[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]





 

A REVIEW OF CONTINUING SECURITY CONCERNS AT DOE'S NATIONAL LABORATORIES

=======================================================================

                                HEARING

                               BEFORE THE

              SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS

                                 OF THE

                    COMMITTEE ON ENERGY AND COMMERCE
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                           SEPTEMBER 25, 2008

                               __________

                           Serial No. 110-152


      Printed for the use of the Committee on Energy and Commerce

                        energycommerce.house.gov



                  U.S. GOVERNMENT PRINTING OFFICE
63-238                    WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, [email protected].  

                    COMMITTEE ON ENERGY AND COMMERCE

    JOHN D. DINGELL, Michigan,       JOE BARTON, Texas
             Chairman                    Ranking Member
HENRY A. WAXMAN, California          RALPH M. HALL, Texas
EDWARD J. MARKEY, Massachusetts      FRED UPTON, Michigan
RICK BOUCHER, Virginia               CLIFF STEARNS, Florida
EDOLPHUS TOWNS, New York             NATHAN DEAL, Georgia
FRANK PALLONE, Jr., New Jersey       ED WHITFIELD, Kentucky
BART GORDON, Tennessee               BARBARA CUBIN, Wyoming
BOBBY L. RUSH, Illinois              JOHN SHIMKUS, Illinois
ANNA G. ESHOO, California            HEATHER WILSON, New Mexico
BART STUPAK, Michigan                JOHN SHADEGG, Arizona
ELIOT L. ENGEL, New York             CHARLES W. ``CHIP'' PICKERING, 
GENE GREEN, Texas                        Mississippi
DIANA DeGETTE, Colorado              VITO FOSSELLA, New York
    Vice Chair                       ROY BLUNT, Missouri
LOIS CAPPS, California               STEVE BUYER, Indiana
MIKE DOYLE, Pennsylvania             GEORGE RADANOVICH, California
JANE HARMAN, California              JOSEPH R. PITTS, Pennsylvania
TOM ALLEN, Maine                     MARY BONO MACK, California
JAN SCHAKOWSKY, Illinois             GREG WALDEN, Oregon
HILDA L. SOLIS, California           LEE TERRY, Nebraska
CHARLES A. GONZALEZ, Texas           MIKE FERGUSON, New Jersey
JAY INSLEE, Washington               MIKE ROGERS, Michigan
TAMMY BALDWIN, Wisconsin             SUE WILKINS MYRICK, North Carolina
MIKE ROSS, Arkansas                  JOHN SULLIVAN, Oklahoma
DARLENE HOOLEY, Oregon               TIM MURPHY, Pennsylvania
ANTHONY D. WEINER, New York          MICHAEL C. BURGESS, Texas
JIM MATHESON, Utah                   MARSHA BLACKBURN, Tennessee          
G.K. BUTTERFIELD, North Carolina     
CHARLIE MELANCON, Louisiana          
JOHN BARROW, Georgia                 
BARON P. HILL, Indiana               
DORIS O. MATSUI, California          
                                     
_________________________________________________________________

                           Professional Staff

 Dennis B. Fitzgibbons, Chief of 
               Staff
Gregg A. Rothschild, Chief Counsel
   Sharon E. Davis, Chief Clerk
 David L. Cavicke, Minority Staff 
             Director
_________________________________________________________________

              Subcommittee on Oversight and Investigations

                    BART STUPAK, Michigan, Chairman
DIANA DeGETTE, Colorado              JOHN SHIMKUS, Illinois
CHARLIE MELANCON, Louisiana              Ranking Member
    Vice Chairman                    ED WHITFIELD, Kentucky
HENRY A. WAXMAN, California          GREG WALDEN, Oregon
GENE GREEN, Texas                    TIM MURPHY, Pennsylvania
MIKE DOYLE, Pennsylvania             MICHAEL C. BURGESS, Texas
JAN SCHAKOWSKY, Illinois             MARSHA BLACKBURN, Tennessee
JAY INSLEE, Washington               JOE BARTON, Texas (ex officio)
JOHN D. DINGELL, Michigan (ex 
    officio)
  
                             C O N T E N T S

                              ----------                              
Hon. Bart Stupak, a Representative in Congress from the State of 
  Michigan, opening statement
Hon. John Shimkus, a Representative in Congress from the State of 
  Illinois, opening statement
Hon. Gene Green, a Representative in Congress from the State of 
  Texas, opening statement
Hon. Marsha Blackburn, a Representative in Congress from the 
  State of Tennessee, opening statement
Hon. John D. Dingell, a Representative in Congress from the State 
  of Michigan, opening statement
    Prepared statement
Hon. Michael C. Burgess, a Representative in Congress from the 
  State of Texas, opening statement

                               Witnesses

Gregory H. Friedman, Inspector General, U.S. Department of Energy
    Prepared statement
Glenn S. Podonsky, Chief Health, Safety, and Security Officer, 
  U.S. Department of Energy
    Prepared statement
Gregory C. Wilshusen, Director, Information Security Issues; 
  Accompanied by Allison Bowden, Senior Auditor, Government 
  Accountability Office
    Prepared statement
Bradley A. Peterson, Chief and Associate Director, Defense 
  Nuclear Security, National Security Administration
    Prepared statement
Thomas N. Pyke, Jr., Chief Information Officer, U.S. Department 
  of Energy
    Prepared statement
Linda R. Wilbanks, Ph.D., Chief Information Officer, National 
  Nuclear Security Administration, U.S. Department of Energy
    Prepared statement
Stanley J. Borgia, Deputy Director for Counterintelligence, 
  Office of Intelligence and Counterintelligence, U.S. Department 
  of Energy
    Prepared statement
Michael R. Anastasio, Ph.D., Director, Los Alamos National 
  Laboratory
    Prepared statement
George H. Miller, Ph.D., Director, Lawrence Livermore National 
  Lab
    Prepared statement
Thomas O. Hunter, Ph.D., President and Laboratories Director, 
  Sandia National Laboratory
    Prepared statement

                           Submitted Material

Letter of September 1, 2008, from Terry D. Turchie to Mr. Dingell
Letter of September 28, 2007, from Thomas P. D'Agostino to Mr. 
  Turchie
Article, ``Scientist accused of selling rocket data to China,'' 
  The Associated Press
Chart entitled ``Total DOE Foreign National 
  Assignees,''``Scientist accused of selling rocket data to 
  China,'' The Associated Press
CRS Report, July 28, 2008

 
A REVIEW OF CONTINUING SECURITY CONCERNS AT DOE'S NATIONAL LABORATORIES

                              ----------                              


                      THURSDAY, SEPTEMBER 25, 2008

                  House of Representatives,
      Subcommittee on Oversight and Investigations,
                          Committee on Energy and Commerce,
                                                   Washington, D.C.
    The subcommittee met, pursuant to call, at 10:09 a.m., in 
room 2123, Rayburn House Office Building, Hon. Bart Stupak 
(chairman of the subcommittee) presiding.
    Present: Representatives Stupak, Green, Inslee, DeGette, 
Dingell (ex officio), Shimkus, Burgess, and Blackburn.
    Staff Present: Scott Schloegel, John Sopko, Chris Knauer, 
Steve Futrowsky, Joanne Royce, Kyle Chapman, Alan Slobodin, 
Peter Spencer, and Whitney Drew.

  OPENING STATEMENT OF HON. BART STUPAK, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Stupak. This meeting will come to order. Today we have 
a hearing entitled, ``A Review of Continuing Security Concerns 
at Department of Energy's National Labs.'' We'll start with 
opening statements. I'll begin.
    Today we'll hear from several independent sources about 
security problems that continue to plague the Department of 
Energy's nuclear weapons labs. We'll also hear from DOE 
officials responsible for the operations of the labs and then 
we'll hear from the lab directors who will tell us what they're 
doing to address the shortcomings.
    The Department of Energy's nuclear weapons labs are home to 
some of the country's most sensitive secrets and the country's 
most dangerous nuclear materials. These labs--Sandia, Los 
Alamos, and Lawrence Livermore--employ the world's most 
brilliant scientific minds, but they've also been home to some 
very serious security breaches.
    Los Alamos has historically been our most challenged of the 
three labs. This is the 14th hearing our subcommittee has held 
into security problems at Los Alamos over the past 8 years. 
We've also requested numerous Government Accountability Office 
investigations, which have resulted in countless 
recommendations for improvements at Los Alamos. Thankfully, the 
LANL has implemented several changes that appear to be 
improving the physical security posture. Our staff was 
encouraged by many of the changes they saw at the lab with 
regard to physical security, and these views appear to be 
echoed by the GAO and the Office of Independent Oversight 
Reports. We remain optimistic, but guarded, that Los Alamos 
will continue to improve.
    Unfortunately, at the same time that physical security at 
Los Alamos was improving, Lawrence Livermore National Lab was 
actually regressing. Earlier this year the Department of 
Energy's Office of Independent Oversight conducted a force-on-
force exercise at Lawrence Livermore which, according to GAO 
testimony, resulted in the lab receiving, and I quote, ``the 
lowest possible ratings for protective force performance and 
for physical protection of classified resources,'' end of 
quote. While we are told by lab officials that they have made 
numerous changes to their security force and procedures to 
correct the problems, we expect to learn exactly why or what 
led to the failures and what corrective measures have been put 
in place to ensure that they will not occur again.
    Physical security is just one component to keeping our 
nuclear secrets safe. The most recent vulnerability is that a 
host of unauthorized sources are trying to exploit our lab's 
cyber networks. The Department of Energy's cyber networks are 
attacked millions of times each month by individuals ranging 
from a high school kid looking for a challenge, to the most 
sophisticated adversaries who are seeking very specific 
information.
    Today, we will hear concerns about the Department of 
Energy's cyber security posture from three government entities.
    First, the Government Accountability Office will discuss 
their report detailing shortcomings of the unclassified 
computer network at Los Alamos National Lab. Moreover, they 
will document how highly sensitive--but unclassified--
information on the Department's network may possibly be pieced 
together and could become classified information which would be 
``a valuable target for foreign governments, terrorists and 
industrial spies.''
    Second, DOE's Office of Independent Oversight will tell us 
about how a small team of their cyber attack experts, known as 
a ``Red Team,'' were able to hack into and gain full 
administrative control over two of the Department of Energy's 
science lab computer systems. This same team was also able to 
gain a foothold into part of the weapons labs computer systems.
    Third, we will hear from the DOE's Inspector General, who 
will discuss their recent report outlining the vulnerabilities 
in the Department's unclassified cyber security program and its 
need to improve management and controls. They will document 
that ``since the end of fiscal year 2007, the Department has 
experienced a 45 percent increase in reported cyber security 
incidents.'' In addition, we will hear from the DOE's Associate 
Director of Counterintelligence that DOE networks have picked 
up an increased tempo of potential adversarial activity, and in 
some cases, sensors have documented ``well over 400 million 
such indicators of hostile activity every month.''
    Make no mistake about it, cyber security at our Nation's 
energy labs should be of paramount concern to Congress and the 
American public. The sophistication of our adversaries when it 
comes to cyber attack is significant. But if the Department of 
Energy, and all the Federal Government for that matter, does 
not heed the warning set forth by these independent reports, we 
will put our Nation further at risk. Much is being done to 
protect our sensitive information but much more needs to be 
done.
    We began this Congress by holding a hearing into the 
security concerns at Los Alamos National Lab. We're ending this 
Congress with yet another hearing into security concerns at the 
Department of Energy's labs.
    All too often we find that security improves at the DOE 
while Congress, the GAO and the inspector general or the Office 
of Independent Oversight is shining a light on them. However, 
far too often labs slip back into their own ways and have yet 
another security relapse.
    The Department can be sure that as long as I am chairman of 
this subcommittee there will be a constant light shining on 
them to ensure they are doing all they can to protect our 
Nation's nuclear materials and secrets.
    That is the end of my opening statement. I next turn to Mr. 
Shimkus, the ranking member, for his opening statement, please.

  OPENING STATEMENT OF HON. JOHN SHIMKUS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF ILLINOIS

    Mr. Shimkus. Thank you, Mr. Chairman. I recognize your 
valiant effort to fight this cold and turning from a baritone 
to a bass, it really is Chairman Stupak, and I'll testify to 
that. But thanks for soldiering on, and thanks for this 
hearing.
    There are few topics the subcommittee will examine as 
important to our national security as those concerning the 
security of our national weapons labs. And although I am new to 
this committee, the Oversight and Investigation Subcommittee 
has done it for years, and the committee's responsibility has 
been well noted. And there are few topics where we have been as 
frustrated as those that concern the security at the labs.
    Today's hearing serves as a progress report on work 
requested by the bipartisan committee and subcommittee 
leadership. Our requests were prompted by a series of physical 
and cyber security debacles at Los Alamos National Laboratory 
and poor performance at Lawrence Livermore National Laboratory 
in an April 2008 DOE physical security evaluation.
    We will hear from the Government Accountability Office this 
morning on two topics, one concerning physical security and the 
other one concerning cyber security on the unclassified 
computer network. The GAO details areas of accomplishment, but 
also identifies continued significant concerns. Of these 
concerns, the most troubling involve the cyber threats to what 
is called the ``yellow network,'' the lab's protected 
unclassified network. The yellow network serves as a backbone 
for lab operation and its research mission. However, both the 
GAO and DOE Independent Office of Health, Safety and Security 
have identified particular vulnerabilities with the security of 
the yellow network.
    Action is needed to improve the security of the yellow 
network, but what corrective actions are to take place is based 
on a risk assessment and risk management. Do DOE and NNSA know 
or will they know soon exactly what information is on the 
yellow network? Will DOE and NNSA be willing to identify 
information that needs special protection? And will they be 
able or willing to implement corrective actions?
    Are there any recommendations or corrective actions that 
they believe would be too costly, time consuming or disruptive 
to implement? If so, what evidence supports that belief? And 
does it outweigh the cost to national security? Striking that 
balance is a challenging task.
    There are about 13,000 users of the network at Los Alamos, 
including cleared foreign nationals, some from sensitive 
nations of concern for security officials. We will hear this 
morning that the network fire walls deflect more than 10 
million cyber probes every month and that threats to cyber 
defenses are rapidly escalating in number, sophistication and 
complexity.
    And what is the information on this network? It is not 
classified, but it is sensitive and can have an impact on 
national security. Panelists will detail some of the categories 
for us which, GAO reports, presents a valuable target for 
foreign governments, terrorists and industrial spies.
    How robust is network security especially when probed by 
the most sophisticated adversaries? Have any of the probes 
succeeded? And if they have, what has been lost? What may be 
lost? These critical questions underscore the findings of GAO 
that more needs to be done to protect the network. And if we 
cannot be satisfied that network protections can safeguard 
fully the information of these ever-more sophisticated attacks 
and soon, what other options can we pursue for information 
security? The answer to this will not be easy, and it involves 
striking the balance between mission and security, but we have 
to find an answer.
    This GAO testimony provides just the starting point for the 
security issues we will discuss this morning. When coupled with 
the government audits and evaluations, the testimony raises 
important questions that apply not only to the overall security 
posture at Los Alamos, but at Lawrence Livermore National 
Laboratory and Sandia National Laboratories as well as labs 
overseen in Washington.
    I look forward to hearing the perspective of the lab 
directors with us on the second panel, as well as from DOE and 
the National Nuclear Security Administration officials also on 
the second panel. I will want to hear their answers to the 
questions I pose about enhancing the security of the yellow 
network.
    We should identify measures and indicators for progress on 
improving security going forward as rapidly as possible. We 
also have to ensure that any measures for security can be 
sustained for the long term with sufficient flexibility to 
respond to emerging threats.
    And finally we have to recognize the human factor at work 
here; this means the researchers, the security people and the 
management. I understand there appear to be two cultures at the 
lab with different priorities, the research academic culture 
and the security culture. These solutions need to reflect that 
reality as well as reconcile the differences.
    Thank you, Mr. Chairman.
    Mr. Stupak. Thank you, Mr. Shimkus.
    Mr. Green for an opening statement, please.

   OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Green. Thank you, Mr. Chairman. And I'll make my 
statement relatively brief.
    I hate to sound like a broken record over these last few 
years, but it's the subcommittee's 14th hearing on security 
issues facing the Department of Energy's national labs. I hope 
that today we can finally show some progress towards securing 
the critical infrastructure and information of our weapons 
labs. With the emerging threats facing our Nation, we cannot 
afford more empty promises of change.
    Los Alamos, Livermore and Sandia house America's most 
sensitive and top secret weapons development programs. The only 
thing not secret about these labs is that there are security 
vulnerabilities.
    In September 2006, the subcommittee learned how simple it 
was for a contract employee to remove a USB ThumbDrive 
containing hundreds of pages of classified documents. Just this 
year, after a mock terrorist attack by DOE at Livermore, we 
learned how easily lab security could be compromised through 
their ill-trained workforce and protective strategy.
    Sometimes I think we have to say enough is enough. I do not 
want to sit through future congressional hearings where we must 
piece together how a perpetrator gained access to classified 
nuclear weapons design information from our labs because we did 
not have the resolve to correct the lab security deficiencies 
today.
    The testimony from this morning's hearing will show that 
some progress has been made. For example, Los Alamos National 
Lab has drastically reduced the number of removable electronic 
media and eliminated thousands of classified nuclear weapons 
parts and reduced the number of bulk-type rooms and areas 
containing special nuclear material. These efforts should be 
commended. But when we are protecting information critical to 
the national security of the United States, incremental action 
is notable but not sufficient.
    We in Congress owe it to the American people to ensure that 
weapons labs are safe and secure. And if the Department of 
Energy or their labs are not up to the task of providing the 
highest level of protection, Congress must be willing to make 
the tough choices to protect our national interests.
    And again I thank you, Mr. Chairman, for continuing these 
hearings. I look forward to the testimony, and I yield back my 
time.
    Mr. Stupak. Thanks, Mr. Green.
    Ms. Blackburn for an opening statement, please.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Ms. Blackburn. Thank you, Mr. Chairman. As has been stated, 
we have had several hearings on the issue of problems with the 
national labs, and with the accountability or the lack thereof 
with the labs. It is frustrating to us to see a reticence to 
make any changes. And I think it is also frustrating to our 
constituents because now more than ever they are paying close 
attention to energy issues, to how the Department of Energy is 
working, to security issues or lack thereof of security.
    And I think that today, as you come before us and as we 
hold this hearing, and as we are in the midst of this financial 
crisis, many people are very concerned about a proposed plan to 
give the Secretary of the Treasury a blank check to bail out 
Wall Street. And what we're hearing is, they don't trust 
government. And we know that that lack of trust is going to, 
therefore, be reflected onto each and every department and 
agency of the Federal Government. And I think that it amplifies 
some of the lack of accountability and the hesitancy that we 
have seen from some of our government agencies and from you.
    And the problems with these labs are more--they're just 
more symptoms of what many people believe to be an incompetence 
of the bureaucracy in the Federal Government, that you have 
gotten too big and too unwieldy and too out of control for your 
own good and definitely for the taxpayers' good.
    If these government-run labs cannot protect classified and 
sensitive information and material, then Congress must begin to 
discuss alternatives to the current operating procedures that 
will solve the problems. It would be interesting to know what 
your best practices are and what your timeline is for meeting 
those best practices.
    Mr. Chairman, I think that protecting that classified 
material and that sensitive data is one of the key 
responsibilities of government. And if it does not, then our 
Nation faces serious risk in the area of breaches of security.
    Congress should put forward initiatives. We are going to 
take the lead on this. If you cannot and will not, then we 
will. We'll take the lead that will increase transparency, that 
will demand accountability on behalf of the taxpayers that are 
footing the bill for this.
    And it's not only for you. It is for the entire Federal 
Government. So as my grandmother would have said, You are on my 
last nerve; and I hope that you're going to be willing to work 
with us and increase some accountability and some transparency.
    And Mr. Chairman, I will yield back the balance of my time.
    Mr. Stupak. I thank the gentlewoman.
    Mr. Dingell, chairman of the full committee, for an opening 
statement, please.

OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Dingell. Mr. Chairman, good morning. And thank you for 
your vigorous leadership in the matters before us. And I want 
to thank you also for holding another important hearing on the 
distressing state of security at our Nation's weapons labs.
    This will be the 14th hearing we've held on this topic over 
the last 8 years. It was the topic of our first oversight 
hearing in the 110th Congress and today it may well be one of 
the last of this Congress.
    I feel a little bit like Sisyphus or like Heracles when he 
was confronted with the Augean Stables. We have before us an 
agency which has been totally incapable of addressing problems.
    Back in the days when I was chairman of the Subcommittee on 
Oversight and Investigations 20-some years ago, we had 
hearings. We found a huge problem with regard to security at 
our Nation's labs. We found that they turned off the sprinkler 
systems because they didn't want to wet their computer systems. 
We found they had vehicles, emergency vehicles, that would not 
start.
    We found them with employees in charge of security who did 
not have the ability physically to participate in the 
suppression of penetration of those facilities. We found that 
the tests and the efforts to assure that the Agency could 
respond to security challenges were carefully cooked by 
informing the people beforehand what was going to happen so 
that the drill could take place in the most favorable of 
circumstances. And we found, curious enough, they still were 
not able to do the job that had to be done.
    We found that there were stings with regard to controlled 
substances which were suppressed. We found dissipation of 
public resources and scientific equipment amounting to millions 
of dollars. We found losses of equipment. And we found 
inability to keep track of government property.
    We found the Agency had to go lightly on their drills 
because employees charged with security were having heart 
attacks as a result of having to defend these facilities. It 
was a situation worthy of the Grand Duchy of Graustark. And it 
was indeed a situation which would have been humorous were it 
not for the fact that it was so sad and so dangerous.
    I will not burden my colleagues with further details of the 
events that this committee has had the distressful experience 
of disclosing over the years. But classified information has 
disappeared. Drug users have obtained clearances. Sensitive 
information is being uncovered in drug raids. And promises are 
made and continually broken to improve security by every 
administration that has been before this committee.
    After our last hearing this hearing asked the Government 
Accountability Office to conduct a comprehensive review of 
ongoing security issues at Los Alamos National Lab. Today we're 
going to hear the results of that work as a result, as well as 
the results of a number of audits and studies by the Department 
of Energy's inspector general and its Office of Independent 
Oversight.
    These conclusions are mixed, and I must say that I achieve 
a small measure of comfort by finding that they're mixed. And 
at least they are not, for a change, all bad. While GAO found a 
number of ongoing concerns at Los Alamos National Laboratory 
that deserved the attention of the committee, they also found 
some evidence of improvement for which we rejoice, enough to 
make me slightly optimistic that the lab's security is in some 
way improving.
    This improvement must be tempered, however, by GAO's 
warning that security at DOE labs appears to be cyclical. I'm 
not quite sure what that means, but it may relate to the fact 
that from time to time this committee has hearings to find out 
how the matter progresses. Indeed, however, it is not clear to 
me or, I suspect, anybody else how Los Alamos intends to ensure 
that these problems will not reoccur.
    Unfortunately, we will also learn today that while Los 
Alamos has improved security, another critically important DOE 
weapons lab, Lawrence Livermore National Laboratory, has not. 
In April of 2008, DOE's Office of Independent Oversight 
completed an evaluation review of security at Livermore. The 
results, quite frankly, were shocking and sufficiently serious 
that we can only discuss the specific details in our closed 
session this afternoon.
    I'd like to observe that we have before us identified major 
problems with key aspects of Livermore's protective strategy, 
including malfunctioning equipment, inadequate staffing, 
insufficient training of the protective workforce. And while we 
understand that many of these shortcomings are being addressed, 
or at least we're so informed, the OIO findings are so 
troubling that we must learn more about how DOE allowed this to 
happen and what they're doing to prevent a recurrence.
    Lastly, today, we will hear from an even bigger problem 
facing these labs and DOE as a whole. And that is the threat 
from cyber attacks, a new and increasingly serious danger. At 
our request, GAO conducted a comprehensive review of Los 
Alamos's unclassified cyber network; and the results of the 
review highlight the need for significant security improvements 
to protect sensitive information on Los Alamos's unclassified 
network.
    As noted by the GAO, the information on this network 
presents a valuable target for foreign governments, terrorists 
and industrial spies. And it's an interesting thing that this 
kind of threat enables people to do the kind of penetration of 
our national security simply sitting in their living room, 
working with their computers.
    This problem, however, is not unique to Los Alamos. All of 
DOE's labs are facing cyber security challenges. We're going to 
hear testimony that the labs are virtually naked to concerted 
cyber attacks, especially by assault from persistent or funded 
and dedicated assailants right in there, terrorists or foreign 
governments.
    Given the sensitivity of these facilities and the people 
who work there, we need to learn how DOE is working to correct 
this problem and when we may expect that it will, in fact, be 
corrected.
    Mr. Chairman, under your leadership I know that this 
committee is going to continue its examination into cyber 
security in the next Congress and to broaden it to include all 
departments and agencies within our jurisdiction. Because the 
potential consequences of this situation are very, very 
serious, I expect that this will be one of our most important 
oversight priorities next year.
    And I want to thank you for the work and the leadership 
that you have done and shown, and express my hope that I will 
be able to work with you again on this very important matter. 
Thank you, Mr. Chairman.
    Mr. Stupak. Thank you, Mr. Dingell.
    [The prepared statement of Mr. Dingell follows:]

               Prepared Statement of Hon. John D. Dingell

    Mr. Chairman, thank you once again for holding another 
important hearing on the state of security at our Nation's 
weapons labs. This will be the fourteenth hearing we have held 
on this subject over the last eight years. It was the topic of 
our first oversight hearing for the 110th Congress, and today 
it may conclude this Subcommittee's hearings for this Congress.
    I will not bore my colleagues with all the gory details of 
security misadventure and mishap that this Committee has 
uncovered over those 8 years--of classified information 
disappearing, of drug users obtaining clearances, of sensitive 
information being uncovered in drug raids, and of promises made 
and continually broken to improve security.
    Rather, after our last hearing, this Committee asked the 
Government Accountability Office (GAO) to conduct a 
comprehensive review of ongoing security issues at Los Alamos 
National Lab. Today we will hear the results of that work as 
well as the results of a number of audits and studies by the 
Department of Energy's Inspector General and its Office of 
Independent Oversight.
    Their conclusions are mixed. While GAO found a number of 
ongoing concerns at Los Alamos National Laboratory that deserve 
our attention, they also found evidence of some improvement--
enough to make me cautiously optimistic that lab security is in 
some ways improving. However, this improvement must be tempered 
by GAO's warning that security at DOE labs appears cyclical, 
and it is not clear how Los Alamos intends to ensure these 
problems will not reoccur.
    Unfortunately, we will also learn today that while Los 
Alamos has improved security, another critically important 
DOE weapons lab--Lawrence Livermore National Laboratory--has 
not.
    In April 2008, DOE's Office of Independent Oversight (OIO) 
completed an evaluation and review of Livermore's security 
posture. The results were shocking and so serious that we can 
only discuss the specific details in our closed session this 
afternoon.
    Let me just say that they identified major problems with 
key aspects of Livermore's protective strategy, including 
malfunctioning equipment, inadequate staffing, and insufficient 
training of its protective workforce. While we understand that 
many of these shortcomings are being addressed, the OIO 
findings are troubling, and we must learn how DOE allowed this 
to happen and what they are doing to prevent a reoccurrence.
    Lastly, today we will hear of an even bigger problem facing 
these labs, and DOE as a whole, and that is the threat from 
cyber attacks. At our request, GAO conducted a comprehensive 
review of Los Alamos' unclassified cyber network, and the 
results of this review highlight the need for significant 
security improvements to protect sensitive information on Los 
Alamos' unclassified network. As noted by GAO, the information 
on this network presents ``a valuable target for foreign 
governments, terrorists, and industrial spies.''
    Unfortunately, this problem is not unique to Los Alamos. 
All of the DOE labs are facing cyber-security challenges. We 
will hear testimony that the labs are virtually naked to 
concerted cyber attacks--especially by assault from persistent, 
well-funded, and dedicated assailants. Given the sensitivity of 
these facilities and the people who work there, we need to 
learn how DOE is going to correct this problem.
    I would urge this Subcommittee to continue its examination 
into cyber security in the next Congress and broaden it to 
include all departments and agencies within our jurisdiction. I 
expect this may be one of our most important oversight 
priorities next year and look forward to working with you on 
this matter.
                              ----------                              

    Mr. Stupak. Mr. Burgess for an opening statement, please.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Thank you, Mr. Chairman. This does seem like 
deja vu all over again, doesn't it?
    We've had hearings in the past and we've established some 
serious lapses in security and managerial oversight at Los 
Alamos National Laboratory. Indeed, we went through an entire 
process with those Requests for Proposals as to whether or not 
the management of the lab should change.
    I took a trip out to Los Alamos in July of 2005. I just 
wanted to see for myself on the ground. I have got to say, I 
was impressed by the work being done; I was impressed by the 
dedication of the employees. But as we continued to hear after 
that, even after the evaluation and even though there was no 
management change, but there was promise of some changes, we 
still heard the reports of things that weren't quite right.
    Through all of those hearings, we always heard that things 
at Sandia, things at Lawrence Livermore were the gold standard, 
and that's what we should aspire to. But now we have got a GAO 
report that says significant problems exist in physical and 
electronic security at Lawrence Livermore as well. So the 
security of these agencies may have made some progress in 
strengthening some of the security weaknesses at Los Alamos--
and I think that's still in question.
    The NNSA needs to be more consistent with their progress in 
other facilities. Gaps in the physical protection of classified 
documents, but especially the electronic uses of both 
classified and unclassified, but sensitive; this committee 
should maintain persistent oversight until these problems are 
corrected.
    I am concerned with the cyber security weaknesses and lab 
policies towards the physical protection of computers, portable 
storage devices and other sensitive areas in the labs. It seems 
like we've been through this before at Los Alamos, and I guess 
I have to wonder why we're not learning the lessons as they're 
given to us.
    It's taken for granted that almost any enterprise 
undertaken in life will involve a computer, a cell phone, a 
BlackBerry or some other electronic device. It's also a near 
certitude that an ill-meaning person or persons can attempt to 
illegally access electronic systems and devices for a variety 
of reasons, none of which are good. The rapid advancements in 
technology make the nature of the threat to our electronic 
systems one that is constantly evolving, therefore we need to 
be flexible on the committee, but we need to be vigilant.
    In 2002, Congress passed the Federal Information Security 
Management Act to protect our critical information 
infrastructure. This was before I was elected. And I do wonder 
if our Federal agencies, particularly the Department of Energy, 
are in compliance with this important law. It's a dangerous 
time. Our national security secrets should be closely held, 
closely guarded; and they should stay our national secrets.
    The Office of Inspector General has noted that our nuclear 
labs and Department of Energy work information systems are 
compromised. I will look forward to working with the chairman 
of this subcommittee and the chairman of the full committee to 
ensure that our nuclear secrets do not fall into the wrong 
hands.
    And I will yield back the balance of my time.
    Mr. Stupak. I thank the gentleman. We have our first panel 
before us. Let me introduce them if I may:
    Mr. Gregory Wilshusen, who is the Director of Information 
Security Issues at the U.S. Government Accountability Office. 
And you're accompanied by Ms. Allison Bowden of the GAO. And 
you are senior auditor, correct? OK. Mr. Glenn Podonsky, who is 
the Chief Health, Safety and Security Officer in the Office of 
Health Safety and Security of the Department of Energy; and the 
Honorable Gregory Friedman, who is the Inspector General at the 
Department of Energy.
    Welcome to all of our witnesses.
    It's the policy of this committee to take all testimony 
under oath. Please be advised you have a right by the Rules of 
the House to be advised by counsel during your testimony. Do 
any of you wish to be advised by counsel during your testimony?
    Everybody indicating ``no.'' Therefore, I will ask you to 
stand, raise your right hand and take the oath.
    [Witnesses sworn.]
    Mr. Stupak. Let the record reflect that the witnesses have 
answered in the affirmative to the oath. They are now under 
oath.
    Mr. Stupak. We will begin with opening statements.
    Mr. Friedman, let's start with you. If you don't mind, pull 
that mic up. And you are recognized for 5 minutes. If you have 
a longer statement, it will be submitted for the record. So if 
you would begin, please.

   STATEMENT OF GREGORY H. FRIEDMAN, INSPECTOR GENERAL, U.S. 
                      DEPARTMENT OF ENERGY

    Mr. Friedman. Thank you, Mr. Chairman and members of the 
subcommittee. I'm pleased to be here today at your request to 
testify on matters relating to security at the Department of 
Energy's national defense laboratories. These laboratories, 
which are part of the National Nuclear Security Administration, 
process some of the Department's most sensitive information, 
information which is critical to the Nation's defense.
    Since 2002, the Office of Inspector General has categorized 
information security as one of the Department's most 
significant management challenges. In April of 2007, I 
testified before this subcommittee on the special inquiry 
conducted by my office regarding a diversion of classified data 
from the Los Alamos National Laboratory, an event made possible 
in large part by cyber security-related weaknesses.
    The Office of Inspector General has continued its efforts 
in this area by conducting a number of cyber security reviews 
throughout the Department, including NNSA and its national 
defense laboratories. Early this year we conducted an extensive 
review of the process to certify and accredit classified 
national security information systems. Simply stated, 
certification and accreditation is a critical management tool 
used to recognize and address risks by ensuring that cyber 
security controls are in place.
    Our findings relative to the NNSA and its laboratories 
revealed a number of weaknesses. In particular, we found, 
first, critical security functions had not been adequately 
segregated, providing the opportunity for systems security 
officers to gain access and modify systems without review or 
approval.
    Secondly, risks associated with classified and unclassified 
systems operating in the same environment had not always been 
adequately evaluated.
    Third, the system security plans omitted information on 
hardware such as servers, network printers, and scanners, a 
condition paralleling one of our concerns relating to the 
diversion of classified material at Los Alamos.
    And finally, contingency plans outlining actions necessary 
to resume operations in the event of a disaster were not always 
developed or they were incomplete.
    These weaknesses occurred, in part, because the NNSA had 
not been fully successful in ensuring its laboratories 
implemented the Department's updated cyber security 
requirements. For example, two laboratories completed their 
certification and accreditation process using outdated 
requirements, leaving a number of systems vulnerable to control 
weaknesses. In addition, headquarters and field site officials 
had not effectively reviewed security plans to ensure that they 
were accurate and adequately addressed system risks.
    In our recently issued Federal Information Security 
Management Act evaluation, we identified a number of weaknesses 
that exposed unclassified systems to an increased risk of 
compromise.
    We found, first, two of the three defense labs had not yet 
completed certification accreditation of certain business 
systems, a deficiency first reported in 2006.
    Mandatory security controls were not included in systems 
security plans at one laboratory.
    All three laboratories had not completed implementation of 
the federally mandated standard desktop configuration.
    Computer incident reports did not always include 
information needed for implementing--needed for reporting to 
law enforcement and for subsequent analysis for trending.
    And at one laboratory vulnerabilities were identified that 
may have allowed unsupervised foreign visitors to 
inappropriately access the site's intranet.
    We found that NNSA had not in a timely manner incorporated 
Federal and departmental cyber security requirements into its 
policies and guidance. In addition, NNSA also had not 
effectively completed reviews and performance monitoring, 
activities essential for evaluating the adequacy of cyber 
security operations.
    Our evaluations reveal a mixed picture. The Department and 
NNSA have improved their cyber security efforts, yet weaknesses 
still exist. Additional action is necessary to protect systems 
and the information they contain from increasingly 
sophisticated and persistent attacks.
    Since the end of fiscal year 2007, as has been referred to 
earlier in the opening statements, the Department has 
experienced a 45 percent increase in reported cyber security 
incidents. This significant increase demonstrates the need for 
sustained action in securing the Department's information 
systems.
    Our work suggests that there are some recurring challenges 
that NNSA should consider as it moves forward. Specifically, 
NNSA should implement in a timely manner all relevant Federal 
departmental cyber security requirements, strengthen the 
management and review process by better monitoring field sites 
to ensure adequacy of cyber security program performance and, 
finally, ensure that all outstanding cyber security weaknesses 
are corrected in a timely manner.
    The Office of Inspector General recognizes well the 
importance of cyber and physical security and we are committed 
to continuing our work in these areas.
    Mr. Chairman, this concludes my statement. I would be 
pleased to answer any questions you may have.
    Mr. Stupak. Thank you Mr. Friedman.
    [The prepared statement of Mr. Friedman follows:] 

                    Statement of Gregory H. Friedman

                                Summary

     Since 2002, the Office of Inspector General (OIG) 
has categorized information security as one of the Department 
of Energy's (Department) most significant management 
challenges. While incremental improvements have been made to 
improve security and reduce risks to systems and data, 
additional work needs to be done.
     The OIG recently issued a report on the 
certification and accreditation of the Department's national 
security information systems. Our review disclosed that 
weaknesses exist in the areas of risk management, security 
planning, and contingency planning. In addition, the National 
Nuclear Security Administration (NNSA) had not been fully 
successful in ensuring that its laboratories implemented the 
Department's updated, strengthened policies designed to protect 
national security information systems.
     A Fiscal Year 2008 review of the Department's 
unclassified cyber security program identified opportunities 
for improvements in areas such as certification and 
accreditation of systems, systems inventory, contingency 
planning and segregation of duties.
     The problems identified occurred because NNSA had 
not revised and implemented, in a timely manner, policies and 
guidance incorporating Federal and Departmental cyber security 
requirements. NNSA also had not effectively completed review 
and performance monitoring activities essential for evaluating 
the adequacy of cyber security operations.
     Since the end of Fiscal Year 2007, the Department 
has experienced a 45 percent increase in reported cyber 
security incidents. This significant increase demonstrates the 
need for sustained action in securing the Department's 
information systems.

                               Statement

    Mr. Chairman and members of the Subcommittee, I am pleased 
to be here at your request to testify on matters relating to 
cyber security at the Department of Energy's (Department) 
national defense laboratories. These laboratories, which are 
part of the National Nuclear Security Administration (NNSA), 
possess and process some of the Department's most sensitive 
information; information which is critical to the Nation's 
defense.

                               Background

    The Office of Inspector General (OIG) has a long-standing, 
proactive program to assess the effectiveness of the Department 
of Energy's cyber security strategy. Since 2002, the OIG has 
categorized information security as one of the Department's 
most significant management challenges. In April of 2007, I 
testified before this Subcommittee on the special inquiry 
conducted by my office regarding a diversion of classified data 
from the Los Alamos National Laboratory; an event made 
possible, in large part, by cyber security related weaknesses. 
The OIG has continued its efforts in this area by conducting a 
number of cyber security reviews throughout the Department, 
including NNSA and its national defense laboratories - Los 
Alamos, Lawrence Livermore, and Sandia.

            Review of National Security Information Systems

    In response to our special inquiry on the diversion of 
classified data at Los Alamos, the Department initiated a wide 
range of actions to address cyber security weaknesses related 
to classified systems. For instance, the Department updated and 
strengthened its national security information systems policy 
for segregation of duties and system access techniques.
    Earlier this year, we conducted an extensive review of the 
process to certify and accredit classified national security 
information systems at the NNSA laboratories. Certification and 
accreditation (C&A) is a critical part of the risk management 
process and is vital to understanding and mitigating cyber-
related vulnerabilities. This process is designed to ensure 
that systems are secure prior to beginning operation and that 
they remain so throughout their lifecycle. It includes formal 
steps to: (1) recognize and address risks, (2) determine 
whether system security controls are in place and operating 
effectively, and (3) ensure that changes to systems are 
adequately tested and approved. Our findings relevant to the 
NNSA and its national defense laboratories revealed that:
     Critical security functions had not been 
adequately segregated, providing the opportunity for system 
security officers to gain access and modify systems without 
review or approval, creating an environment in which controls 
could be manually overridden;
     Risks associated with classified and unclassified 
systems operating in the same environment had not always been 
adequately evaluated. This weakness - exacerbated by the lack 
of segregation of duties - increased the risk that classified 
information could be transferred to unclassified systems;
     Users at one laboratory were allowed to manually 
change passwords, a practice specifically prohibited by the 
Department and one which rendered passwords on classified 
systems more susceptible to compromise;
     At the same laboratory, a number of security plans 
were not reviewed and approved by a Federal official, depriving 
NNSA of the opportunity to ensure that all risks to the systems 
were addressed;
     System security plans omitted information on 
hardware such as servers, network printers and scanners, the 
presence of which could have created a security vulnerability 
and enabled the unauthorized processing, diversion or theft of 
classified material. This condition paralleled one of our 
concerns related to the diversion of classified information at 
Los Alamos; and,
     Contingency plans outlining actions necessary to 
resume operations in the event of a disaster were not always 
developed or were incomplete.
    The Department had strengthened policies designed to 
protect national security information systems in response to 
our recommendations following the Los Alamos incident. However, 
NNSA had not been fully successful in ensuring that its 
laboratories implemented these updated and stronger 
requirements. For example, two laboratories completed their C&A 
process using outdated requirements, leaving a number of 
systems vulnerable to control weaknesses such as the lack of 
segregation of duties and strong authentication techniques. In 
addition, Headquarters and field site officials had not 
effectively reviewed security plans to ensure that they were 
accurate and that they adequately addressed system risks.

                     Review of Unclassified Systems

    The OIG has also devoted substantial resources to 
evaluating security measures designed to protect the 
Department's unclassified information systems and data. The 
Federal Information Security Management Act requires that 
agency Inspectors General conduct an annual independent 
evaluation of their Department's unclassified cyber security 
program and practices. Our recently issued Fiscal Year (FY) 
2008 evaluation revealed a mixed-picture: on one hand, the 
Department had made incremental improvements in its 
unclassified cyber security program. For example, various sites 
had taken action to address weaknesses we identified during our 
FY 2007 evaluation by strengthening configuration management, 
updating policy, and incorporating cyber security performance 
requirements into management and operating contracts. However, 
a number of weaknesses that exposed systems to an increased 
risk of compromise still existed within the Department. This 
specifically included NNSA and its national defense 
laboratories. In particular:
     Two of the three defense laboratories had not yet 
completed certification and accreditation of certain business 
systems, a deficiency we first reported in FY 2006;
     System security plans at one laboratory did not 
include mandatory security controls. Such information is 
necessary for management to determine that all system risks 
have been fully considered and that mitigating controls are in 
place;
     At one laboratory, unneeded computer services had 
not been disabled on over 40 servers that hosted publicly 
accessible websites. These services, which in a number of 
instances could be accessed without the use of passwords or 
other authentication techniques, increased the risk of 
malicious damage to the servers and the networks on which they 
operated;
     All three laboratories had not yet completed the 
deployment of the Federally-mandated standard desktop 
configuration, an action that when implemented is intended to 
significantly enhance cyber-related controls;
     Computer incident reports did not always include 
information needed for reporting to law enforcement and for 
subsequent analysis for trending. Further, reported information 
was not always shared with other Department elements; and,
     At one laboratory, vulnerabilities were identified 
that may have allowed unsupervised foreign visitors to 
inappropriately access the site's intranet. Such practices, if 
exploited, could have permitted those individuals to probe the 
laboratory's network for vulnerabilities, implant malicious 
code, or remove data without authorization.

                 Issues Requiring Continuing Attention

    While NNSA has taken steps to address a number of 
weaknesses identified in the past, additional action is 
necessary to protect systems and the information they contain 
from increasingly sophisticated and persistent attacks. Since 
the end of FY 2007, the Department has experienced a 45 percent 
increase in reported cyber security incidents. This significant 
increase demonstrates the need for sustained action in securing 
the Department's information systems.
    Our work suggests that there are some recurring challenges 
that NNSA should consider as it moves forward. Specifically, 
NNSA should:
    1. Implement, in a timely manner, all relevant Federal and 
Departmental cyber security requirements;
    2. Strengthen the management review process by better 
monitoring field sites to ensure the adequacy of cyber security 
program performance; and,
    3. Ensure that all outstanding cyber security weaknesses 
are corrected in a timely manner.
    To achieve the recommended reforms as promptly as possible, 
NNSA should establish firm schedules with specific 
implementation timeframes and benchmarks.

                   Ongoing Inspector General Efforts

    Both cyber and physical security continue to be pressing 
management challenges. For that reason, the Office of Inspector 
General has ongoing activities to examine information 
technology and systems security, implementation of physical 
security technology upgrades, protection of sensitive 
unclassified information, and accounting for nuclear materials 
in the hands of domestic licensees.
    Mr. Chairman, this concludes my statement and I would be 
pleased to answer any questions you may have.
                              ----------                              

    Mr. Stupak. Mr. Podonsky, please, for your opening 
statement.

   STATEMENT OF GLENN S. PODONSKY, CHIEF HEALTH, SAFETY AND 
          SECURITY OFFICER, U.S. DEPARTMENT OF ENERGY

    Mr. Podonsky. Chairman Stupak, Ranking Member Shimkus and 
members of the subcommittee, I want to thank you for inviting 
me to testify today on the status of the security and cyber 
security programs at the Department of Energy's three weapons 
laboratories.
    As the Department's Chief Health, Safety and Security 
Officer, my office and I have a direct interest in the levels 
of rigor and effectiveness at which these laboratories and all 
DOE sites implement the Department's security requirements.
    In the area of physical protection and the protection of 
special nuclear material, the HSS Office of Independent 
Oversight conducted a comprehensive security inspection this 
past spring at Lawrence Livermore National Laboratory and just 
recently completed an inspection at Los Alamos National 
Laboratory. While there were a number of identified weaknesses, 
most notably at Lawrence Livermore, reports of progress 
indicate that they are aggressively addressing identified 
deficiencies. We will validate the effectiveness of these 
corrective actions when we conduct a follow-up inspection in 
the spring.
    The results of our evaluations indicate that the systems in 
place to protect classified matter at these laboratories are 
generally adequate and in compliance with expectations, but 
there are residual issues that must be addressed. In the area 
of cyber security, threats to DOE and NNSA cyber security 
defenses continue to escalate both in terms of the number of 
attacks and in the sophistication and complexity of those 
attacks.
    Mr. Chairman, DOE, along with many other government 
agencies and corporate organizations, are experiencing a broad 
range of cyber security threats that we must protect against on 
a continuous basis. Our interconnected society and dependency 
on the rapid exchange of vast quantities of electronic 
information exposes all of us to cyber threats similar to those 
faced by DOE and NNSA. I believe the entire U.S. Government is 
at a crossroads on how we protect sensitive information.
    Our independent oversight inspections have identified 
numerous positive attributes of the classified cyber security 
programs at each of the weapons laboratories, and while there 
are some deficiencies that need to be addressed, the classified 
cyber security program throughout DOE remains strong.
    Unclassified cyber security presents a different challenge. 
The primary threats to our unclassified networks used to be 
directed at our perimeter defenses, and as a result, the 
Department directed significant effort toward strengthening its 
network perimeter through implementation of firewalls and 
intrusion detection systems. However, as external network 
defenses have grown stronger, our adversaries have shifted 
strategies and most attacks today are less direct.
    Many new network penetrations now occur as a result of an 
authorized user activating a malicious software program commonly 
known as a Trojan horse or some form of social 
engineering. Once a user activates a malicious program, a 
communication channel is established to the adversary system, 
essentially ignoring the otherwise effective firewall.
    In January of 2005, my office added to our existing 
inspection program an unannounced network testing process 
commonly referred to as ``red teaming'' to provide a more 
rigorous evaluation of this new threat environment. Red teaming 
evaluates the strengths and weaknesses and security controls, 
as well as the Department's ability to detect and disseminate 
information about attacks and how it addresses the attacks.
    Our most recent red team activity, conducted with only six 
cyber specialists and in under 90 days, resulted in our ability 
to take full control of two site networks and one small site 
office network. Our red team was able to download a very large 
quantity of data in gigabytes, 40,000 documents, some of which 
were sensitive, without being detected.
    Additionally, with this access, we installed our own 
malicious programs on a number of laptop computers. As these 
laptops were legitimately connected to other networks through 
authorized accounts, we were able to see these networks and to 
browse the information on them, thus demonstrating our ability 
to migrate through the Department into sensitive networks.
    While there has been moderate improvement in the 
unclassified cyber security arena, including better 
segmentation of computer networks and improved vulnerability 
scanning, we continue to identify problems in fully 
implementing some fundamental security controls at DOE and NNSA 
sites. For example, while some sites within NNSA have improved 
their process for controlling outbound network connections, 
many other sites have not fully implemented mechanisms to 
prevent malicious software programs from sending sensitive 
unclassified information to sources outside their networks.
    The DOE Chief Information Officer and the Under Secretaries 
have made progress in recent years with respect to developing 
new policy and governance model to implement these new 
policies. This governance model essentially enables each Under 
Secretary to determine how they will implement departmental 
requirements through their program cyber security plans. Our 
inspections, however, have continued to demonstrate that some 
fundamental cyber security requirements are not consistently 
implemented throughout the Department.
    We don't want to underestimate the work that has already 
taken place. Some sites, especially within NNSA, have addressed 
many of these issues. However, the Department continues to 
identify successful penetrations of our networks.
    To protect sensitive information more effectively, we need 
to enhance certain aspects of departmental policy to include 
requiring encryption of sensitive information stored on all 
computers, implementing a more robust program cyber security 
plan and review process by the DOE's Office of the CIO to 
ensure that the plans are meeting expectations and revisiting 
some of the risk decisions that have been made with particular 
emphasis on the evolving threat environment.
    Additionally, we need to continue to educate our users 
regarding the threats involved with opening attachments and 
running programs from untrusted sources. We should implement 
authenticated gateways for all outbound Internet access to 
reduce the ability for automated programs to establish pathways 
to external systems, as we did with our red team. We should 
also more efficiently analyze suspicious activities across the 
network. Finally, we need to do a better job of keeping 
attackers who manage to gain access to sensitive information on 
our systems from sending that data outside our network 
perimeters as well as limit their ability to migrate to other 
areas of the site's network.
    Mr. Chairman, my office and I believe this subcommittee and 
DOE share the same goal of ensuring that our national security 
assets are well protected and also share the concern when the 
protection effectiveness falls below our standards. However, 
the Department and the laboratories have additional work to do 
to ensure the protection of the classified information they 
possess in both physical and electronic form.
    I cannot stress strongly enough our belief that we need to 
get back to the basics of risk management to identify which 
information needs special protection, to determine appropriate 
protection measures to apply to that information, and then we 
need to ensure that the protection measures are actually 
implemented.
    Thank you, Mr. Chairman.
    Mr. Stupak. Thank you, Mr. Podonsky.
    [The prepared statement of Mr. Podonsky follows:]

    Mr. Stupak. Mr. Wilshusen, your opening statement, please, 
sir.

   STATEMENT OF GREGORY C. WILSHUSEN, DIRECTOR, INFORMATION 
SECURITY ISSUES; ACCOMPANIED BY ALLISON BOWDEN, SENIOR AUDITOR, 
                GOVERNMENT ACCOUNTABILITY OFFICE

    Mr. Wilshusen. Chairman Stupak, Ranking Member Shimkus and 
members of the subcommittee.
    Mr. Stupak. Is your mic on, sir? Just pull it up a little 
bit, if you don't mind.
    Mr. Wilshusen. Can you hear me now? OK.
    Chairman Stupak, Ranking Member Shimkus and members of the 
subcommittee, I am pleased to be here today to testify on 
physical and cyber security at the Los Alamos National 
Laboratory or LANL, one of three national laboratories operated 
by the National Nuclear Security Administration that designs 
and develops nuclear weapons for the U.S. stockpile. I am 
joined by Allison Bowden, a GAO senior analyst specializing in 
physical security.
    A basic management objective for any organization is to 
protect the assets and resources that support its critical 
operations from theft, unauthorized access, use, modification, 
destruction or disruption. It is especially critical for 
national laboratories, such as LANL, that possess and process 
special nuclear material, nuclear weapons parts and highly 
sensitive and classified information.
    A successful physical or cyber attack on LANL could have 
devastating consequences for the site, its surrounding 
communities and the Nation's security. Because of these risks, 
LANL needs effective physical and cyber security programs. 
Today I will summarize our recently completed work on physical 
and cyber security at Los Alamos and share our preliminary 
observations on physical security at the Lawrence Livermore 
National Laboratory.
    Mr. Chairman, LANL is improving its physical security. It 
is implementing over two dozen initiatives to reduce, 
consolidate and better protect its classified assets. It has 
reduced the physical footprint of the laboratory by closing 
unneeded facilities, although this initiative is focused more 
on reducing maintenance costs than addressing facility 
security.
    Other challenges remain. Significant physical security 
problems related to nuclear weapon part storage, inadequate 
self-assessments and complete corrective action plans have been 
fully addressed--or have not been fully addressed at the time 
of our review.
    In addition, LANL's ability to sustain security 
improvements over the long term is unproven because its 
approach is for sustaining progress contained weaknesses in the 
early stages of development. For example, a system intended to 
track long-term improvements would not be fully completed for 3 
to 4 years.
    Furthermore, the Los Alamos site office, which is 
responsible for overseeing security at LANL, may not have 
enough staff or the proper training to provide effective 
security oversight.
    To help strengthen LANL's physical security program, GAO 
recommended, among other things, that LANL develop a 
comprehensive strategic plan for addressing identified 
weaknesses and improving program effectiveness.
    At Lawrence Livermore our preliminary observations on 
physical security indicate that its self-assessment and 
performance-assurance testing programs need improvement and 
that NNSA and the Livermore site office have not always 
provided effective security oversight. Both Livermore and the 
site office have actions under way that are intended to improve 
these deficiencies. However, similar to LANL, sustaining 
improvements may be a continuing challenge.
    Turning to cyber security--and in reports being released 
today, Mr. Chairman, we note that Los Alamos has implemented 
numerous measures to enhance cyber security, but weaknesses 
remain that impair the laboratory's ability to sufficiently 
protect the confidentiality, integrity and availability of 
sensitive information on the unclassified network. At the time 
of our site visits, LANL had vulnerabilities in several 
critical areas, including identifying and authenticating users 
of the networks, encrypting certain sensitive information, 
monitoring compliance with security policies, implementing and 
testing software patches, and planning for contingencies when 
the network services are disrupted. A key reason for these 
weaknesses is that the laboratory had not fully implemented its 
cyber security program to ensure that controls were effectively 
established and maintained.
    In addition, the number of foreign nationals who have 
access to the unclassified network, including about 300, as of 
May 2008, from DOE's designated sensitive countries, had raised 
concerns amongst some laboratory and NNSA officials because of 
the sensitive information contained on the network.
    To enhance cyber security over the unclassified network, we 
are making a total of 52 recommendations to improve LANL's 
program activities, correct specific control weaknesses, and 
ensure a clear and consistent strategy for determining resource 
requirements based on risk.
    In summary, LANL has taken steps to improve its physical 
and cyber security programs, but more remains to be done. Until 
known deficiencies are adequately addressed and improvements 
sustained over the long term, sensitive and classified 
resources will remain at increased and unnecessary risk.
    Mr. Chairman, we'd be happy to answer any questions.
    Mr. Stupak. Thank you.
    [The prepared statement of Mr. Wilshusen follows:]

    Mr. Stupak. Ms. Bowden, would you care to make an opening 
statement?
    Ms. Bowden. No, sir.
    Mr. Stupak. OK. Let's begin our questioning then. Let's go 
10 minutes and move it along.
    Mr. Wilshusen, let me ask you this: I'm glad to hear that 
Los Alamos is doing better. This committee has really been on 
their case, because we have had so many hearings concerning 
their physical security. So we're pleased to see that.
    We've asked in the past that GAO take a look at the need 
for a Los Alamos. In other words, there's a lot of redundancy 
in our labs. Is it necessary to keep that--is that 
investigation or report by GAO ongoing, looking at the physical 
assets of Los Alamos and is it needed?
    Ms. Bowden. Yes, Mr. Chairman. We have finished the first 
part of that review, which was the report that was issued on 
physical security in June 2008. And we are just beginning the 
second phase of that review, which will take a comparative look 
at infrastructure across the nuclear weapons complex.
    Mr. Stupak. OK. Thanks.
    Well, let me ask you this, Ms. Bowden, if I may. One of the 
concerns you raised in reporting on Los Alamos' physical 
security structure, that it seemed to be cyclical in nature. 
I'm glad to see that they're improving. But the labs appear to 
improve when we've had a mishap and they know they're under 
scrutiny.
    How do we make sure there are improvements in the physical 
security, whether it's cyber or just physical security, unless 
this committee or--unless there's an incident, it seems like 
they regress. How do we break the cyclical nature of this?
    Ms. Bowden. In our June 2008 report, we've recommended 
specifically that NNSA effectively incentivize financially, 
through newly established performance-based contracts, 
effective incentives for physical security performance. They 
get beyond compliance-oriented measures, but really look at the 
effectiveness of the security programs at Los Alamos.
    In addition, we believe that effective security oversight 
through the NNSA site office will help address the 
sustainability of improvements in security at the laboratory.
    Mr. Wilshusen. Regarding cyber security, it will take 
several things to make that happen. One, of course, is first 
getting the current control situation up to snuff in terms of--
in particular, like implementing our recommendations over the 
weaknesses in its present controls. But that's only as a point 
certain.
    It's also imperative that the Agency develop the processes 
and the structure to ensure that these controls and its risks 
are adequately assessed over time because the computing 
environment changes. The cyber security environment is very 
dynamic. There are constantly new threats, new technologies and 
new business processes and functionality that are being added 
to the unclassified networks and to any network, speaking 
generally. And so it requires that the Agency sets up the 
processes and effectively implements them over time.
    Mr. Stupak. Well, let me ask you this: To the extent that 
you can testify, you or Mr. Podonsky, in open session here, 
what is the level of sophistication of these cyber attacks? And 
I take it they're increasing in capability.
    It's getting much more sophisticated these cyber attacks, 
is it fair to say?
    Mr. Wilshusen. Definitely, they're becoming more 
sophisticated and they're also becoming more targeted. In the 
past, many of the attacks were just through hackers or virus 
writers that might throw out a virus across the Internet and 
see what they might be able to infiltrate. Now attackers--and 
they come from a variety of sources--more specifically target 
their--well, they more specifically try to target their more 
particular systems or individuals that they want to attack; and 
they tailor that attack to try to encourage an individual to 
open up an e-mail attachment or to provide sensitive 
information, like personally identifiable information, or to go 
to a Web site to which can then be downloaded malicious 
software which can provide the opening to the attacker.
    Mr. Stupak. Mr. Podonsky, I think you actually said in your 
testimony that before instead of a straight-in attack, now they 
use a different method or go through someone who will already 
have access to it, get them to open an e-mail or whatever, and 
then make the attack.
    Mr. Podonsky. In my opening statement I did talk about the 
sophistication of these attacks. And I'm sure in the closed 
session we'll be able to talk with greater granularity.
    However, I want to emphasize again, as I said in my opening 
statement, while DOE is a target, so is the entire United 
States Government.
    Mr. Stupak. Sure.
    Mr. Podonsky. And we need to be sensitive that these 
attacks are very real, not only against our laboratories, but 
against all of our agencies.
    Mr. Stupak. Well, and in my testimony, I had mentioned that 
tens of millions of attacks are taking place each month. Are we 
at a point where the number of attacks has outpaced our 
ability to defend against them, or to identify them when they 
do occur?
    Mr. Podonsky. In our opinion, from independent oversight, 
we believe that there are things that we can do to help protect 
some of the information that we have. But the reality is that 
these attacks continue to be, as you point out, more 
sophisticated and more numerous. And it's a constant, 
continuous struggle for all of us.
    Mr. Stupak. But you also mentioned in your testimony your 
Red Team and how you're able to penetrate two of the DOE labs 
and downloading a very large quantity--gigabytes, you said--of 
information.
    Can you expound further on what your Red Team did? And what 
does this suggest about the capability of the Department of 
Energy to thwart cyber attacks?
    Mr. Podonsky. What I can say in open session, first, yes, I 
would like to explain in greater detail in a closed session 
what they actually did and the only reason I can say that is 
because we do not want to confirm for hackers out there what 
the successful practices are, because we've proven that within 
the Department.
    But suffice it to say that, as I said, with a very small 
group of cyber security specialists, and in under, as I said, 
90 days, we were able to take over the network of two of the 
sites.
    We believe that were we with more people--and I'm not 
asking for more, but were we with more people and had we 
pursued this for a longer period of time, there would have been 
more vulnerabilities that we would have found.
    Mr. Stupak. I think, Mr. Wilshusen, and I think, Mr. 
Podonsky--I think you both mentioned it--the so-called yellow 
network, if you will, or the unclassified network at the labs 
is not sensitive enough to warrant major action to protect it. 
But yet these unclassified networks can lead you to terribly 
sensitive information; is that correct?
    Mr. Wilshusen. Yes. Certainly the information on the yellow 
network contains very sensitive information, including 
unclassified controlled nuclear information, export control 
information, and personally identifiable information about LANL 
employees. This information has intrinsic value to attackers 
and to--of various different types.
    It can be--information from a network potentially can aid 
our competitors, or provide a competitive advantage to--in the 
commercial sector. It can also be a source for intelligence 
gathering and possibly disruption for other adversaries.
    And so certainly that information has value. And I think 
that's indicative, in part, by the number of attempted probes 
that occur at that site.
    Mr. Stupak. Well, you mentioned maybe the commercial nature 
of it. But what about national security? Does the information 
contained in the unclassified network pose a danger from an 
adversary by going through the yellow network or unclassified 
network? Can you get to something where an adversary, from a 
national security point of view, could penetrate and then cause 
us problems?
    Mr. Wilshusen. Well, I would say that the type of 
information on that network could certainly aid intelligence 
operations from other organizations. It's highly sensitive and 
it could potentially lead to that, yes, sir.
    Mr. Stupak. Well, what's your opinion? And on the network 
access that's been provided to foreign nationals from both 
sensitive and nonsensitive countries, do you think that's too 
open to foreign nationals?
    Mr. Wilshusen. Well, I think the issue relates to--it 
really comes down to a risk and benefit decision; you know, 
what is the risk of giving these individuals, particularly from 
the sensitive countries, access to the unclassified network; 
and then what's--first is, what is the benefit of giving them 
access to it?
    And once it's decided whether or not these individuals 
should have access to it, it's incumbent then upon the 
organization to ensure that--as it would for any user, to 
ensure that the access granted to that individual is based on 
the principle of least privilege, and that they're only given 
the access that they need to do the job and no more, and that 
that access is based on need to know.
    Now, we've been informed that the NNSA has decided to 
remove the access of all the foreign nationals from sensitive 
countries, from the yellow network.
    Mr. Stupak. OK. Because isn't it sort of like what we did 
in Los Alamos? I mean, I think we had a hearing on it where 
foreign nationals had access--many people thought too much--and 
then they just pulled back for the foreign national to limit 
the access at Los Alamos; am I correct?
    Ms. Bowden or--do you know?
    Mr. Wilshusen. You mean previously?
    Mr. Stupak. Right.
    Mr. Wilshusen. That I don't know, sir.
    Mr. Stupak. OK.
    Mr. Friedman, if I may ask one question. I don't want to 
leave you out there. Maybe we'll get around the second time.
    In your January 2008 you reported that the Department 
failed to adequately address cyber security incidents, 
coordinations and communications. In our next panel Dr. 
Wilbanks will say just the opposite.
    Why is there such a difference of opinion as to the 
effectiveness of cyber security incident coordination and 
communication? And why is this such a challenging area for the 
Department? And who within the Department is really responsible 
for collecting, reporting and disseminating cyber incident 
information?
    In other words, I guess, who is responsible for the 
program? Why do we have such diverse views on how effective 
they're being on the cyber security?
    Mr. Friedman. Well, Mr. Chairman, I can't speak to Ms. 
Wilbanks' testimony, and I'm not sure I can completely 
understand the distinction.
    The Department does have a fairly sophisticated system of 
collection, both an NNSA system and a non-NNSA system of 
collection of these incidents, in part to report to law 
enforcement, partially my office and others, and in part to do 
trending analysis and best practices and to alert the various 
facilities within the Department as to where the problems may 
be, and trends they may see that may affect all of the 
individuals.
    What we found in the past is that these two entities, which 
by the way are in the process of being consolidated, at least 
in part, that they did not receive--we did not receive from 
them all the information that we needed to have a quality 
referral to law enforcement and we had to go back and get 
additional information.
    So the structure is in place along the spectrum. The 
question is, is it as complete and comprehensive as it needs to 
be and as responsive to the needs of law enforcement and to the 
others throughout the Department?
    Mr. Stupak. OK. I thank you. Before I yield to Mr. Shimkus, 
you know, there has been this report or letter by Mr. Terry 
Turchie, and Mr. Dingell brought it up more in his opening 
statement. And I am sure you are going to be looking into that, 
the comments made in the letter by Mr. Turchie as to 
counterintelligence and the intelligence. Will your office be 
looking at that?
    Mr. Friedman. Is that directed to me?
    Mr. Stupak. Yes.
    Mr. Friedman. I first saw the letter from Mr. Turchie this 
morning at 10 minutes to 8:00 and I hadn't seen it previously. 
I had seen the report by the Congressional Research Service 
about 5 or 6 months ago, which addresses many of the same 
issues. We are certainly looking at it carefully and we will be 
considering what the next step should be.
    Mr. Stupak. We look forward to working with you on that, 
because we are going to look at cybersecurity at all the 
agencies under our committee's jurisdiction. So I just wanted 
to let you know. Thank you.
    Mr. Shimkus for questions, please.
    Mr. Shimkus. Thank you, Mr. Chairman. Still being relatively 
new to the committee and the oversight, having been on the full 
committee for a long time, I don't come with the years of 
analysis and frustration that many members do in delving into 
this.
    But current events dictate internationally that if a cyber 
red team, given a month and six to seven folks, can do great 
mischief, it poses a question, what can a nation state do with 
unlimited people and really unlimited dollars? In the 
international arena we have seen it with Estonia, we have seen 
it most recently in Georgia, not the State but the country.
    So it begs the question, if there is information, whether 
it is technical in nature or that can be combined on this 
yellow network, that is, quote/unquote, sensitive and all these 
words are--if it is sensitive, either personal information or 
it can then be placed together to create other information, 
that is I think a problem.
    And also, if in this definition of sensitive information 
and that information then runs the risk of--well, let me say it 
this way. In a communication environment, as we talked about 
before, you have got information available for doing the job, 
there is risk entailed. Are we willing to take the risk? Are we 
willing to assume the risk? I understand there is an open 
green--kind of like a green system which we can go to the 
general information on DOE, then the yellow system, and then 
the more--the issue that is classified. How do we clean up the 
yellow network so that the classified information isn't there 
and it is not accessible through the other networks? And let me 
go to Mr. Wilshusen first.
    Mr. Wilshusen. Well, I think, first of all, with regard to 
the information on the yellow network, classified information 
is not authorized to be on that network. And so there has to be 
a process that goes through to make sure that information that 
is on that network is not classified. And so there is some 
classification requirements on that to assure--determine 
whether or not somebody that is on the yellow network can gain 
access to the red network. Is that what you are asking?
    Mr. Shimkus. Or green to yellow to red.
    Mr. Wilshusen. Right. Well, we are--
    Mr. Shimkus. And then is part of that the Trojan Horse part 
of thing that you're talking about is accessing in and then 
sleeping and then awakening and then moving through aspects?
    Mr. Wilshusen. Right. We are, at the request of this 
subcommittee and the full committee, reviewing the security 
controls over the classified network at Los Alamos, too. So I 
can't comment on that at this point in time. Our work is still 
premature to make any type of preliminary information or 
observations on the security controls over the red network.
    However, with regard to the yellow network and the green 
network, they were interconnected in the past, and that was one 
of the issues that we have identified that weaknesses--even 
though our work on this particular engagement focused on the 
yellow network, we found that there were paths from the green 
network into the yellow network.
    Mr. Shimkus. And then I would ask if that was identified, 
have those paths then been severed that we know of today, that 
interconnect--the interconnection, the ability to do that?
    Mr. Wilshusen. You mean today is that capability, do those 
weaknesses still exist?
    Mr. Shimkus. And that is probably a question for Mr. 
Friedman and Mr. Podonsky. But, again, I have been on the 
telecommunications, the tech committee and stuff, but I think 
the only way you can really--information gets compromised in 
one or two ways. You either have hackers that can use the 
system to move through, so you have to sever the connection. Or 
you have actually humans who surreptitiously, illegally, as in 
flash drives, grab information. And we know that has happened 
in the past, too.
    So that for security aspects, one would be sever the 
connections on the green network so that it does not have? And 
that is what you recommended. And the question would be to Mr. 
Podonsky and I guess Mr. Friedman, your analysis. Has that 
happened? And can it? Or can you not do the mission if you do 
that?
    Mr. Podonsky. So far, Congressman, we have never identified 
any pathway from the green to yellow network. However, we 
strongly believe that the yellow network that we are referring 
to, which varies from lab to lab and site to site in terms of 
what goes on there, the certification and accreditation process 
that is part of the Department, and Mr. Friedman talked about, 
is there to make sure that we look at some of these 
sensitivities of these networks.
    While my colleague from GAO mentioned that there is no 
classified, or supposed to be, on the yellow network, the fact 
of the matter is we do need a classification process for 
classified information.
    The labs also do need a sensitive process. We need better 
controls. There is no doubt in our minds from the oversight 
perspective that while the information is not classified but is 
sensitive, that doesn't mean it is not valuable to somebody. 
And that is what we are concerned about. But we also believe, 
as I said in my opening statement as well as the written 
testimony, that we believe there are things that we can do, 
like encryption of the information that is on the network.
    Mr. Shimkus. The yellow system, can they e-mail outside of 
the system? If you are on the yellow network, can you e-mail to 
like Berkeley or the country of Georgia? And if you can, is 
that then a main pathway of concern?
    Mr. Podonsky. Yes, it is. And they can. And one of the 
things I mentioned, and I want to reiterate my point in my 
opening statement, is that we need to make tighter controls on 
making sure that if somebody who is unauthorized into the 
yellow network cannot send the information out the way our red 
team did. And there are mechanisms that can be used by the 
Department to prevent that as best we can.
    One of the other problems is at Los Alamos, for example--
and it is not unique to Los Alamos and it is not unique to DOE, 
I can emphasize--is that when you have 25,000 individual 
laptops or stand-alone computers and these people are cleared 
to use those, there is also a trust factor. And we have seen at 
all the sites within the Department sometimes that human factor 
fails. So what we do need is we need systems in place to put 
tighter controls.
    Mr. Shimkus. I am just trying to do a comparable to our 
systems here. We have the Web sites, we have the e-mails. There 
are some firewalls that disallow individuals from e-mailing us 
unless they kind of identify that they are from the 
constituency, and there is a blocking portion of that. I am not 
sure if that is off-the-shelf type--of probably not very--
because we really don't handle sensitive--it might be sensitive 
politically or for other purposes, but not to the extent that 
this is. This is of a concern.
    So I would--that would be where I would follow up, is 
trying to make sure that the individuals are well-screened and 
we do the background checks. Foreign nationals is a concern. 
And the risk, the whole question of risk and reward based upon 
the available information and the work that foreign nationals 
can do.
    So, again, this is my first oversight investigation hearing 
on this subject. I know this committee continues to be very 
diligent. We have had really bad case scenarios in the past. 
And I just pledge my support to the chairman to be engaged with 
him as we move forward. And thank you for your time.
    Mr. Stupak. I appreciate that. I appreciate the gentleman's 
comments.
    If I just may. On this yellow that you were talking about, 
yellow network. Information out there may be unclassified. But 
if I take a piece of yellow unclassified, put it with another 
piece of yellow unclassified, put it together, that information 
then could become classified. Is that?
    Mr. Podonsky. If I can, Mr. Chairman. We call that the 
mosaic effect. And I would say it is counterintuitive to think 
that there is not a value of the information on the network. It 
is speculative for any of us to say that it would actually fit 
together and become classified. But irrespective of whether it 
is classified, the sensitivity can be of extreme value to 
people who mean to do harm to our Nation. It may not be in the 
realm of national security information, but let me give you an 
example.
    We sometimes send things that are password protected. We'll 
send a message, and then it will be followed up by another 
message that has the password in it. So if--I am not from the 
Intelligence Committee, but if somebody is vacuuming up all the 
information they can, they can put those two together and get 
that password protection. Again, it's not classified, but it's 
sensitive enough that we need to have stronger controls in 
place.
    Mr. Stupak. Mr. Friedman.
    Mr. Friedman. Mr. Stupak, first of all, the mosaic effect 
is important. And you described it well, I think. But one of 
the problems with the yellow network, and it's not--it's 
understandable and it's the nature of the contents of the 
network, is that--and if you recall, if I might divert you for 
a second. In 2005 or 2006, we had the exfiltration of PII, 
personally identifiable information, at the Albuquerque Service 
Center, I believe.
    One of the problems is that this information, while it may 
not be classified, if it falls into the hands of the wrong 
individual, that individual could conceivably be exploited by 
an inappropriate source. So there are--it's sensitive 
information that needs to be carefully protected.
    Mr. Stupak. Mr. Dingell for questions, please.
    Mr. Dingell. Mr. Chairman, I thank you. Mr. Chairman, first 
I would like to insert in the record a letter received by me 
from Mr. Terry D. Turchie, which pretty much speaks for itself 
about the situation with regard to security at the Lawrence 
Livermore National Weapons Laboratory. I will have some 
questions about that after I finish my first set of questions 
and perhaps some later time.
    These questions, yes or no. Mr. Podonsky, in your testimony 
you mentioned one of your most recent red teams was able to 
penetrate the networks of two DOE labs. Is that correct?
    Mr. Podonsky. That is correct, sir.
    Mr. Dingell. Which were those?
    Mr. Podonsky. They were two science labs.
    Mr. Dingell. You don't want to identify them by name?
    Mr. Podonsky. I am happy to identify those in executive 
session, sir.
    Mr. Dingell. Thank you. Mr. Podonsky, isn't it true that 
your red team was able to download very large quantities; i.e., 
gigabytes, of data, some of which were sensitive, without being 
detected by DOE authorities?
    Mr. Podonsky. Yes, sir.
    Mr. Dingell. Mr. Podonsky, you also indicated that the 
level of access your team was able to quickly obtain over the 
course of just a few months would have allowed you to change 
data or otherwise corrupt a particular lab's cyber network. 
Isn't that correct?
    Mr. Podonsky. Yes, sir, it is.
    Mr. Dingell. Mr. Podonsky, I am gathering what your red 
team did to these labs' cyber networks has rather profound 
security implications. Is that correct?
    Mr. Podonsky. Yes, sir, it does.
    Mr. Dingell. Mr. Podonsky, doesn't this suggest that the 
DOE does not currently have sufficient capability regarding its 
cyber defenses?
    Mr. Podonsky. No, sir, it does not.
    Mr. Dingell. What, in your words, does this exercise 
suggest as to the capability of DOE and its labs to thwart 
cyber attacks?
    Mr. Podonsky. What it tells us, Mr. Dingell, is that we 
have some of our sites that are inconsistent in their 
application of DOE policies. We have some sites that perform 
better. But, overall, the Department of Energy as the rest of 
the government has to strengthen our cybersecurity networks.
    Mr. Dingell. Mr. Podonsky, isn't it true that, in addition 
to the access your team gained at these two sites, by 
installing your own malicious programs on a number of their 
laptop computers your red team was able to make important 
footholds into the networks of other facilities after these 
laptops were legitimately connected to their respective 
networks?
    Mr. Podonsky. Yes, sir. That is correct.
    Mr. Dingell. Mr. Podonsky, moreover, didn't additional 
activity conducted by your red team demonstrate your team's 
ability to possibly move around throughout a number of DOE 
sensitive networks?
    Mr. Podonsky. We believe that that would have been the case 
if we had continued on with the activity.
    Mr. Dingell. What more can you tell about that?
    Mr. Podonsky. Well, we terminated our activity because we 
were aware that there was actual infiltration in some of the 
sites that we were looking at.
    Mr. Dingell. Now, Mr. Wilshusen, yes or no again, please. 
Some have suggested the information on the yellow unclassified 
network at the labs is not sensitive enough to warrant major 
action to protect it. This is a question that our chairman has 
been raising on this. I gather you don't agree with that 
statement.
    Mr. Wilshusen. That is correct; I do not agree.
    Mr. Dingell. Now, Mr. Wilshusen, in fact your reports say 
that the information in the Los Alamos unclassified network 
contains such information as Naval propulsion data, personally 
identifiable information, unclassified controlled nuclear 
information, and a host of other sensitive categories of 
information. Is that correct?
    Mr. Wilshusen. That would be those categories of 
information. Yes.
    Mr. Dingell. Could you mention any other categories that 
should be addressed?
    Mr. Wilshusen. Did you include our unclassified controlled 
nuclear information?
    Mr. Dingell. Yes.
    Mr. Wilshusen. OK.
    Mr. Dingell. Mr. Wilshusen, isn't it the case that your 
report said that that kind of information is a valuable target for 
foreign governments, terrorists, and industrial spies?
    Mr. Wilshusen. Yes.
    Mr. Dingell. Mr. Wilshusen, I gather that GAO does not 
believe, given your findings at the labs, the DOE as a whole is 
sufficiently prepared for cyber attacks or cyber intrusions. Is 
that correct?
    Mr. Wilshusen. I would say that they are at increased risk. 
Yes.
    Mr. Dingell. And that would be a substantial risk?
    Mr. Wilshusen. It could be. Yes, sir.
    Mr. Dingell. Now, Mr. Podonsky again. Let's talk about--
let's talk about this. The Director of Los Alamos remarks in 
his testimony that your office's draft audit report for August/
September recognizes that Los Alamos National Laboratory is 
making progress in many security areas. Is that correct?
    Mr. Podonsky. That is correct. They are making improvements 
that we have not seen in 20 years.
    Mr. Dingell. But I gather, however, that the lab is still 
not out of the woods when it comes to physical security. Is 
that correct?
    Mr. Podonsky. There are areas that they need to improve 
upon, but they have made quantum leaps from our last 
inspection.
    Mr. Dingell. Ms. Bowden, isn't it true that DOE's Office of 
Independent Oversight found major concerns regarding Lawrence 
Livermore's security capability in April of this year?
    Ms. Bowden. Yes, sir.
    Mr. Dingell. Ms. Bowden, in your testimony you say 
concerning the exercise that, and I quote, ``Livermore received 
the lowest possible rating for protective force performance and 
protection of classified resources.'' Isn't that correct?
    Ms. Bowden. Yes. That is what the Office of Independent 
Oversight found.
    Mr. Dingell. And, GAO, to the extent that you can identify 
this in an unclassified setting, how did Lawrence Livermore get 
into this position and what are the root causes?
    Ms. Bowden. Well, in a general sense, and based on our 
preliminary observations, because this work is ongoing, we 
discussed that question with officials at the laboratory and 
with officials--Federal officials at the site office. And there 
are a number of factors that may have contributed, though we 
will continue to work on this.
    Those included focus--a focus shift on contract transition, 
the declaration of the site as non-enduring for Category I 
special nuclear material. And, in addition, frequent security 
policy changes over the different design basis threats that had 
been issued over a period of time.
    Mr. Dingell. Thank you.
    Mr. Podonsky, it was your claim that GAO referred to in 
their testimony as doing the physical red teaming of Lawrence 
Livermore. Is that correct?
    Mr. Podonsky. Yes, sir.
    Mr. Dingell. Mr. Podonsky, I have limited time so I know 
you will speak quickly. But tell us how you believe Lawrence 
Livermore got into the posture where it has performed so 
poorly.
    Mr. Podonsky. It's a mystery to us, Mr. Dingell, because we 
have seen in our last inspection before the spring that they 
were performing well. We do believe that a great contributor 
is, as the GAO just mentioned, having to do with the contract 
change-out.
    Mr. Dingell. Ms. Bowden again, if you please. One of the 
concerns you have raised in your report about Los Alamos's 
physical security posture is the cyclical nature. What--that 
is, the labs appear to improve when they have had a mishap and 
know that they are under scrutiny. Is that correct?
    Ms. Bowden. Yes, sir.
    Mr. Dingell. Ms. Bowden again. What explains the root cause 
of the cyclical nature of the security at the labs, and how can 
we prevent this?
    Ms. Bowden. In our report we have made several 
recommendations that we think will address sustaining 
improvements over time, the first of which is providing better 
financial incentive for effective security performance in the 
contract determinations for the award fees at the end of each 
fiscal year. In addition, we feel it's important to ensure 
adequate NNSA site office oversight of security on a consistent 
basis at the laboratory.
    Mr. Dingell. Mr. Chairman, because of the limited amount of 
time, I request that this letter be inserted in the record, and 
I would ask that our witnesses give us their comments on the 
findings and the statements made in the letter, and I would ask 
that the record be kept open so that that may be inserted into 
the record at the appropriate fashion in time.
    Mr. Stupak. Without objection. I would also note that it's 
in our binder. So it will be made part of the record, Mr. 
Chairman.
    [The information appears at the conclusion of the hearing.]
    Mr. Dingell. Thank you, Mr. Chairman.
    This to Mr. Friedman. The Federal Information Security 
Management Act requires that the Office of the Inspector 
General conduct an independent annual evaluation to determine 
whether the Department's unclassified cybersecurity program 
properly protects its information systems. Is that correct?
    Mr. Friedman. That is correct.
    Mr. Dingell. Mr. Friedman, in 2008, your evaluation report 
of the Department's unclassified security program states: The 
Department continues to make, quote, incremental improvements 
in this program. Yet, isn't it true that you have continued to 
find ongoing concerns with DOE's cyber defense capability?
    Mr. Friedman. That is correct.
    Mr. Dingell. Mr. Friedman, in fact, isn't it correct that 
your latest reports found the following over the past few 
years: Unsolved issues surrounding risk assessments and 
adequacy of security controls? Yes or no?
    Mr. Friedman. You are correct, sir.
    Mr. Dingell. Lack of centralized department-wide inventory 
of information systems.
    Mr. Friedman. That is correct.
    Mr. Dingell. That is fairly simple to do, isn't it, to 
perform that particular act?
    A failure of some sites to complete contingency disaster 
plans.
    Mr. Friedman. Correct.
    Mr. Dingell. Failure of Department officials to implement 
Federal and Department security requirements in a timely 
manner.
    Mr. Friedman. That is correct.
    Mr. Dingell. Mr. Friedman, in your opinion, do these 
weaknesses continue to exist?
    Mr. Friedman. They--our reports are current. And the answer 
to your question, Mr. Chairman, is that until we do another 
review and see that they are not in effect, we will continue to 
believe that they exist. Yes.
    Mr. Dingell. Now, why do these security questions and 
weaknesses continue to exist?
    Mr. Friedman. That is one of the most perplexing questions 
that I deal with every day, Mr. Chairman.
    Mr. Dingell. It seems to be a leadership problem. Doesn't 
it?
    Mr. Friedman. Well, I would say this. The conclusions that 
we reach after thinking about this over a great deal of time is 
that the Department lacks the ability to close the game, in the 
sense that a lot of good actions are initiated but they don't 
get completed and implemented. And that seems to be a problem.
    Mr. Dingell. Thank you.
    Mr. Chairman, I appreciate your courtesy. Thank you.
    Mr. Stupak. Thank you, Mr. Chairman.
    Mr. Burgess for questions.
    Mr. Burgess. Thank you, Mr. Chairman.
    Let me ask a question to the GAO related to the management 
of the money available for security. How much money have we 
allocated for overseeing that security's implemented and 
followed?
    Ms. Bowden. In fiscal year 2007, it was about $188 million.
    Mr. Burgess. And so that is not a huge sum by Washington 
standards, but a significant sum, and the problems persist. 
What sum is it going to take so that we get to the place we 
want to be?
    Mr. Wilshusen. That is a very difficult question to answer, 
and I don't know if I can point to say this is the sum that is 
needed. I think what I can say, though, is that the agency 
needs to properly assess its risks and determine what policies 
and procedures that they need to implement to cost effectively 
reduce those risks to an acceptable level.
    We have to remember that security is a risk management 
problem; it's not a risk elimination or risk avoidance problem. 
Because you can throw so much money at security and you can 
lock down everything, but at the same time the costs would be 
prohibitive as well as it will probably take a major hit on 
productivity. So it's really a balancing act to determine how 
much is necessary to secure the systems based on risk.
    Ms. Bowden. And if I may clarify, the dollar figure was for 
Los Alamos.
    Mr. Burgess. But we are going to have--it will be budget 
time again before we know it, and we are going to have to be 
thinking through these things. At some point we are going to 
need some advice from people like you as to whether or not we 
are doing our job in providing you the resources; i.e., the 
funds that you need to hire the personnel, to purchase the 
software, to run the red teams, to make sure that things happen 
the way that they are supposed to happen.
    Mr. Wilshusen. Well, certainly what I will say, too, is 
that for many of the recommendations that we are making in our 
reports that are being released today, much of that would not 
necessarily require additional acquisition of software devices. 
It's more of a management issue, taking the security controls, 
the devices that are presently there, and configuring them in 
such a manner to make them more secure.
    Mr. Burgess. We may come back to the management question in 
just a moment. But is it also a matter of time?
    Mr. Wilshusen. Yes, sir. Time is of--in our view, time is 
of the essence in terms of taking the corrective actions to 
improve the security over the unclassified network at Los 
Alamos, because of the sensitive information it contains and 
because of the risks associated with the weaknesses that we 
have identified.
    Mr. Burgess. Well, giving you more time may increase the 
risk. Providing you more money, if you can do it in a shorter 
period of time, in my mind at least, would be a reduction of 
risk. I am just not sure how much. I am not sure how much 
flexibility we should be willing to give on time for 
implementation just because of the risk that is out there. I 
mean, and it's not just you, but certainly your area is--it's 
such a significant vulnerability that we really can't overlook 
it.
    A question, Mr. Podonsky, about the number of laptops. What 
was the number that you told us, the number of laptops that may 
move around?
    Mr. Podonsky. I misstated. I was meaning the stand-alone 
sets of computers, which I said were 25,000 users at Los 
Alamos. And I used that example to answer Chairman Stupak's 
questions about the vulnerability of the yellow network.
    Mr. Burgess. What would be the correct figure for the 
number of laptops that may move around in so-called trusted 
circles within the lab?
    Mr. Podonsky. I don't have that number. I would have to get 
that number and get it back to you.
    Mr. Wilshusen. One of the things that we've identified on 
our review was that there are about 13,000 users. Now, this is 
just on the unclassified networks, so I can't comment on all of 
the networks at Los Alamos. But just for a scope. There are 
about 13,000, a little bit over 13,000 users on the 
unclassified network, and that network contained about 25,000 
devices. And so those would include work stations, but also 
routers, switches, and other types of devices.
    Mr. Burgess. But as we have seen from these reports and 
other areas, a misplaced laptop is a source of great 
vulnerability. And all of us, you and us, are under great 
scrutiny in that regard to make certain that these very 
powerful and very useful devices--they can certainly increase 
productivity but they really expose a great deal of 
vulnerability if we are not careful. So I just wonder if we 
shouldn't be a little bit more circumspect about the number of 
devices that are actually out there with information.
    I think it was on this panel that we heard about the 
purchase of some of the equipment, which is proprietary 
equipment, with USB ports that might be vulnerable to access. 
And we sealed them up with JB Weld--which is a good Texas 
product, so I am glad but we used JB Weld, but it just seemed 
like a significant oversight in the purchase of that equipment 
to lead us to that degree of vulnerability. And then laptops 
that can move around so easily and be left somewhere or stolen 
or lifted, or even if someone did have an idea to do something 
that they shouldn't be doing, it just makes it that much easier 
for the person who has a criminal intent.
    I guess, Mr. Podonsky, this is for you. On the issue of--I 
think we've talked about this before on this subcommittee, 
about this issue of encryption and sequestration. How is that 
project going? Where are we with that? Can you develop that a 
little bit for us on the sequestration and the equipment side?
    Mr. Podonsky. What I can tell you--first, I am sure the 
second panel can give you more clarity on how far they have 
gone in that arena. But from our inspection process, we don't 
feel that enough of the sites are encrypting the information 
that needs to be encrypted. There is--
    Mr. Burgess. Why is that?
    Mr. Podonsky. Well, because the policy says it is preferred 
that the information be encrypted. And we have learned over 
time that unless there is a regimented language that says you 
shall encrypt it, then using the word ``preferred'' becomes 
accounting option. And we find that a little disturbing.
    Mr. Burgess. Too much flexibility, in other words?
    Mr. Podonsky. That is what we believe.
    Mr. Burgess. Now, is there any problem with obtaining the 
software or the type of software that is available? Is there a 
satisfactory program that is out there that you all are using 
for the encryption?
    Mr. Podonsky. I believe the software is out there; but I 
also understand that the process would be a little bit less 
convenient when doing business.
    Mr. Burgess. And what about the sequestration aspect of it?
    Mr. Podonsky. I will have to defer to the CIOs.
    Mr. Burgess. And I think it was your testimony where you 
said the attacks were becoming more sophisticated, more 
targeted. Are they also becoming more frequent?
    Mr. Podonsky. Yes, sir, they are.
    Mr. Burgess. And do we have a general idea of where they 
are coming from?
    Mr. Podonsky. I think that is a question that really should 
be answered in the executive session.
    Mr. Burgess. Fair enough. We will do that.
    A question was asked about what caused the lower security 
level at Livermore, and I think you answered, Mr. Podonsky. But 
Ms. Bowden, do you have an opinion on that as well through your 
study?
    Ms. Bowden. I think we both agree that there was a shift in 
focus to the contract, the management and operating contract 
transition.
    Mr. Burgess. And that is at Livermore?
    Ms. Bowden. Yes.
    Mr. Burgess. Because at Los Alamos, we had the contract 
evaluation but we didn't change the contract. Correct? Do I 
remember that correctly?
    Ms. Bowden. The contractor was changed in 2006.
    Mr. Burgess. At Los Alamos?
    Ms. Bowden. Um-hmm.
    Mr. Burgess. So when we talked about some of the leadership 
problems as that, do you think that has been dealt with 
satisfactorily?
    Mr. Podonsky. Sir, I would like to answer that, having 
inspected Los Alamos for the last 24 years. The answer is 
absolutely we see a sea change that we haven't seen there 
before. I just came back from the Los Alamos inspection 
closeout for my independent oversight, and we have seen a lot 
of improvements. We have seen commitments that we don't think 
were just pabulum. And we believe it's because of the 
accountability. We know that they are watching our enforcement 
actions and compliance orders. We know that they are paying 
attention to the inspections.
    Mr. Burgess. And do you think that there's going to be a 
way to extrapolate those successes to, say, the Livermore 
facility?
    Mr. Podonsky. I am sorry?
    Mr. Burgess. Is there going to be a way to extrapolate 
those successes to other facilities where we've fallen behind?
    Mr. Podonsky. Based on the aggressiveness by which the 
Livermore folks are addressing our very serious concerns from 
the spring inspection, we are hopeful. But, again, the 
sustainability is going to be an issue that we are going to be 
watching.
    Mr. Burgess. Very good.
    Thank you, Mr. Chairman. I'll yield back.
    Mr. Stupak. I thank the gentleman.
    Ms. DeGette for questions.
    Ms. DeGette. Thank you very much, Mr. Chairman.
    I would like to follow up on some of the questions that Mr. 
Dingell was asking. The first one being, on this yellow 
network, the unclassified network, there is still sensitive 
information. And everybody has agreed with that here today. And 
the question is, what dangers do we have if people can access 
that information? Because even though it's not classified, it 
still is important. Mr. Dingell mentioned a couple of the 
nuclear issues, but I just want to go through the list that the 
GAO listed in their report because it's really kind of 
shocking.
    Business proprietary information. The nuclear information 
he talked about. Export control information. The military 
critical technology list. Confidential foreign government 
information. And personally identifiable information, including 
names, aliases, Social Security numbers, and biometric records 
of employees, contractors, and visitors.
    Now, a lot of this information if someone were to access it 
would be criminal and even worse. This is not just completely 
neutral information. And so I have some follow-up questions on 
what is happening to try to preserve that information.
    I guess my first question would be maybe to you, Mr. 
Podonsky, is do you think that the labs or the DOE have the 
technical expertise and resources to protect this information 
that is currently residing on the unclassified networks?
    Mr. Podonsky. Congresswoman DeGette, we do believe that the 
technical expertise exists within the laboratory community as 
well as with the rest of the Department. We do also believe 
that the sensitivity--we share your concerns about the 
sensitivity that is on the yellow network. That is why I have 
said in my testimony and in my opening statement we do believe 
tighter controls are necessary.
    Ms. DeGette. Well.
    Mr. Podonsky. If I might continue. As exemplified by our 
red teaming effort, and we are not the most sophisticated red 
teaming hackers in the world, but given our capabilities and 
what we were able to do, that should give us all pause as to 
what we need to do.
    Ms. DeGette. I was going to ask that question in a minute, 
because unlike my friend, our ranking member, I have been on 
this committee for 12 years and I have been to Los Alamos and I 
have been in these hearings and we have you guys down all the 
time. And every time you come in, you say, you know, we have 
these risks, we have these problems. It's always cropping up 
some other place. So if we have got the expertise and 
capability to do it, here's my simple question to you, why 
aren't they doing it? Because you are right, it's not just the 
yellow information, it's the red information.
    Mr. Podonsky. I can give you an opinion from oversight as 
to why the Department is not doing it.
    Ms. DeGette. I would love that opinion.
    Mr. Podonsky. And our opinion is it's not always been the 
highest of priorities from different administration to 
different administrations. I would also say--
    Ms. DeGette. But we have had this administration now--do 
you mean Washington administration or lab administration?
    Mr. Podonsky. No. Washington administration.
    Ms. DeGette. Well, we have had this administration 8 years.
    Mr. Podonsky. In 2000, ma'am, we came to the floor of this 
hearing room and gave a demonstration, a live demonstration of 
how we could crack codes of passwords.
    Ms. DeGette. I remember it. I was there.
    Mr. Podonsky. So we know that these problems exist.
    Ms. DeGette. So why--we have had this administration 8 
years. Is your testimony today that it has been a low priority 
for this administration? Yes or no?
    Mr. Podonsky. No, ma'am.
    Ms. DeGette. Then why haven't we done it?
    Mr. Podonsky. I don't have a complete answer for you 
because I am not within the CIO's office. That is in the next 
panel. But from our perspective, we have written reports on 
this very subject multiple times.
    Ms. DeGette. I am frankly, with all due respect, I am not 
particularly interested in the written reports. I am interested 
in when are we going to do this. If we have got the technical 
ability to do it, if we've identified the problem, then how 
quickly could we solve the problem if appropriate attention 
were given? Anybody can answer that if you know the answer.
    Mr. Podonsky. I don't know what my colleagues on the panel 
think, but I think this is a problem that can be solved.
    Ms. DeGette. No. How soon can it be solved?
    Mr. Podonsky. As soon as the resources are applied.
    Ms. DeGette. OK. So it's a resource question. That goes 
back to Dr. Burgess' question, which is, what kind of resources 
are we talking about here?
    Mr. Podonsky. We're talking about dedicated people within 
the cyber community to solve the problems.
    Ms. DeGette. How many dedicated people? How much money?
    Mr. Podonsky. I would have to--without just giving it off 
the top of my head, I couldn't tell you that. But I think that 
we have--
    Ms. DeGette. Do you know that?
    Mr. Podonsky. I believe we have it in the Department. We 
have the technical intellectual capabilities and we have the 
resource capability to make the changes.
    Ms. DeGette. All right. So if you could supplement your 
answer within 30 days, I would appreciate it, telling us what 
kind of resources we would need to give to this.
    Now, let me ask another question. And again if other people 
know, please chime in. Do we, if we have got the ability to do 
it and it's just a matter of resources and priorities, do we 
have a full inventory of all the information that is residing 
on these unclassified networks?
    Mr. Podonsky. I don't believe that we have a complete 
inventory on what resides.
    Ms. DeGette. Is that something we would need to do?
    Mr. Podonsky. That would be a major undertaking for 
millions and millions of documents. And I am not so sure, 
Congresswoman DeGette, that that is the best use of the monies. 
The best use of the monies is to protect the information from 
going out, and protect the information from having access by 
hackers.
    Ms. DeGette. It would probably also be worth reviewing 
categories of information to see if we really do need to have 
that on our networks then if we can remove it. Correct?
    Mr. Podonsky. Yes, ma'am. And that would be up to the 
individual program offices as to what types of information they 
are allowing their folks to put on the network.
    Ms. DeGette. Well, maybe not. Because for some of these 
types of information, you could probably make a decision from 
the top whether you needed to have that information on 
certainly unclassified yellow networks. Information like 
aliases and Social Security numbers and biometric records of 
employees. It's hard to see how you would need to have that on 
some kind of a network. What do you think?
    Mr. Podonsky. Well, I don't know how they use all the 
information, but I do know they use that network to conduct 
business. And they separate that from the classified.
    Ms. DeGette. See, what I worry about, though, is if you are 
leaving it up to each individual department head, that then you 
have no overall standard by which they could weigh it. So if 
you had an overall standard, then they could come in and ask 
for an extension if they had a need to put that on the network.
    Mr. Podonsky. And the CIO when he came on board in 2005, I 
believe, or 2006 put together with the three undersecretaries a 
governance model of federalizing the federation of policy that 
has the overarch policy, and then NNSA, Science, and Energy are 
able to tailor that to what their individual missions are.
    Ms. DeGette. Now, Mr. Podonsky, do you think that the DOE 
lab should consider removing certain information on the 
unclassified network or increase its level of classification?
    Mr. Podonsky. As I said, Congresswoman DeGette, the 
laboratories need to take a good look, and the Department, in 
making sure that there are stronger protections of that 
information. Some of that information may need to be removed. 
But one of the problems is, where do you put it? If you put it 
on the classified net, you have now redefined what classified 
is.
    So I again go back to our oversight perspective, is we need 
to keep people out of it, and we need to make sure that we have 
a rigorous process to make sure that anybody that might get in 
it cannot send information off the net.
    Ms. DeGette. What is your opinion on that, Mr. Wilshusen?
    Mr. Wilshusen. Well, I think I would also agree to the 
point that the information on that yellow network, whether or 
not that should be upgraded, if you will, and then reclassified 
and then put on the red network is a decision that is whether 
or not that information is classified or not. And that is 
something that needs to be done, and it probably has already 
been done, you know, it's been determined to be sensitive but 
unclassified. That is why it's on the yellow network.
    But I agree with Mr. Podonsky, that the first thing that 
needs to be done is to better protect the information that is 
on that network by--
    Ms. DeGette. I want to ask you one more question. Do you 
think there is some argument to be made about maybe making an 
intermediate network between the yellow and red networks for 
some of this unclassified information? You don't want to be 
calling things, as Mr. Podonsky rightly says, you don't want to 
be calling things classified if they are not. On the other 
hand, there are things that might be sensitive, like employees' 
Social Security numbers that are not necessarily classified 
information.
    Mr. Wilshusen. Right. And because of that, such as 
personally identifiable information needs to be protected. But 
should that be on a different network? That is what the yellow 
network is for; it's the unclassified protected network.
    Ms. DeGette. So your view is we need to protect that 
network better.
    Mr. Wilshusen. Yes, ma'am. And--
    Ms. DeGette. I just want to say, I know you folks can't 
make the rules, you can only make the recommendations. And I am 
sure that--you don't have to answer this, I am sure that many 
days you are just as frustrated as we are; you keep identifying 
these problems but yet no progress is made. So I want to thank 
you for your commitment to these issues. They are very 
important.
    Mr. Wilshusen. Thank you.
    Mr. Stupak. Mr. Shimkus has a quick question, and then we 
will go on to Mr. Inslee.
    Mr. Shimkus. And I will be brief. One thing I wanted to 
follow up with what I didn't was just an overall assessment of 
the corporate culture, or the culture of these labs and this 
whole issue. I agree with Chairman Dingell that it's 
leadership, and its leadership goes from the top and then the 
director of the lab, the director of the sub environments.
    Has the corporate--let me, Mr. Wilshusen first. Has the 
corporate--did you evaluate the culture of the labs? And with 
respect to my colleagues who have been on this issue for a long 
time, which again which I haven't, has the culture changed 
positively in the security environment for the labs?
    Mr. Wilshusen. Well, related to just the cybersecurity 
portion of it, and I will defer to Ms. Bowden on the physical 
security, we have just completed our review, and that is our 
first review that we have done reviewing cybersecurity out at 
Los Alamos. We have noted that some of their technical folks in 
terms of technical security individuals are among some of the 
better ones within the Federal Government. And, indeed, they 
implemented many innovative techniques to try to secure their 
unclassified network. However, we also found though that there 
were still a number of very significant vulnerabilities that 
impaired their ability to adequately protect that information 
on their network.
    But in terms of the culture, I think there has been a 
change over the last year from what we have seen during the 
course of our audit. It seems like they are more concerned 
about the cybersecurity. But whether that is in response to our 
initial field site visits and how long that remains, of course, 
remains to be seen.
    Mr. Shimkus. Mr. Friedman, can you respond to that?
    Mr. Friedman. Yes. In all fairness, while we still find 
problems and there are still concerns, and a lot of them are 
serious, I don't think there is any question that the results 
of our work suggests, and our interactions with the laboratory 
personnel, that there has been a change in mindset, much more 
aggressive in the area of security. It may be beyond their 
capability to fix all the problems, but I think--and I have 
been observing this, sir, for three decades--there is a change. 
There is no question about that.
    Mr. Shimkus. Thank you. And I would just hope that the 
position would be--I am not going to ask Mr. Podonsky to follow 
up, but I would just say, if there is a positive change in the 
culture, we need to push hard to sustain that change.
    Thank you, Mr. Chairman.
    Mr. Stupak. Thank you.
    Mr. Inslee for questions, please. 10 minutes.
    Mr. Inslee. Thank you. There has previously been a letter 
entered into the record from Mr. Terry Turchie that discloses 
very significant concerns by him. He's formerly with the FBI 
and he served as senior counterintelligence officer at Lawrence 
Livermore Nuclear Weapons Laboratory. This letter is dated 
September 1, 2008. And basically the letter is intended to 
alert Congress, it's a letter to Chairman Dingell, of what he 
considers very serious failures to focus on 
counterintelligence.
    He describes there being a significant change from an 
emphasis or at least a significant commitment to 
counterintelligence to simply what he considers intelligence 
gathering. And he outlines in his letter quite a number of 
occurrences that would suggest there has been, at least in his 
view, a significant reduction in counterintelligence as he 
would define that activity. That, to me, is a significant 
issue, and I just would ask for the comment of any of you to 
respond to those concerns.
    I want to note, too, that there are many people that are 
disgruntled with Federal activity. This is a gentleman who 
seems to have credibility, his resume is pretty outstanding, 
and I think his concerns ought to be ones that we would 
investigate. So I would ask for any of your response, I don't 
know if you have seen the letter, could respond to the general 
issue he has raised. His letter in general discusses a lack of 
financial and organizational commitment to counterintelligence 
as opposed to just what he would consider intelligence 
gathering. I just would ask for your comments, if you can 
provide them.
    Mr. Podonsky. The only thing, Congressman, that I can tell 
you is that, number one, I have not seen the letter. We do work 
with the intelligence and counterintelligence office, and I 
could not give you any informed answer to your question based 
on our interaction with the intelligence/counterintelligence. 
But I would also defer to the second panel where the director 
of the counterintelligence is going to be a witness.
    Mr. Inslee. Well, I would ask the panel to take a look at 
it and provide us your review, if you can do so. I do think it 
brings up some significant issues which would suggest there has 
been a real change of emphasis, and we would appreciate your 
further comments. Thank you.
    I yield back.
    Mr. Stupak. The gentleman yields back. Let me thank and ask 
this panel--that's all the questions we are going to ask you in 
open session; as you referred to once or twice, we will go to 
closed session after the next panel. So I would ask that you 
just stay in the vicinity, not necessarily have to sit in the 
hearing room because we are going to do the next panel which 
has eight witnesses. It will take us some time, but we are 
going to go into closed session. We will invite you back for 
closed session. Thank you.
    I am going to ask our next panel to come forward, please.
    On our second panel we have Dr. Michael Anastasio, the 
Director of the Los Alamos National Laboratory; Dr. George 
Miller, who is the Director of Lawrence Livermore Laboratory; 
Dr. Thomas Hunter, who is the President and Laboratory Director 
at Sandia National Laboratories; Mr. Thomas Pyke, Jr., who is 
the Chief Information Officer at the Department of Energy; Dr. 
Linda Wilbanks, who is the CIO, Chief Information Officer, at 
the National Nuclear Security Administration within the 
Department of Energy; Mr. Bradley Peterson, who is the Chief 
and Associate Administrator for the Defense Nuclear Security at 
the National Nuclear Security Administration within the 
Department of Energy; and Mr. Stanley Borgia, who is the Deputy 
Director for Counterintelligence in the Office of Intelligence 
and Counterintelligence at the Department of Energy.
    Have we got everybody? We are missing Dr. Wilbanks. We will 
have to wait for Dr. Wilbanks here for a minute. It will be 
just a second. And it looks like Mr. Peterson, too.
    [Brief recess.]
    Mr. Stupak. It is the policy of this subcommittee to take 
all testimony under oath. Please be advised that witnesses have 
the right under the rules of the House to be advised by 
counsel. Do any of you wish to be advised by counsel? Everyone 
shook their head no. So we will do the oath.
    Do you swear or affirm that the testimony you are about to 
give will be the truth, the whole truth, and nothing but the 
truth in the matter pending before this subcommittee?
    [Witnesses sworn.]
    Mr. Stupak. Let the record reflect all of our witnesses 
took the oath. You are now under oath. We will start with 5-
minute opening statements.
    I understand, Mr. Peterson, you wish to go first. So we 
will accommodate that request for your opening statement, 
please.

     STATEMENT OF BRADLEY A. PETERSON, CHIEF AND ASSOCIATE 
   ADMINISTRATOR, DEFENSE NUCLEAR SECURITY, NATIONAL NUCLEAR 
                    SECURITY ADMINISTRATION

    Mr. Peterson. Good morning, Chairman Stupak, Ranking Member 
Shimkus, members of the subcommittee. My name is Brad Peterson. 
I was recently appointed Chief Defense Nuclear for the National 
Security Administration, the NNSA. Prior to this appointment, I 
was the Director of the Office of Independent Oversight within 
DOE's Office of Health, Safety and Security. It gives me a 
unique perspective into the issues to be discussed today. In my 
new role, I have overall responsibility for physical and 
cybersecurity within NNSA.
    Following my remarks, Dr. Linda Wilbanks, the NNSA Chief 
Information Officer with operational responsibility for 
cybersecurity, will provide her opening comments.
    While the NNSA faces many challenges and it has significant 
room to improve, we continue to make enhancements in our 
physical and cybersecurity postures to maintain strong and 
robust security. NNSA operates some of the most secure 
facilities in the world and generally maintains effective 
physical security programs. Over the last 2 years, while there 
have been some issues, we see overall progress in improving 
performance at the NNSA weapons laboratories.
    Earlier this year, the Office of Independent Oversight 
conducted a safeguard security inspection of Lawrence Livermore 
National Laboratory and identified significant weaknesses in 
protective force operations, based in part on poor performance 
during force-on-force training exercises.
    Immediately after the inspection results were known, the 
Office of Defense Nuclear Security within NNSA devoted 
considerable attention to understanding the issues and 
providing subject matter expertise from across NNSA. While the 
NNSA was not pleased with their results from the Livermore 
inspection, I can attest to the fact that the Office of Defense 
Nuclear Security Livermore site office and laboratory have 
taken the issues very seriously and worked aggressively to 
implement corrective actions.
    Livermore launched a comprehensive recovery plan, and today 
we see the results of their efforts taking hold. Protection 
force capability at Livermore is much improved and there are 
more changes in progress.
    Upon assuming my new position in June, the NNSA 
Administrator directed me to dispatch a team of senior NNSA 
security professionals to conduct an onsite review of the Los 
Alamos National Laboratory Protective Force operation to 
determine if they had similar issues. The NNSA team found that 
the Los Alamos Protective Force had a strong and rigorous 
performance testing program and was performing effectively. 
This assessment of Los Alamos was reinforced by preliminary 
positive results from the recently completed independent 
oversight inspection.
    Seeking to build sustainable security programs, I intend to 
look across the NNSA for examples of where we are getting it 
right. We are also engaging in efforts to improve the flow of 
information across the NNSA security community through our 
security leadership coalition. The coalition has been actively 
engaged in evaluating the underlying causes of security and 
management issues that we face and developing standardized 
solutions. The objective of this effort is to break down 
organizational stovepipes and turn a previously reactive 
approach to security problems into a proactive approach.
    NNSA is making real and fundamental changes to our security 
program. These changes seek to reduce the opportunity for human 
error by relying on engineered controls. We are also focused on 
making our security challenges easier by reducing our 
classified footprint. We have emphasized the need for strong 
contractor assurance programs designed to spot problem areas 
quickly and resolve them before they turn into real security 
issues.
    Finally, we need to continue to develop a strong Federal 
security staff that is technically capable. We need to ensure 
that our Federal oversight program takes advantage of the tools 
at our disposal, including substantial deductions of award fee 
for poor performance and fines provided under 10 CFR 824 when 
appropriate. We also need to ensure that we are appropriately 
incentivizing and rewarding the right behaviors to drive needed 
improvements.
    In closing, since taking over as the Chief Defense Nuclear 
Security, I have seen a renewed sense of commitment across the 
NNSA security community to improve performance through the 
sharing of lessons learned and working collectively to address 
significant challenges. Security activities at our national 
labs are large and complex. The security professionals within 
NNSA are working together today to reduce the opportunities for 
error and react quickly to any problems that do occur.
    I am confident in our ability to continue to grow and I look 
forward to the continued challenge.
    That concludes my opening comments. I would be pleased to 
answer any questions after other opening statements.
    Mr. Stupak. Thank you, Mr. Peterson.
    [The prepared statement of Mr. Peterson follows:]

    [GRAPHIC] [TIFF OMITTED] T3238.039 through T3238.053
    
    Mr. Stupak. Mr. Pyke, let's start with you. We'll go right 
down the line. And your opening statement, please, for 5 
minutes. If you have a longer statement, it will be submitted 
for the record.

 STATEMENT OF THOMAS N. PYKE, JR., CHIEF INFORMATION OFFICER, 
                   U.S. DEPARTMENT OF ENERGY

    Mr. Pyke. Good afternoon, Chairman Stupak, Ranking Member 
Shimkus, members of the subcommittee. My name is Tom Pyke. I am 
Chief Information Officer of the Department of Energy.
    Over the past 3 years the Department has undertaken a major 
effort to improve its cyber security posture. DOE has a 
comprehensive cyber security program that includes 
establishment of DOE-wide policy, a senior-level governance 
structure, cyber security awareness and specialized cyber 
security training, improved cyber security incident management 
and compliance monitoring.
    The program is governed according to a cyber security 
management order issued in December 2006. This order directs 
the use of a risk-based approach to cyber security management, 
and it establishes a governance structure within the Department 
that assigns primary responsibility for implementation of cyber 
security to the Under Secretary and other senior leaders. These 
senior leaders determine and assess program-unique threats and 
risks and they issue direction for implementing cyber security 
within their respective organizations.
    DOE-wide cyber security direction, including direction for 
special protection of sensitive unclassified information, 
builds on government-wide guidance from the Office of 
Management and Budget as well as Federal information processing 
standards and other cyber security guidance issued by the 
National Institute of Standards and Technology. We also follow 
applicable guidance issued by the Department of Defense.
    Employing a risk-based approach, DOE senior management, 
including NNSA, has given special attention during the past 
year to the graded protection of DOE systems and data, taking 
into account threat and risk and the sensitivity of the data. 
Under our cyber security governance structure, each part of the 
Department reviews the sensitivity of the data under its 
jurisdiction relative to the strength of the controls that are 
in place to protect the data and takes action to strengthen 
those controls if needed.
    The management of cyber security incidents is an integral 
part of cyber security management, including providing timely 
alerts to the entire Department of known threats, detecting 
cyber attacks as they occur or as soon as possible afterward 
and responding to such attacks. The response includes reporting 
all cyber security incidents to the US-CERT, which is the 
Federal Government's cyber incident handling center. It also 
includes mitigating the potential adverse impact of each 
incident at the site at which it was detected and elsewhere in 
the complex, determining the impact of the incident and 
repairing any damage or disruption resulting from the incident.
    Cyber attacks are increasing in complexity and frequency 
and are becoming more aggressive. DOE is attacked over 10 
million times each day in a wide variety of ways, and DOE has 
in-depth protection mechanisms in place throughout the complex. 
Even with this protection, some of the most sophisticated 
attacks against DOE have, on occasion, been able to penetrate 
our unclassified systems and networks.
    DOE has an in-depth cyber security defense based on 
industry and government best practices. And we continually 
improve our defenses, including our ability to detect attacks. 
However, some cyber attacks continue to evolve to avoid 
detection by these defenses.
    Within the Department, the Office of the Chief Information 
Officer and NNSA cooperate in the reporting of cyber incidents 
and support our sites as they handle each incident. The Office 
of the CIO and NNSA have recently signed an agreement to 
improve further the way we work together to respond to cyber 
incidents. Our office also works in partnership with the 
Department's Office of Intelligence and Counterintelligence as 
we prepare for future cyber attacks and respond to them. 
Counterintelligence data analysis associated with activities 
that may have a foreign nexus provides useful input to the 
cyber security incident management process led by the Office of 
the CIO.
    I would be pleased to respond to any questions you may 
have, Mr. Chairman.
    Mr. Stupak. Thank you, Mr. Pyke.
    [The prepared statement of Mr. Pyke follows:]

    [GRAPHIC] [TIFF OMITTED] T3238.054 through T3238.057
    
    Mr. Stupak. Dr. Wilbanks, your opening statement, please.

   STATEMENT OF LINDA R. WILBANKS, PH.D., CHIEF INFORMATION 
    OFFICER, NATIONAL NUCLEAR SECURITY ADMINISTRATION, U.S. 
                      DEPARTMENT OF ENERGY

    Ms. Wilbanks. Chairman Stupak and members of the 
subcommittee, I am Dr. Linda Wilbanks, Chief Information 
Officer for the National Nuclear Security Administration. Thank 
you for the opportunity to appear before you today regarding 
the NNSA's cyber security program. As the CIO, I am responsible 
to ensure the protection of electronic classified and 
unclassified information.
    The cyber threats to the Department of Energy and NNSA are 
similar to those faced by the Federal Government, every public 
and private enterprise, and every individual. NNSA's facilities 
are targeted, over 1 million cyber attacks every day of varying 
sophistication, ranging from relatively harmless curiosity 
seekers to sophisticated hackers to corporate thieves and 
national state and belief-based espionage.
    In response to these threats, NNSA has established a robust 
technical operational managerial-based approach to cyber 
security of unclassified, controlled unclassified and 
classified information. We believe our approach, which is 
continually improving, is sound and provides effective security 
for our unclassified and classified networks.
    Even with a wide range of threats, I can say very 
confidently that our classified networks, which protect our 
crown jewels are extremely well protected. We operate separate 
networks for our classified information, which are air-gapped 
from our unclassified networks. We've implemented a diskless 
workstation initiative across the complex to manage the 
movement of data within the classified networks.
    We also have a wide range of technical and administrative 
controls to manage access to the data that resides on our 
controlled unclassified networks, which, while not classified, 
may include important information. This information requires 
added protection, including encryption during transmission and 
at rest, the use of two-factor authentication for remote 
access.
    We continue to assess other controls, collaborating with 
our peers in government, leveraging the results of the 
assessments to find even better ways to protect our 
unclassified networks. Other defense-in-depth tools we use for 
cyber protection are multiple firewalls and monitoring systems 
to check for incoming, outgoing and internal unclassified 
network traffic to ensure it is authorized and there are no 
anomalies.
    When our systems detect unusual activities, we quickly 
terminate the communication pathways, and when necessary, 
selectively isolate portions of our network to quarantine any 
potentially harmful activities. Once a harmful activity is 
isolated, we deploy our exceptional forensics capabilities to 
eradicate the threat, restore the systems to secure operations.
    Policy and standards are an important part of establishing 
an effective cyber security program, and in May 2008 NNSA's 
cyber security policy was issued, addressing many previous 
recommendations and findings. This policy was developed in 
collaboration with our sites, incorporates the recently issued 
DOE National Security Manual and many of their requirements, 
such as security plans and certification and accreditation 
procedures have already been implemented.
    We also have established strong and effective cyber 
security incident response capabilities. The DOE and NNSA have 
partnered to implement a state-of-the-art facility in Las 
Vegas, Nevada. This facility monitors DOE and NNSA networks and 
coordinates the response to incidents by utilizing extensive 
communications and collaboration among DOE/NNSA sites, other 
Federal agencies, law enforcements, intelligence, and 
counterintelligence.
    In summary, NNSA has a robust technical, operational and 
management-based approach to cyber security of the 
unclassified, the controlled unclassified and the classified 
information. However, we acknowledge the need for continual 
improvement. We believe our approach is fundamentally sound, 
but the nature of the threat changes daily. We must keep pace 
with the adversary and continue to improve the collaboration 
between our sites, DOE counterintelligence and the cyber 
security experts across the government and industry to succeed 
in the future.
    This concludes my opening statement. And I'm pleased to 
answer questions at the end.
    Mr. Stupak. Thank you.
    [The statement of Ms. Wilbanks is included with the 
statement of Mr. Peterson.]
    Mr. Borgia, your opening statement, please.

      STATEMENT OF STANLEY J. BORGIA, DEPUTY DIRECTOR FOR 
        COUNTERINTELLIGENCE, OFFICE OF INTELLIGENCE AND 
         COUNTERINTELLIGENCE, U.S. DEPARTMENT OF ENERGY

    Mr. Borgia. Thank you, Mr. Chairman.
    Mr. Stupak. You may want to pull that a little closer. It 
doesn't pick up very well.
    Mr. Borgia. Chairman Stupak, Ranking Member Shimkus and 
distinguished members of the committee, thank you for the 
invitation to appear before you on a subject of importance, the 
cyber threat.
    I'm addressing you today as the Deputy Director of 
Counterintelligence in the Department of Energy's Office of 
Intelligence and Counterintelligence. However, sir, I would 
like to go just a little further in my introduction, because 
there is a letter that is controversial, and explain to you 
that I am also a Deputy Assistant Director in the FBI, assigned 
by Director Mueller to the Secretary of Energy to run the 
counterintelligence program. I have been here for over 2 years, 
since July of 2006, and I will continue.
    We and DOE counterintelligence are both a producer of 
intelligence information and a consumer of intelligence 
information. We develop and facilitate the transfer of DOE-
unique information to the United States Intelligence Community 
and convey actionable Intelligence Community threat information 
to all departmental action offices, including the National 
Nuclear Security Administration, NNSA. We appreciate that 
physical security is an essential element in the protection of 
information, and we participate in the National Joint Terrorism 
Task Force, National Counterterrorism Center, to enhance the 
protection of DOE equities.
    Likewise, we are a very active member of the FBI-led 
National Cyber Investigative Joint Task Force, or NCIJTF, which 
allows us to provide unique DOE and NNSA information to the 
cyber investigations community and collaborate at national 
initiatives. Membership also provides DOE with invaluable 
current cyber-based threat information relevant to our 
departmental assets and critical energy infrastructure.
    DOE's Counterintelligence Office performs a broad range of 
cyber-related functions, including analysis of cyber security 
incidents with a foreign nexus. Our work is closely coordinated 
with the DOE Office of the Chief Information Officer and the 
NNSA's Office of the Chief Information Officer with which we've 
maintained a strong and mutually supportive relationship in the 
cyber security team.
    The nature of the cyber threat to the DOE complex is 
constantly evolving. DOE sensors, monitoring attacks on the DOE 
networks, have picked up an increased tempo of potential 
adversarial activity, including network reconnaissance, 
scanning for potential attack vectors and outright cyber 
attacks. In 3 of the past 6 months sensors have documented well 
over 400 million such indicators of hostile activity every 
month.
    Further, we have seen thousands of socially engineered e-
mails. They may appear to come from known associates or support 
an interesting subject line, but they contain malicious 
computer code designed to infect the recipient's computer, 
steal and transmit information it contains, and eventually 
spread to the rest of the network. A single mouse click by a 
single user can contaminate large numbers of networked 
computers.
    In order to generate counterintelligence investigative 
leads from all this activity, I have directed expanded use of 
cyber techniques at DOE and NNSA. The results have been 
dramatic. In particular, cyber tools developed under this 
initiative have enabled investigators at the intelligence and 
military organizations to make strides toward attribution for 
ongoing computer intrusions directed against DOE and other 
United States Government computer networks, a major 
accomplishment for DOE, that has demonstrated the value of 
these cyber tools for CI analysis.
    The counterintelligence cyber program has developed 
professional working relationships with the Defense Information 
Systems Agency, the Military Service Information Operation 
Centers, the military service Criminal Investigation Divisions 
and the Joint Information Operations Warfare Analysis Center in 
San Antonio, Texas. These are comprehensive information-sharing 
relationships as well as expanded partnerships for information 
and cyber data exchange. They serve to increase awareness of 
the operational methods being employed by individuals and 
state-sponsored entities engaged in unauthorized computer 
intrusions into DOE computer networks.
    DOE in collaboration with the Intelligence Community 
partners, DOE national laboratories, chief information officers 
and DOE cyber security use data integration tools and intrusion 
detection sensors to uncover, investigate and mitigate 
suspicious cyber events with a foreign nexus.
    In closing, Mr. Chairman, the attacks we see place 
virtually every computer connected to the Internet at risk of 
compromise, including those of the U.S. Government and our 
critical energy infrastructure. Moreover, an attacker has a 
significant advantage over the protect-and-defend cyber 
security community. DOE's Office of Intelligence and 
Counterintelligence will continue to pursue all available 
lawful means to detect, investigate and mitigate the pervasive 
cyber threats we as a nation now face.
    Thank you, Mr. Chairman.
    Mr. Stupak. Thank you.
    [The prepared statement of Mr. Borgia follows:]

    [GRAPHIC] [TIFF OMITTED] T3238.058 through T3238.061
    
    Mr. Stupak. Dr. Anastasio, please, for your opening.

STATEMENT OF MICHAEL R. ANASTASIO, PH.D., DIRECTOR, LOS ALAMOS 
                      NATIONAL LABORATORY

    Mr. Anastasio. Thank you, Mr. Chairman and Ranking Member 
Shimkus. I'm Dr. Michael Anastasio, Director of the Los Alamos 
National Laboratory. Thank you for the opportunity to discuss 
the lab's continuing efforts to improve and sustain security.
    For my first appearance before this subcommittee in January 
of 2007, I clearly understood the message from the Members: 
Continued security issues at Los Alamos were not going to be 
tolerated. I'm pleased to report that at Los Alamos we now have 
a record of successes in both physical security and cyber 
security. We've taken concrete actions to reduce risk, clarify 
policy, establish roles and responsibilities and develop 
solutions to continuously improve the security posture at our 
site.
    These measures are working. Over the past year the 
laboratory has reduced potential unauthorized disclosures of 
information by two-thirds, and that number continues to 
improve.
    My written statement details our progress, but there are 
three points I'd like to make here now. First, I am especially 
proud that the improvements made at the laboratory link 
directly to the actions and attitudes of our employees. Members 
of our workforce have very little tolerance for any of their 
coworkers who are not security conscious. The workforce 
understands that the Nation must trust them to handle our most 
sensitive secrets, and our actions have helped justify that 
trust.
    Second, the changes by the employees of Los Alamos have 
been coupled with an aggressive security improvement program. 
For example, we've reduced the number of vault-type rooms by 
one-quarter. We've reduced our classified accountable, 
removable electronic media from 12,000 items to fewer than 
4,000. We've designed and opened the first supervault-type 
rooms and are planning for more. We've converted 94 percent of 
our targeted classified workstations to diskless operation. 
We've destroyed more than 40,000 classified nuclear weapon 
parts and more than 3 million pages of classified documents.
    We're implementing a further segregation of our 
unclassified cyber network that will provide foreign national 
employees access only to the information that they require for 
their jobs.
    And, third, in anticipation of how the cyber threat will 
continue to evolve, we're developing new approaches and 
technologies so that we can get ahead of the game to better 
protect our unclassified networks.
    I'm encouraged that the three recent assessments in the 
testimony we heard on the previous panel by our external 
reviewers from GAO and HSS have validated our significant 
progress. However, these reports also clearly demonstrate that 
we need to make further improvements. I agree, and we're moving 
aggressively to address them.
    Continuous security improvement is essential, and nowhere 
is this more evident than in cyber security. As I expressed in 
my last appearance before you, the cyber threat remains my most 
great concern. This is an ever-increasing, evolving threat from 
adversaries who are relentless and technically skilled. 
Protecting our classified resources is my highest priority, but 
further securing our unclassified yellow network is essential.
    This network is the backbone of our operation. It's crucial 
that we develop solutions that manage risk and allow users to 
access the information they need to do their jobs. One example 
is something we call ``glove box computing.'' With this 
technology, a user can access, create and manipulate 
information, but has no ability to remove it, similar to how we 
handle nuclear material.
    The cyber threat is one faced by the entire Nation. It's 
something that requires a coordinated national response using 
our country's combined assets, skills and experience. The 
unique cyber capabilities of the national laboratories can be a 
valuable resource, building on the integration efforts that are 
already under way among all three of our laboratories and with 
NNSA and DOE.
    In conclusion, Mr. Chairman, Los Alamos is making 
significant progress improving our security posture, and we are 
committed to continuous improvement to stay ahead of the 
evolving threat. I would like to invite you and other members 
of the committee to come visit the lab and see how we're doing.
    And with that, I'll thank you and be ready to take your 
questions.
    [The prepared statement of Mr. Anastasio follows:]

    [GRAPHIC] [TIFF OMITTED] T3238.062
    
    Mr. Stupak. Well, thank you. And I know the staff was just 
there, and unfortunately they didn't get a chance to meet with 
you. But hopefully there will be another time, and hopefully 
it's not when we're there looking at a lapse or something.
    But I think we all know that there have been improvements 
at Los Alamos.
    Mr. Anastasio. Thank you. I appreciate that.
    Mr. Stupak. Dr. Miller, your opening statement, please.

   STATEMENT OF GEORGE H. MILLER, PH.D., DIRECTOR, LAWRENCE 
                     LIVERMORE NATIONAL LAB

    Dr. Miller. Mr. Chairman, members of the committee, thank 
you for the opportunity to provide you my perspective on the 
security challenges we face together.
    As the director of a national security laboratory, I am 
very familiar with the threats to our Nation and take very 
seriously our special responsibilities to protect special 
nuclear materials and some of the Nation's most sensitive 
secrets. Safety and security are my highest priorities, and 
they are integrated into a single culture at the laboratory.
    Particularly in the cyber security area, threats are 
rapidly evolving, continue to grow more sophisticated. My 
approach involves anticipation, prevention, detection, response 
and sustainment through continuous improvement.
    The laboratory uses a variety of techniques to assess both 
physical and cyber security, and they are an integral part of 
our continuous improvement efforts. These include GAO audits, 
ongoing site inspections by DOE's Office of Health, Safety and 
Security, local site surveys and our own self-assessments.
    The HSS inspection this last spring was instrumental in 
helping us identify deficiencies in our security readiness. In 
summary, the HSS, as you have heard, found significant 
weaknesses in two areas, protective force and classified matter 
protection. We've made significant progress in addressing these 
inspection findings.
    I led a thorough review of our actions and decisions to 
identify the root cause of what was an unacceptable decline in 
our protective force's level of posture demonstrated just 16 
months earlier. I'm pleased to report that these actions have 
significantly improved the readiness of our protective force as 
demonstrated through a security incident response of a fully 
integrated force-on-force with an external adversary just 8 
weeks ago. This exercise was monitored both by NNSA and HSS, 
and the Office of the Chief of Defense Nuclear Security 
concluded that the lab's effort has resulted in a posture of 
robust protection. Let me tell you how we achieved this.
    In short, our analysis revealed that restrictions on and 
postponement of comprehensive robust exercises due to safety 
considerations had a detrimental effect on the protective force 
readiness. We have addressed those safety issues and resumed 
frequent exercises while ensuring the safety of our employees. 
My written testimony details some of these corrective actions. 
I'm committed to sustaining that performance and that level of 
progress, and we have scheduled future robust exercises 
quarterly to ensure that.
    I believe that maintaining adequate cyber security requires 
constant attention, utilizing counterintelligence experts and 
information technology professionals to anticipate, develop and 
deploy effective defensive systems and quickly respond to 
emerging threats to assure appropriate protection.
    Over the last 2 decades Livermore has hosted and staffed 
the Department of Energy's computer incident advisory 
capability. This staff of highly trained computer scientists 
have provided support for the entire complex with forward-
looking cyber analysis assessments, best practices and 
training. In this regard, HSS concluded that the lab faces 
significant challenges in this area, but has the teams, 
technologies and methods needed for success to effectively 
deliver and address cyber security.
    Protecting classified information from compromise is my 
highest priority. That's why our classified network is air-
gapped from the rest of the laboratory.
    We also maintain a separate unclassified network to handle 
our unclassified and our business information. Within this 
yellow network, different functions are segregated and 
isolated. It is used for programmatic activities that are 
essential for the laboratory.
    These functions require external communication. It is, 
therefore, connected to the Internet. But it is protected by a 
firewall. And again, as I said, within that network it is 
segregated--different functions are segregated. Constant daily 
vigilance is required to protect the network, and we use a 
comprehensive site-wide risk assessment methodology along with 
shared information from my colleagues at the other laboratories 
and across the Federal Government to focus our cyber security 
efforts on emerging threats.
    As an element of our continuous improvement, the lab has 
developed a blue network to provide appropriate computer access 
for essential mission work by the lab's foreign nationals and 
our external collaborators. Technical controls separate that 
from the yellow network.
    As another example of our continuous improvement and 
further segmentation of important data, last year I invested in 
the building of and the commissioning of a consolidated data 
center for unclassified data. This provides uniform physical 
protection, appropriate backup, enhanced reliability and, most 
important, state-of-the-art cyber protection.
    In conclusion, Mr. Chairman, taking personal and collective 
responsibility for safety and security is a fundamental value 
of the laboratory and an expectation of all employees. I can 
assure you that I am committed to provide the security that you 
and your colleagues expect from Lawrence Livermore Laboratory.
    I appreciate the opportunity to testify and welcome your 
questions.
    Mr. Stupak. Thank you, Dr. Miller.
    [The prepared statement of Dr. Miller follows:]

                     Statement of George H. Miller

                            Opening Remarks

    Mr. Chairman and Members of the Committee, thank you for 
the opportunity to provide my perspective on the security 
challenges facing the Lawrence Livermore National Laboratory 
(LLNL) and the other NNSA laboratories. I am George Miller, 
Director of LLNL and President of Lawrence Livermore National 
Security (LLNS), which has been managing the Laboratory for 
almost one year. I started at LLNL in 1972 as a research 
physicist in the nuclear weapons program. In my career I have 
had responsibilities at every level of management at LLNL. As a 
national security laboratory, we are very familiar with the 
threats to our nation and take very seriously the special 
responsibilities entrusted to us to protect special nuclear 
materials (SNM) and some of the nation's most sensitive 
secrets. Particularly in the cyber area, threats are rapidly 
evolving and continue to grow more sophisticated. Vigilance and 
continuous improvement are required.
    The Laboratory's approach to both physical and cyber 
security employs a multi-layered, defense-in-depth strategy 
with opportunities for regular feedback, assessment, and 
improvement. This process draws on both internal and external 
assessments and I will report on the aggressive actions LLNL is 
taking to continue to strengthen both physical and cyber 
security. Recently, DOE's Office of Health, Safety, and 
Security (HSS) conducted an inspection of LLNL Safeguards and 
Security and Cyber Security, and found areas of effective 
performance, areas needing improvement, and some areas of 
significant weakness. We took immediate action to respond to 
these findings and have made significant progress. Recently the 
NNSA Office of the Chief of Defense Nuclear Security stated 
that improvements made in LLNL Protective Force response 
capabilities since the HSS inspection ``have resulted in a 
robust protection strategy.'' In the area of cyber security, 
the HSS report concluded that the Laboratory faces challenges 
but ``...has the teams, technologies, and methods needed for 
success to effectively address cyber security program needs.'' 
We are drawing on those capabilities to expeditiously make 
necessary improvements.

           Laboratory Security and the Recent HSS Inspection

    I can assure you that LLNL is committed to the safe and 
secure fulfillment of its mission responsibilities. The 
Laboratory takes an integrated approach to safety and security 
with a commitment to continuous improvement. Safety and 
security are the most important considerations in day-to-day 
operations. A fundamental value of the Laboratory is for all 
employees to take personal and collective responsibility for 
providing for a safe and secure work environment.
    An extensive security infrastructure is in place at the 
Laboratory, and continual improvements are made to address new 
threats and arising concerns. LLNL uses a defense-in-depth 
approach to physical security that includes fences, buildings, 
doors, repositories, and vaults with various levels of access 
control in addition to aggressive armed defense and response 
capabilities protecting the Superblock Facility, the special 
area where work with SNM is conducted.
    Cyber security is a growing and rapidly evolving defense 
challenge for all government entities, including the NNSA 
laboratories. Cyber attacks are a serious national security 
threat that require interagency attention, cooperation, and 
investment to improve protection. Recognizing the public trust 
placed in the Laboratory to protect some of the nation's most 
sensitive secrets, LLNL takes its cyber security 
responsibilities very seriously. The Laboratory employs an 
integrated management approach to protect its cyber resources 
in an ever changing threat environment. LLNL leverages 
expertise in security management, counterintelligence, and 
information technology to identify and quickly respond to 
emerging threats and proactively develop and deploy protective 
measures. Most importantly, classified information at LLNL is 
secure. It is confined to networks that are isolated and 
segmented to ensure need-to-know access and well protected by 
technical processes that provide both system and information 
security.
    Unclassified computing at LLNL is separated into 
individually protected, NNSA accredited, network segments that 
include a Green network, a Yellow network, and a new Blue 
network. Through the use of firewalls, authorization codes, and 
other means of security, this segmentation allows for greater 
control and increasing levels of hardware and data protection 
depending on the types of data and applications that are on 
each of the networks. The Yellow network, which is subsequently 
discussed in more detail, is the main unclassified network for 
desktop computers, applications and databases, unclassified 
programmatic activities, internal communications, and business 
services. Employees receive and send email, fill out their time 
card, do their on-line training, work on technical data and 
information, and access benefits and other employment 
information on this network. It does contain sensitive 
unclassified information such as business proprietary and 
personnel information that is segregated within the Yellow 
network with additional access controls. The Yellow network is 
restricted to Laboratory employees and collaborators. Connected 
to the Internet, this network is protected by a robust firewall 
and network segments that must be diligently maintained in the 
face of ever more sophisticated threats.
    The Blue network has recently been piloted and is now 
approved for expansion. Its purpose is to provide controlled 
access to assets necessary for our foreign national employees 
and collaborators to do their work, but at the same time 
restrict their access to resources on the Yellow network. The 
Green network is lightly firewalled and provides public access 
to general LLNL information including job postings.
    The Laboratory utilizes a variety of tools to continually 
assess and test both physical and cyber security. These include 
Government Accountability Office (GAO) audits, on-site 
inspections by DOE's HSS, local NNSA site office surveys, self-
assessments, risk assessments, vulnerability scanning, and 
system testing conducted by the LLNL cyber security program. 
These assessments provide valuable input and are an integral 
component of LLNL's continuous improvement process to sustain 
the Laboratory's security in an evolving threat environment.
    In early March 2008, DOE HSS initiated an inspection of 
LLNL Safeguards and Security and Cyber Security. Over a six-
week period, 86 auditors participated in a comprehensive 
evaluation of eight security elements. The inspection was 
conducted with a high level of professionalism. For example, 
the composite adversary team that conducted the force-on-force 
exercise was very experienced and innovative in their approach, 
and they conducted the force-on-force exercise in a manner to 
test LLNL's Superblock Facility security posture to specific 
criteria. We value the approach taken by HSS in all facets of 
its inspection and the receipt of in-depth feedback to improve 
our security posture.
    In summary, the HSS inspection found LLNL to have effective 
performance in Classification and Information Control, 
Personnel Security, and Material Control and Accountability. 
HSS found that the Laboratory needed improvement in Physical 
Security Systems, Protection Program Management, and certain 
aspects of Cyber Security not related to technical controls. 
HSS found significant weakness in LLNL's Protective Force and 
its Classified Matter Protection and Control.
    The Laboratory took immediate steps to address weaknesses 
identified in the HSS inspection. In addition, LLNL developed a 
comprehensive set of corrective action plans. HSS reviewed the 
Laboratory's draft corrective action plans and HSS comments 
have been incorporated into the plans. These draft plans 
contain 254 milestones to correct and sustain LLNL's progress 
toward ensuring a long-term, strengthened security posture. 
Aggressive efforts to sustain NNSA site security compliance 
requirements have resulted in the completion of one-third of 
the milestones to date.
    The results of the HSS force-on-force exercise were 
disappointing to me and my team. The Laboratory's Protective 
Force had performed well in the prior HSS force-on-force 
exercise only 16 months earlier (December 2006), and I was 
determined to identify the root cause leading to the decline in 
the Laboratory's Protective Force readiness. I immediately 
ordered a thorough review of our actions and decision making to 
identify and correct the root cause. In short, the analysis 
revealed that restrictions on and postponements of robust 
exercises had a detrimental effect on Protective Force 
readiness as well as our ability to conduct the full-scale 
exercises that are necessary to appropriately practice team 
tactics and fully assess performance. The lack of a robust 
exercise environment inhibited the Laboratory's ability to 
obtain the necessary feedback to assess our performance.
    Safety considerations and attrition in LLNL's Protective 
Force were some of the most influential factors that placed 
limitations on exercises. For example, the Laboratory's 
initiative in 2006 to improve ladder safety practices resulted 
in the suspension of force-on-force exercises on the roofs in 
the Superblock. In addition, NNSA's prohibition on the use of 
smoke due to health concerns prevented us from utilizing this 
tool in our training. Other concerns regarding Superblock 
employee health and safety further restricted the ability of 
our Protective Force officers to engage in realistic exercises 
inside Superblock facilities.
    Another contributing factor was attrition in the 
Laboratory's Protective Force, which has averaged about 10 
percent per annum, FY 2006 through FY 2008. Force-on-force 
exercises in the Superblock are labor intensive, requiring 
sufficient Protective Force personnel to participate in 
defensive and offensive teams, help conduct the exercise, and 
to provide a stand-alone force to protect the area during the 
exercise. With high attrition and a two-year training regimen 
for new officers, shortfalls in staffing required careful 
workload balancing and significant overtime to provide defense, 
train, and exercise.
    The limitations emanating from these considerations 
resulted in Protective Force exercises that were insufficient 
in scope and degree of realism to identify weaknesses in 
equipment performance and team tactics.
    We took actions to address this root cause. First, we 
devoted special attention to expeditiously resolve safety 
concerns by, for example, marking and providing guide 
structures on roofs for safe access and providing ventilation 
within hallways so that blank ammunition can be used. Once we 
resolved these concerns, we resumed robust exercises in the 
Superblock, and will conduct robust force-on-force exercises on 
a quarterly basis. Second, we reinvigorated our physical 
security self-assessment program and assigned a seasoned 
security professional to a newly created position as the 
Security Organization Program Performance Assurance Manager. 
Finally, we took away valuable lessons from each of the factors 
that contributed to decisions that had self-limited exercises 
and assessments.
    We have applied the lessons learned from all facets of the 
HSS inspection. Working closely with NNSA and utilizing 
expertise accessible through reachback to LLNS parent 
organizations, LLNL has significantly strengthened its security 
posture over the last several months. Highlights are discussed 
below in the areas of Protective Force, Classified Matter 
Protection and Control, and Cyber Security. In addition, the 
Laboratory has implemented management changes to clarify roles 
and responsibilities through an integrated chain of command 
that incorporates expertise in SNM research, safety, and 
security. Vulnerability assessments are being updated to 
include the recent protective force, physical security, and 
cyber security enhancements.

                     Protective Force Improvements

    LLNL has implemented improvements to its manpower 
deployment and training, to its defensive equipment, to its 
command and control systems, and continues to implement 
improvements to its hardened fighting positions in the 
Superblock. These improvements were guided in part by the 
lessons learned during a period of intensive activity in May 
and June 2008 when over 25 scrimmages, limited-scope 
performance tests, and 12 force-on-force exercises against a 
variety of adversary teams were conducted in the Superblock 
Facility exercising all LLNL Protective Force shifts. The 
Laboratory's integrated plan ensures a high-quality training 
environment with the appropriate equipment resources to 
continually challenge and test the responsiveness of its 
Protective Force. LLNL has implemented Protective Force 
improvements in four areas: Personnel, Equipment, Team Tactics, 
and Training Environment.
    Personnel. The HSS Inspection found that LLNL's Protective 
Force security officers were individually well trained and 
capable as demonstrated by their high test scores. This is due 
in part to LLNL adopting the newly proposed Tactical Response 
Force (TRF) Standards as part of its training. LLNL is 
currently the only site in the complex to qualify all of its 
Level 2 and 3 Protective Force officers in this weapons and 
physical fitness proficiency standard.
    Lessons learned from the HSS force-on-force exercise, and the 
subsequent force-on-force exercises, resulted in the addition 
of Protective Force officers in the Superblock Facility on each 
shift, and the addition of a Sergeant to each shift to engage 
exclusively in Command and Control. Both of these actions have 
been completed and are incorporated into the Security Incident 
Response Plan (SIRP).
    Equipment. LLNL utilizes Dillon gatling guns, integrated 
into Mobile Weapon Platforms (MWP), as part of the security 
posture for the Superblock Facility. Since the HSS inspection, 
LLNL has developed a robust security incident response plan 
that utilizes a MWP deployment strategy that does not rely upon 
all vehicles being deployed at all times. This plan allows LLNL 
to deploy some or all of the vehicles and maintains a high 
level of protection by augmenting and re-deploying forces 
within the Superblock in towers, bullet-resistant enclosures, 
hardened-fighting positions, or as ground-based strike teams. 
Consequently, this plan protects the SNM and provides for 
cycling vehicles out of the Superblock Facility for necessary 
vehicle service, vehicles to conduct training, and the ability 
to upgrade vehicle systems without degrading LLNL's protection 
effectiveness. In addition, it forces an adversary to develop a 
plan and commit resources to address multiple protection 
strategies--a much bigger task for an adversary than would be 
required to deal with a static protection configuration.
    We have upgraded the defensive equipment used by our 
officers to protect the Superblock including improvements to 
the MWP that mitigate maintenance and reliability issues. In 
addition, the operability of the MWPs is verified each shift.
    Team Tactics. Daily and nightly training began and has 
continued since April to ensure effective implementation of the 
SIRP and verify compliance of the Protective Force officers 
with it. These training exercises and Limited Scope Performance 
Tests involve individual, small unit, and full team movement 
and tactics. Refinements to command and control protocols have 
been developed based on these exercises, as well as actions to 
address security officer vulnerabilities identified during the 
exercises.
    Training Environment. In order to facilitate more realistic 
training, LLNL engages in force-on-force activities in the 
Superblock Facility and indoors with realistic Multiple 
Integrated Laser Engagement System (MILES) gear on a routine 
basis. During the first week of August 2008, a fully integrated 
force-on-force exercise was conducted by an adversary force 
from Idaho National Laboratory. This force-on-force exercise 
was attended by representatives of the Office of the Chief of 
Defense Nuclear Security, NNSA Field Security professionals, 
and observers from DOE HSS. The force-on-force exercises were 
particularly challenging, designed to test the changes to our 
SIRP and the additional training of our security force. LLNL's 
security incident response was very successful. The Office of 
the Chief of Defense Nuclear Security asserts, ``The results of 
the exercises demonstrate that activities completed as part of 
the site recovery plans, along with the planned configuration, 
have resulted in a robust protection strategy.''

   Improvements in Physical Security Systems and Classified Material 
                          Protection & Control

    LLNL's security construct is based on a series of defensive 
layers--a graded approach that provides increasing barriers that 
correspond to the increasing security value of critical 
Laboratory assets. Classified information resides in 
``limited'' areas and is stored in repositories and/or vault-
type rooms (VTRs). Some of LLNL's VTRs were found to be 
deficient in sensor protection by the HSS inspection, and the 
necessary additional sensors were immediately installed.
    In addition to enhancing the VTRs, LLNL formalized roles 
and responsibilities, and improved VTR configuration 
management. The Laboratory is consolidating databases that 
document the location of classified repositories into a master 
database and has established a policy and verification 
procedures for configuration control of classified repositories 
and VTRs. In addition, procedures for logging and inventory of 
failed classified computer hard drives now address concerns 
raised by the HSS inspection. LLNL has upgraded the lighting 
and video coverage in the Superblock.

                      Cyber Security Improvements

    As an integral component of LLNL's security organization, 
the Laboratory's cyber security program proactively develops 
and deploys effective defensive systems and quickly responds to 
emerging threats to ensure appropriate protection. The cyber 
security program takes an integrated approach, strongly 
engaging counterintelligence experts and information technology 
professionals. The Laboratory has established centralized 
policies and procedures for managing cyber security, and it has 
in place many effective technical processes and tools for 
providing protection. These include perimeter and internal 
firewalls, vulnerability scanning, and intrusion detection 
systems. In addition, the Laboratory has developed and utilizes 
an effective system for user identification, authentication, 
and access control to enforce security standards and ensure 
appropriate configuration management of software and hardware 
systems.
    The HSS inspection rated LLNL's cyber security technical 
controls ``effective'' and found that the cyber security 
program ``has taken an aggressive stance to ensure that when 
issues are recognized, corrective action plans and plans of 
action and milestones are developed.'' In response to 
deficiencies identified in the HSS report, LLNL is 
strengthening its cyber security controls for planning, 
acquisition, certification, and accreditation of systems to 
reduce overall risk. The Laboratory is updating its cyber 
security plans to reflect the most up-to-date directives and 
include more detailed operational protocols in order to better 
test, certify, and accredit systems.
    Classified information at LLNL resides on separate networks 
for Secret/Restricted Data and Secret/National Security 
Information, a practice HSS found ``commendable.'' Their report 
concludes that, ``Strong identification and authentication 
controls for access to applications and effective segmentation 
to ensure need-to-know boundaries, as well as effective 
vulnerability scanning and patching, are key factors in the 
classified environment being almost totally devoid of 
vulnerabilities.''
    As mentioned earlier, the Yellow network at the Laboratory 
is the main unclassified network for desktop computers, 
applications, and databases. This network contains access-
controlled sensitive unclassified information that is required 
by most Laboratory employees and collaborators to conduct their 
mission responsibilities. It is the backbone for unclassified 
programmatic activities, internal communications, and all 
business services. Laboratory research, business functions, and 
operations require external communications; hence, the Yellow 
network is connected to the Internet and protected by a 
firewall and network segments.
    Vigilance is required to protect Yellow network systems and 
data. LLNL first completed a comprehensive sitewide 
unclassified risk assessment in 2005. Updated annually and as 
new risks are identified, the assessment includes an analysis 
of systemic conditions and threats, probabilities of 
occurrence, and impact. Consideration of the risks guides 
strategies for vulnerability scanning and patching as well as 
the implementation of additional measures to limit inward and 
outward flows through the firewall. The Laboratory is working 
to fully implement effective risk management processes to 
identify risks at the system-specific level.
    One notable step LLNL is taking to minimize risks is the 
development of a Blue network. To be used by foreign nationals 
whose collaboration is necessary for LLNL to meet mission 
responsibilities, the network was established to provide even 
greater assurance that access restrictions to LLNL information 
systems are enforced based on need-to-know. The Blue network 
segment is separated from the Yellow network through technical 
controls. Users have access only to approved resources on the 
Yellow network and that access is only permitted with controls 
enforced by firewall policy. This prevents foreign nationals 
from having the ability to ``knock on doors'' and gain access 
to Yellow network resources on an uncontrolled basis. They are 
not able to search the Yellow network or monitor activities on 
it. The Blue network is being piloted in one of the 
Laboratory's directorates and is planned for site-wide 
implementation in Fiscal Year 2009.

                            Closing Remarks

    The Laboratory requires annual training for every LLNL 
employee to ensure that each understands the importance of 
protecting the classified information and materials at the 
Laboratory and their individual and collective security 
responsibilities. Security is an obligation that we take 
extremely seriously. The adversarial threats we face are 
growing more sophisticated and defense requires vigilance. When 
deficiencies are uncovered or an emerging threat is identified, 
we act as promptly and effectively as we can to fix the 
specifically identified issue as well as address the root 
causes. That is why the Office of the Chief of Defense Nuclear 
Security was able to assert that LLNL's concerted efforts 
``...have resulted in a robust protection strategy'' after 
shortcomings were uncovered by HSS only several months earlier. 
I have confidence in LLNL's Protective Force and the 
effectiveness of the Security Incident Response Plan.
    Cyber security is a challenge facing all government 
entities, including LLNL. I agree with the HSS report that 
concluded ``the laboratory has the teams, technologies, and 
methods needed for success to effectively address cyber 
security program needs.'' LLNL welcomes the opportunity to 
share some of the lessons we have learned--and to learn from 
others--through broader, more concerted, and effectively-
integrated DOE and interagency efforts to cope with this very 
serious national security threat.

   Lawrence Livermore National Laboratory's Security Posture--Summary 
                              (Attachment)

    Lawrence Livermore National Laboratory (LLNL) is committed 
to the safe and secure fulfillment of its mission 
responsibilities. A fundamental LLNL value is that all 
employees must take personal and collective responsibility for 
providing for a safe and secure work environment. An extensive 
security structure is in place at LLNL, and we are taking 
aggressive actions to address arising security threats and 
concerns. Particularly, in the cyber area, threats are rapidly 
evolving, continuing to grow more sophisticated and vigilance 
is required.
    The Laboratory benefits from both internal and external 
assessments to identify weakness and areas for improvement. 
Recently, DOE's Office of Health, Safety, and Security (HSS) 
held an inspection of LLNL Safeguards and Security and Cyber 
Security that provided valuable feedback. We took immediate 
steps to address the identified weaknesses. We conducted a 
thorough review to identify the root cause of the disappointing 
results of the force-on-force exercise and took corrective 
actions. Restrictions on and postponements of robust exercises 
had a detrimental effect on Protective Force readiness and 
inhibited the Laboratory's ability to obtain essential feedback 
on our performance. We resumed the conduct of realistic force-
on-force exercises in the Superblock, and we will conduct 
future comprehensive force-on-force exercises on a quarterly 
basis. We have also upgraded the defensive equipment used in 
the Superblock. Following a fully integrated force-on-force 
exercise in August 2008, the NNSA Office of the Chief of 
Defense Nuclear Security, improvements made in LLNL Protective 
Force response capabilities ``have resulted in a robust 
protection strategy.''
    In the area of cyber security, the HSS report concluded 
that ``the classified environment [at LLNL is] almost totally 
void of vulnerabilities.'' LLNL's (unclassified) Yellow network 
faces challenges, but it is well protected and the HSS report 
states that LLNL ``has the teams, technologies, and methods 
needed for success to effectively address cyber security 
program needs.'' We are drawing on those capabilities to 
expeditiously make improvements, including the development of a 
new Blue network for use by foreign national employees and 
collaborators.
                              ----------                              

    Mr. Stupak. Dr. Hunter, your opening statement, please, 
sir.
    Dr. Hunter. Thank you, Mr. Chairman.
    Mr. Stupak. You're going to need the mic there. Thanks.

      STATEMENT OF THOMAS O. HUNTER, PH.D., PRESIDENT AND 
      LABORATORIES DIRECTOR, SANDIA NATIONAL LABORATORIES

    Dr. Hunter. Thank you, Mr. Chairman, Ranking Member and 
distinguished members of the committee. I am Tom Hunter, 
President of Sandia Corporation and Director of Sandia National 
Laboratories. It's a pleasure to appear before you and talk 
about this extremely important matter.
    Sandia, as you know, is a national security laboratory and 
part of the NNSA; and we develop and support the nonnuclear 
parts of the nuclear term, but we also are, further, involved 
in research and development across a wide range of national 
security areas. I provided written testimony at some length, 
but I would like to emphasize just a few points.
    First, I would like to talk about our commitment and my 
personal commitment to security.
    We can only serve the Nation in so many sensitive areas, 
and we do place security at the very top of our value system. I 
should also be clear that I do not support the view that 
science in our world and security should be in conflict or can 
be in conflict. I believe that science in the national interest 
must embrace effective security.
    It is a matter of great personal pride that the Nation has 
entrusted us with this most sensitive information. I and my 
entire organization are committed to always honor that trust. 
We can all live up to our security responsibilities if we're 
ever vigilant and constantly aware of the threat facing us and 
any vulnerability that may occur. We have decades of experience 
evaluating the threats to our nuclear deterrent, and we've 
applied that experience to the cyber world as well.
    The second point I would like to make is, this Nation's 
made a great investment in its classification system, both of 
information and materials. We see great value in that system 
and we use it as the foundation, the very core, of our security 
systems. And this allows us to place the most emphasis on our 
security systems in the right places where there's the most 
sensitivity.
    We believe we have made great progress in the last few 
years in our protective systems for physical security. We've 
reduced our vulnerability to attack by limiting all discrete 
Category I and Category II nuclear material at our site. We did 
that just recently and ahead of schedule.
    Last year we received the highest possible rating on all 
seven major areas of physical security in the evaluation done 
by DOE's Office of Independent Oversight. Yet we do not 
believe, and it's my strong conviction, that we can rest on any 
of our accomplishments. The challenge will always be greater 
and our expectation will always be higher.
    We're acutely aware of the threat of malicious insiders and 
have an active counterintelligence program and one that is 
acknowledged to be uniquely effective because of the strong 
integration we have because of counterintelligence and our 
cyber and physical security programs.
    As the committee has so well noted, there is one area, 
though, that we, like the majority of the Nation's 
institutions, must be even more vigilant. We are part, and a 
fundamental part, of the Nation's cyber system. We find that 
modern information systems are essential to manage and operate 
an enterprise such as ours. But with this great enabler comes a 
great risk.
    There have rarely been threats to the very core of our 
Nation's infrastructure as pervasive and as asymmetrical as a 
cyber threat. We have acted aggressively to address the cyber 
threat. We have three separate networks for cyber information. 
Each system has been uniquely designed for the security 
provisions of the information there. All are controlled and 
monitored centrally by the laboratory.
    When I sign on to my personal computer, it reminds me every 
time, like every employee, that I will be subject to 
observation and should expect no privacy from our monitoring 
systems. We block over 80 percent of our incoming e-mail. We 
save and evaluate all cyber traffic at the laboratory by expert 
and electronic means. If any user on our system does not 
conform to our security requirements, we'll promptly terminate 
access from the system.
    We maintain a complete registration of all devices on our 
system, deploy encryption for sensitive transmissions and 
require common operating environment for all desktops. Each 
network is subdivided into segments that have separate 
monitoring and separate need-to-know protection.
    We have close ties with the other institutions in the 
Federal Government and the other laboratories in the DOE. When 
an attack occurs, there is a direct and effective communication 
between Sandia, other laboratories and the DOE.
    Finally, I would like to close my comments with emphasis on 
one point that I think is most central to the path forward for 
the cyber-secure world of the future, and that's people. I've 
had the opportunity to witness the dedicated professionals who 
defend our cyber systems. I've come to admire and respect their 
talent, their expertise and their dedication. Each day--and in 
most cases, very long days--they face an adversary that is more 
creative and better equipped than the day before. And any day 
they may be called upon to scan enormous files and spot 
anomalies that could easily elude most trained observers. They 
may be called on to go to another laboratory to help sort out 
an ongoing attack.
    Why do they do it? It is not a matter of compliance. It is 
not a matter of administrative requirement. It is not even a 
matter of compensation or reward. And it's certainly not 
because they could not work anyplace else. It is, in my 
judgment, because they are individually committed to serve this 
country, to defeat this pervasive threat.
    I'm thankful each day they're there with us, and I believe 
they're examples of the country's principal hope in the coming 
escalation of cyber attacks--talented people surrounded by 
talented people and equipped with unique experiences and assets 
who devote their careers to this conflict. If we could do only 
one thing in the whole world of cyber security, it will be to 
apply our Nation's best minds to the problem, train them, hire 
them, support them, and empower them.
    And I now urge the committee, with all of us, to do 
whatever we can to help create an environment where these 
people have the opportunity to commit, to excel and to prevail.
    Thank you, Mr. Chairman; and I would be pleased to answer 
any questions.
    Mr. Stupak. Thank you, Dr. Hunter.
    [The prepared statement of Dr. Hunter follows:]
    [GRAPHIC] [TIFF OMITTED] T3238.087
    
    
    Mr. Stupak. That concludes the opening statements. We'll go 
to questions. We're going to go 10 minutes.
    I think we'll have votes coming up; maybe we can get our 
questions in before that.
    Dr. Anastasio, if I may, GAO testified on the first panel 
that Los Alamos pulled the access to foreign nationals to the 
yellow network. Is that correct?
    Mr. Anastasio. No, that's not correct.
    Mr. Stupak. It's not?
    Mr. Anastasio. Foreign nationals do have access to our 
yellow network.
    But we have a number of protections in place to ensure that 
proper care is taken. We do counterintelligence assessment of 
every individual. We have security plans and a very significant 
process we go through.
    Mr. Stupak. Do you have encryption on some of the more 
sensitive parts that are on your yellow?
    Mr. Anastasio. We have some encryption on the more 
sensitive parts that are on the yellow network, and we have 
segmentation that we've put in place and we're further 
proceeding with that.
    Mr. Stupak. All right.
    Dr. Miller, do foreign nationals have access to the yellow 
information? The yellow network, I'm sorry.
    Dr. Miller. Yes, sir. Just like Dr. Anastasio, we currently 
do have foreign nationals on our network. As I indicated in my 
testimony, we are in the process of creating another network. 
It was just--we did a pilot last year. It was just credited by 
NNSA about a week ago. So this fiscal year we will be creating 
a separate network for all of our foreign nationals that is 
separate from the yellow network.
    Mr. Stupak. All right. Would some of the information on 
your yellow network go on this new network you're--
    Dr. Miller. Yes, sir. I mean, for instance, all of the 
training requirements that are completely unclassified are 
required by--the foreign nationals require access to the 
training requirements. So the training courses, things like 
that that they require access to, will be on the blue network. 
So there will be some information that is transmitted.
    Mr. Stupak. Dr. Hunter, how about yourself, the foreign 
nationals on your yellow network?
    Dr. Hunter. On our yellow network we have about 11 foreign 
nationals that have some access in the appropriate areas, but 
none are from sensitive countries and I think the DOE 
requirement for the future is about sensitive countries.
    Mr. Stupak. Let me ask this question, if I may--Dr. 
Wilbanks, if I may.
    The Director of Los Alamos noted in his opening statement 
that cyber threat is the greatest security concern. Would you 
agree that this is perhaps the greatest security concern facing 
DOE labs at this point in time?
    Ms. Wilbanks. I can only speak from the cyber perspective. 
But, yes, sir, I would agree that it's a very high threat.
    Mr. Stupak. Well, let me ask you--to point that to the 
point that you can in open session here--what's the level of 
sophistication of these attacks? Are they increasing in 
capability?
    Ms. Wilbanks. Yes, sir. I would be happy to elaborate in a 
closed session, sir.
    Mr. Stupak. Mr. Borgia, Ms. DeGette asked the question 
earlier--let me ask you this if I can.
    Has a full inventory of the information residing on the 
unclassified networks of DOE national labs been inventoried?
    Mr. Borgia. No, not that I know of.
    Mr. Stupak. The other panel didn't necessarily think it was 
necessarily a wise choice. Do you think it would be?
    Mr. Borgia. I think that I would defer to that answer.
    I think the most important thing to do with this 
information is to be able to stop the intrusion, if it's 
possible. But to be able to catalog that information would be--
that would be a tremendous library of cataloging we would be 
responsible for doing in the Department, and it would be 
overwhelming.
    Mr. Stupak. Let me ask you this question, if I may.
    You testified that your work is closely coordinated with 
DOE's Office of Chief Information Officer and NNSA's Office of 
Chief Information Officer, and that you maintain strong, 
mutually supportive relationships in the cyber security. Yet 
for the past 3 years the Office of Inspector General has 
reported that the Department has failed to adequately address 
cyber security coordination and communication.
    From a counterintelligence point of view, are you satisfied 
with the coordination and communication between the 
Counterintelligence and Information Technology Divisions in the 
DOE complex regarding the reporting of cyber incidents? And 
what, if anything, can be done to improve coordination and 
communication?
    Mr. Borgia. Yes. Thank you, Mr. Chairman.
    I would have to say the answer to that is yes. There has 
been a substantial increase in the communication between my 
office and the chief information officers in cyber security. 
We--in the 2 years I've been here, we've had increasing contact 
with these offices--daily contact, weekly meetings, sometimes 
twice weekly meetings where we sit down and review matters of 
classified concern.
    And there is continuing contact at the executive levels in 
each of these offices too. Dr. Wilbanks and Mr. Pyke and myself 
and their executive management staffs and mine are very, very 
familiar with one another, and we talk very frequently.
    Mr. Stupak. Let me ask this question, if you can answer it 
or if we have to go to a closed session, just let me know.
    Mr. Podonsky and his group said they're not very 
sophisticated in cyber security, but yet they're able to get in 
with his Red Team and take control of--I don't want to say take 
``control,'' but have pretty good access in two science labs. 
And everyone is telling me today it is more sophisticated. It's 
a great concern.
    Is it possible that there have been breaches of our cyber 
security that we don't know about? Is the sophistication--the 
level of sophistication--in other words, like when I play 
basketball, are you above the rim or not?
    I'm below the rim, believe me. But are there teams above 
that rim that we possibly don't even know about?
    Mr. Borgia. Yes.
    Mr. Stupak. OK. I have more questions, but I'm going to ask 
those in closed session on that aspect of it.
    Let me ask this. We've talked a little bit about this 
yellow network. And let me--in light of that answer, Mr. 
Borgia, what is NNSA's opinion on the network access that's 
been provided to foreign nationals? What control does, like, 
let's say, Los Alamos have in place to ensure that foreign 
nationals have a need-to-know for the access they have been 
provided with on the network?
    Mr. Borgia. Sir, perhaps the lab director or NNSA would be 
better to answer that question.
    Mr. Stupak. OK.
    Dr. Wilbanks, do you want to add anything to that question?
    Ms. Wilbanks. The labs have done a great job in segregating 
various components within their yellow network that allows 
their foreign nationals on there.
    Excuse me. As you heard, Lawrence Livermore is building a 
separate network for the foreign nationals. They take great 
strides to limit the access of the foreign nationals to 
specific areas of information, and then to limit their access 
within the network itself.
    Mr. Stupak. My concern--I guess I brought it up earlier in 
the first panel--was that mosaic approach. You take something 
that doesn't seem real sensitive. It's on the yellow. So I take 
a piece here, take a piece there, put it together, does it 
become then sensitive, that we should have greater 
restrictions?
    Do you care to comment on that, Dr. Anastasio?
    Mr. Anastasio. Let me indicate that before we have any 
foreign national on our network, we go through a very extensive 
review, including a counterintelligence review of those 
individuals before we allow them on. We're essentially moving 
to do the same thing Lawrence Livermore is doing in their blue 
network to have a separate network that's segregated in a way 
that allows the foreign national to have access only to the 
information they need, as I said in my testimony.
    And the other thing is that the yellow network has many 
protections on it. It's segregated in a sense already to be the 
network we use for information that's beyond what would be 
revealed to the general public. Before we put any information 
on that network, we go through an extensive classification 
review before that information is allowed to be on the network.
    But then, beyond that, the mosaic issue is always a 
challenge. And it's something they watch out for as we go and 
do our reviews of the information and as we look at any issues 
that may arise.
    But, yeah, I think we are very vigilant about these issues.
    Dr. Miller. Mr. Chairman, if I could just add a slight 
amplification of that in the sense of an example.
    Personally identifiable information is obviously something 
we're all very sensitive to. That information is separately 
segregated and protected on the yellow network. So, for 
instance, I do not have access to the PII of all of the 
employees at the laboratory; it is separately segregated. The 
number of people who have access to it is limited to a very 
small number who actually are required to be able to do that in 
concert with their job.
    An example of why somebody might want to have access to it 
is, if an employee were taken to the medical facility in an 
emergency, the medical people need to be able to get access to 
personal information about what drugs, whatever. So there are 
specific circumstances under which people could get access, but 
generally the information is very tightly segregated, based 
upon the function and based upon the need to know of the rest 
of the people.
    Mr. Stupak. But you don't--on your yellow networks you 
don't have anything where you catalog what foreign nationals 
are looking at or working on, do you?
    Mr. Anastasio. We're very--we keep--as Dr. Hunter said, we 
keep a full record of all the in-going and out-coming traffic 
on our network and we watch that and search it. And we have 
sensors deployed to look at the traffic that's going on. And we 
periodically do scans, as well as do scrubs of the information 
that's moving around, to ensure ourselves that the proper 
behavior is going on on the network.
    Mr. Stupak. OK.
    Dr. Wilbanks, let me ask you one more question, if I may. 
If information was being exfiltrated from any of the DOE labs, 
would this be detectable? In other words, does DOE have the 
ability to fully understand whether information is being lost 
from any of the DOE labs' networks?
    How would they know this?
    Ms. Wilbanks. DOE, NNSA and the site offices themselves 
have many sensors that monitor the outgoing traffic. And there 
are techniques, technologies to determine what information is 
being exfiltrated. I'd be happy to elaborate, sir, in a closed 
session.
    Mr. Stupak. But it's possible the sensors don't pick up 
what's being exfiltrated, right? It just depends on--
    Ms. Wilbanks. Yes, sir. That's always a possibility we 
face.
    Mr. Anastasio. Excuse me, Mr. Chairman. Just to amplify on 
that, we do have layers of defense, though. I think that's 
important.
    Although no layer is perfect, we have sensors that we use 
inside the laboratories. We have--NNSA has a set of techniques 
that they use, DOE and then even the broader national security 
community. So we rely on all those layers to allow us to know 
what's going on, and if we have a problem, how we can react.
    Mr. Stupak. Sure. I agree with that. But the attacks are 
becoming more and more sophisticated. And if we're playing 
above the rim, you're not going to know.
    Mr. Anastasio. But our job as a national laboratory is to 
have the innovation and creativity to stay ahead of the game, 
to be leading the world on these activities and to draw on the 
full resources of all the elements of the government to do our 
job.
    So we're very conscious, and Dr. Hunter, I thought, was 
very eloquent about the people, that that is a key issue for us 
to make sure we have those people that can be at the state of 
the art, ahead of the state of the art.
    Mr. Stupak. I don't disagree with any of that. But then 
when we see reports from other offices indicating that our 
cyber security is sort of lacking, and if this is our 14th 
hearing over the last 8 years, when it comes to security, I'm 
very concerned--not just the physical, but maybe more so the 
cyber security which has taken on greater significance.
    And if our enemy is getting more sophisticated--well, I 
hope we're above the backboard, not above the rim. I'm not real 
confident we are at this point in time.
    Dr. Hunter, and then I'm going to go to Mr. Shimkus.
    Ms. Wilbanks. Mr. Chairman, if I may elaborate, please, 
sir.
    One of the things I mentioned in my opening statement was 
the fact that DOE and NNSA have now combined in their incident 
management, incident handling and identification to help keep 
us above the backboard, sir.
    Mr. Stupak. Right.
    Dr. Hunter.
    Dr. Hunter. Thank you, Mr. Chairman.
    Mr. Stupak. Turn that mic on, please. I'm sorry.
    Dr. Hunter. Mr. Chairman, we've all acknowledged the 
rightful concern about the cyber issue, as you just stated.
    One point I would like to add to what he just said: The 
laboratories and the DOE are working very closely together so 
they pool their expertise. If there's any evidence, as we watch 
very carefully, of things that might have been or could be 
exfiltrated, these people call each other and quickly analyze 
and try to understand the situation. In a way--so it's like a 
big team. When you address one place, you get the team of the 
other place that's quickly providing the benefit of their 
experience to try to understand what is happening and to 
respond to it.
    Mr. Stupak. I agree you're doing all that. I hope it works, 
but when I get figures like 400 million attacks a month, that's 
almost impossible to keep on top of. So I hope those sensors 
and filters really are doing their job.
    Mr. Shimkus.
    Mr. Shimkus. Thank you, Mr. Chairman.
    I think you can continue to hear from Members of Congress, 
hope that security is improving; but you also hear great 
skepticism over the years of Members being involved in some 
pretty big breaches.
    Let me ask the three directors of the labs, because, Dr. 
Miller, you mentioned a blue network. Or the--all labs being 
unique, as I understand, Dr. Anastasio, Dr. Hunter, are you 
developing blue networks? Are there best practices? Do you 
communicate and share information to make you all better?
    Mr. Anastasio. Yes, sir, very much.
    And so at Los Alamos we--as I said, we're building a 
further segmented element of our segmented network on our 
yellow network. That's conceptually equivalent to what Lawrence 
Livermore is doing with their blue network. We haven't given it 
a name of a color; it's essentially the same thing. But--we're 
using slightly different approaches to accommodate the 
differences we have, but it's really the same thing.
    But as far as sharing goes, absolutely we share--we, the 
three of us, talk together. We've talked about this issue for 
years amongst ourselves, about how to approach it. Even more 
important, our technical staff is in constant contact with each 
other.
    When we had a concern about a penetration of the yellow 
network, we had, in fact, people from Sandia to come up to Los 
Alamos to actually work in our team. So it's an example of how 
we're working together.
    Mr. Shimkus. The other thing is time frame. When we're 
talking about sensitive information and--yeah, good lessons 
learned; you're sharing information--time.
    Dr. Anastasio, I'm going to come back to you. But let me 
finish with Dr. Miller and Dr. Hunter. And then I'm going to 
come back to Los Alamos.
    Dr. Miller. Yes. I think the question you raise is a very 
important one. And as Dr. Anastasio said, we work very, very 
hard. We're very cognizant of the technical approaches that 
both Los Alamos and Sandia have taken. They have developments 
that--we are watching very carefully; when those developments 
mature to the point where they can be adequately assessed, we 
will frequently move those across from one laboratory to the 
other.
    We share people. We share information. So there's a very, 
very tight coupling between the three of us and again, as we 
have said before, with the NNSA/DOE and the much broader 
Federal community in this area.
    Dr. Hunter. Thank you. I think I commented on the sharing 
and the working together. I will comment on your specific 
question about the best practices.
    The existence of a three-level network--the unclassified, 
the yellow network, as we just described and the classified--
is, in fact, a best practice developed by the laboratories, 
which we feel is somewhat unique and important.
    Secondly, we have not decided to go to a blue network at 
this point. But what we have decided to do is much like what 
Mike Anastasio said, emphasize stronger segmentation of the 
yellow network to really be sure the need-to-know controls are 
in place, and emphasize then monitoring of information coming 
and going into that network.
    And then finally to really look at this question of what do 
foreign nationals particularly need in terms of their 
requirements to work at the laboratory, say, on broad science? 
Sometimes it's limited to things like payroll and benefit 
information, which you can really segment very strongly.
    So the combination of those things, we think, will lead us 
to the proper decision.
    Mr. Shimkus. And let me follow up.
    We don't want to get too--you know, just put all the burden 
on the foreign national debate, because a lot of our security 
breaches would--you know, are nationals--you know, born U.S. 
citizens. But, you know--and we--you know, this list is public 
on some of these. But the vetting process for those, I mean, 
they're still citizens of countries that we have identified as 
sensitive or nonsensitive. So the vetting has to be as good as 
we do when we give our security clearances, I would assume.
    Let me go to Mr. Borgia to respond to the vetting process 
of the individuals who are hired, both alien, visitors and 
citizens.
    Mr. Borgia. Sir, there is a vetting process that 
counterintelligence uses to look at foreign nationals who are 
coming into the complex.
    However, I think it would be better to talk about that in a 
classified setting, to give you a more detailed understanding 
of what we do. The security program is responsible for 
conducting backgrounds of other persons who are hired, you 
know--
    Mr. Shimkus. And that's fine. We'll have that opportunity. 
So thank you.
    Let me go to Dr. Anastasio because you're the one who 
obviously was the subject of the most recent report. And I 
think our position is, anyone who's been, you know, in an 
executive position and you--and the inspector general comes 
down or--in the military, a former Army officer or someone from 
the corporate headquarters, who is doing that same thing, 
they've identified numerous deficiencies.
    I guess this thing was finally left in December. So then 
the compilation of the report, their analysis, finished just a 
month ago; and then this is a very recent--you know, a 
publication of September 2008.
    So if we would go through it, you know, starting on page--
although a risk assessment was completed, it was not 
comprehensive. Are we now able to say that the risk assessment 
is now comprehensive?
    Mr. Anastasio. Yes, we are. As part of our process to get 
accreditation and verification with the process we have with 
NNSA, we have gone through a very formal set of risk 
assessments, and we are--for all our networks and all our 
activities on the yellow network, as well, of course, as the 
classified network. And we are just now completing that. We'll 
be done in December, and we'll finish the full accreditation 
and certification of all our systems.
    But we've gone and taken other steps in response to the 
GAO.
    Mr. Shimkus. I'll just keep following, because that's what 
you hear by Members, you know, guidelines. You know, if I was 
the--you know, the Secretary of Energy, I would say not good. 
These are the deficiencies. When will they be resolved? And I 
think that's where Members are.
    So the other one is policies and procedures have 
shortcomings. Have the shortcomings been addressed?
    Mr. Anastasio. Yes, sir, they have. Again, we've done a 
comprehensive look for all the issues that are--at least in the 
draft report. Since the final just came out today, I haven't 
seen the final, but we have certainly seen the draft report, 
and we are already responding to all of the issues that have 
been raised in that report, including more stringent 
protections, reducing the number of ports that are active, more 
robust cyber detection. We've changed our policies and made 
them more clear, as I said in my--and comprehensive--in my 
opening statement. And we're just addressing all those things.
    Mr. Shimkus. OK. Because my time's short and there are 
going to be votes, so you understand the point. I would then 
just turn to the other directors. And it would make common 
sense for you all to review the report from that position and 
relook at your own processes and procedures.
    Quickly, if you'd like to, sir.
    Dr. Miller. Yes. Again, we certainly are aware, have read 
the draft report and have reflected it on ourselves. We will do 
the same thing with the final report that just came out.
    Mr. Shimkus. The primary job, other than passing the laws 
of the land--and we are justly criticized for not doing a good 
job in oversight. This is our job; this is what we're supposed 
to be doing. And so that's why we're continuing to be on this.
    Sir, do you want to add?
    Dr. Hunter. Yes, sir.
    I just agree. We share the same challenges, and we'll 
derive the same lessons learned from every activity.
    Mr. Shimkus. You all were out with the rest of the folks 
when the first panel was being asked, and we did spend a lot of 
time on the yellow network. I did talk about e-mails and 
attachments and the Trojan horses and all these things that 
some of us are just getting to understand and those types.
    A lot of the responses were that we monitor what is--my 
impression, just trying to pay attention, was, we monitor 
what's being sent out. We grab it, and we segregate it. We hold 
onto it.
    So it just led me to the question, if we grab and hold onto 
it, do we grab and hold onto it before it gets out to the 
system, or it's going out the door, so we at least know what we 
lost?
    Who wants to respond to that question? We know what we 
lost. Is that really what we're talking about?
    Mr. Pyke. Mr. Shimkus, in quite a number of cases we are 
able to actually block the outgoing transmission before it 
takes place. There are occasions where we learn about it after 
the fact or block it when it's partway out. But we are able, 
through the collaboration that's been discussed by various 
members of the panel; and through an active collaboration with 
the counterintelligence folks, we are able to work together not 
just week by week, but in near real time, to use the 
information we have to block outgoing attempted exfiltration of 
information.
    Mr. Shimkus. And Mr. Chairman, if I may, I just want to end 
up with--the inspector general testified about incomplete 
certification and accreditation. We're kind of raising some of 
that at the labs about incomplete implementation by the 
Department of Federal cyber security policies, especially for 
DOE and for NNSA.
    What's your response to these findings?
    Ms. Wilbanks. NNSA has implemented new policy as of May 
2008 that completely strengthens the certification and 
accreditation process. It also strengthens some of the 
requirements and restrictions on the yellow network. And the 
labs are in the process of implementing this policy at this 
time.
    Mr. Shimkus. Go ahead.
    Mr. Pyke. Mr. Shimkus, if I may, we have a comprehensive 
set of requirements DOE-wide in the cyber security area; 
always, of course, looking to improve them and to add to them, 
but they are in place.
    And it's my understanding in working with Dr. Wilbanks and 
her staff and my personal observations that NNSA not only 
follows these requirements, but given the nature of the mission 
of NNSA, they frequently strengthen them to provide protection 
against the special risks faced by NNSA programs.
    Mr. Shimkus. You know, the inspector general recommends 
time frames and benchmarks. I mean, would you agree with his 
recommendation? And if you do, do you have them? And if you do, 
would you supply those to the committee?
    Ms. Wilbanks. Yes, sir. We do agree. Yes, sir. We do have 
them. And yes, sir, we will supply them.
    Mr. Shimkus. Thanks. Thanks, Mr. Chairman.
    Mr. Stupak. Thank you, Mr. Shimkus.
    Mr. Borgia, if I may, we had some questions of the first 
panel--Mr. Friedman, in particular--about the letter that was 
sent to Mr. Dingell by a former senior counterintelligence 
officer at Lawrence Livermore.
    Are you familiar with that letter at all?
    Mr. Borgia. Yes, Mr. Chairman, I am.
    Mr. Stupak. What's your reaction to it, especially when 
they say that as a result of the changes, vulnerability of DOE 
personnel and facilities to hostile intelligence entities has 
increased exponentially?
    Mr. Borgia. I couldn't hear the first part of the--
    Mr. Stupak. That as a result of the changes at DOE, the 
vulnerability of DOE personnel and facilities to hostile 
intelligence entities has increased exponentially.
    Mr. Borgia. That would be wrong, Mr. Chairman.
    Mr. Stupak. That would be wrong?
    Mr. Borgia. Yes.
    Mr. Stupak. And the letter cites about five different 
examples.
    Mr. Borgia. Sir, I can give you in a classified hearing 
great examples of the success that this program is experiencing 
right now that collectively have not been experienced 
throughout the rest of the 10 years of the program.
    We have an extraordinary marriage with the FBI. The FBI is 
dedicated, as I mentioned myself, but also 20 other special 
agents who are agents in the labs included--including agents in 
the weapons labs.
    There has been--there's been extraordinary connection with 
the Intelligence Community. And this program today has a much 
bigger profile in the Intelligence Community. The national 
counterintelligence executive has identified this as one of the 
top four programs. He'd always talked about this in briefings 
on the Hill as the ``top three programs.''
    Now he says the top four programs. That's DOE's 
counterintelligence program. There is a great new confidence in 
the counterintelligence program that is identified and 
experienced not only outside in the intelligence community, but 
I believe my colleagues in the Department as well as the 
Secretary and the NNSA Administrator would agree.
    Mr. Stupak. So you wouldn't agree that, if I can summarize 
what this individual who had 29 years experience with the FBI 
in this area, that the counterintelligence aspect of our 
security has been diminished while the intelligence gathering 
has increased at the expense of counterintelligence and DOE?
    Mr. Wilshusen. Yes. That would be wrong.
    Mr. Stupak. That would be wrong?
    Mr. Wilshusen. Yes. And, sir, I have almost 25 years in the 
FBI, worked counterintelligence, counterterrorism, and criminal 
investigative programs. I could sit, and I would be very happy 
to sit and talk about and give you the details in a classified 
setting about what the accomplishments of this program are.
    Mr. Stupak. Well, I wanted to raise it, and I am glad you 
are familiar with it because it probably will come up in our 
closed session, which we are going to go into soon.
    Mr. Shimkus, questions, please.
    Mr. Shimkus. Just a unanimous consent request for these two 
documents. I think the staff shared them with you. The one's a 
Foreign National Assignments with computer access. It just has 
a listing of all that. And another one, just to highlight the 
fact that we have U.S. citizens that are not good citizens 
also. There is a story today, an AP story: Scientist Accused of 
Selling Rocket Data to China, an AP story about that. I am 
asking unanimous consent to accept those.
    Mr. Stupak. Without objection, then--I'm looking for the 
date on this one here. Today's date, Scientist Accused of 
Selling Rocket Data to China, that will be made part of the 
record, that AP news story. And Foreign National Assignees With 
Computer Access, dated September 12, 2008, will also be made 
part of the record.
    [The information appears at the conclusion of the hearing.]
    Mr. Stupak. That is going to conclude the open part of our 
hearing. We are going to have a couple votes on the floor, so 
why don't we do this: Instead of reconvening in 10 minutes, I 
think, let's shoot for 2:00. We have got at least three votes 
on the floor; they are going to call them here in a second, and 
then we can meet in 2218. So let's meet in Room 2218 of the 
Rayburn Building at 2:00. And only those individuals who have 
appropriate Top Secret/Q level clearances that have been 
previously sent to the committee clerk and the House security 
will be admitted. So I will dismiss this panel then.
    And before we close this portion of the hearing, I ask 
unanimous consent that the hearing record will remain open for 
30 days for additional questions for the record. Without 
objection, the record will be open.
    I ask unanimous consent that Tabs 1 through 7 and Tabs 25 
and 26, those nonofficial use only exhibits of our document 
binder, be entered into the record. Without objection, the 
documents will be entered into the record.
    Mr. Stupak. That concludes the open portion of this 
hearing. We will recess until 2:00 and reconvene in Room 2218 
of the Rayburn Building for our closed portion of this hearing.
    [Whereupon, at 1:13 p.m., the subcommittee recessed to 
proceed in closed session at 2:00 p.m. the same day.]
