
time frames and benchmarks. I mean, would you agree with his
recommendation? And if you do, do you have them? And if you do,
would you supply those to the committee?
Ms. Wilbanks. Yes, sir. We do agree. Yes, sir. We do have
them. And yes, sir, we will supply them.
Mr. Shimkus. Thanks. Thanks, Mr. Chairman.
Mr. Stupak. Thank you, Mr. Shimkus.
Mr. Borgia, if I may, we had some questions of the first
panel--Mr. Friedman, in particular--about the letter that was
sent to Mr. Dingell by a former senior counterintelligence
officer at Lawrence Livermore.
Are you familiar with that letter at all?
Mr. Borgia. Yes, Mr. Chairman, I am.
Mr. Stupak. What's your reaction to it, especially when
they say that as a result of the changes, vulnerability of DOE
personnel and facilities to hostile intelligence entities has
increased exponentially?
Mr. Borgia. I couldn't hear the first part of the--
Mr. Stupak. That as a result of the changes at DOE, the
vulnerability of DOE personnel and facilities to hostile
intelligence entities has increased exponentially.
Mr. Borgia. That would be wrong, Mr. Chairman.
Mr. Stupak. That would be wrong?
Mr. Borgia. Yes.
Mr. Stupak. And the letter cites about five different
examples.
Mr. Borgia. Sir, I can give you in a classified hearing
great examples of the success that this program is experiencing
right now that collectively have not been experienced
throughout the rest of the 10 years of the program.
We have an extraordinary marriage with the FBI. The FBI is
dedicated, as I mentioned myself, but also 20 other special
agents who are agents in the labs included--including agents in
the weapons labs.
There has been--there's been extraordinary connection with
the Intelligence Community. And this program today has a much
bigger profile in the Intelligence Community. The national
counterintelligence executive has identified this as one of the
top four programs. He'd always talked about this in briefings
on the Hill as the ``top three programs.''
Now he says the top four programs. That's DOE's
counterintelligence program. There is a great new confidence in
the counterintelligence program that is identified and
experienced not only outside in the intelligence community, but
I believe my colleagues in the Department as well as the
Secretary and the NNSA Administrator would agree.
Mr. Stupak. So you wouldn't agree that, if I can summarize
what this individual who had 29 years experience with the FBI
in this area, that the counterintelligence aspect of our
security has been diminished while the intelligence gathering
has increased at the expense of counterintelligence and DOE?
Mr. Wilshusen. Yes. That would be wrong.
Mr. Stupak. That would be wrong?
Mr. Wilshusen. Yes. And, sir, I have almost 25 years in the
FBI, worked counterintelligence, counterterrorism, and criminal
investigative programs. I could sit, and I would be very happy
to sit and talk about and give you the details in a classified
setting about what the accomplishments of this program are.
Mr. Stupak. Well, I wanted to raise it, and I am glad you
are familiar with it because it probably will come up in our
closed session, which we are going to go into soon.
Mr. Shimkus, questions, please.
Mr. Shimkus. Just a unanimous consent request for these two
documents. I think the staff shared them with you. The one's a
Foreign National Assignments with computer access. It just has
a listing of all that. And another one, just to highlight the
fact that we have U.S. citizens that are not good citizens
also. There is a story today, an AP story: Scientist Accused of
Selling Rocket Data to China, an AP story about that. I am
asking unanimous consent to accept those.
Mr. Stupak. Without objection, then--I'm looking for the
date on this one here. Today's date, Scientist Accused of
Selling Rocket Data to China, that will be made part of the
record, that AP news story. And Foreign National Assignees With
Computer Access, dated September 12, 2008, will also be made
part of the record.
[The information appears at the conclusion of the hearing.]
Mr. Stupak. That is going to conclude the open part of our
hearing. We are going to have a couple votes on the floor, so
why don't we do this: Instead of reconvening in 10 minutes, I
think, let's shoot for 2:00. We have got at least three votes
on the floor; they are going to call them here in a second, and
then we can meet in 2218. So let's meet in Room 2218 of the
Rayburn Building at 2:00. And only those individuals who have
appropriate Top Secret/Q level clearances that have been
previously sent to the committee clerk and the House security
will be admitted. So I will dismiss this panel then.
And before we close this portion of the hearing, I ask
unanimous consent that the hearing record will remain open for
30 days for additional questions for the record. Without
objection, the record will be open.
I ask unanimous consent that Tabs 1 through 7 and Tabs 25
and 26, those nonofficial use only exhibits of our document
binder, be entered into the record. Without objection, the
documents will be entered into the record.
Mr. Stupak. That concludes the open portion of this
hearing. We will recess until 2:00 and reconvene in Room 2218
of the Rayburn Building for our closed portion of this hearing.
[Whereupon, at 1:13 p.m., the subcommittee recessed to
proceed in closed session at 2:00 p.m. the same day.]