[Senate Hearing 110-619]
[From the U.S. Government Publishing Office]
S. Hrg. 110-619
PASSPORT FILES: PRIVACY PROTECTION NEEDED FOR ALL AMERICANS
=======================================================================
HEARING
before the
COMMITTEE ON THE JUDICIARY
UNITED STATES SENATE
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
JULY 10, 2008
__________
Serial No. J-110-105
__________
Printed for the use of the Committee on the Judiciary
U.S. GOVERNMENT PRINTING OFFICE
44-368 PDF WASHINGTON DC: 2008
COMMITTEE ON THE JUDICIARY
PATRICK J. LEAHY, Vermont, Chairman
EDWARD M. KENNEDY, Massachusetts ARLEN SPECTER, Pennsylvania
JOSEPH R. BIDEN, Jr., Delaware ORRIN G. HATCH, Utah
HERB KOHL, Wisconsin CHARLES E. GRASSLEY, Iowa
DIANNE FEINSTEIN, California JON KYL, Arizona
RUSSELL D. FEINGOLD, Wisconsin JEFF SESSIONS, Alabama
CHARLES E. SCHUMER, New York LINDSEY O. GRAHAM, South Carolina
RICHARD J. DURBIN, Illinois JOHN CORNYN, Texas
BENJAMIN L. CARDIN, Maryland SAM BROWNBACK, Kansas
SHELDON WHITEHOUSE, Rhode Island TOM COBURN, Oklahoma
Bruce A. Cohen, Chief Counsel and Staff Director
Stephanie A. Middleton, Republican Staff Director
Nicholas A. Rossi, Republican Chief Counsel
C O N T E N T S
----------
STATEMENTS OF COMMITTEE MEMBERS
Feingold, Hon. Russell D., a U.S. Senator from the State of Wisconsin, prepared statement
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont
    prepared statement
Specter, Hon. Arlen, a U.S. Senator from the State of Pennsylvania
WITNESSES
Duda, Mark W., Assistant Inspector General for Audits, Department of State, Washington, D.C.
Geisel, Harold W., Ambassador and Acting Inspector General, Department of State, Washington, D.C.
Raul, Alan Charles, Partner, Sidley Austin, LLP, Washington, D.C.
Rotenberg, Marc, Executive Director, Electronic Privacy Information Center, Washington, D.C.
Schwartz, Ari, Vice President, Center for Democracy & Technology, Washington, D.C.
QUESTIONS AND ANSWERS
Responses of Ambassador Geisel to questions submitted by Senators Specter, Leahy and Kennedy
Responses of Alan Charles Raul to questions submitted by Senator Specter
Responses of Marc Rotenberg to questions submitted by Senators Specter and Feingold
Responses of Ari Schwartz to questions submitted by Senators Feingold and Specter
SUBMISSIONS FOR THE RECORD
Duda, Mark W., Assistant Inspector General for Audits, Department of State, Washington, D.C., statement
Geisel, Harold W., Ambassador and Acting Inspector General, Department of State, Washington, D.C., statement
Kennedy, Patrick F., Under Secretary of State for Management, Department of State, Washington, D.C., letter
Raul, Alan Charles, Partner, Sidley Austin, LLP, Washington, D.C., statement
Rotenberg, Marc, Executive Director, Electronic Privacy Information Center, Washington, D.C., statement
Schwartz, Ari, Vice President, Center for Democracy & Technology, Washington, D.C., statement
PASSPORT FILES: PRIVACY PROTECTION NEEDED FOR ALL AMERICANS
----------
THURSDAY, JULY 10, 2008
U.S. Senate,
Committee on the Judiciary,
Washington, D.C.
The Committee met, pursuant to notice, at 10:03 a.m., in
room SD-226, Dirksen Senate Office Building, Hon. Patrick J.
Leahy, Chairman of the Committee, presiding.
Present: Senators Leahy, Cardin, and Specter.
OPENING STATEMENT OF HON. PATRICK J. LEAHY, A U.S. SENATOR FROM
THE STATE OF VERMONT
Chairman Leahy. Good morning. Today, the Committee is going
to hold an important hearing on the unauthorized access of
Americans' passport files. Millions of Americans, including, I
expect, every member of this Committee, entrust their personal
information to the State Department in order to obtain
passports and other services. We give a great deal of
information, but we trust our Government to protect the private
information of its citizens. But, sadly, the State Department
has failed to honor this duty. They have left millions of
ordinary Americans vulnerable to not only privacy violations
but to identity theft that could come from that and other
crimes.
Now, last week--while Americans were celebrating
Independence Day--the State Department's Acting Inspector
General issued a report finding that State Department workers
and contractors repeatedly accessed the passport files of
entertainers, athletes, and other high-profile Americans
without proper authorization. Now, I do not care whether it is
a well-known person or someone we have never heard of. Either
way it is wrong. And this revelation of passport snooping comes
after press reports in March that the passport files of three
Presidential candidates--Senators Obama, Clinton, and McCain--
were improperly accessed. Somebody running for office, as they
do, gives up enough of their privacy as it is. They ought to be
able to count on their own Government protecting it.
The Inspector General's findings raise serious concerns
about possible violations of the Privacy Act and other Federal
laws. And according to the report, 85 percent of the passport
records included in a sample of high-profile Americans had been
searched at least once--and many files were searched multiple
times--during a 5 1/2-year period. In fact, one individual's
passport records were searched 356 different times by 77
different people.
The Inspector General's report reveals that the records of
millions of ordinary Americans are also vulnerable to privacy
breaches. There are no checks in the system to even determine
if the passport files of the average American are accessed.
Now, these files, just so we fully understand, contain name,
date and place of birth, and Social Security numbers. As some
of the experts on the Internet and data privacy know, these are
the kinds of facts somebody wants when they want to steal your
identity. But the State Department does not have a general lack
of policies, procedures, guidance, and training to stop it.
According to the report, the Department's Passport Information
Electronic Records System--PIERS--contains the passport records
for approximately 127 million passport holders. Now that our
Government is requiring us to have passports even to go into a
friendly country, like Canada, the number of passport files to
protect grows.
The State Department could not readily identify the
universe of Government workers and contractors who have access
to this information. The Inspector General estimates that this
figure exceeds 20,000 Government employees from various
agencies and outside contractors. We might as well just post
this stuff on billboards all over the country. And the tip of
the iceberg in this report is the fact that passport
information is shared with other agencies, and we have no idea
what procedures are followed to protect information once it
leaves the State Department. So here, sure, take all this
information, bring it back someday. It has got to be better
than that. The State Department Inspector General has referred
this serious matter to the Justice Department. I made it very
clear to the Attorney General yesterday that I hope the
Department's Criminal Division will investigate this
thoroughly. If criminal violations have occurred, people ought
to go to jail.
The lax data security at the State Department is not
unique. A week does not go by without reports of personal data
privacy breaches at Government agencies and private businesses.
Just recently, we had front-page headlines with news about the
theft of sensitive medical information from the National
Institutes of Health, and earlier reports of data breaches have
involved virtually every branch of our Federal Government. I
just cannot imagine this. You might as well just open up the
files and leave them out on the street corner and say, ``Here,
help yourself.''
The Inspector General's report is just the latest example
of why we should have swift action on the Leahy-Specter
Personal Data Privacy and Security Act. Senator Specter and I
put this together. It is a comprehensive privacy bill that
would help to prevent data security breaches and provide
further protections in the handling of Americans' private data.
And I hope that the Senate will promptly pass it.
Data privacy and security at our Federal agencies is a
serious and growing problem. We have to address it. So we have
to understand not only what went wrong at the State Department
but elsewhere. And I am glad the Department's Acting Inspector
General and Assistant Inspector General for Audits are here to
share their findings. And we have a distinguished panel of
privacy experts. And then I hope we will end up passing the
Leahy-Specter bill.
[The prepared statement of Senator Leahy appears as a
submission for the record.]
With that, I will turn to Senator Specter.
STATEMENT OF HON. ARLEN SPECTER, A U.S. SENATOR FROM THE STATE
OF PENNSYLVANIA
Senator Specter. Thank you. Mr. Chairman, I commend you on
calling this hearing so promptly. The Inspector General's
report was issued on July 7th. This is July 10th. That is
pretty unusual for an oversight committee to move into a field.
But I think the implications of this matter warrant it.
On every turn, we find that privacy is in jeopardy.
Yesterday we enacted followup legislation on the Foreign
Intelligence Surveillance Act, which goes further than we had
in the past. And when you deal with national security, there
are very weighty factors. But where you have snoopers, there is
absolutely no justification for what they are doing. And,
regrettably, when you take a look at all of the snoopers, it is
sort of overwhelming.
Just last month, sensitive information on about a thousand
patients at Walter Reed Army Medical Center exposed a security
breach. Last year, thieves stole a Transportation Security
Administration computer containing information on some 100,000
current and former employees. The Department of Agriculture 2
years ago exposed 26,000 employees, contractors, and retirees
to an invasion of privacy. Also in 2006, hackers stole data
from the Defense Department system on 14,000 active-duty and
retired servicemembers' dependents. And the list goes on and
on. There is obviously a great interest in personalities and
high-profile people, but we have to do something very forceful
to stop it.
I was intrigued by one of the statistics in the IG's
report, Inspector General's report, that the records of one
individual were accessed a total of 356 times by 77 users
between 2002 and 2008. I would like to know who that was. Maybe
I would be interested in that myself.
[Laughter.]
Senator Specter. There must be something very fascinating,
perhaps even lurid, about that particular individual.
But one of the great values in our society is privacy, and
vigilance is the cost of being effective at protecting it. So I
am glad to see our Committee moving ahead, Mr. Chairman, and I
am glad to cooperate with you in expediting this important
hearing.
Chairman Leahy. Well, it would be impossible to move
forward on this without you, and you have been so good on the
privacy bill. You know, in Vermont, we tend to respect our
privacy a great deal, and I will put this story in perspective.
I live on a dirt road, an old 1850s farmhouse we have had for
over 50 years, a lot of land, fields, and whatnot. And
adjoining farmers hayed the fields and so on since I was a
teenager. And this was a story in the New York Times. It is the
only thing I think was ever written about me that I have
actually saved, even framed, and it goes almost this way.
It was a Saturday morning. A little farmer was standing on
the porch. A reporter in an out-of-State car pulls up and says,
``Does Senator Leahy live up this road?'' He said, ``Are you a
relative of his?'' He said, ``No. No, I am not.'' He said,
``Well, are you a friend of his?'' ``Well, not really.'' ``Is
he expecting you?'' ``No.'' ``Never heard of him.''
[Laughter.]
Chairman Leahy. So we love our privacy.
Senator Specter. Well, Senator Leahy, as I understand it,
the ``fahrm''--also known as the ``farm''--is expansive enough
so that you can hide.
Chairman Leahy. That it is.
We are fortunate this morning. Our first witness is
Ambassador Harold Geisel. Ambassador Geisel currently serves as
the Acting Inspector General for the Department of State. He
assumed the duties of Deputy Inspector General for the
Department of State and the Broadcasting Board of Governors in
June of this year. He is a career Department of State foreign
service officer. He has dedicated more than 20 years to the
Department. In 1994, Ambassador Geisel was assigned as Acting
Inspector General of the State Department. He held the position
of Deputy Assistant Secretary of State for Information
Management from 1995 to 1996, during which he directed the
development of the Department's first IT strategy plan. He
served as our Ambassador to Mauritius from 1996 to 1999, received
his bachelor's degree in liberal arts from Johns Hopkins
University and his master's degree in finance from the
University of Virginia. And I saw Senator Cardin of Maryland
smile when I mentioned Johns Hopkins.
Please go ahead, Ambassador.
STATEMENT OF AMBASSADOR HAROLD W. GEISEL, ACTING INSPECTOR
GENERAL, DEPARTMENT OF STATE, WASHINGTON, D.C.
Ambassador Geisel. Chairman Leahy, Ranking Member Specter,
Senator Cardin, thank you for inviting me to discuss with you
the privacy concerns reported in the results of our review of
controls over access to passport records in the Department of
State's Passport Information Electronic Records System, or
PIERS. The full report has been provided to the Committee.
In March 2008, media reports surfaced that the passport
files maintained by the Department of State of three U.S.
Senators, who were also Presidential candidates, had been
improperly accessed by Department employees and contractors. On
March 21, 2008, the Office of Inspector General, Office of
Audits, initiated a review of Bureau of Consular Affairs
controls over access to passport records and issued the final
report 1 week ago, on July 2nd. The OIG made 22 recommendations
to address the control weaknesses, and the Department concurred
with 19 of them, partially agreed with one, and did not agree
with two recommendations.
OIG found many control weaknesses--including a general lack
of policies, procedures, guidance, and training--relating to
the prevention and detection of unauthorized access to passport
and applicant information and the subsequent response and
disciplinary processes when a potential unauthorized access is
substantiated.
As of April 2008, PIERS contained records on about 192
million passports for about 127 million passport holders. These
records include personally identifiable information, or PII, as
it is known, such as the applicant's name, gender, Social
Security number, date and place of birth, and passport number.
PIERS also contains additional information, such as previous
names used by the applicant, citizenship status of the
applicant's parents or spouse, and scanned images of passport
photos. PIERS offers users the ability to query information
pertaining to passports and vital records, as well as to view
and print original copies of the associated documents. As a
result, PIERS records are protected from release by the Privacy
Act of 1974. Unauthorized access to PIERS records may also
constitute a violation of the Computer Fraud and Abuse Act.
At the time of the publicized breaches, neither Consular
Affairs nor the Department had implemented breach notification
policies, procedures, or other criteria for reporting incidents
of unauthorized access of passport records when they were
detected. However, between March and May 2008, Consular Affairs
and the Bureau of Administration took a number of corrective
actions, including issuing interim guidance on the various
steps to be followed and decisions to be made in response to a
potential incident of unauthorized access to passport records
and applicant personally identifiable information, and they
issued a Department-wide PII breach response policy.
While these immediate actions taken are commendable, OIG
has recommended that the Department conduct the necessary
vulnerability and risk assessments of all passport systems
given the weaknesses and data vulnerabilities identified in
this review of PIERS. Accordingly, OIG believes that the
Department should make resources available to conduct the
assessments as quickly as possible.
OIG also recommended that CA ensure the accuracy of its
Privacy Impact Assessments for PIERS and for all other passport
systems to accurately reflect security controls for and risks
to personally identifiable information.
I would like to introduce Mr. Mark W. Duda, Assistant
Inspector General for Audits, who led this review, and he will
provide a summary of the findings.
Thank you for the opportunity to present this timely
information to you today. Following Mr. Duda's remarks, we
would be happy to answer any questions you may have.
[The prepared statement of Ambassador Geisel appears as a
submission for the record.]
Chairman Leahy. Thank you, Ambassador. And, of course, Mr.
Duda, prior to being at the Department of State, was senior
evaluator in the Department of Treasury Office of Inspector
General, as well as auditor in charge at the Smithsonian
Institution's Office of Inspector General. And, Senator Cardin,
you will be interested in knowing he received a bachelor of
science degree in accounting from the University of Maryland
and a master of business administration from the University of
Baltimore.
Senator Cardin. I am glad to see that we are getting the
best talent in the Nation working for us.
[Laughter.]
Chairman Leahy. Mr. Duda, why don't you go ahead, and then
we will start with the questions.
STATEMENT OF MARK W. DUDA, ASSISTANT INSPECTOR GENERAL FOR
AUDITS, DEPARTMENT OF STATE, WASHINGTON, D.C.
Mr. Duda. Chairman Leahy, Ranking Member Specter, members
of the Committee, thank you for the opportunity to discuss the
results of our review of controls over access to passport
records in the Department of State's Passport Information
Electronic Records System, which is also known as PIERS. I will
be referring to that acronym periodically.
On March 21, 2008, following the first reported breach of a
Presidential candidate's passport records and at the direction
of the former Acting Inspector General, the Office of Inspector
General, Office of Audits, initiated this review of the Bureau
of Consular Affairs controls over access to passport records in
PIERS. Specifically, this review focused on determining whether
the Department: one, adequately protects passport records and
data contained in PIERS from unauthorized access; and, two,
responds effectively when incidents of unauthorized access do
occur.
During fiscal year 2007, the Department issued about 18.4
million passports domestically and participated or assisted in
the issuance of about 365,000 passports overseas.
According to Consular Affairs officials, there were about
20,500 users with active PIERS accounts as of May 2008, and
about 12,200 of these users were employees or contractors of
the Department. PIERS is also accessed by users at other
Federal departments and agencies, including the Department of
Homeland Security, the Federal Bureau of Investigation, and the
Office of Personnel Management, to assist in conducting
investigations, security assessments, and analyses.
In our review, OIG found many control weaknesses--including
a general lack of policies, procedures, guidance, and
training--relating to the prevention and detection of
unauthorized access to passport and applicant information and
the subsequent response and disciplinary processes when a
potential unauthorized access is substantiated.
In some cases, Department officials stated that the lack of
resources contributed to the lack of controls and to the
Department's ability to assess vulnerabilities and risk. OIG
described some security and management practices utilized by
both the Internal Revenue Service and the Social Security
Administration as examples where similar improvements could be
made by the Department.
OIG made 22 recommendations to address the control
weaknesses found with safeguarding passport records. We did not
verify instances of unauthorized access, but we did conduct a
judgmentally determined study to identify the frequency with
which the records for 150 high-profile individuals were
accessed in PIERS between September 2002 and March 2008. Our
results revealed several patterns that raised serious concerns
about the potential for undetected unauthorized access to
passport records. Of the 150 names included in the study, OIG
found that the records of 127 individuals, or 85 percent, had
been accessed at least one time. The results showed a total of
4,148 hits to the passport information for these 150
individuals. OIG made no determination as to whether the hits
represented authorized or unauthorized access. Additionally,
although an 85-percent hit rate appears to be excessive, the
Department currently lacks any criteria to determine whether
this is an unusually high rate.
As stated by the Acting Inspector General, following the
publicized passport record breaches, the Department implemented
a number of corrective actions and has other efforts planned,
as we have detailed in the report.
Based on the responses from Department officials, of the 22
recommendations made, the Department has agreed with 19 of those
recommendations; they partially agree with one recommendation;
and they disagreed with two recommendations. To ensure adequate
and timely action, OIG will conduct a full compliance followup
review of the Department's implementation of the
recommendations in this report, as well as Consular Affairs'
process for reviewing possible unauthorized accesses by users
as identified in our study.
Thank you for the opportunity to appear before you today. I
would be happy to answer any questions you have.
[The prepared statement of Mr. Duda appears as a submission
for the record.]
Chairman Leahy. Well, thank you. As I sort of indicated
before, I will start with you, Ambassador. I know the State
Department has placed a number of celebrities on a special
watchlist, and dignitaries watch out for that. I am just as
concerned by the person we do not know the name of who lives
down the street, works in a store, or whatever else, because
they have also given all this information up. And it is one
thing with a watchlist. They are not on that watchlist. Isn't
it virtually impossible to know if the passport files of
ordinary American citizens have been improperly accessed?
Ambassador Geisel. Senator, that is really the key
question. The answer is we have the ability to know if they
have been accessed. We do not at this time know if they have--
whether the access is authorized or unauthorized, and a crucial
part of our recommendations is that we have to know that.
Chairman Leahy. Yes, because it is one thing to go and look
back and say, OK, pick out passport number 2936000 or whatever
and find that. But I am thinking of--for example, if somebody
wants to--well, I will check on my neighbor or my former
boyfriend or girlfriend, or somebody may have a more nefarious
thing, I want to get this information, I know where this person
lives, they are fairly wealthy, I want to get this information
and sell it to somebody who will probably pay a lot of money
for it because they are going to use it to clean out their bank
account. I mean, there is nothing to ring alarm bells when that
happens. Is that correct?
Ambassador Geisel. As it stands right now, Senator, that is
absolutely correct, and that is why I think one of our most
important recommendations is that the Department take a look at
software that does work, such as is used currently by the
Internal Revenue Service or the Social Security Administration.
Chairman Leahy. And we know in the past that the Internal
Revenue Service had a problem with this. People were looking at
the tax returns of movie actors and all, and usually it was
just because it is kind of fun to find out. But if they can do
that, they can also get the person who runs the local grocery
store.
Mr. Duda, the State Department has brought in a lot of
contractors for this surge capacity in processing passport
applications, especially when it decided that our neighbor to
the north, Canada, the most friendly country we have ever been
involved with, poses such a threat that we have all got to
start having passports to go there. That is a political comment
to the aside only because I think the policy is ridiculous. But
as a result, a lot of outside people were hired.
Is there a greater vulnerability to snooping if you are
using outside contractors because you do not have the kind of
leverage that you might have in the State Department? If you
find a State Department employee doing it, they can be
disciplined. They can be fired. They can be whatever else. But
is there greater concern because we have had to rely so much on
outside contractors?
Mr. Duda. There could be, but there are actually controls
you can put in place. Obviously, if the Department is
soliciting the services of a contractor, they are entering into
a contract with a vendor, you know, the Department is paying
the vendor. The Department writes the contracts. The Department
can put whatever, you know, is legally feasible into a
contract. And one of the things that can be put in the
contracts is adequate controls to ensure that contractors have
access to this data.
Chairman Leahy. Has that been done?
Mr. Duda. Partially.
Chairman Leahy. Partially. And shouldn't we make sure that
if we are going to have penalties, criminal or otherwise, that
they be the same whether you are somebody in the State
Department or somebody in a private contractor?
Mr. Duda. Absolutely.
Chairman Leahy. Thank you. And in that regard, Ambassador,
the Attorney General suggested that DOJ will open a criminal
investigation into the passport breaches involving the three
Presidential candidates based upon the referral from your
office. Are there going to be more referrals from your office?
Ambassador Geisel. We don't comment on investigations, but
there will certainly be referrals where we feel that a case can
be made to the Justice Department and that the Justice
Department has reasonable probability of achieving a good
prosecution.
Chairman Leahy. Both Senator Specter and I are former
prosecutors, as are a number of the people on this Committee,
and, frankly, in this kind of thing, I think some well-placed
prosecutions with the use of the criminal code may be as much
of a deterrent as you can imagine.
Senator Specter?
Senator Specter. Thank you, Mr. Chairman.
Has anybody been caught?
Ambassador Geisel. Yes, sir. Those were the referrals that
were made.
Senator Specter. And what happened as a result of their
being identified, apprehended, and caught?
Ambassador Geisel. Excuse me, sir.
[Pause.]
Ambassador Geisel. If these people have actually been
referred to Justice, I--
Senator Specter. No, I don't want to know ``ifs.'' I want
to know if you have apprehended people and they have been
caught. That is what I want to know.
Ambassador Geisel. The answer is yes, sir.
Senator Specter. And how many?
Ambassador Geisel. Five so far, but it is very much of an
ongoing investigation, and I am sure--
Senator Specter. Only five.
Ambassador Geisel. So far.
Senator Specter. And have there been prosecutions against
those individuals?
Ambassador Geisel. I am not aware of what Justice is doing
with those referrals.
Senator Specter. Well, Ambassador, you ought to be. You
ought to followup as to what the Department of Justice is
doing. We would like to know that.
Let me talk to the witness, if I may. I only have 5
minutes. What is the motivation behind this, if you know? Is it
just curiosity? Is it just snooping? Why so many invasions of
privacy here?
Ambassador Geisel. Well, I hope it is just snooping. I
suspect--
Senator Specter. No, no. I don't want to know what you
hope. What evidence do you have as to what motivates people to
do this?
Ambassador Geisel. I don't think we know yet what motivated
these particular people to snoop.
Senator Specter. Well, have they been questioned?
Obviously, they have been. What has the interrogation of these
people disclosed?
Ambassador Geisel. So far it is snooping, sir.
Senator Specter. So far what?
Ambassador Geisel. It is snooping, just as you said. It is
snooping. It is peeping. We don't have any evidence that the--
which is what I worry about, that someone would do this, for
instance, for the purpose of perpetrating identity fraud.
Senator Specter. Well, is the Department of State making a
real effort to push prosecutions? Prosecutor Leahy might say to
you that if you get a conviction, you deter some people from
doing it. I certainly would say that.
Ambassador Geisel. Amen, Senator. I cannot think of a
better way--I think there are two--
Senator Specter. So what have you done to pursue
prosecutions to try to have some deterrence?
Ambassador Geisel. We have referred them to the Justice
Department.
Senator Specter. Have you followed up? We write lots of
letters to the Department of Justice. Senator Leahy had a whole
portfolio of them yesterday talking to the Attorney General.
There has to be followup. This is a primary responsibility of
the Department of State, and the Department of State ought to
pursue it.
Ambassador Geisel. I absolutely agree with you, Senator.
Senator Specter. Well, what do you plan to do about it?
Ambassador Geisel. I think the best answer is that we, A,
intend to followup but, B, intend to put in a much better
system or recommend--
Senator Specter. Well, a better system we have talked
about, but where you have the specific cases, would you give a
report to the Committee within 30 days on the issue of followup
and what has happened?
Ambassador Geisel. Absolutely, sir.
Senator Specter. I note that the penalty for looking for
commercial advantage or financial gain is increased to 5 years.
It is 1 year otherwise. Has there been any showing that any of
these invasions of privacy were motivated by commercial
advantage or financial gain?
Ambassador Geisel. Not yet, sir, but as I said, that is our
greatest worry.
Senator Specter. Have you pursued the issue as to whether
somebody is looking for financial gain?
Ambassador Geisel. Yes, sir, but as I said, so far it
appears to be peeping.
Senator Specter. When you have the evidence of unauthorized
disclosure, do you go to the individuals whose files have been
tampered with to see if they have any indication that they have
been prejudiced in any way by what has happened?
Ambassador Geisel. That is part of an ongoing
investigation, and I am sure you understand that I--
Senator Specter. I understand. I am not asking you about
specific cases. I am asking about procedures. I am not asking
you about a specific case.
Ambassador Geisel. Yes, sir.
Senator Specter. I would not intrude on that.
Ambassador Geisel. I understand. I don't know that we
have--let me ask our people. Have we gone to specific
individuals?
The answer is--as you advised, I will not discuss it in
detail, but the answer is yes, we have done so.
Senator Specter. The answer is yes to which question?
Ambassador Geisel. The answer is yes, we have spoken with
individuals to see if they were affected by the--
Senator Specter. I am not asking you about any specific
individuals. Have you found any individuals who have been
prejudiced aside from--just an invasion of privacy is a
prejudice all by itself. But beyond that, have they lost
financially? Have they had anything specific happen as a result
of the unauthorized disclosure or snooping on their records?
Ambassador Geisel. We have not--that is a negative, sir. So
far, no one has advised that they have been adversely affected
in a financial sense by the snooping.
Senator Specter. Well, as a final comment--my red light is
on--I would urge you to get tough about it and to follow up.
Ambassador Geisel. Absolutely.
Senator Specter. And reports are not sufficient. When
Congress is providing criminal penalties, you have a real
hammer, and you ought to be using it. If you would supply in
writing any recommendations you have for modifications of the
statute, I think the Committee would appreciate that.
Thank you very much, Ambassador. Thank you, Mr. Duda.
Thank you, Mr. Chairman.
Chairman Leahy. Thank you.
Senator Cardin?
Senator Cardin. Thank you, Mr. Chairman. I certainly agree
with your comments and Senator Specter's comments, and I want
to follow up on Senator Specter's points.
First of all, I want to thank both of you for what you are
doing in helping us to put in the right procedures to make sure
this never happens again. But I just want to underscore the
point that Senator Specter has made. When we had similar
problems in other agencies--I think about laptops that were
taken out of offices and that contained sensitive data that
went missing--we were not clear as to what was being done with
that sensitive information, which included Social Security
numbers. We know that identity theft is one of the largest
criminal problems we have in our community today. We know that
the information contained in passport files would be very
valuable for people who want to participate in identity theft.
As Senator Leahy has said, we know that the information could
be valuable for criminals who want information about potential
targets. So the vulnerability is there with the information,
and that is why it is particularly sensitive.
I think your testimony has raised a lot more questions than
we have the answers to. Obviously, someone who does this for
curiosity to peep in someone else's records is wrong and needs
to be disciplined. But if they are doing it for financial
reward, if it is part of criminal activities, then that is a
much more serious issue, and we want to know about that also.
I also believe--and I know there is a large volume of
people whose records have been accessed without authorization.
But I think to a certain degree those individuals are entitled
to know that. And although in a criminal investigation you may
be looking at a specific number of cases in order to get the
cooperation of the individuals whose records were accessed
without authorization, I do think if someone looked at my
passport records, I have a right to know that.
So are any steps being taken in order to notify the
individuals whose records were accessed without authorization so that
they are on record, first, that that was done and, second, to
be alerted to potentially being a victim to other types of
activities such as identity theft?
Ambassador Geisel. To date, Senator, the work that we have
done, we are not yet at the point, as Mr. Duda explained, that
we are certain that the access was unauthorized, although
obviously when you are talking about numerous breaches, it
seems a sure shot.
The problem will be--well, we cannot notify anyone until we
know that the access was unauthorized. In many cases, it would
have been authorized. For example, someone who often crosses
the border, the Homeland Security person will have a very good
reason for going back to that file. But we have a lot more work
to do.
Mr. Duda. One of the things I wanted to point out is that,
you know, management's responsibility is obviously to have a
system in place, have the controls to prevent unauthorized
access to, you know, PII information for all Americans. OIG's
role obviously is to oversee that and do testing and so forth.
In this review that we did, we identified such a large
number of potential unauthorized accesses and a control
environment that was limited, at best. We made significant
recommendations which the Department largely agree with and is
in the process of implementing. And one of the things they are
doing right now, they have told us--CIA officials have told us
that they are looking into all of the potential unauthorized
accesses from our case study, and then once the determination
that the Department makes, they will then make referrals to the
Office of Inspector General.
Senator Cardin. Let me make a recommendation. To the extent
that you determine that someone's passport records were
accessed, unauthorized, will you recommend that that individual
be notified that his or her records were inappropriately
accessed?
Mr. Duda. Yes, absolutely. I don't know whether that will
be a management responsibility, but OIG definitely--
Senator Cardin. Will you let us know whether that
recommendation is followed by the agency so that we know
whether, in fact, those who were victimized are at least aware
that they were victimized?
Mr. Duda. Yes. One of the corrective actions the Department
has already implemented is drafting a breach response policy,
and I don't recall the exact specifics, but--
Senator Cardin. I just want to make sure that we know
whether the victims, those whose records were accessed
inappropriately, will be notified, and whether you will be able
to follow up to let us know whether that, in fact, was carried
out by the agency.
Ambassador Geisel. We will make that recommendation,
Senator.
Senator Cardin. I appreciate it.
The second point, Mr. Chairman, just very quickly, we just
finished acting on the FISA statute, and it just raises a
question to me as to whether agencies are accessing passport
records for mass data collections. Is any of this involved in a
data collection system where there is routine information
gathered on our passport records as part of homeland security
or intelligence operations that you are aware of?
Mr. Duda. Not that I am aware of, but one of our concerns
in this review or any potential plans of sharing the data in
PIERS or any of the other passport systems with other agencies
for any purpose, we want to make sure that there are adequate
controls in place.
Senator Cardin. Will you also report back to us if your
review shows that there is mass data collections from the
passport records that are questionable from the point of view
of whether they are authorized by statute?
Mr. Duda. Absolutely.
Senator Cardin. Thank you.
Thank you, Mr. Chairman.
Chairman Leahy. Thank you very much, and if we have other
questions, we will submit them for the record. There is going
to be a roll call vote fairly soon, so if we seem to be
speeding along, that is why. But thank you both very, very
much. It helps us highlight the concern that we have here.
The next panel, if we could arrange to bring them up. This
panel of people are certainly known to this Committee. Marc
Rotenberg is the Executive Director of the Electronic Privacy
Information Center, EPIC, in Washington, D.C. He teaches
information privacy law at Georgetown University Law Center, an
excellent school, having graduated from there. He has testified
before Congress on such topics as encryption policy, consumer
protection, computer security, communications privacy. He
chairs the ABA Committee on Privacy and Information Protection.
He has served on several national and international advisory
panels, including expert panels in cryptography policy and
computer security for the OECD, legal experts in cyber space
law for UNESCO. He is a founding board member and former chair
of the Public Interest Registry, which manages the .org domain.
He also served as counsel, in full disclosure, an invaluable
member of my staff on the Senate Judiciary Committee. He is a
graduate of Harvard and Stanford Law School, the recipient of
more awards than I could even name, but that includes the World
Technology Award in Law.
Mr. Rotenberg, please go ahead.
STATEMENT OF MARC ROTENBERG, EXECUTIVE DIRECTOR, ELECTRONIC
PRIVACY INFORMATION CENTER, WASHINGTON, D.C.
Mr. Rotenberg. Thank you very much, Mr. Chairman, Senator
Cardin. I appreciate the opportunity to be here today.
We have a particular interest in the privacy of personal
information collected by Federal agencies, and as the recent
news stories and the report from the Inspector General have
made clear, the passport information that we are required to
provide to the Government is not adequately protected. And we
are particularly concerned about this because there are growing
demands on personal information by the Federal Government, and
with the increasing use of identification documents.
So it is not simply the passport information of
Presidential candidates or celebrities that is at issue. It is
the personal information of people who apply for a driver's
license, work in the Federal Government, or travel to Canada.
And for these reasons, we think that more needs to be done to
protect personal privacy, not only at the State Department but
also across the Federal Government.
Now, I think it is helpful to understand the background of
the particular incident at the State Department to put in
context what the Inspector General uncovered. It was back in
1992 when State Department officials were found to be going
through the passport files of then Presidential candidate Bill
Clinton to try to find embarrassing information. And there was
an investigation. The State Department subsequently dismissed
employees who were engaging in this activity. This is precisely
the concern about information that individuals provide to the
Federal Government that will be misused, that will be obtained by
identity thieves, or that will be used in ways that are simply
not appropriate.
So it was because of that 1992 incident that alarm bells
literally went off this spring at the State Department when it
was determined that the passport files of Senators Obama,
McCain, and Clinton had been improperly accessed. And I think
it is worth noting that all three Senators made statements at
the time about the importance of protecting the privacy of
personal information. In fact, Senator Obama himself said,
``One of the things that the American people count on in their
interactions with any level of government is that if they have
to disclose personal information, that it stay personal and
stay private.''
Now, the Inspector General's report, which was undertaken
pursuant to the March release of the passport information,
provides some useful information and some useful
recommendations. But I should point out that much of the report
has been redacted, that is to say, of the 22 recommendations
contained in the IG's report, only six, in fact, are available
for public review. There are many sections of the report that
have literally been blacked out. If I may show the Committee,
we have a few pages here from the report.
[Displays documents.]
This is a page labeled ``Sensitive but unclassified.'' The
top half of the page references the FOIA exemption (b)(2) as
the basis for withholding the information. The bottom does not
even bother with the (b)(2) designation. It just blacks out the
entire section of the report. This is problematic because, of
course, to evaluate the adequacy of the recommendations made by
the Inspector General, it is important to see the whole report.
Now, we have made--and it is included in my complete
statement--a series of recommendations. We do think there
should be auditing so that whenever there is access, those
access events will be recorded. We do think there should be
improved oversight. We think there needs to be some independent
evaluation of the privacy safeguards within the Federal
agencies, including the State Department. But I think most
importantly, the legislation S. 495, which you, Mr. Chairman,
cosponsored along with Senator Specter and was favorably
reported by this Committee, contains several very important
provisions that, if in force, might have actually prevented
this from occurring, because a big problem today at the State
Department is that a lot of the information processing is being
done by private contractors. The agency turns over to a private
company the responsibility for producing the passports, for
collecting the information for the passports, for inspecting
the information. And it is in that process of outsourcing the
Government function that the privacy concern arises. And so
this legislation, S. 495, actually puts in place disciplinary
requirements so that if these kinds of problems occur, people
can be held accountable, opportunities to review the contractor
relationship so that an agency can make a determination if the
contractor is doing enough to protect personal privacy.
One of the remarkable facts here is that just a few days
before the State Department revealed that three Presidential
candidates had their passport files improperly accessed, the
agency had renewed its contract with Stanley, the privacy
company, a 5-year deal for $570 million. I think if a company
cannot protect the personal information of American citizens
that it obtains, the agencies need to rethink some of those
contracts.
So thank you very much for the opportunity. I would be
pleased to answer your questions.
[The prepared statement of Mr. Rotenberg appears as a
submission for the record.]
Chairman Leahy. Thank you very, very much.
Ari Schwartz is the Vice President and Chief Operating
Officer of the Center for Democracy and Technology, CDT. He
works to promote privacy protection in the Digital Age while
expanding access to Government information through the
Internet. He is the leader of the Anti-Spyware Coalition, in
2006 was awarded the RSA Award for Excellence in Public Policy
for his work in building the Anti-Spyware Coalition and other
efforts against spyware. He has been named to the top five
Influential IT Security Thinkers of 2007 by Secure Computing
magazine, served as a member of the Department of Commerce
National Institute of Standards and Technology Information,
among others.
So, Mr. Schwartz, I am delighted you are here because I am
a bit of a bug or nag in my office on keeping spyware off our
computers.
STATEMENT OF ARI SCHWARTZ, VICE PRESIDENT, CENTER FOR DEMOCRACY
& TECHNOLOGY, WASHINGTON, D.C.
Mr. Schwartz. Thank you very much, Senator Leahy, and
Senator Cardin as well. Thank you for holding this important
public hearing and for inviting me to participate.
I would especially like to commend you, Mr. Chairman, on
how you opened this hearing. While the news reporting on the
subject of passport breach has focused on whether Presidential
candidates or other celebrities had their passport records
snooped through, the privacy and security of the passport
records of average individuals has received considerably less
attention, and you raised that in your opening statement and I
appreciate that.
As we heard earlier, there seems to be little to no
protection on how to prevent or detect the truly nefarious
activities which passport records such as stalking or identity
theft that we could see with this kind of browsing.
To address this problem, CDT suggests that Congress take
the same approach that it did 11 years ago when it was found
that IRS employees were browsing tax records. Congress should
increase oversight and civil and criminal penalties on passport
records. Just to send you to the right place, that is the
Taxpayer Browsing Protection Act of 1997 that I know the
Chairman and many other people on this Committee worked on.
The illegal browsing of passport records of Americans by
Government employees should be a major concern not only to the
millions of passport holders but to all Americans as it
suggests an inability of Government to protect privacy at the
highest levels.
The Inspector General's report pointed to many flaws in the
State Department's ability to protect privacy. CDT has raised
many of these same concerns over the past 3 years with the
State Department. For example, the Inspector General found that
the Privacy Impact Assessment for the passport data base was
just inaccurate. CDT wrote to Secretary Rice over a year ago to
raise concerns about Privacy Impact Assessments at the State
Department, and particularly the E-Passport program. We never
received a reply, and no changes to the PIAs were ever made.
CDT has since found incomplete and inaccurate information in
several other Privacy Impact Assessments on the Department of
State website.
The State Department must be held accountable for the
failures of its privacy program and encouraged to provide
resources and leadership so that it can be ensured that our
privacy is being protected when held by the State Department.
To prevent other serious breaches of public trust Congress
will need to address the roots of the problem by more closely
monitoring the State Department's collection of personal data.
While the State Department has clearly been a failing
agency across the board on privacy, there are several other
failing agencies as well. For example, one agency that CDT
spoke to told us that a privacy audit revealed that they had
lost track of half of their Privacy Act system of records. They
simply do not know where millions of personal records were that
were originally brought in by this agency. One retiring
security official from the Department of Interior explained
publicly, while discussing that agency's constant failures in
privacy and security reporting, ``We are promiscuous with our
data. We don't know where our data is.''
You can call this a privacy concern. You can call this a
security concern. You can call it a data management concern.
But to the American taxpayer, it is certainly called a failure.
CDT agrees with GAO's recent analysis suggesting that the
way to ensure privacy protection at agencies is through
improvement in existing Government privacy laws, oversight, and
leadership. To solve these problems beyond our initial State
Department specific suggestions, CDT recommends that Congress
work with the executive branch in the four following areas:
No. 1, expanding Privacy Act coverage and closing Privacy
Act loopholes.
No. 2, improving the quality of Privacy Impact Assessments
by Government agencies. This would also include Privacy Impact
Assessments for Government use of commercial data, as required
in the Leahy-Specter data breach bill, S. 495 as referenced
earlier.
No. 3, improving privacy leadership. This would include a
permanent Chief Privacy Officer position at the Office of
Management and Budget written into law, Chief Privacy Officers
at all major component agencies, and the creation of an
independent Chief Privacy Officer Council with a similar
structure to the CIO and CFO councils.
And, No. 4, increasing and improving privacy reporting and
audits. I detail all these suggestions in my written testimony.
In general, we believe that there is now consensus around a
set of sound recommendations for action by Congress and
executive branch to fill the gaps and loopholes in privacy law
and policy. CDT urges the Committee and the Senate to work
quickly so that the next President can have the right tools in
place upon taking office and can get started immediately on
strengthening privacy in the Federal Government.
I look forward to working with you, and we thank you for
your leadership on these important issues. Thank you for your
attention, and I look forward to your questions.
[The prepared statement of Mr. Schwartz appears as a
submission for the record.]
Chairman Leahy. Thank you very much.
Alan Raul is a partner in the Washington, D.C., office of
the international law firm Sidley Austin. He chairs Sidley's
Information Law Privacy Practice Group, served as Vice Chairman
of the White House Privacy and Civil Liberties Oversight Board
from March 2006 through January 2008. He was the Associate
Counsel to President Reagan from 1986 to 1988, where he
represented the White House in connection with the Iran-contra
investigation. He served as General Counsel to the Office of
Management and Budget in the Executive Office of the President.
He was nominated by President George H.W. Bush and confirmed by
the Senate to the position of General Counsel at the U.S.
Department of Agriculture from 1989 to 1993. He is a graduate
of Harvard College, Harvard University's Kennedy School of Law,
and to show there is no rivalry, the Yale School.
Please go ahead.
STATEMENT OF ALAN CHARLES RAUL, PARTNER, SIDLEY AUSTIN, LLP,
WASHINGTON, D.C.
Mr. Raul. Thank you, Chairman Leahy, Senator Specter,
Senator Cardin. Thank you for inviting me to testify on
protecting the privacy of passport files maintained by the U.S.
Department of State. It is an honor to appear before you this
morning.
I am testifying today in a personal capacity. As you noted,
I am currently engaged in private law practice in Washington
where I focus on privacy, data security, and Internet law. And
until recently, I also served in a part-time capacity as Vice
Chairman of the White House Privacy and Civil Liberties
Oversight Board.
This hearing arises because of a recent investigation and
report by the State Department's Inspector General indicating
that the passport files of high-profile individuals, including
the files of three Presidential candidates--namely, Senators
McCain, Obama, and Clinton--may have been improperly accessed
by State Department employees and contractors. The State
Department announced this week that it had terminated around
five contractors in connection with what appear to be serious
violations of personal privacy, Federal law, and internal
controls.
While the investigation continues, if the facts turn out to
be as they now appear, there is no question that the standards
of the Privacy Act of 1974 were not satisfied. To the extent
agency employees and contractors accessed passport files with
no official need to do so, they disrespected the privacy of
affected passport holders and applicants and brought
substantial disrepute upon their agency.
The Privacy Act, the e-Government Act of 2002, and the
Federal Information Security Management Act of 2002--FISMA--all
require Government agencies to adopt and implement effective
controls to prevent just the sort of invasion of personal
information that occurred here.
Moreover, each of these Acts authorizes the Director of the
Office of Management and Budget to assist, guide, and oversee
Federal efforts in the realm of privacy and information
security. Congress and the White House should continue to
support and encourage OMB's leading role in the field of
privacy and information security.
With regard to the specific incident at hand, it is not
clear at this point whether any of the individuals whose files
were accessed experienced any pecuniary losses or other actual
damages that would support claims of civil liability under the
Supreme Court's Doe v. Chao decision of 2004. However, if any
agency employee or contractor ``willfully disclose[d] the
material in any manner to any person or agency not entitled to
receive it,'' or ``knowingly and willfully request[ed] or
obtain[ed] any record concerning an individual from an agency
under false pretenses,'' then they would be guilty of a
criminal misdemeanor and fined up to $5,000.
It is perfectly clear now, however, that existing law and
applicable guidance should have prevented State Department
employees and contractors from engaging in frolics and
detours--or worse--through the passport files of politicians,
prominent figures, or indeed, of any Americans. The fact that
these files were subject to access for no good reason is highly
troubling. We all expect the Government to do much better in
safeguarding our personal information.
Plainly, the State Department must redouble its efforts to
conduct privacy impact and risk assessments, to communicate
binding privacy policies to all parties handling personal
information--both employees and contractors--provide its
employees and contractors with meaningful privacy and data
security training so they take these issues seriously, and
ensure effective audit trails for accessing personal
information, as well as establishing clear guidelines for
disciplining and terminating employees and contractors who
transgress. The State Department should also revisit its
administrative, technical, and physical safeguards to prevent
future abuse of passport files and other personal records.
At the same time, care must be taken to avoid unduly
restricting proper access to information that is essential for
national security purposes. As the 9/11 Commission recommended,
and Congress enacted, the country has a critical need to
promote an ``information sharing environment'' that transcends
traditional governmental boundaries in order to help prevent
future terrorist attacks. But the relevant Government agencies,
including the State Department, must effectively integrate
protections for privacy and other civil liberties into this new
information-sharing environment.
In any event, if the executive branch wishes to hold the
private sector, State governments, and foreign nations to high
standards for information privacy and security, it needs to be
a consistently good role model for privacy itself. To that end,
the Government obviously has plenty of room for improvement
under existing privacy laws and standards for information
security.
Thank you for considering my views.
[The prepared statement of Mr. Raul appears as a submission
for the record.]
Chairman Leahy. Thank you. The vote has started. I want to
ask one question, and then we will recess for a couple minutes
to see if others are coming back.
Mr. Rotenberg, last year Senator Specter and I introduced
our Personal Data Privacy and Security Act. Now, this has a
specific requirement that the General Services Administration
has to evaluate the privacy security practices of potential
Government contractors, but then put penalty provisions in if
they fail to follow and fail to protect data privacy. Would
this help?
Mr. Rotenberg. Absolutely, Senator. As I was thinking about
the legislation, which I believe you introduced in 2007, it
occurred to me this was actually an example where the
legislation was ahead of the problem. In other words, if these
requirements had been put in place back in 2007, I believe the
State Department would have been much more careful in its
relationship with the private contractor, and I think the
private contractor would have been much more diligent about the
activities of its employees. And it was the failure to pass
that legislation earlier that very well may have made possible
this recent breach.
So I hope the Senate--and the House, of course--act on
this. I think it would prevent a lot of damage going forward.
It is a very sensible approach to a real problem.
Chairman Leahy. Mr. Schwartz, Mr. Raul, how do you feel
about that?
Mr. Schwartz. I strongly agree with that statement. It
would definitely help privacy and security to have that kind of
review, and the Government needs to ensure that their security
efforts and the security efforts of their contractors are the
best that there are. And I would actually take it a step
further and say that the entire title of that bill, S. 495,
Title 4, would have helped in this case. It has better auditing
capability in that section, assuming that was not done in this
case, and improvement of Privacy Impact Assessments, something
that the Inspector General specifically pointed out in this
case was a failure.
Chairman Leahy. Mr. Raul?
Mr. Raul. Chairman Leahy, due diligence of potential
contractors with regard to their information security systems
and processes is essential. I think that is recognized in other
legislation like Gramm-Leach-Bliley, HIPAA, regulations under
those statutes. I think there is existing guidance that Federal
agencies should be doing it now.
I think the message really needs to be effectively
communicated to the various departments and agencies that they
need to take this seriously. So I would support strongly
sending that message to all agencies.
Chairman Leahy. Well, you know, my concern is we know how
much there are attacks from outside our borders into all our
different computer banks, and a lot of this has been reported
in the press, and I will not go into some aspects of it for
obvious reasons in an open session. So we have to guard against
that, and we should, of course, for the obvious reasons--
national security and everything else.
I hate to have to think we have to guard against our own
people, and yet it seems possible. The Inspector General's
report included 22 recommendations for improvements in the
Consular Affairs Bureau of the State Department.
We have that the Department is going to implement most of
the recommendations. Is that going to be enough? Again, I am
thinking about what we do with our own people. It is a whole
different subject what happens when we have countries, not just
bad actors outside but actually state-sponsored efforts to
penetrate our computer systems.
Mr. Rotenberg. Senator, I think the Inspector General's
report is helpful, but I don't think it will be enough. It has
recommendations to the agencies, some of which apparently the
bureaus are disputing. I think there needs to be here a clear
mandate about how the practices are going to change so that
this does not happen in the future. And I think there needs to
be a comprehensive approach that prevents this from happening
in other Federal agencies.
One of the realities right now is that security breaches
are on the increase in the Federal Government, and without
adequate safeguards to ensure particularly with private
contractor access to personal data, I think this problem will
continue to get worse.
Mr. Schwartz. Mr. Chairman, I would say that the external
security and the internal security are actually tied together
and that you cannot really separate the two. It seems in this
case, from what we know from the public reports, that the State
Department did not know all the people that had access to it,
and did not even list all the agencies that have access to it.
Chairman Leahy. That really frosted me when I saw that.
Mr. Schwartz. And then we also see--and I just said from
other agencies, we know that agencies are losing systems. If
they do not know where it is, that makes it more vulnerable to
outside attack. You cannot secure something if you do not know
where it is.
These are all systems that have personal information of
Americans in them, so I think that it is a major concern both
for the internal threat that comes from this and the external
threat as well.
Mr. Raul. One of the critical components, Chairman Leahy,
in any information security program is the conduct of a risk
assessment, either incorporated in a Privacy Impact Assessment
as required by the Federal Government, or in vulnerability
assessments.
From my review of the redacted version of the Inspector
General's report, it is not clear whether the State Department
had conducted sufficient risk assessments in this area. And it
sounds like they were not sure who had access, what information
they had. You know, that is unacceptable because risks, as you
say, Mr. Chairman, can be either internal or external, and for
various different motivations. And if an agency does not know
what is at risk, it cannot possibly protect against it.
Chairman Leahy. We will stand in recess. I keep looking up
here. You are probably wondering what I am looking at. It is
those five lights in the back which went on some time ago. That
is the 5-minute warning. I am heading to the floor. Take care.
We will stand in recess.
[Whereupon, at 11:09 a.m., the Committee was adjourned.]
[Questions and answers and submissions for the record
follow.]
[GRAPHIC] [TIFF OMITTED] 44368.001 through 44368.069 (69 graphics omitted from the text version)