[House Hearing, 112 Congress]
[From the U.S. Government Publishing Office]

                      AND A ROADMAP FOR ITS FUTURE



                               before the

                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION


                           SEPTEMBER 20, 2012


                           Serial No. 112-119


       Printed for the use of the Committee on Homeland Security


      Available via the World Wide Web: http://www.gpo.gov/fdsys/



81-128 PDF                WASHINGTON : 2013


                   Peter T. King, New York, Chairman
Lamar Smith, Texas                   Bennie G. Thompson, Mississippi
Daniel E. Lungren, California        Loretta Sanchez, California
Mike Rogers, Alabama                 Sheila Jackson Lee, Texas
Michael T. McCaul, Texas             Henry Cuellar, Texas
Gus M. Bilirakis, Florida            Yvette D. Clarke, New York
Paul C. Broun, Georgia               Laura Richardson, California
Candice S. Miller, Michigan          Danny K. Davis, Illinois
Tim Walberg, Michigan                Brian Higgins, New York
Chip Cravaack, Minnesota             Cedric L. Richmond, Louisiana
Joe Walsh, Illinois                  Hansen Clarke, Michigan
Patrick Meehan, Pennsylvania         William R. Keating, Massachusetts
Ben Quayle, Arizona                  Kathleen C. Hochul, New York
Scott Rigell, Virginia               Janice Hahn, California
Billy Long, Missouri                 Ron Barber, Arizona
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Blake Farenthold, Texas
Robert L. Turner, New York
            Michael J. Russell, Staff Director/Chief Counsel
               Kerry Ann Watkins, Senior Policy Director
                    Michael S. Twinchek, Chief Clerk
                I. Lanier Avant, Minority Staff Director

                            C O N T E N T S



The Honorable Peter T. King, a Representative in Congress From 
  the State of New York, and Chairman, Committee on Homeland 
  Security
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security


Mr. Richard L. Skinner, Former Inspector General, Department of 
  Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Stewart A. Baker, Former Assistant Secretary for Policy, 
  Department of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. Frank J. Cilluffo, Former Principal Advisor to Governor Tom 
  Ridge, White House Office of Homeland Security:
  Oral Statement
  Prepared Statement
Mr. David C. Maurer, Director, Homeland Security and Justice, 
  Government Accountability Office:
  Oral Statement
  Prepared Statement


Questions From Chairman Peter T. King for Richard L. Skinner
Questions From Chairman Peter T. King for Stewart A. Baker
Questions From Chairman Peter T. King for Frank J. Cilluffo
Questions From Chairman Peter T. King for David C. Maurer

                      AND A ROADMAP FOR ITS FUTURE


                      Thursday, September 20, 2012

             U.S. House of Representatives,
                    Committee on Homeland Security,
                                            Washington, DC.
    The committee met, pursuant to call, at 10:07 a.m., in Room 
311, Cannon House Office Building, Hon. Peter T. King [Chairman 
of the committee] presiding.
    Present: Representatives King, Lungren, Rogers, McCaul, 
Bilirakis, Miller, Walberg, Marino, Turner, Thompson, Jackson 
Lee, Cuellar, Richardson, Richmond, Clarke of Michigan, and 
    Chairman King. Okay. Good morning. The Committee on 
Homeland Security will come to order. The Ranking Member has 
been delayed, but he will be here. His staff has suggested that 
we start the hearing, since our witnesses are here.
    The committee is meeting today to examine the current state 
of the Department of Homeland Security--oh, the Ranking Member 
is here, thank you--and the solution to the future. I will now 
recognize myself for an opening statement.
    I want to thank each of the witnesses for being here today. 
I believe all of you have testified here before. Mr. Baker has 
done double duty, also, by being in the Department testifying 
and now coming back. He is also a noted author. Again, it is 
great to have all of you here today.
    This, I think we always try to keep this committee as 
bipartisan as possible. But I would say that today's hearing 
will probably be the essence of bipartisanship because everyone 
on the committee wants the Department to succeed. All of us 
believe that progress has been made.
    There are questions, of course, of where more progress can 
be made where there are still deficiencies. Each of you is an 
expert on the issues so we really look forward to your 
testimony. I know since September 11 we had four Islamist 
attacks or attempted attacks within the United States. In 
addition to that, there have been dozens of disrupted terrorist 
attacks against the homeland.
    Just in the last 2 years alone we have had a series of 
them, including bomb plots against the Capitol Building. There 
was a young man arrested in Chicago last week. So this is an 
on-going threat against the United States. I think the fact 
that none of these attacks has succeeded is at least partially 
due to the efforts of the Department of Homeland Security and 
also how it fits into the overall counterterrorism matrix that 
has been established since September 11.
    Now, the current unrest in the Middle East involving 
radicals and affiliates of al-Qaeda further underscores how 
threats from that part of the world impact our counterterrorism 
efforts to prevent weapons of mass destruction from getting 
into the hands of those who want to kill Americans in the 
    Now, during the 112th Congress, this committee has examined 
a series of issues. Obviously, there was a lot of publicity and 
notoriety, or interest, in the hearings we had on the issue of 
radicalization in the Muslim-American community, steps to 
address the issue. But we also had a series of other hearings, 
including cybersecurity, hardening our critical infrastructure, 
protecting chemical facilities.
    The operations of TSA, Chairman Rogers has been especially 
active on that. That is an area of particular concern to us on 
both sides of the aisle as far as making the TSA more efficient 
and also more effective. Also, what it can do to, again, 
improve its image. Not in the sense of image, but in gaining 
the confidence of the American people, which it has not been 
able to do.
    Also, we have looked into issues regarding reforms to the 
Department--in its management, improve employee morale, cut red 
tape, save taxpayer dollars. Also emergency communications, the 
effective administration of Homeland Security grants, reduce 
our vulnerability to attacks on the homeland using IEDs such as 
the Times Square car bomb.
    Also the whole issue of border security along the land and 
maritime borders. We look forward to building on this 
oversight. But this hearing today, and your testimony, can, I 
believe, help guide us in the right direction and provide a 
more coherent framework for us.
    As we consider the road map for DHS, some of the questions 
we have is: How can the Department use scarce taxpayer dollars? 
Because unlike after 9/11, when basically the money that was 
felt was needed was given, the fact is that we do face budget 
restraints. I believe, in too many cases there has been too 
much money cut from the Department of Homeland Security.
    Whether I like it or not or the Ranking Member likes it or 
not, for the foreseeable future that is the reality that DHS is 
going to have to face. Even if the cuts are not as severe in 
the future as they have been over the last several years, it is 
going to be a very, very tight, tight budget no matter what.
    So how can the Department use the taxpayers' dollars more 
wisely? How effective are the Department's efforts to counter 
violent extremism? To what extent is DHS able to work with our 
allies overseas? To what extent have they become a player in 
the intelligence community, both here and overseas?
    Also, just what recommendations that you believe the 
Department should make to strengthen the overall homeland 
security of the United States. Now, there has been progress 
made in a lot of areas. I am sure you are going to touch on 
that, and all sides can agree that there has been progress 
made. Certainly involving FEMA, involving strategic and 
operational plans, allocating funding based on risk, raising 
public awareness about the importance of reporting suspicious 
    Yet there is so much more work to be done as far as 
integrating management functions, strengthening information 
technology and financial management, improving contracting and 
acquisition practices and controls, ultimately establishing a 
biometric exit screening system, securing the border using 
objective measures, enforcing penalties against immigration 
violators, exercising authority to secure chemical facilities, 
developing a risk-based approach to screening airline 
passengers, strategically managing risks and assessing program 
    Also, I think one thing we all agree on is that Congress 
has to undertake its own reform. If we are going to be able to 
effectively oversee the Department of Homeland Security, we 
can't have this number of committees and subcommittees--
depending on what number you want to use, it is in the eighties 
or nineties, it is more than 100 of committees, subcommittees--
commissions, boards that the Department has to report to, often 
giving the same testimony, just to a different set of Members 
of Congress; some of whom are just interested in getting their 
spot on the evening news on a committee that has, at best, 
tangential association with the Department of Homeland 
    So that is really our burden and not yours. But any 
testimony you could give us to strengthen our case for both 
sides of the aisle would be greatly appreciated. So I want to 
thank all of you for being in here today. I look forward to 
your testimony. This will be, I assume, the last full committee 
hearing of the year; certainly until after the recess.
    I want to thank the Ranking Member. We haven't always 
agreed, but I believe we have been able to work in a collegial 
way. I say, that is all Members on the committee. Considering 
the divisions that there have been in Congress over the past 2 
years, while maybe everything isn't perfect on this committee I 
think we can say we have done, I think, as well if not better 
than almost any other committee in Congress in trying to find 
ways to work together.
    So with that softball approach, I am recognizing the 
Ranking Member, the distinguished gentleman from Mississippi, 
for his opening statement.
    Mr. Thompson. Thank you very much, Chairman King. I do 
agree with you on your last statement. We, I think, have set 
the bar for a lot of other committees on our ability to work. I 
look forward to continuing to work with you on that.
    But there are differences, and I think from time to time 
those differences are reflected. But the greatness of this 
country is that people who differ can still come together for 
the common good. We do that. Again, thank you for holding this 
    In March 2003 the Federal Government stood up the 
Department of Homeland Security in response to the separate 
2001 terrorist attack. Today, the Department of Homeland 
Security is the third-largest agency in the Federal Government, 
employing about 220,000 people and operating both domestically 
and internationally.
    Prior to the September 2001, the United States used various 
approaches to handle catastrophic dangers, including National 
Guard involvement, law enforcement, and emergency management. 
But the events of 2001 forced us to begin a process aimed at 
the development of a cohesive homeland security policy.
    Over the last 10 years, the concept of homeland security 
has evolved and expanded. While the need to address terrorism 
remains central to our understanding of homeland security, we 
now understand that homeland security must include other 
catastrophic incidents. We must remain concerned about the 
risks that may threaten the lives of our people.
    But we cannot fail to recognize those things that may 
threaten the strength of our democracy, the vitality of our 
economy, as well as the continuation of public and private-
sector activities that impact our daily lives. From critical 
infrastructure protection to cybersecurity, the evolution and 
expansion of our understanding of homeland security has 
required us to ask the Department about risk assessment, 
strategic development, and operational priorities.
    From my vantage point, the ability to come to grips with 
these questions of risk strategy and operations has formed a 
core of the Department's struggles as well as form the basis 
for its successes. So as we begin to discuss the Department's 
road map to the future, we must acknowledge that its presence 
on GAO's high-risk list remains a continuing cause for concern.
    The importance of the Department's high-risk designation, 
and its ability to implement its plans to resolve the 
transformation and integration issues that continue to hamper 
its development into a cohesive organizational unit, cannot be 
understated. For several years, I have noted the need to 
strengthen the ability of the under secretary for management to 
require and enforce uniform administrative practices and 
procedures through each component.
    It seems to me that the lack of power in the management 
office will continue to permit ineffective and inconsistent 
practices in procurement and personnel throughout the 
components. We see the results of these inconsistencies each 
time we learn about wasted money. We read about the fallout of 
these inconsistent practices every year when a Department ends 
up near the bottom of OPM's annual survey of employee 
    So as we consider the road map forward, let us be sure to 
consider how the Department can achieve the mission, and 
improve its internal operations. The biggest challenge, 
however, is whether Congress will fully fund Homeland Security 
efforts as opposed to slashing the Homeland Security budget as 
proposed by the Majority.
    While the threat to homeland security has not diminished, 
the Department of Homeland Security has been required to do 
more with less. The fiscal 2012 Homeland Security 
appropriations short-changed homeland security from border 
security to aviation security, science, and technology. In 
particular, the management directorate and the budget 
environment for fiscal year 2013 has not changed.
    In fact, it may have worsened. I would like to also say at 
this point that Congress hasn't been really helpful in some of 
these situations because we have not, when I was chair--and now 
Chairman King, since he is back--been able to convince our 
leadership that a consolidated jurisdiction for the Department 
of Homeland Security would be in the best interests of this 
    I think we still agree on that, right?
    Chairman King. Absolutely.
    Mr. Thompson. Okay. Just checking. So I want to make sure 
that everybody understands that as long as jurisdiction is 
split the Department is tasked with responding to over 100 
committees and subcommittees on this Hill. That is just too 
much. So I look forward to hearing from our witnesses on these 
and other issues as we discuss the path forward for the 
    I yield back the balance of my time.
    Chairman King. I thank the Ranking Member for his statement 
and for yielding back. Also emphasize again that we stand as 
one on the whole issue of jurisdictional consolidation. It 
makes absolutely no sense, the current situation; absolutely 
none whatsoever.
    As I mentioned before, we are pleased to have a 
distinguished panel of witnesses before us today on this vital 
topic. It is, again, a privilege to have you here today once 
again. Let me begin with Mr. Richard Skinner, who was the first 
Senate-confirmed inspector general of the Department of 
Homeland Security. He served in that capacity from 2008 to 
early 2011.
    He has held managerial positions in various agencies 
throughout the Federal Government, including FEMA, the 
Department of Agriculture, the Department of Justice, the 
Department of Commerce and the State Department. In 1998, he 
received the President's meritorious executive rank award for 
superior accomplishment in management programs of the United 
States Government.
    I would just say, as Chairman and as former Ranking Member, 
your testimony before our committee has always been extremely 
helpful. I think we would agree, totally nonpartisan and in the 
best interests of the country.
    With that, the gentleman's recognized for 5 minutes.
    Mr. Thompson. If the gentleman will yield, we agree on 
that, too.


    Mr. Skinner. Well, thank you very much and good morning, 
Chairman King and Ranking Member Thompson. It is good to see 
everyone again. It is truly an honor to be here today, and I 
really thank you very much for this opportunity.
    Since its inception in 2003, the Department has worked to 
accomplish the largest reorganization of the Federal Government 
in more than a half a century. This task has presented many 
challenges. While it is making progress, the Department still 
has much to do to be a cohesive, efficient, and effective 
    Today, I would like to talk about four often-overlooked 
management support functions that constitute the platform upon 
which the Department's programs must operate and are critical 
to the successful accomplishment of the Department's mission. 
That is financial management, IT management, acquisition 
management, and grants management.
    Concerning financial management, in 2011 the Department was 
again unable to obtain an opinion on its financial statements. 
Numerous material internal control weaknesses were again 
reported. Although it has reduced the number of material 
weaknesses and has received a qualified audit opinion on its 
consolidated balance sheet and custodial activity, it is 
unlikely this progress will continue unless the Department 
modernizes its financial systems.
    Due to 2012 budget reductions--and also it looks like in 
2013, as well--recent modernization initiatives have been on 
hold indefinitely. It is not clear now when the Department will 
resume its modernization strategy, nor is it clear whether 
these initiatives, if and when they are ever implemented, will 
ensure that financial management systems can generate reliable, 
useful, timely information for day-to-day decision-making.
    In the interim, the Department must continue to use 
archaic, unreliable systems to manage its financial resources. 
Also, the Department and its components are still struggling to 
upgrade and integrate their respective IT infrastructures. 
According to recent OIG reports as recent as this past July, 
program and field offices continue to develop information 
technology systems independently of the CIO, and have been slow 
to adopt the Department's standard information technology 
development approach.
    As a result, critical systems are not integrated, do not 
meet user requirements, and do not provide the information 
technology capabilities that agency personnel and its external 
partners both in the Federal Government as well as the State 
and local levels need to carry out critical infrastructures in 
a timely, effective, and efficient manner.
    With regard to acquisition management, Secretary Napolitano 
and her executive team have demonstrated a genuine commitment 
to improve the Department's acquisition management function. 
However, much work remains to be done. Most notably, the 
Department needs to identify and acquire the resources needed 
to fulfill its acquisition management responsibilities.
    The urgency and complexity of the Department's mission will 
continue to demand rapid pursuit of major investments in high-
risk, complex acquisition programs. To effectively manage these 
large-dollar procurements, the Department will need a sustained 
commitment, increased resources, and smarter processes to 
administer and oversee the contractors' work.
    Finally, since its inception the Department has distributed 
over $18 billion through the Homeland Security Grant Program. 
Yet, according to an OIG report released earlier this year, the 
Department does not have a system in place to determine the 
extent that these funds enhance the State's capabilities to 
prevent, deter, respond to, and recover from terrorist attacks, 
major disasters, and other emergencies.
    Consequently, the Department has been awarding Homeland 
Security Grant funds to States each year for on-going programs 
without knowing the accomplishments from prior years' fundings 
or the extent to which additional funds are needed to achieve 
desired results. Strategic planning, performance measurement, 
and oversight are essential management controls to ensure that 
grant funds are used for their intended purpose and that 
enhancements in preparedness capabilities are being achieved.
    Otherwise, it is impossible to determine whether annual 
investments are actually improving our Nation's homeland 
security posture. In today's economic climate, it is critical 
that the Department concentrate its limited resources on those 
threats that pose the greatest threat to the country.
    In summary, it is evident that the Department's senior 
officials are well aware of these challenges and are attempting 
to remedy them. Yet they have actually made headway, Mr. 
Chairman, as you pointed out. The question is, however: Does 
the Department have the resolve and wherewithal to sustain 
those efforts?
    The ability of the Department to do so is fragile, not only 
because of the early stage of development of those efforts, but 
also because of the Government's budget constraints and the 
current lack of resources to implement planned corrective 
actions. In today's environment of large Government deficits 
and pending budget cuts, the new challenge will be to sustain 
the progress already made and, at the same time, continue to 
make necessary improvements.
    Unless the Department and Congress stay focused on these 
challenges, it will be harder than ever to facilitate solutions 
to strengthen the Department's critical management support 
functions and, ultimately, to ensure the success of the 
Homeland Security mission.
    Mr. Chairman, this concludes my prepared statement. I will 
be happy to answer any questions the committee may have.
    [The prepared statement of Mr. Skinner follows:]
                Prepared Statement of Richard L. Skinner
                           September 20, 2012
    Good afternoon, Chairman Rogers, Ranking Member Thompson, and 
Members of the committee. It is truly an honor to be here today to 
discuss what the Department of Homeland Security needs to do in the 
years ahead to become a more efficient organization. I thank you for 
this opportunity.
    Since its inception in 2003, the Department has worked to 
accomplish the largest reorganization of the Federal Government in more 
than half a century. This task, creating the third-largest Cabinet 
agency with the missions of protecting the country against another 
terrorist attack, responding to threats and hazards, ensuring safe and 
secure borders, welcoming lawful immigrants and visitors, and promoting 
the free flow of commerce, has presented many challenges. While the 
Department has made progress over the past 9 years, it still has much 
to do to establish a cohesive, efficient, and effective organization.
    The OIG's latest major management challenges report, dated November 
10, 2011, continues to address a broad range of issues, including both 
program and administrative challenges. In total, the OIG identified 
nine categories of challenges: Financial Management, Information 
Technology Management, Acquisition Management, Grants Management, 
Emergency Management, Infrastructure Protection, Border Security, 
Transportation Security, and Trade Operations and Security. These are 
essentially the same management challenges that the OIG reported as 
early as 2005. Today, I would like to talk about four of those 
management challenges:
   Financial management,
   Information technology management,
   Acquisition management, and
   Grants management.
    These management support functions constitute the platform upon 
which the Department's programs must operate and are critical to the 
successful accomplishment of the Department's mission. Some of these 
challenges were inherited by the Department from the legacy agencies. 
Nevertheless, the complexity and urgency of the Department's mission 
have hampered its efforts to make sustainable progress in implementing 
corrective actions.
    Senior officials at the Department recognize the significance of 
these challenges and understand that addressing them will take a 
sustained and focused effort. They have, in fact, taken actions over 
the past several years to implement, transform, and strengthen the 
Department's management support functions; albeit, in my opinion, at a 
snail's pace.
                          financial management
    Financial management has been and continues to be a major 
management challenge for the Department since its creation in 2003. In 
fiscal year 2011, the Department was again unable to obtain an opinion 
on its financial statements, and numerous material internal control 
weaknesses were again reported. These weaknesses, due to their 
materiality, are impediments to obtaining a clean opinion and providing 
positive assurance over internal controls at the Department level. The 
Department has made progress from its early days, however. It has 
reduced the number of material weaknesses in internal controls from 18 
to 5. It also received a qualified audit opinion on its consolidated 
balance sheet and custodial activity for the first time in fiscal year 
2011. Unfortunately, unless the Department modernizes its financial 
systems, it is unlikely this progress will continue.
    The Department twice unsuccessfully attempted to implement an 
integrated Department-wide financial management system, wasting 
millions of dollars. In 2007, the Department ended its first attempt, 
the Electronically Managing Enterprise Resources for Government 
Effectiveness and Efficiency system after determining it would not 
provide the expected functionality and performance. In 2011, the 
Department decided to change its strategy for financial system 
modernization. Rather than implement a Department-wide integrated 
financial management system solution, the Department decided to take a 
decentralized approach to financial management systems modernization at 
the component level. Specifically, the Department reported in its 
December 2011 strategy that it plans to replace financial management 
systems at three components it has identified as most in need, e.g., 
FEMA, USCG, and ICE. However, due to fiscal year 2012 budget 
reductions, these initiatives have been put on hold indefinitely. It is 
now not clear when the Department will resume its modernization 
strategy, nor is it clear whether this new, decentralized approach, if 
and whenever it is implemented, will ensure that components' financial 
management systems can generate reliable, useful, timely information 
for day-to-day decision making; enhance the Department's ability to 
comprehensively view financial information across the Department; and 
comply with related Federal requirements at the Department and its 
components. In the interim, the Department must continue to use 
archaic, unreliable systems to manage its financial resources, which is 
unfortunate, particularly in this day and age of budget austerity and 
the public demand for increased fiscal transparency and accountability.
                   information technology management
    According to recent OIG and GAO reports, DHS and its components are 
still struggling to upgrade or transition their respective IT 
infrastructures, both locally and enterprise-wide.
    Integrating the IT systems, networks, and capabilities of the 
various legacy agencies to form a single infrastructure for effective 
communications and information exchange remains one of the Department's 
biggest challenges.
    For example, on October 20, 2011, the Assistant IG for Emergency 
Management Oversight, Matt Jadacki, testified that FEMA's existing 
information technology systems do not effectively support disaster 
response activities. FEMA has not completed its efforts to establish an 
enterprise architecture, and its IT strategic plan was not 
comprehensive enough to coordinate and prioritize its modernization 
initiatives and IT projects. The plan did not include clearly-defined 
goals and objectives, nor did it address program office IT strategic 
goals. Without these critical elements, FEMA is challenged to establish 
an effective approach to modernize its information technology 
infrastructure and systems.
    According to Mr. Jadacki, there is not an adequate understanding of 
existing information technology resources and needs throughout the 
agency. Specifically, FEMA's Office of the Chief Information Officer 
(CIO) does not have a complete, documented inventory of systems to 
support disasters. Further, program and field offices continue to 
develop information technology systems independently of the CIO and 
have been slow to adopt the agency's standard information technology 
development approach. As a result, systems are not integrated, do not 
meet user requirements, and do not provide the information technology 
capabilities agency personnel and its external partners need to carry 
out disaster response and recovery operations in a timely, effective, 
and efficient manner.
    Furthermore, according to a report issued recently by GAO, FEMA 
does not have an effective system to manage flood insurance and claims 
data, although it invested roughly 7 years and $40 million on a new 
system whose development has been halted because it did not meet users' 
    Most recently, on June 29, 2012, the Assistant IG for Information 
Technology Audits, Frank Deffer, reported that the information 
technology environment and the aging IT infrastructure within CBP does 
not fully support CBP's mission needs. According to Mr. Deffer, 
interoperability and functionality of the technology infrastructure 
have not been sufficient to support CBP mission activities fully. As a 
result, CBP employees have created workarounds or employed alternative 
solutions, which may hinder CBP's ability to accomplish its mission and 
ensure officer safety.
    Similar problems also have been reported at the Coast Guard, 
Citizen and Immigration Services, Immigration and Customs Enforcement, 
and Secret Service. Technical and cost barriers, aging infrastructure 
that is difficult to support, outdated IT strategic plans to guide 
investment decisions, and stove-piped system development have impeded 
the Department's efforts to modernize and integrate its IT systems, 
networks, and capabilities.
Information Sharing
    The Homeland Security Act of 2002 makes coordination of homeland 
security communication with State and local government authorities, the 
private sector, and the public a key Department responsibility. 
However, due to time pressures, the Department did not complete a 
number of the steps essential to effective planning and implementation 
of the Homeland Security Information Network (HSIN)--the ``sensitive 
but unclassified'' system it instituted to help carry out this mission. 
For example, the HSIN and the Homeland Security State and Local 
Community of Interest systems, both developed by DHS, are not 
integrated. As a result, users must maintain separate accounts, and 
information cannot easily be shared across the systems. State and local 
fusion center personnel expressed concern that there were too many 
Federal information sharing systems that were not integrated. As such, 
effective sharing of the counter-terrorist and emergency management 
information critical to ensuring homeland security remains an on-going 
challenge for the Department. Resources, legislative constraints, 
privacy, and cultural challenges--often beyond the control of the 
Department--pose obstacles to the success of the Department's 
information-sharing initiatives.
    On a broader scale, the Department is also challenged with 
incorporating data mining into its overall strategy for sharing 
information to help detect and prevent terrorism. Data mining aids 
agents, investigators, and analysts in the discovery of patterns and 
relationships from vast quantities of data. The Homeland Security Act 
authorizes the Department to use data mining and tools to access, 
receive, and analyze information. However, the Department's data mining 
activities consist of various stove-piped activities that use limited 
data mining features. For example, CBP performs matching to target 
high-risk cargo. The Secret Service automates the evaluation of 
counterfeit documents. TSA collects tactical information on suspicious 
activities. ICE detects and links anomalies indicative of criminal 
activity to discover relationships. Without Department-wide planning, 
coordination, and direction, the potential for integrating advanced 
data mining functionality and capabilities to address homeland security 
issues remains untapped.
                         acquisition management
    DHS has taken notable action to implement, transform, and 
strengthen its acquisition management capabilities. During my tenure as 
the IG of the Department, the Secretary and Deputy Secretary of 
Homeland Security, and other senior officials demonstrated a genuine 
commitment to improve the Department's acquisition management function. 
In its December 2011 strategy for high-risk management, the Department 
presented detailed plans to address a number of acquisition management 
challenges. However, much work remains to fully implement these plans 
and address these challenges. Most notably, the Department needs to 
identify and acquire the resources needed to implement its acquisition 
    OIG and GAO audits over the past 9 years have identified problems 
related to acquisition oversight, cost growth, and schedule delays, 
resulting in performance problems and mission delays, as illustrated by 
the problems the Department experienced with the Coast Guard's 
Deepwater program, CBP's SBInet program, FEMA's flood map modernization 
program, and the CFO's financial systems consolidation initiatives. 
Each of these efforts failed to meet capability, benefit, cost, and 
schedule expectations. For example, in June 2010 my former office 
reported that over half of the programs we reviewed awarded contracts 
to initiate acquisition activities without component or Department 
approval of documents essential to planning acquisitions, such as 
mission need statements outlining the specific functional capabilities 
required to accomplish DHS' mission and objectives; operational 
requirements; and acquisition program baselines. Additionally, the OIG 
reported that only a small number of DHS' major acquisitions had 
validated cost estimates.
    The urgency and complexity of the Department's mission will 
continue to demand rapid pursuit of major investment programs. Between 
fiscal years 2003 and 2010, the Department spent about 40 percent of 
its budget through contracts. Although that figure may have decreased 
over the past 2 years, the Department will continue to rely heavily on 
contractors to accomplish its multifaceted mission and will continue to 
pursue high-risk, complex acquisition programs.
    The Department must have an infrastructure in place that enables it 
to effectively oversee the complex and large-dollar procurements 
critically important to achieving its mission.
    Both the OIG and the GAO have reported that the Office of the Chief 
Procurement Officer needs more staff and authority to carry out its 
general oversight responsibilities. The GAO recommended that the 
Department provide the Office of the Chief Procurement Officer 
sufficient resources and enforcement authority to enable effective, 
Department-wide oversight of acquisition policies and procedures. The 
OIG made a similar recommendation.
Common Themes in Audits of Department Contracts
    Over the past several years, the OIG and GAO conducted numerous 
audits of individual Department contracts, such as TSA's information 
technology services, CBP's SBInet program, the Coast Guard's Deepwater 
program, and FEMA contracting. Common themes and risks emerged from 
these audits, primarily poor planning, the dominant influence of 
expediency, poorly-defined requirements, and inadequate oversight that 
contributed to ineffective or inefficient results and increased costs. 
To ensure that its acquisition programs are successful, the Department 
must lay the foundation to oversee and assess contractor performance, 
and control costs and schedules. This requires a sustained commitment, 
increased resources, and smarter processes to administer and oversee 
the contractors' work.
FEMA Procurements
    The Assistant IG for Emergency Management Oversight, Matt Jadacki, 
testified on October 20, 2011 that FEMA has developed and strengthened 
acquisition management policies and processes, but it continues to face 
challenges. For example, weak internal controls have resulted in multi-
million dollar contracts with vague and questionable requirements and 
no performance measures. Agency employees responsible for managing and 
monitoring the contractors do not always receive written guidance or 
training on how to evaluate contractor performance or certify billing 
invoices. Continued improvements are needed in FEMA's oversight of 
    During my tenure as the IG, my office issued several reports 
recommending improvements to FEMA's acquisition processes. Those 
recommendations have resulted in policies and procedures on contract 
closeout, transferring contract files from one contracting officer to 
another, and labeling and organizing contract files so all contract 
actions are properly documented.
    In fiscal year 2010, FEMA deployed Disaster Assistance Employees to 
accelerate contract closeout efforts for the Disaster Relief Fund, de-
obligating $1.2 billion. These contract closeout efforts continue 
annually and are in direct response to an OIG recommendation. I was 
pleased to learn that FEMA has created Disaster Acquisition Response 
Teams, whose focus on contract administration and oversight of large 
disaster contracts is much needed. My office also reported FEMA's need 
for an overarching sourcing strategy. Headquarters, regional, and local 
FEMA representatives were ordering goods without communicating with 
their counterparts at other locations. This resulted in goods ordered 
that were not needed, purchased from the wrong source, or at the wrong 
time. My former office recommended that FEMA adopt the single-point 
ordering concept, to coordinate all sourcing decisions through the 
Logistics Section. As a result of this recommendation, FEMA piloted the 
single-point ordering concept during its response to Hurricane Irene.
Strategic Sourcing
    The Department can improve management of its strategic sourcing. In 
March 2011, the OIG reported that the Department did not have a 
logistics process in place to facilitate strategic sourcing of 
detection equipment. Strategic sourcing would require that management 
standardize equipment purchases for explosive, metal, and radiation 
detection equipment; identify common mission requirements among 
components; and develop standard data elements for managing the 
inventory accounts of detection equipment. Improving its management of 
detection equipment will offer the Department opportunities to 
streamline the acquisition process and improve efficiencies.
Acquisition Workforce
    DHS made progress in the recruitment and retention of a workforce 
capable of managing a complex acquisition program. At the time of my 
retirement on March 1, 2011, the number of procurement staff had more 
than doubled since 2005. In addition, participation in the Acquisition 
Professional Career Program, which seeks to develop acquisition 
leaders, increased 62 percent from 2008 to 2010. Nevertheless, DHS 
continues to face workforce challenges across the Department. For 
example, according to GAO, the Coast Guard reduced its acquisition 
workforce vacancies from approximately 20 percent to 13 percent, and 
had filled 832 of its 951 acquisition positions as of November 2010. 
Although acquisition workforce vacancies have decreased, program 
managers have on-going concerns about staffing program offices. Also, 
according to its August 2010 human-capital staffing study, program 
managers reported concerns with staffing adequacy in program management 
and technical areas. To make up for shortfalls in hiring systems 
engineers and other acquisition workforce positions for its major 
programs, the Coast Guard must use contractors.
    Likewise, according to the OIG's Major Management Challenges 
report, dated November 2011, acquisition staff turnover in FEMA has 
exacerbated file maintenance problems and resulted in multimillion-
dollar contracts not being managed effectively or consistently. One of 
FEMA's challenges is hiring experienced contracting officers to work 
disaster operations. The majority of FEMA staff at a disaster site work 
on an on-call, intermittent basis, and, oftentimes, they lack the 
training and experience to manage large disaster response and recovery 
    FEMA also has made great strides in improving its contracting 
officer's technical representative (COTR) cadre. FEMA has designated 
staff to oversee the COTR program; developed a tiered system which ties 
training requirements to dollar values of contracts a COTR can monitor; 
and established an intranet site containing tools for COTR use. 
However, many trained COTRs have never been assigned a contract and are 
unsure of their ability to be effective. And, although they represent 
the contracting officer, the COTRs' appraisals are completed by their 
supervisors in the program offices for which they work, rather than the 
applicable contracting officer, thus leading to divided loyalties.
    Finally, the Department has not fully planned for or acquired the 
workforce needed to implement its acquisition oversight policies. 
According to a GAO report issued in February 2011, the Department needs 
to continue its efforts to: (1) Identify and acquire resources needed 
to achieve key actions and outcomes; (2) implement a program to 
independently monitor and validate corrective measures; and (3) show 
measurable, sustainable progress in implementing corrective actions and 
achieving key outcomes. The Department needs to demonstrate sustained 
progress in all of these areas to strengthen and integrate the 
acquisition management functions throughout the Department.
Knowledge Management and Information Systems
    According to the OIG's annual Major Management Challenges report, 
the Department has made progress in deploying an enterprise acquisition 
information system and tracking key acquisition data. The Department's 
acquisition reporting system of record, known as nPRS (next-Generation 
Periodic Reporting System), tracks components' major acquisition 
investments. It also has capabilities to store key acquisition 
documents, earned value management information, and risk 
identification. Component personnel are responsible for entering and 
updating information, which includes cost, budget, performance, and 
schedule data. However, components did not complete and report all key 
information in nPRS. The OIG reported that only 7 of 17 programs (41%) 
reported Acquisition Program Baseline required milestones. These 
milestones establish the acquisition cost, schedule, and performance 
values. Only 13 (76%) programs reviewed contained required key 
documentation such as mission needs statements, acquisition plans, 
operational requirements documents, and integrated logistics support 
    In addition, the Department reported in its December 2011 strategy 
for high-risk management that senior executives are not confident 
enough in the data to use the Department's Decision Support Tool which 
was developed to help make acquisition decisions, address problems 
meeting cost or schedule goals, and prepare for program review 
    Although the Department continues to make progress in improving its 
acquisition management, it remains a significant challenge, in part 
because of the magnitude of the number, dollar value, and complexity of 
its acquisition activity.
                           grants management
Disaster Grants Management
    FEMA oversees billions of dollars in disaster grant funds each 
year, and, due to the environment under which these funds are 
administered, they are highly vulnerable to fraud, waste, and abuse. To 
illustrate, during fiscal years 2010 and 2011, the OIG's audits of 105 
disaster grants identified $365 million in questionable cost and funds 
that could be put to better use. The extent of the fraud, waste, and 
abuse that the OIG uncovers year after year in the disaster relief 
program, for the past 20 years, is unacceptable, and it needs to be 
vigorously addressed. Yet FEMA still has not developed a robust program 
to curtail fraud, waste, and abuse within its disaster relief programs.
Preparedness Grants Management
    During fiscal years 2002 through 2011, FEMA distributed over $18 
billion through the Homeland Security Grant Program. According to an 
OIG report released this past July, FEMA does not have a system in 
place to determine the extent that Homeland Security Grant Program 
funds enhanced the States' capabilities to prevent, deter, respond to, 
and recover from terrorist attacks, major disasters, and other 
emergencies. Also, FEMA does not require States to report progress in 
achieving milestones as part of the annual application process. As a 
result, when annual application investment justifications for 
individual continuing projects are being reviewed, FEMA does not know 
whether prior year milestones for the projects have been completed. 
FEMA also does not know the amount of funding required to achieve 
needed preparedness and response capabilities.
    Furthermore, according to the OIG's annual Major Management 
Challenges report, dated November 2011, FEMA continues to face 
challenges in mitigating redundancy and duplication among preparedness 
grant programs, including barriers at the legislative, departmental, 
and State levels. The preparedness grant application process is 
ineffective because FEMA does not compare and coordinate grant 
applications across preparedness programs. Since grant programs may 
have overlapping goals or activities, FEMA risks funding potentially 
duplicative or redundant projects.
    Public Law 110-53, Implementing Recommendations of the 9/11 
Commission Act of 2007, required the OIG to audit individual States' 
management of State Homeland Security Program and Urban Areas Security 
Initiatives grants and annually submit to Congress a report summarizing 
the results of these audits. In the audits completed to date, the OIG 
concluded that the States have generally done an efficient and 
effective job of administering the grant management program 
requirements, distributing grant funds, and ensuring that all the 
available funds were used.
    However, on March 20, 2012, the assistant inspector general for 
audits testified that FEMA needs to make improvements in strategic 
management, performance measurement, and oversight. According to Ms. 
Richards, FEMA needs to improve its guidance on strategic plans for 
State Homeland Security Grants. While current guidance for State 
Homeland Security strategic plans encourages revisions every 2 years, 
the language is such that it does not require revisions to be made--it 
is just strongly encouraged. Consequently, many States have outdated 
strategic plans, and many do not have Homeland Security strategic plans 
with goals and objectives that are specific, measurable, achievable, 
results-oriented, and time-limited. Without some form of measurable 
goal or objective, or a mechanism to objectively gather results-
oriented data, States have no assurance of the level of effectiveness 
of their preparedness and response capabilities. Also, States are less 
capable of determining progress toward goals and objectives when making 
funding and management decisions. The OIG reported deficiencies in 
strategic planning in 15 of the 20 State audits completed as of March 
    In regard to performance measurement, Ms. Richards said that FEMA 
needs to improve its guidance on establishing metrics and measuring 
performance. The OIG continues to report that many States have not 
received proper guidance and, consequently, have not adequately 
documented or tracked their progress and performance. Providing 
guidance on the appropriate metrics and requiring those metrics to be 
documented would provide the States with tools to help them understand 
the effectiveness of each grant program. FEMA also needs to strengthen 
its guidance on reporting progress in achieving milestones as part of 
the States' annual program justifications. Because of insufficient 
information on milestones and program accomplishments, FEMA has been 
annually awarding Homeland Security Grant Program funds to States for 
on-going programs without knowing the accomplishments from prior years' 
funding or the extent to which additional funds are needed to achieve 
desired capabilities. Tracking accomplishments and milestones are 
critical elements in making prudent management decisions because of the 
evolving, dynamic changes that can occur between years or during a 
grant's period of performance. OIG audits reported problems with 
performance measurement in 19 of 20 State audits completed as of March 
    Finally, Ms. Richards said that FEMA needs to improve its oversight 
to ensure the States are meeting their reporting obligations in a 
timely manner to ensure FEMA has the information it needs to make 
program decisions and oversee program achievements. Further, FEMA needs 
to improve its oversight to ensure that States are complying with 
Federal regulations in regard to procurements and safeguarding of 
assets acquired with Federal funds. In its annual audits of the State 
Homeland Security Program, the OIG repeatedly found weaknesses in the 
States' oversight of grant activities. Those weaknesses include 
inaccuracies and untimely submissions of financial status reports; 
untimely allocation and obligation of grant funds; and not following 
Federal procurement, property, and inventory requirements. Delays in 
the submission of Financial Status Reports hamper FEMA's ability to 
effectively and efficiently monitor program expenditures and prevent 
the State from drawing down funds in a timely manner, ultimately 
affecting the effectiveness of the program.
    Strategic planning, performance measurement, and oversight are 
important management controls for FEMA to ensure that Federal funds are 
used for their intended purpose and that enhancements in preparedness 
capabilities are being achieved. Without a bona fide performance 
measurement system, it is impossible to determine whether annual 
investments are actually improving our Nation's homeland security 
posture. Furthermore, without clear, meaningful performance standards, 
FEMA lacks the tools necessary to make informed funding decisions. In 
today's economic climate, it is critical that FEMA concentrate its 
limited resources on those threats that pose the greatest risk to the 
    While some aspects of the Department's management support 
challenges were inherited from the Department's legacy agencies, the 
complexity and urgency of the Department's mission has oftentimes 
exacerbated the Department's ability to address them in a disciplined 
and effective manner.
    It is evident that the Department's senior officials are well aware 
of these challenges and are attempting to remedy them, and they have 
actually made some headway. The question is, however: Does the 
Department have the resolve and wherewithal to sustain those efforts? 
The ability of the Department to do so is fragile, not only because of 
the early stage of development that the initiatives are in, but also 
because of the Government's budget constraints and the current lack of 
resources to implement planned corrective actions. In today's 
environment of large Government deficits and pending budget cuts, the 
new challenge will be to sustain the progress already made and at the 
same time continue to make the necessary improvements that are critical 
to the success of the Department's management functions.
    Unless the Department and Congress stay focused on these 
challenges, it will be harder than ever to facilitate solutions to 
strengthen the Department's management support functions and, 
ultimately, its homeland security mission.
    Mr. Chairman, this concludes my prepared statement. I will be 
pleased to answer any questions you or the Members may have.

    Chairman King. Thank you very much, Mr. Skinner, for your 
    Our next witness, Stewart Baker, is a partner in the law 
office of Steptoe & Johnson here in Washington, DC. I first met 
Mr. Baker when he was the first assistant secretary for policy 
at the Department of Homeland Security. In that role, he led a 
staff of 250 people and was responsible for the Department-wide 
policy analysis as well as the Department's affairs, strategic 
planning, and relationships with law enforcement and public 
advisory committees.
    Other than that, he had nothing to do. It was a 48-hour-a-
day job, and Secretary Baker did an outstanding job. He was 
named the top lawyer in international security by Washingtonian 
magazine in 2011, and is an exceptionally distinguished 
attorney and public servant.
    I am privileged to recognize Secretary Baker for 5 minutes.


    Mr. Baker. Thank you, Chairman King, Ranking Member 
Thompson. It is a pleasure to be back here. I have almost 
recovered from my time in Government. You have seen my prepared 
testimony. What I thought I would do is just touch on three 
areas where the Department has big challenges, and actually 
challenge myself to give the Department a grade. So I will give 
the Department a grade on these things.
    On the question of unity, coordination, making the 
Department work as a whole, I think a C-minus is the best the 
Department can get. It gets that because we have had three 
strong Secretaries in a row who will not be denied when they 
are paying attention, the components, the Department act more 
or less as a whole. But the spotlight of Secretarial attention 
is not the only place that coordination has to take place.
    Outside that spotlight, we are not seeing the coordination 
that is necessary. Probably more important in times of tough 
budgets than any other because we can no longer afford 
duplication of effort or initiatives that may meet a particular 
component's priorities but don't fit into the overall National 
priorities that the Secretary is setting.
    I think Ranking Member Thompson pointed out how important 
it is that we have a cohesive Department. I couldn't agree 
more, and we are not there and not even close. As I think the 
Chairman pointed out, having 100 oversight committees means 
there is one committee in each body that actually wants a 
single policy to come out of the Department.
    Everybody else sees the Secretary and the Secretary's 
priorities as potentially getting in the way of their ability 
to oversee some component of the Department. So having reform 
of jurisdiction is absolutely essential if you are going to get 
that grade above a gentleman's C-minus.
    Let me turn to something where I think the story is very 
good, in contrast, and where I would give the Department an A. 
That is in carrying out the vision of the Homeland Security 
Act, of thinking seriously about keeping terrorists from 
crossing our borders. That used to be spread among three or 
four different agencies, and none of them thought that was 
their most important mission.
    Putting all of those authorities in one place has led to a 
transformation of the way we think about border security. The 
way we have transformed that is in getting more data about the 
people who are coming across the border--whether it is the ESTA 
or PNR or the overseas interviews that Customs and Border 
Protection does, or for the first time--we actually know 
whether the people who are coming from other countries are 
criminals or not, something we never knew.
    None of that would have happened because all of it came 
with a privacy resistance, an international resistance that 
three Secretaries in a row have stood up to, to build a much 
clearer sense of who is coming across our borders so we focus 
our attention on the riskiest travelers. Chairman King, you 
mentioned all of the domestic attacks, many of them thwarted.
    What is little covered--although I think this committee 
knows it quite well--is that in practically every one of those 
CBP, thanks to its data programs, knew something about, and 
contributed to the thwarting of, those attacks, or the 
apprehension of the attackers. That is a complete change from 
where we were when the Homeland Security Act was passed.
    Finally, let me turn to someplace where I would give the 
Department, I guess, a B-plus for defending its turf but a D-
plus for actually making us safer. That is in cyber. We are not 
safer than we were when the Homeland Security Act was passed. 
Things have gotten worse there.
    We need to be doing much more. I believe that more 
regulatory authority is necessary. Certainly the Department 
needs a better relationship with NSA than they have today. But 
I think even without taking on the regulatory issue, there are 
ways to work with the private sector to build a better 
information-sharing system than we currently have without 
having to go back and change some of the privacy laws that have 
made it hard to do that.
    By opening up the resources of the private sector to 
actually fund more investigations. I won't dwell on that, but I 
think the Department, if they are serious about this, can make 
a big difference in cyber. But they are going to need to 
improve their workforce substantially.
    Thank you.
    [The prepared statement of Mr. Baker follows:]
                 Prepared Statement of Stewart A. Baker
                           September 20, 2012
    Thank you, Chairman King, Ranking Member Thompson, and 
distinguished Members of the committee, for this opportunity to testify 
on the state of the Department of Homeland Security.
    This is a timely hearing. We are approaching the tenth anniversary 
of the Homeland Security Act that created the Department. It's time to 
ask what the Department has done well, where it has failed, and how it 
can do better in the future.
                      where dhs still falls short
    I will cut to the chase. The Department's biggest unmet challenge 
is making sure that its components are working together to the same 
goal. This was a central objective of the Homeland Security Act. It 
combined many agencies into a single Department so that all of them 
would use their authorities cooperatively in the fight against 
    That may seem obvious, but this is Washington, and doing the 
obvious is not easy. The coordination efforts of a 10-year-old 
Department do not always impress component agencies that can trace 
their origins to the founding of the Republic.
    The good news of the last 10 years is that the Department has had 
three Secretaries who had no doubt about who was running the Department 
and who insisted on the cooperation of all parts of the Department to 
implement their highest priorities. The bad news is that, in my view, 
these accomplishments owe more to the Secretaries' personalities than 
to the institutions they have built. In general, the offices that 
support the Secretary, from the various management offices to the 
office of policy, have not created a framework that can coordinate the 
big, proud components of DHS on issues that are outside the spotlight 
of Secretarial attention.
    The need to strengthen those institutions is especially pressing 
now. We face a possible change of leadership at DHS no matter who wins 
the next election. And the Department faces a difficult budget outlook. 
Even in a time of record deficits, DHS's budget has hit a ceiling. 
There is almost no prospect of overall budget increases in the future, 
and cuts are likely. Budget decisions simply must be based on how each 
component's expenditures fit the Department's highest priorities. The 
Department will have to identify redundancies and may have to eliminate 
programs with powerful constituencies. If that is not done on the basis 
of a careful, institutionalized review of the Department's overall 
strategy, we will not use the scarce dollars that remain in a way that 
best protects the country. That would be a tragedy.
                           three case studies
    That, of course, is a very general evaluation. Let me be more 
specific about several important DHS initiatives.
1. Data-based security screening
    One of the Department's unquestionable successes is the way it has 
unified the Government's screening and enforcement on the border, 
something that was once a side business for three or four departments 
with other priorities. DHS realized early that it couldn't spend even 5 
minutes with every traveler who was crossing the border. Instead, it 
had to concentrate on the riskiest travelers, and to do that it needed 
more information about travelers, as far in advance as possible. As 
with so much at the Department, this has been a bipartisan priority; 
Secretary Napolitano has preserved and improved many data programs 
launched under earlier Secretaries. And DHS's data programs have 
contributed to the identification and apprehension of several travelers 
seeking to commit acts of terror on U.S. soil in recent years.
    This initiative has been a great success--one that could not have 
been achieved without the Department. The use of travel reservation 
(``PNR'') data to screen travelers has come under constant attack on 
bogus privacy grounds from the European Union, which has torn up its 
earlier agreement to honor the program every time a new Secretary has 
been sworn in. Every time, the new Secretary has insisted on 
maintaining the program.
    The Department has also gone on the offensive to get other 
important data about travelers. Before the Department was created, 
remarkably, our border inspectors had no way to know whether travelers 
from other countries had been convicted even of the most serious 
crimes. Now, thanks to the leverage of the Visa Waiver Program, every 
participating country other than Japan has a ``PCSC'' agreement with 
the United States, that will provide access to travelers' criminal 
records. The Department has also implemented ESTA, a ``reservation'' 
system that allows the Department to screen VWP travelers for potential 
risk before they begin their trips.
    The Department has further expanded available information by 
launching Global Entry, which speeds clearance at the border for 
travelers who have been vetted in advance. Going forward, it will have 
background information on frequent travelers from a number of foreign 
partners, including the Netherlands, South Korea, Germany, Australia, 
and Brazil. As a result, DHS can focus more resources on riskier 
    Finally, DHS has begun gathering more data in foreign airports, 
successfully posting U.S. Government officers there to interview and in 
some cases to pre-clear travelers, a security enhancement that benefits 
both the individual traveler and the host government.
    These data programs have improved the efficiency of border 
screening while also speeding most travelers across the border more 
quickly. Despite the hostility of privacy campaigners, the programs 
have proved themselves. There have been no known abuses of the data. 
This is a success that could only have been achieved by a unified 
Department. It is a success that DHS can be proud of.
    That does not mean that it is perfect. In my view, our 
international negotiation strategy needs a coherent plan, with 
priorities, to make sure we get the most important information about 
the riskiest travelers at least cost to the United States. I also fear 
that our last PNR agreement accepted too many of Europe's limitations 
on PNR while surrendering too many protections for the program. And I'm 
disappointed that we have not persuaded Japan to supply information 
about the yakuza, or professional criminals, who may be traveling to 
the United States. But these are tactical criticisms of a program that 
is a great strategic victory.
    Indeed, it is a victory that is paying dividends in airports around 
the country. Everyone likes to criticize TSA, and one of the most valid 
criticisms is that it treats all of us like suspected terrorists. 
What's less known is that this treatment was more or less mandated by 
privacy campaigners, who persuaded Congress that TSA could not be 
trusted with the same travel reservation data that our border officials 
use every day. Lacking any information about travelers, TSA had no 
choice but to treat them all alike.
    Now that the use of data for screening at the border has proven 
itself, the dam is beginning to break for TSA as well. TSA now has 
access to each traveler's name, gender, and date of birth. 
Increasingly, it also knows about the traveler's travel history, based 
on the voluntary provision of frequent flier data. It has shown how 
this data allows risk-based variations in screening, using date of 
birth to reduce screening hassles for children under 12 and seniors 
over 75. And overseas, in response to the Christmas day bomb attempt, 
CBP and TSA are combining forces to do data-based screening of 
passengers on U.S.-bound foreign flights. Finally, TSA is using Global 
Entry and other data to create a known traveler screening process for 
domestic flights.
    This is all great progress, though more is needed. In the next 5 
years, TSA should expand its use of data-based screening further, 
expediting travel for the great majority while demonstrating that it 
can be trusted with personal data. Because of past privacy limitations, 
it is likely that TSA will need Congressional assistance to achieve 
this goal.
2. Cybersecurity
    Sometimes it's easier to persuade the team to give you the ball 
than to actually run with it. That is DHS's problem in cybersecurity 
right now.
    DHS seems to have successfully fended off the many agencies and 
committees that wanted to seize parts of its cybersecurity mission. 
Whether DHS can carry out the mission, though, remains uncertain.
    Although the Homeland Security Act clearly gave DHS authority over 
civilian cybersecurity issues, it did not give DHS the kind of trained 
personnel it needed. Finding talented cyberwarriors is a challenge even 
for private-sector firms. Attracting them to the Department has been 
doubly difficult, especially with a hiring process that in my 
experience was largely dysfunctional. The Department's biggest 
challenge is hiring and maintaining a cybersecurity staff that can earn 
the respect of private cybersecurity experts. With the exception of a 
handful of officials, DHS has not yet built a cadre of employees who 
can match their counterparts at NSA or Goldman Sachs. This is critical. 
If DHS fails in personnel, it will likely fail in the rest of its 
cybersecurity-related activities.
    There are other challenges for DHS in cybersecurity. They include:
   Building a better relationship with NSA.--The outlines of a 
        working relationship with NSA are obvious. DHS should provide 
        policy guidance based in law and prudence for any cybersecurity 
        mission affecting the civilian sector, but it must rely heavily 
        on NSA's technical and operational expertise. This fundamental 
        truth has been obscured by personalities, mistrust, and 
        impatience on both sides. It's got to end, especially in the 
        face of adversaries who must find the squabbling email messages 
        especially amusing because they are reading them in real time.
   Gaining authority to insist on serious private-sector 
        security measures.--DHS has plenty of legislative authority to 
        cajole and convene the private sector in the name of 
        cybersecurity. It's been doing that for 10 years. The private 
        sector has paid only limited attention. In part that's because 
        DHS had only modest technical expertise to offer, but it's 
        largely because few industries felt a need to demonstrate to 
        DHS that they were taking its concerns seriously. That is one 
        reason that DHS needs at least some authority to demand that 
        industry respond to the cybersecurity threat, especially where 
        it poses risks to civilian life that are not adequately 
        recognized by the market. I fully recognize that cybersecurity 
        measures do not lend themselves to traditional command-and-
        control regulation, and that information technology is a major 
        driver for economic growth. That's a reason to be cautious 
        about how Government approaches the private sector. But it's 
        not a reason for Government to ignore the risk of a 
        cybersecurity meltdown. It's worth remembering that, for a 
        couple of decades, we were told that the financial derivatives 
        trade was too complex for traditional Government regulation and 
        a major driver of economic growth, and that the private sector 
        could do a better job of internalizing risk than any Government 
        regulator. We should not wait for the cybersecurity equivalent 
        of the financial meltdown to give DHS a larger role in 
        cybersecurity standards.
    Sometimes the businessmen arguing against regulation are wrong--so 
wrong that they end up hurting their own industries. I believe that 
this is true of those who oppose even the lightest form of 
cybersecurity standards. Most of the soft quasi-regulatory provisions 
that business groups rejected in talks with the Senate will likely be 
incorporated into an Executive Order that they will have little ability 
to influence. Even worse from their point of view, the pressure for 
legislation is likely to continue--and will become irresistible if we 
suffer a serious infrastructure failure as a result of hacking. In that 
event, the cybersecurity legislation that Congress adopts will have to 
go beyond the Executive Order and into the territory of much tougher 
regulation. By failing to adopt more limited legislation now, Congress 
is sowing the seeds for more aggressive regulation in the future.
    Moving beyond the fight over ``regulation''.--That said, DHS cannot 
wait for a National consensus on its regulatory role. There are many 
other steps that DHS could take to improve cybersecurity without 
touching the regulatory third rail. Let me outline a few of them here:
   Information-sharing.--It should be obvious why the targets 
        of cyber attacks need to share information. We can greatly 
        reduce the effectiveness of those attacks if we use the 
        experience of others to bolster our own defenses. As soon as 
        one victim discovers a new command-and-control server, or a new 
        piece of malware, or a new email address sending poisoned 
        files, that information can be used by other companies and 
        agencies to block similar attacks on their networks. This is 
        not information sharing of the ``let's sit around a table and 
        talk'' variety. It must be automated and must occur at the 
        speed of light, not at the speed of lawyers or bureaucrats.
    I supported CISPA, which would have set aside two poorly-conceived 
        and aging privacy laws that made it hard to implement such 
        sharing. I still do. But if CISPA is going to be blocked for a 
        time by privacy objections, as seems likely, we need to ask a 
        different question: Can the automated information-sharing 
        system that we need be built without rewriting those aging 
        privacy laws? I believe that it can; we simply need a more 
        creative and determined approach to the law. Administration 
        lawyers, who have taken an unnecessarily rigid view of existing 
        law, should be sent back to find ways to build automated 
        information sharing under existing law.
   Emphasize attribution.--We will never defend our way out of 
        the cybersecurity crisis. I know of no other crime where the 
        risk of apprehension is so low, and where we simply try to 
        build thicker and thicker defenses to protect ourselves.
    The obvious alternative is to identify the attackers and to find 
        ways to punish them. But many information security experts have 
        grown skeptical of this alternative. As they point out, 
        retribution depends on attribution, and attribution is 
        difficult; attackers can hop from country to country and from 
        server to server to protect their identities.
    That skepticism is outmoded, however. Investigators no longer need 
        to trace each hop the hackers take. Instead, they can find 
        other ways to compromise and then identify the attackers, 
        either by penetrating hacker networks directly or by observing 
        their behavior on compromised systems and finding behavioral 
        patterns that uniquely identify the attackers. It is harder and 
        harder for anyone to function in cyberspace without dropping 
        bits of identifying data here and there. If our security is 
        inherently flawed, so too is the security of our attackers. 
        This means that it is realistic to put attribution at the 
        center of our response to cyberattacks.
    We should take the offense, surrounding and breaking into hacker 
        networks to gather information about what they're stealing and 
        who they're giving it to. That kind of information will help us 
        prosecute criminals and embarrass state-sponsored attackers. It 
        will also allow us to tell the victim of an intrusion with some 
        precision who is in his network, what they want, and how to 
        stop them. DHS's intelligence analysis arm should be issuing 
        more such reports and fewer bland generalities about terrorism 
        risks for local law enforcement agencies.
   Use DHS law enforcement authorities more effectively.--Law 
        enforcement agencies have a vital role to play in 
        cybersecurity--even when the prospect of actually arresting the 
        attacker is remote. Law enforcement agencies have investigative 
        authorities, including search warrants and wiretaps, that can 
        help identify attackers. Those authorities should be used 
        strategically to aid in the overall attribution effort.
    The best way to achieve that goal is for DHS's cybersecurity office 
        to be fully coordinated with law enforcement agencies that have 
        criminal investigative authorities. By pooling information, 
        authorities, and resources, these agencies should pursue a 
        common strategy--one that identifies the bad guys, first to 
        disable their attacks and eventually to bring them to justice. 
        Coordination between DHS and the FBI may have its challenges, 
        but today it seems that there is only modest coordination even 
        between DHS's cybersecurity office and its own cybercrime 
        investigators. Certainly I have seen no sign that ICE and 
        Secret Service investigations are prioritized strategically 
        based on guidance from the DHS cybersecurity office. The result 
        is wasted opportunities and wasted resources. Instead, ICE and 
        Secret Service cybercrime investigators should be detached to a 
        task force run by the cybersecurity office as a way of 
        dramatizing the need for an all-of-DHS approach to the problem.
    Law enforcement authorities create a second opportunity that we are 
        not fully exploiting. Increasingly, it is law enforcement that 
        tells businesses they have been compromised. But usually the 
        first question from businesses is one best directed towards the 
        cyber defenders rather than the cyber cops: ``What can we do to 
        get the attacker out?'' This is a ``teachable moment,'' when 
        all of DHS's cyberdefense and industry-outreach capabilities 
        should be engaged, talking to the compromised company about the 
        nature of the intruder, his likely goals and tactics, and how 
        to defeat them. Currently, however, DHS's cybersecurity office 
        and its cybercrime investigators do not present themselves as a 
        unified team when visiting the victims of attacks. Better 
        coordination within the Department would pay dividends and 
        provide a model for coordination across Department lines.
   Recruit private-sector resources to the fight.--In my 
        private practice, I advise a fair number of companies who are 
        fighting on-going intrusions at a cost of $50 or $100 thousand 
        a week. The money they are spending is going almost entirely to 
        defensive measures. At the end of the process, they may succeed 
        in getting the intruder out of their system. But the next week, 
        the same intruder may get another employee to click on a 
        poisoned link and the whole process will begin again. It's a 
        treadmill. Like me, these companies see only one way off the 
        treadmill: To track the attackers, figure out who the attackers 
        are and where they're selling the information, and then 
        sanction the attackers and their customers.
    When private companies' cybersecurity executives were surveyed 
        recently, ``more than half thought their companies would be 
        well served by the ability to `strike back' against their 
        attackers.'' W. Fallon, Winning Cyber Battles Without Fighting, 
        Time (Aug. 27, 2012). And the FBI's top cybersecurity lawyer 
        just this week called our current strategy a ``failed 
        approach'' and urged that the Government enable hacking victims 
        ``to detect who's penetrating their systems and to take more 
        aggressive action to defend themselves.'' Washington Post (Sep. 
        17, 2012).
    He's right. But under Federal law, there are grave doubts about how 
        far a company can go in hacking the hackers. I happen to think 
        that some of those doubts are not well-founded, but only a very 
        brave company would ignore them.
    Now, there's no doubt that U.S. intelligence and law enforcement 
        agencies have the authority to conduct such an operation, but 
        by and large they don't. Complaining to them about even a 
        state-sponsored intrusion is like complaining to the D.C. 
        police that someone stole your bicycle. You might get a visit 
        from the police; you might get their sympathy; you might even 
        get advice on how to protect your next bicycle. What you won't 
        get is a serious investigation. There are just too many crimes 
        that have a higher priority.
    In my view, that's a mistake. The Department, drawing on the 
        resources of the entire Government, should do some full-bore 
        criminal and intelligence investigations of private-sector 
        intrusions, especially those that appear to be state-sponsored. 
        We can identify the attackers, and we can make them pay.
    But if we want to do that at scale, we have to let the victims 
        participate in, and pay for, investigations that the Government 
        will never have the resources to pursue. Too many Government 
        officials have viewed such private countermeasures as a kind of 
        vigilante lynch mob justice. That just shows a lack of 
        imagination. In the real world, if someone stops making 
        payments on a car loan but keeps the car, the lender doesn't 
        call the police; he hires a repo man. In the real world, if 
        your child is kidnapped, and the police aren't making it a 
        priority, you hire a private investigator. And, if I remember 
        correctly the westerns I watched growing up, if a gang robs the 
        town bank and the sheriff finds himself outnumbered, he 
        deputizes a posse of citizens to help him track the robbers 
        down. Not one of those solutions is the equivalent of a lynch 
        mob or of vigilante justice. Every one allows the victim to 
        supplement law enforcement while preserving social control and 
    DHS could probably experiment with that solution tomorrow if it 
        chose, as could the FBI. Its law enforcement agencies often 
        have probable cause for a search warrant or even a wiretap 
        order aimed at cyber intruders. I know of no legal barrier to 
        obtaining such an order, then relying on a private contractor 
        paid by the victims to actually carry out the search or the 
        tap, as long as that happens under Government supervision. (The 
        Antideficiency Act, which arguably prohibits the Government 
        from accepting free services, has more holes than my last pair 
        of hiking socks, including exceptions for protection of 
        property in emergencies and for gifts that also benefit the 
    If systematic looting of America's commercial secrets truly is a 
        crisis, and I believe that it is, why have we not already 
        unleashed the creativity and resources of the private sector 
        that attackers are victimizing?
    Mr. Chairman, that concludes my prepared testimony. I will be 
pleased to answer any questions the committee may have.

    Chairman King. Thank you, Secretary Baker.
    Our next witness, Frank Cilluffo, is associate vice 
president at George Washington University, where he directs the 
Homeland Security Policy Institute. I have had the privilege of 
being out there. You know, it is accurate to say that Mr. 
Cilluffo was present at the creation.
    Shortly after the 9/11 attacks, Mr. Cilluffo was appointed 
by the President to the Office of Homeland Security, and served 
as the principal advisor to Governor Tom Ridge. Prior to his 
White House appointment, Mr. Cilluffo served in policy 
positions at the Center for Strategic and International 
    His work has been widely published in academic, law, 
business, and policy journals, as well as magazines and 
newspapers around the world. Without giving away too much, I 
can tell you often, before we prepare our committee agenda or 
look into topics we are going to cover, we look at what you 
have been saying on it lately. We certainly appreciate your 
wisdom and input.
    With that, Mr. Cilluffo, I am privileged to recognize you 
for 5 minutes.


    Mr. Cilluffo. Thank you, Mr. Chairman. Thank you for the 
opportunity to appear before you today. Mr. Thompson, good to 
see you again, as well. Let me also, before jumping in--and I 
was asked to talk on the threat-related issues--thank you for 
your leadership in this committee. I mean, you really have 
taken on the hard issues facing this country.
    I think you have tackled them head-on. Not an easy set of 
issues. I will be very brief, not my strong suit as I have 
never had an unspoken thought. But what I thought I would do is 
touch on some of the counterterrorism issues that we see and 
the current terrorism threat, as well as some of the cyber 
challenges where I am very much in agreement with Stewart's 
    Firstly, as the recent terrorist attack in Benghazi clearly 
demonstrated, as well as unrest not only the Middle East, in 
North Africa, but also in Southeast Asia, there is no time to 
be lulled into a sense of complacency. A set of issues that I 
think a lot of people have been.
    Yes, we have had a number of successful counterterrorism 
events of late. Most notably, the successful strike against 
Osama bin-Laden, Anwar al-Awlaki, Ilyas Kashmiri, probably the 
most dangerous unknown terrorist out there. But by no means 
does this mean that ding-dong, the witch is dead.
    Unfortunately, what we have seen is the threat metastasize. 
It has morphed. Today, it comes in various shapes, sizes, 
flavors, and forms, ranging from al-Qaeda senior leadership, 
still operating out of the FATA as well as its affiliates, 
most notably al-Qaeda in the Arabian Peninsula; home to 
probably the world's most dangerous bomb maker, in Ibrahim al-
Asiri, to al-Qaeda in the Islamic Maghreb, which is growing 
leaps and bounds not only across the Maghreb but also 
throughout the Sahel, as well as like-minded jihadi 
organizations in the African continent as a whole.
    Ansar al-Dine in Mali, you are seeing Mauritania being 
taken over by Islamist groups, all the way through to the Horn 
of Africa, with Al Shabaab in Somalia. So the prognosis is not 
very good. Actually, if you have seen the way it has spread, I 
am not sure that some of our traditional counterterrorism 
instruments are the most appropriate right now.
    Moreover, the reason you have seen some success in the 
FATA is because we have--think of it as--suppressive fire. It 
is based on our successful counterterrorism initiatives. If we 
ease off that gas pedal, don't think that that vacuum isn't 
going to be instantaneously filled not only by al-Qaeda, but 
other like-minded individuals.
    Bottom line here is, is the more time they are looking over 
their shoulder the less time they are plotting, training, and 
executing attacks. So I just warn the Congress to be able to 
support some of our counterterrorism measures. African 
continent, I can get into that in greater depth later.
    But you literally are seeing swaths; the entire Maghreb, 
northwest Africa, all the way through from Mauritania to the 
Horn of Africa, in Somalia. These are areas where you are 
seeing Jihadi groups take advantage of under- and un-governed 
spaces. Why any of these regions? Because they are un-governed 
    I would also note that you have seen the homegrown threat 
in the United States. This is not an insignificant set of 
issues. We have had 58 cases, 58 plots, that have been 
prevented since 9/11. Some of those very significant. In New 
York City, for example, Najibullah Zazi. That was a very 
significant plot.
    That was blinking red as red could be red. Faisal Shahzad, 
also a very significant plot. So as much as we can lean forward 
and support our State and local law enforcement authorities, I 
think we need to be able to do so very quickly on cyber. I 
think it is fair to say that our cyber community is where 
homeland and counterterrorism community was shortly after 9/11.
    We have a lot to do. Long on nouns, short on verbs. We have 
been talking about it, but we are not actually addressing some 
of the most significant issues. To rack and stack the threat, 
you have got countries that are integrating computer network 
attack and computer network exploit into their warfighting 
    Russia, China, at the top of the list. But also, you have 
countries like North Korea, Iran, who are increasingly becoming 
a terrorist threat. Their proxies, Hezbollah, are of great 
concern. What they lack in capability they more than make up 
for in intent. In the cyber domain, you can buy capabilities.
    Intent and cash can take you a long way, something I think 
we need to be thinking about. Finally, in terms of 
recommendations--and I will be very quick here--one policy 
recommendation. The biggest, biggest missing dimension of our 
counterterrorism statecraft thus far, in my eyes, has been, 
``It is the ideology.'' To paraphrase Bill Clinton, it is not, 
``the economy, stupid,'' but, in this case, ``the ideology, 
    We have got to get a comprehensive approach that exposes 
the hypocrisy of the jihadists and ultimately helps facilitate 
it fall under its own weight. Think of negative political 
campaigning. We need to do more in this respect. We also need 
to start focusing on the victims, not only the perpetrators.
    Ultimately, to me, this is where we have an awful lot we 
should and can do beyond the traditional battlefields. Second, 
a structural one. That Department of Homeland Security, I would 
argue, needs an office of net assessment; someone who is not 
fettered by day-to-day intelligence needs, not fettered by day-
to-day policy needs, but has the ability to step back, think 
big, ask the what-ifs, look for the game-changers.
    That doesn't currently exist because everyone is running 
out of their inboxes daily. A very tactical one, NPPD as well 
as intelligence and analysis at DHS. I think they have a very 
unique thing that they can bring to the counterterrorism fight. 
That is, coming up with new intelligence products that are very 
oriented around critical infrastructures.
    No one else in the intelligence community has that 
capability. We need to make that a reality. Information 
sharing, we have got to move at least the CISPA bill that Mr. 
Rogers and others had proposed, if you ask me. Is it enough? 
Probably not. But at the very least, we need to move on those 
    Finally, in the cyber domain we are never going to firewall 
our way out of the problem. At the end of the day, the 
initiative stands with the offender, on the offense. So we have 
got to clearly articulate a cyber deterrent strategy, one that 
is actor-specific. Because right now, we are lumping China and 
Russia with a kid operating out of his basement, drinking a lot 
of Jolt Cola or whatever they drink nowadays.
    But at the end of the day we need to get to the point where 
we can actually have a clearly articulated cyber deterrent 
strategy, and one that we are willing to act when red lines are 
    Thank you, Mr. Chairman.
    [The prepared statement of Mr. Cilluffo follows:]
                     Statement of Frank J. Cilluffo
                           September 20, 2012
    Chairman King, Ranking Member Thompson, and distinguished Members 
of the committee, thank you for the opportunity to testify before you 
today. Throughout your tenure as Chairman of this committee, 
Congressman King, you have consistently taken on the hard issues facing 
our country, and have committed to addressing them. Thank you for your 
leadership. Turning to the timing and subject of today's hearing, both 
are well-selected. As recent events from the Middle East and North 
Africa through to Southeast Asia regrettably illustrate, violent 
extremism continues to thrive. With the United States and its interests 
still in the cross-hairs of jihadi and Islamist militants across the 
globe, the present moment is sadly opportune to assess the activities 
of the Department of Homeland Security (DHS) and give careful 
consideration to a roadmap for its future. Despite significant 
progress, especially on the counterterrorism front, the existing and 
projected threat climate is such that continued vigilance and a robust 
as well as proactive posture is needed--not only at DHS but throughout 
Government, at all levels, and supported by approaches that effectively 
integrate the private sector and the efforts of individual citizens 
  the threat ecosystem of today and tomorrow: challenges for dhs and 
    Al-Qaeda (AQ) has been a shrewd practitioner of the art of stoking, 
piggybacking upon, and exploiting local grievances in order to further 
AQ's own goals and objectives and the broader global jihad. In a 
military context, this is referred to as tactical, operational, and 
strategic ``swarming''; and it has clearly been adopted by others as 
well, as recent incidents around the globe have unfortunately 
demonstrated. Usama bin Laden may be dead, but the toxic ideology that 
he left behind lives on, and the narrative that it informs continues to 
resonate powerfully in certain quarters. Today perhaps the most 
significant locus of his legacy and methods is in Africa; though 
Pakistan's Federally Administered Tribal Areas, better known as FATA, 
remain a combustible region, one where it would be imprudent to ease up 
on U.S. pressure against militants.\1\
    \1\ U.S. military actions, including the use of drones, have had 
significant operational effects on al-Qaeda (and associated entities) 
by disrupting foreign fighter pipelines to the region, activities of 
key facilitators, and training camps. Think of it as suppressive fire. 
The more time al-Qaeda and associated entities spend looking over their 
shoulders, the less time they have to train, plot, and execute 
terrorist attacks. And with al-Qaeda senior leaders on their back 
heels, now is the time to exploit this unique window of 
counterterrorism opportunity by maintaining the operational tempo to 
consolidate these gains.
    In Africa, al-Qaeda in the Arabian Peninsula (AQAP), al-Qaeda in 
the Islamic Maghreb (AQIM), Al Shabab (Somalia), Ansar al-Dine (Mali), 
Boko Haram (Nigeria), and their ilk persist in sowing discord and 
violence in a cross-continental swath ranging from east to west, 
leaving not even Timbuktu untouched. Indeed, even Yemen, the subject of 
significant counterterror efforts on the part of the United States (and 
others), remains home to AQAP and to one of the world's most dangerous 
bomb-makers, Ibrahim al-Asiri. Notwithstanding U.S. and allied 
counterterrorism efforts that have yielded a good measure of success, 
these terror affiliates remain committed to carrying forward the mantle 
of bin Laden, and to exploiting both ungoverned and under-governed 
spaces. The latter tactic pre-dated the Arab Spring, but evidenced 
reinforcement and magnification thereafter. The tragic violence of 
recent days, beginning in Benghazi and directed against U.S. personnel 
and interests (and those of allies), may come to further prove this 
point, though key facts remain under investigation.
    As observed in a report on Mauritania published earlier this year 
by the Carnegie Endowment for International Peace, Africa is a hot spot 
because of the confluence of multiple factors, including poverty, 
corruption, and weak governance. The ensuing void left in countries 
like Mauritania, where state infrastructure like the education system 
is weak, offers an opening to ``mahadras'' (religious schools) 
propagating violent ideologies, which in turn spur the growth of 
militancy. The outlook for the Continent is not entirely bleak however; 
as the study points out, ``there is a high level of distrust between 
black Africans and AQIM, a movement led and dominated by Arabs''--which 
portends a recruitment challenge for al-Qaeda forces in the area, at 
least in the longer term.\2\ The outcome is not predetermined, though, 
as AQ was able to surmount and ingrain itself into the tribal 
populations indigenous to the FATA by pursuing a concerted strategy of 
marrying into these clans. Whether a similar or other course might 
further pave the way for inroads into African countries remains to be 
seen and merits continued U.S. vigilance, as well as that of our 
    \2\ Anouar Boukhars, The Drivers of Insecurity in Mauritania 
Carnegie Paper (April 2012) http://carnegieendowment.org/2012/04/30/
    The various terrorist organizations cited above are exhibiting, 
moreover, an increasing willingness to reach out and partner with one 
another, as well as with others, who may be able to help build their 
indigenous capacities and further their particular goals. The twin 
phenomena of violent extremism and cross-group cooperation of such 
forces is assuredly not limited to Africa, and extends to the veritable 
witch's brew of forces that ranges from Iraq, Pakistan, and the 
Caucasus, to Mali, Nigeria, and Somalia--where militants linked to al-
Qaeda tried to kill the country's new President just last week in a 
double suicide/homicide blast. Pakistan is especially complex, and 
dangerous. Groups that were once regionally focused now subscribe ever-
more to al-Qaeda's goals and the broader global jihad. This toxic blend 
includes the Haqqani network,\3\ Lashkar-e-Taiba (LeT), Tehrik-i-
Taliban Pakistan, Harkat-ul-Jihad al-Islami (HuJI), Jaish-e-Mohammed, 
and the Islamic Movement of Uzbekistan; all of which cooperate with al-
Qaeda on a tactical and sometimes strategic basis, linked by an 
affinity for militant Islamist ideology--with United States, Indian, 
Israeli, and Western targets increasingly in their cross-hairs. 
Historically, collaborative efforts among such groups were primarily 
linked to covert logistical support, including the provision of money, 
safe havens, and arms, as well as the movement back and forth of key 
personnel from one entity to another.
    \3\ Recently designated a Foreign Terrorist Organization by the 
Department of State (a too-long delayed move, though one rightly 
supported by the Chairman of this Committee). http://
20120907135632.html#axzz26kbUie00; see also Frank J. Cilluffo, ``U.S.-
India Counterterrorism Cooperation: Deepening the Partnership'' Hearing 
before the House of Representatives Committee on Foreign Affairs, 
Subcommittee on Terrorism, Non-proliferation and Trade (September 14, 
2011) http://www.gwumc.edu/hspi/policy/testimony9.13.11_cilluffo.pdf.
    Not so today, where the relationships between terrorist groups are 
becoming more overt and strategic in nature. As events on the ground in 
Syria demonstrate, there will be no shortage of opportunities for 
foreign fighters who wish to travel to jihadi conflict zones. Consider 
also Africa, where the head of U.S. Africa Command General Carter Ham 
has stated that ``the linkages between AQIM and Boko Haram are probably 
the most worrisome in terms of the indications we have that they are 
likely sharing funds, training and explosive materials that can be 
quite dangerous.''\4\ So too closer to home, where the Commander of 
U.S. Southern Command General Douglas M. Fraser has observed a similar 
type of convergence (based on convenience) between terrorist and 
criminal organizations in the Tri-Border area of Argentina, Brazil, and 
Paraguay.\5\ Within the Continental United States, furthermore, the New 
York City Police Department has expanded its decade-plus focus on core 
al-Qaeda, affiliates, and the homegrown threat (inspired by AQ), to 
include Iran and Hezbollah--as part of NYPD's continuing efforts to 
build a robust and independent counterterror posture for the City of 
New York.\6\ In turn, the Los Angeles Police Department recently 
elevated the government of Iran and its proxies (notably Hezbollah) to 
a Tier I threat.\7\ This last development is particularly concerning 
given Iran's on-going drive to achieve nuclear weapons capability, and 
the statement this month of Lebanese Hezbollah leader Sayyed Hassan 
Nasrallah to the effect that there will be no distinction drawn between 
Israel and the United States in terms of retaliation, should Israel 
attack Iran to halt its progress toward the nuclear goal: ``If Israel 
targets Iran, America bears responsibility.''\8\ Both the Director of 
the (U.S.) National Counterterrorism Center and the Director of 
National Intelligence have underscored concern about Iran and their 
proxies, suggesting respectively in recent testimony (the former before 
this committee) that ``Iran remains the foremost state sponsor of 
terrorism''\9\; and that Iran is ``now more willing to conduct an 
attack in the United States.''\10\
    \4\ Tristan McConnell, ``Triple threat: Coordination suspected 
between African terrorist organizations'' Global Post (June 26, 2012) 
    \5\ Statement before the Senate Armed Services Committee (March 6, 
2012) http://www.armed-services.senate.gov/statemnt/2012/03%20March/
    \6\ Testimony of Mitchell D. Silber before the U.S. House of 
Representatives Committee on Homeland Security Iran, Hezbollah, and the 
Threat to the Homeland (March 21, 2012) http://homeland.house.gov/
    \7\ Frank J. Cilluffo, Sharon L. Cardash, and Michael Downing, ``Is 
America's view of Iran and Hezbollah dangerously out of date?'' 
FoxNews.com (March 20, 2012) http://www.foxnews.com/opinion/2012/03/20/
    \8\ Reuters, ``Nasrallah: Iran could strike US bases if attacked'' 
The Jerusalem Post (September 3, 2012) http://www.jpost.com/
    \9\ Matthew G. Olsen, ``Understanding the Homeland Threat 
Landscape'' Hearing before the House Committee on Homeland Security 
(July 25, 2012) http://homeland.house.gov/sites/homeland.house.gov/
    \10\ James R. Clapper, ``Unclassified Statement for the Record on 
the Worldwide Threat Assessment of the US Intelligence Community for 
the Senate Select Committee on Intelligence'' (January 31, 2012) http:/
    All this to say there is little ground for complacency, as toxic 
forces converge and cooperate in multiple spots across the globe, more 
than ever before; as ideology and narrative continue to inspire, 
including those here in the United States--recall that 58-plus 
homegrown jihadi terrorism plots have been discovered in this country 
since 9/11; and as foreign fighters return to their homelands battle-
hardened and armed with Western passports--10 feet tall in the eyes of 
those who admire their exploits, and more importantly, a direct threat 
to Western security given their familiarity with potential targets they 
may select to attack.\11\ Where foreign fighters are concerned, so-
called ``bridge figures'' are of special importance, as they ensure 
that particular fighter pool is replenished, by helping to inspire, 
radicalize, and motivate. These figures exude charisma, and exhibit 
cultural and linguistic fluency as well as other skills that propel 
them to positions of leadership, guidance, and prominence. Abdullah al-
Faisal, a Jamaican with ties to shoe bomber Richard Reid and to 
(attempted) Times Square bomber Faisal Shahzad, is but one example.\12\
    \11\ Frank J. Cilluffo, ``Open Relationship'' ForeignPolicy.com 
(February 15, 2012) http://www.foreignpolicy.com/articles/2012/02/15/
open_relationship?page=0,0; and Jerome P. Bjelopera ``American Jihadist 
Terrorism: Combating a Complex Threat'' CRS Report for Congress 
(November 15, 2011) http://www.fas.org/sgp/crs/terror/R41416.pdf (but 
note that numbers have increased since the Report was published).
    \12\ Frank J. Cilluffo, Jeffrey B. Cozzens, and Magnus Ranstorp, 
Foreign Fighters: Trends, Trajectories & Conflict Zones (October 1, 
2010) http://www.gwumc.edu/hspi/policy/report_foreignfighters501.pdf.
    Just as the threat has gravitated and metastasized to areas in the 
physical world that will best support the ideology and activities at 
issue, so too has the threat taken hold in (and of) the cyber domain--
where terrorists are still afforded too much freedom of maneuver. Being 
squeezed in Pakistan's FATA, the Sahel, Yemen, or elsewhere, does not 
mean ``game over'' when the internet offers a transnational base and 
springboard for a variety of operations, including fundraising, 
recruitment, planning, training, and even implementation and execution 
of plots and plans.\13\ As I outlined in testimony before the Senate 5 
years ago: ``Extremists value the internet so highly that some have 
adopted the slogan `keyboard equals Kalashnikov'. Terrorist groups now 
have their own media production arms (al-Qaeda relies on As-Sahab and 
the Global Islamic Media Front, for example). Terrorists produce their 
own television programs and stations, websites, chat rooms, on-line 
forums, video games, videos, songs, and radio broadcasts.''\14\ Having 
said that, and as I have indicated in further Senate testimony, this 
one more than a decade ago: ``Bits, bytes, bugs, and gas will never 
replace bullets and bombs as the terrorist weapon of choice.''\15\
    \13\ The George Washington University Homeland Security Policy 
Institute (HSPI) and the University of Virginia Critical Incident 
Analysis Group (CIAG), NETworked Radicalization (Special Report: May 
2007) http://www.gwumc.edu/hspi/policy/NETworkedRadicalization.pdf.
    \14\ ``The Internet: A Portal to Violent Islamist Extremism'' (May 
3, 2007) http://www.gwumc.edu/hspi/policy/testimony5.3.07_cilluffo.pdf.
    \15\ ``Critical Infrastructure Protection: Who's In Charge'' 
(October 4, 2001) http://www.gwumc.edu/hspi/policy/
    However, as kinetic measures (U.S. and allied) generate gains in 
the real-world, this may lead al-Qaeda and its sympathizers to enter 
even more deeply into the cyber domain. Indeed, al-Qaeda and their 
jihadi ilk may be surfing in the wake of ``Anonymous'' and other such 
groups, to learn from and perhaps also exploit their actions. The cyber 
threat writ large is much broader and more multifaceted, though. It may 
emanate from individual hackers, ``hacktivists,'' criminal or terrorist 
groups, nation-states or those that they sponsor. Moreover, the threat 
spectrum affects the public and private sectors, the interface and 
intersections between them, as well as individual citizens. From a 
homeland security perspective, foreign states are (by and large) our 
principal concerns in the cyber domain, at least in terms of 
sophistication; specifically those countries that pose an advanced and 
persistent threat, namely Russia and China. Their tactics may also be 
exploited by others.\16\ Furthermore, as laid out in my testimony to a 
joint hearing of two subcommittees of this body in April 2012, the 
government of Iran and its terrorist proxies are serious concerns in 
the cyber context. What Iran may lack in capability, it makes up for in 
intent; and our adversaries do not need highly sophisticated 
capabilities--just intent and cash--as there exists an arms bazaar of 
cyber weapons, allowing our adversaries to buy or rent the tools they 
need or seek.\17\
    \16\ Frank J. Cilluffo, ``The U.S. Response to Cybersecurity 
Threats'' American Foreign Policy Council (AFPC) Defense Dossier 
(August 2012) http://www.afpc.org/files/august2012.pdf; see also Office 
of the National Counterintelligence Executive (NCIX), Foreign Spies 
Stealing U.S. Economic Secrets in Cyber Space: Report to Congress on 
Foreign Economic Collection and Industrial Espionage 2009-2011 (October 
2011) http://www.ncix.gov/publications/reports/fecie_all/
    \17\ ``The Iranian Cyber Threat to the United States'' Statement 
before the House of Representatives Committee on Homeland Security, 
Subcommittees on Counterterrorism and Intelligence, and on 
Cybersecurity, Infrastructure Protection, and Security Technologies 
(April 26, 2012) http://www.gwumc.edu/hspi/policy/
Iran%20Cyber%20Testimony%204.26.12%20Frank%20- Cilluffo.pdf.
    The cyber threat (and supporting technology) has markedly outpaced 
our prevention and response efforts. Use of cyber means as a force 
multiplier for kinetic activities, which would represent the 
convergence of the physical and cyber worlds, constitutes probably the 
area of greatest concern over the next 5 to 10 years. Foreign 
militaries are increasingly integrating computer network attack (CNA) 
and computer network exploitation (CNE) capabilities into their 
warfighting, and military planning and doctrine.\18\ Such activity may 
involve ``intelligence preparation of the battlefield,'' to include the 
mapping of perceived adversaries' critical infrastructures. To my mind, 
the line between this type of reconnaissance and an act of aggression 
is very thin, turning only on the matter of intent. Foreign 
intelligence services, too, are engaging in cyber espionage against us, 
often combining technical and human intelligence in their exploits. 
Here, everything from critical infrastructure to intellectual property 
is potentially at risk. These exploits permit others to leapfrog many 
bounds beyond their rightful place in the innovation cycle, by 
profiting from (theft of) the research and development in which private 
and public U.S. entities invested heavily. At worst, these exploits 
hold the potential to significantly degrade our National defense and 
National security, and thereby undermine the trust and confidence of 
the American people in their Government.
    \18\ Bryan Krekel, Patton Adams, and George Bakos, Occupying the 
Information High Ground: Chinese Capabilities for Computer Network 
Operations and Cyber Espionage, Prepared for the U.S.-China Economic 
and Security Review Commission by Northrop Grumman Corporation (March 
7, 2012) p. 54 http://www.uscc.gov/RFP/2012/USCC%20Report_Chinese_Capa- 
    New opportunities for resilience, generated by forces including 
changing technologies, will assuredly present themselves. Indeed it is 
this ability to reconstitute, recover, and get back on our feet is in 
fact perhaps the best deterrent. The storms that battered the National 
Capital Region this summer leaving close to a million people without 
power during a week-long heat wave are instructive in terms of our 
shortcomings on resilience. Mother Nature may be a formidable 
adversary, but just imagine the level of damage and destruction that a 
determined and creative enemy could have wrought. There is no lack of 
trying, as a recently published DHS report makes clear, noting the 
spike in attacks (from 9 incidents to 198) against U.S. critical 
infrastructure from 2009 to 2011.\19\ The good news, on the other hand, 
is that the most serious of these incidents could have been avoided 
through the adoption of basic security steps and best practices. The 
bad news, of course, is that these fundamental measures were not yet 
put into place.
    \19\ Suzanne Kelly ``Homeland security cites sharp rise in cyber 
attacks'' CNN.com (July 4, 2012). http://security.blogs.cnn.com/2012/
                       dhs: a look back and ahead
    Looking ahead, U.S. and allied counterterrorism efforts that 
achieved localized successes must be woven into a larger, sustained, 
and strategic effort; one that continues to apply targeted pressure to 
deny adversaries the time and space to maneuver, including in 
cyberspace. Since the threat now comes in various shapes, sizes, and 
forms--ranging from al-Qaeda's Senior Leadership (Ayman al-Zawahiri and 
his top deputies), to its principal franchises and affiliates, to 
individuals inspired by (if not directly connected to) al-Qaeda's 
ideology, which includes the ``home-grown'' threat--the U.S. response, 
and that of DHS in turn, must be at once both sufficiently 
comprehensive in scope and sufficiently nimble in approach to address 
effectively the multi-dimensional threat landscape of today as well as 
    Unfortunately our efforts to counter and defeat the jihadist 
ideology have been lacking, with the result that the terrorist 
narrative lives on, and continues to attract and inspire those who wish 
us harm. A sustained, comprehensive, integrated, and effective effort 
to combat violent Islamist extremism is, in my view, the biggest 
element missing from U.S. statecraft on counterterrorism. Although the 
Department of State's Center for Strategic Counterterrorism 
Communications (CSCC) is doing some good work and represents a positive 
development in this space, now is the time to double down, do more, and 
hit back harder. The power of negative imagery, as in a political 
campaign, could be harnessed to hurt our adversaries and further chip 
away at their appeal and credibility in the eyes of peers, followers, 
and sympathizers. A sustained and systemic strategic communications 
effort aimed at exposing the hypocrisy of Islamists' words versus their 
deeds, could knock them off balance, as could embarrassing their 
leadership by bringing to light their seamy connections to criminal 
enterprises and drug-trafficking organizations. The increasingly hybrid 
nature of the threat presents additional opportunities in this last 
regard, as drugs and arms trafficking are used to finance terrorism, 
and so too kidnapping for ransom (think Abu Sayyaf and AQIM). Brokering 
in-fighting between and among al-Qaeda, its affiliates, and the broader 
jihadi orbit in which they reside, will damage violent Islamists' 
capability to propagate their message and organize operations both at 
home and abroad. Locally administered programs are especially 
significant, as many of the solutions reside outside the U.S. 
Government and will require communities policing themselves. In short, 
we could and should do more to drive wedges and foment distrust 
(including by exploiting points of conflict between local interests and 
the larger global aims of AQ); encourage defectors; delegitimize and 
disaggregate our adversaries' narrative; and above all, remember the 
    \20\ Frank J. Cilluffo, ``The Future of Homeland Security: Evolving 
and Emerging Threats'' Hearing Before the Senate Committee on Homeland 
Security & Governmental Affairs (July 11, 2012) http://www.gwumc.edu/
    As the distinction between home and abroad increasingly blurs, due 
in part to technologies and tools such as social media, it is important 
to study and ultimately institutionalize counterterrorism lessons 
learned elsewhere, including about tactics, techniques, and procedures. 
In the aftermath of the ``26-11'' Mumbai attacks, for instance, the Los 
Angeles, Las Vegas, and New York City Police Departments each sent a 
team of experts to Mumbai. The objective was to meet with Indian 
counterparts to learn about Mumbai's response model and then-existing 
loopholes, which knowledge LAPD, LVPD, and NYPD could then apply to 
their home cities, with an eye to closing gaps in their own 
counterterrorism strategies and operations. More initiatives of this 
kind are needed, as is the continuation of those that already exist 
(such as police exchanges). Endeavors of this type are particularly 
important in a resource-scarce environment, as they can help avoid the 
need to reinvent the wheel.\21\
    \21\ Cilluffo, ``U.S.-India Counterterrorism Cooperation.''
    To obtain a truly ``rich picture'' of the threat in this country, 
we must focus on the field--not the Beltway. As recent history shows, 
the military and intelligence communities have come to just such a 
field bias. For the counterterrorism community to do otherwise is to 
risk stifling and stymieing the good work being done where the rubber 
meets the road. State and local authorities can and should complement 
what the Federal Government does not have the capacity or resources to 
collect (or is simply not best-suited to do) in terms of intelligence; 
and thereby help determine the scope and contours of threat domains in 
the United States. Further leveraging our decentralized law enforcement 
infrastructure could also serve to better power our Fusion Centers, 
which should be given ample opportunity to flourish. The equivalent of 
Commanders' Intent, which gives those in the field the leeway to do 
what they need to do and which incorporates an honest ``hotwash'' after 
the fact to determine what went wrong and how to fix that, is needed in 
the present civilian context for counterterrorism and intelligence 
purposes. Moreover, opportunities still exist to tap and apply 
intelligence and information from the field of organized crime to the 
field of counterterrorism, and vice versa. Hybrid thinking that marries 
up the two fields in this way, in order to further build our reservoir 
of knowledge on the counterterrorism side could prove valuable.
    Straightforward yet powerful steps remain to be taken. This was 
revealed starkly in multiple rounds of survey work--first with the 
major metropolitan intelligence chiefs and later with the fusion 
centers--that the Homeland Security Policy Institute (HSPI) recently 
completed in an attempt to bring a little science to the art of 
intelligence. For example, too few Fusion Centers currently do threat 
assessments. This is unacceptable, especially in a climate of limited 
resources in which allocation decisions (regarding human, capital, and 
financial resources) should be priority-ordered, meaning that scarce 
resources should be directed to those counter-threat measures, gaps, 
and shortfalls that constitute areas of greatest need. And Fusion 
Center-specific threat assessments are just a start. Regional threat 
assessments are also needed. Our adversaries do not respect local, 
State, or even National boundaries; hence our response posture must be 
similarly nimble and cohesive. Yet according to HSPI survey research 
published in June of this year, only 29% of Fusion Center respondents 
reported that their Center conducted a regional threat assessment on at 
least a yearly basis. Almost half reported that their Centers simply 
did not conduct regional threat assessments. Furthermore, those working 
in the Fusion Centers have yet to be invested with the analytical 
skill-craft and training necessary for them to accomplish their 
mission. Current incentive structures place too much emphasis on 
information processing and not enough on analytical outcome. Greater 
resources should be allocated to the professional development of those 
working in the Centers. Within them lies untapped collection and 
analysis potential. Realizing and unleashing that potential will 
further bolster State and local law enforcement efforts, and help 
develop anticipatory intelligence to prevent terrorist attacks and the 
proliferation of criminal enterprise operations.\22\ In tandem, and 
without taking anything away from the Fusion Centers, Joint Regional 
Intelligence Groups (JRIGs) also have a role to play, including by 
helping to place National threat information into State and local 
    \22\ Frank J. Cilluffo, Joseph R. Clark, Michael P. Downing, and 
Keith D. Squires ``Counterterrorism Intelligence: Fusion Center 
Perspectives'' HSPI Counterterrorism Intelligence Survey Research 
(CTISR) (June 2012). http://www.gwumc.edu/hspi/policy/
HSPI%20Counterterrorism- %20Intelligence%20-
%20Fusion%20Center%20Perspectives%206-26-12.pdf. See also Frank J. 
Cilluffo, Joseph R. Clark, and Michael P. Downing ``Counterterrorism 
Intelligence: Law Enforcement Perspectives'' CTISR (September 2011). 
    DHS continues to mature over time. However its capacities generally 
still remain reactive in nature. As a result, the Department's internal 
capabilities to assess future threats and then take actions are not yet 
evolved to the level that the security ecosystem demands. This is a 
significant shortfall, especially relative to the cyber domain where 
threats may morph and metastasize in milliseconds. Volume and pace in 
the cyber arena alone make for a serious challenge, including the 
potential for damage to critical U.S. infrastructure such as water and 
power systems, and telecommunications and finance. Since (as mentioned 
above) cyber tools/attacks may also be leveraged, acting as a force 
multiplier in connection with kinetic actions undertaken by our 
adversaries, the ability to look over the horizon and think creatively, 
including through the eyes of those who may bear hostile 
intent towards this country, is to be prized. Yet DHS does not 
currently have the built-in structural capacity to do so. Precisely 
because the Department must be able to respond to a wide range of 
threats that may materialize quickly, an Office of Net Assessment (ONA) 
could and should be created.
    The ONA would fill the much-needed role of brain trust, while 
remaining unfettered by the ``crisis du jour'' or the day-to-day 
demands flowing from intelligence needs and operations. The ever-
shifting and unpredictable security environment facing the United 
States requires the constant questioning of assumptions, the asking of 
what-ifs, and the thinking of the unthinkable, all in order to identify 
game changers. The ONA should take a comprehensive, multi-disciplinary 
approach to its analysis, looking at the full range of factors which 
will alter and shape the security environment of the future, including 
social, political, technological, economic, demographic, and other 
trends. The duties of ONA should include studying existing threats in 
order to project their evolution into the future; studying trends in 
the weapons, technologies, modalities, and targets utilized by our 
adversaries (i.e., the events that can transform the security 
landscape); reviewing existing U.S. capabilities in order to identify 
gaps between current capabilities and the requirements of tomorrow's 
threats; conducting war games and red team scenarios to introduce 
innovative thinking on possible future threats; assessing how terrorist 
groups/cells could operate around, and/or marginalize the effectiveness 
of, policies and protective measures. Admittedly, this is a tall order. 
The alternative, however, is to walk into the future partly blind and 
thus remain more vulnerable than we need to or should be.
    This proposal is not new, I should add. To the contrary, it 
appeared in the January 2007 Homeland Security Advisory Council Report 
of the Future of Terrorism Task Force, for which I served as Vice 
Chairman together with Chairman Lee Hamilton.\23\ Now is the time--
indeed it is well past time--to take this recommendation off the page 
and enact it. Our adversaries are patient and they are long-term 
thinkers whose horizons extend well beyond weeks and months. To help 
counter them effectively, we must not lose sight of the long game 
either. Indeed, the general qualities needed from an organizational 
standpoint (U.S./DHS) mirror many of the traits that our adversaries 
have exhibited over time. They are proactive, innovative, well-
networked, flexible, patient, young and enthusiastic, technologically 
savvy, and learn and adapt continuously based upon both successful and 
failed operations around the globe. We and our Government must be and 
do likewise. Our institutions, both their structure and culture, must 
be responsive to the ever-changing threat environment. This entails 
much more than rearranging boxes on an organization chart. Together 
with policy and technology, people are a crucial component of the 
equation. Organizational change will not take root unless supported by 
cultural change, which in turn takes time, leadership, and both 
individual and community commitment. Many at DHS have worked long and 
hard to bring about a cohesive and collaborative culture that drives 
mission success; but we would do well to keep striving on that front, 
if only because sustaining an end-state can be as difficult as arriving 
at it in the first place.
    \23\ http://www.dhs.gov/xlibrary/assets/hsac-future-terrorism-
    The type of forward-leaning assessment and evaluation described 
above could have a range of salutary knock-on effects, including the 
possibility of better-calibrated budgeting, operational planning, and 
acquisitions, through the provision of a foundation from which forward-
estimates may be derived. As things now stand, the Department still has 
a ways to go in terms of aligning actions with future threats--although 
the Quadrennial Homeland Security Review (QHSR), while less than 
perfect, has served as a useful starting point. Still, as a mechanism 
and process for helping to bring DHS resources and plans into sync with 
the threat environment, the QHSR is not as forward-leaning as it could 
or should be. The country would be better served by a more robust 
posture and process, one that anticipates threats before they manifest, 
and that allows the Secretary to determine what tools are needed for 
meeting them, what force structure is needed (at the Federal, State, 
and local levels), and what resources are needed from Congress to make 
that plan a reality. Importantly, we do not yet have a true ``rich 
picture'' of the domestic threat landscape because the National 
Intelligence Estimate (NIE) does not fully elaborate upon that 
dimension. This gap must be remedied, with State and local officials at 
the heart of that exercise, because they are best-positioned to 
undertake the task.
    Cyber threats in particular manifest in nanoseconds, and we need to 
be able to enact cyber response measures that are almost as quick. This 
means developing and implementing an ``active defense'' capability to 
immediately attribute and counter attacks and future threats in real-
time. Although much work remains to be done on the counterterrorism 
side, the country has achieved significant progress in this area. In 
contrast, the U.S. cybersecurity community's state of development is 
akin to that of the counterterrorism community as it stood shortly 
after 9/11. Despite multiple incidents that could have served as 
galvanizing events to shore up U.S. resolve to formulate and implement 
the changes that are needed, and not just within Government, we have 
yet to take those necessary steps. Officials in the homeland security 
community should therefore undertake contingency planning that 
incorporates attacks on U.S. infrastructure. At minimum, ``red-
teaming'' and additional threat assessments are needed. The latter 
should include modalities of attack and potential consequences. Working 
together with DHS Intelligence and Analysis colleagues, the 
Department's National Protection and Programs Directorate (NPPD) could 
and should do more in terms of threat and intelligence reporting, 
especially in relation to critical infrastructure, where DHS is well-
positioned to add real and unique value given the Department's 
relationship with and responsibilities towards the private sector. 
Consider the cyber-attacks on Saudi Aramco and Qatari RasGas this past 
summer, which hit thousands of computers at these critical oil and gas 
producers with a virus. As events unfolded, one would expect that 
counterpart industries here in the United States would have welcomed 
DHS products that directly assessed these events and kept U.S. owners 
and operators abreast of latest developments, their broader 
significance and potential follow-on implications.
    The United States should also develop and clearly articulate a 
cyber-deterrence strategy. Such a deterrence policy should apply 
generally, and also in a tailored manner that is actor/adversary-
specific. A solid general posture could serve as an 80 percent 
solution, neutralizing the majority of threats before they manifest 
fully. This, in turn, would free up resources (human, capital, 
technological, etc.) to focus our limited resources and bandwidth on 
the high-end of the threat spectrum and on those which are most 
sophisticated and persistent. To operationalize these recommendations, 
we must draw lines in the sand. Preserving flexibility of U.S. response 
by maintaining some measure of ambiguity is useful, so long as we make 
parameters clear by laying down certain markers or selected redlines 
whose breach will not be tolerated. More investment needs to be made in 
our offensive capability as well, in order to support the foregoing 
proposals in terms of practice and at the level of principle (to signal 
a credible commitment). Cybersecurity by definition is transnational in 
nature and will require some level of transnational solutions, yet it 
must not be approached like an arms control treaty (i.e., attribution 
and verification are still a ways away). Notably NPPD, which manages 
the cyber-portfolio for DHS, has done some good work in the 
international arena, including cyber-specific capacity-building efforts 
and exercises, in multilateral settings and with bilateral partners. 
However, as the Department's Inspector General noted in a report issued 
just this month,\24\ DHS must continue to build on its Cybersecurity 
Strategy of November 2011,\25\ such as by clearly delineating ``roles 
and responsibilities'' for NPPD.\26\
    \24\ DHS Office of Inspector General, DHS Can Strengthen Its 
International Cybersecurity Programs (Redacted) (August 2012) http://
    \25\ Blueprint for a Secure Cyber Future: The Cybersecurity 
Strategy for the Homeland Security Enterprise http://www.dhs.gov/
    \26\ Mickey McCarter, ``NPPD Lacks Strategy To Guide International 
Cybersecurity Efforts'' Homeland Security Today (September 4, 2012) 
    Plainly we have not yet made the requisite business case for the 
private sector to undertake and implement needed cybersecurity measures. 
This represents a fundamental problem, given that the majority of 
critical infrastructure in this country is owned and operated by the 
private sector. The urgency for making this case needs no further 
explanation, but we must take care to strike just the right balance of 
carrots--such as tax breaks, priority in Government contracting 
opportunities, and indemnification of liability, allowing those who 
have done what has been asked of them to avoid costly litigation--and 
sticks; and of measures that ensure both privacy and security. To help 
ensure compliance with standards and best practices, a ``Good 
Housekeeping'' seal of approval could be granted to those who meet the 
bar. To the extent that this encourages industry-wide adoption and 
robust outcomes, such measure could spur the insurance and reinsurance 
sectors to step into the fray. In addition, the Federal Government has 
a responsibility to share threat information (i.e., signatures, hostile 
plans and techniques to degrade, disrupt or destroy systems) that 
places our critical infrastructures at risk. The pilot program 
introduced within the confines of the defense industrial base offers a 
solid starting point, and an example of a promising information-sharing 
environment.\27\ It probably should go without saying, but part of 
leading by example also entails the U.S. Government striving to place 
its own house in order, as a crucial corollary to meeting the threat.
    \27\ Frank J. Cilluffo and Andrew Robinson, ``While Congress 
Dithers, Cyber Threats Grow Greater'' Nextgov.com (July 24, 2012) 
    In conclusion, the challenges that lie on the horizon remain 
substantial, but with the requisite will and leadership--to lean 
forward and exhibit a field bias towards military, intelligence 
community, and law enforcement experts on the front lines--the country 
can and will continue to make progress towards meeting those 
imperatives. Again, I wish to thank the Committee and its staff for the 
opportunity to testify today, and I would be pleased to try to answer 
any questions that you may have.

    Chairman King. Thank you, Mr. Cilluffo.
    Our final witness is Mr. David Maurer. He is a GAO director 
in the Homeland Security and Justice Team, where he leads GAO's 
work reviewing DHS and DOJ management issues. His recent work 
in these areas includes DHS management integration, the 
Quadrennial Homeland Security Review, Secret Service financial 
management, DOJ grant management, Federal prison system, and an 
assessment of technologies for detecting explosives in the 
passenger rail environment.
    Mr. Maurer has testified before this committee several 
times and, surprisingly, he has agreed to come back again. So 
we thank you very much for your testimony, and look forward to 
it. Thank you for your service.


    Mr. Maurer. Great. Thank you very much. Good morning, 
Chairman King, Ranking Member Thompson, other Members and 
staff. I am pleased to be here today to talk about DHS's on-
going efforts to build a unified Department and position itself 
for the future.
    Since it began operations nearly a decade ago, DHS has made 
significant strides. Today, it has almost $60 billion in budget 
authority to carry out a wide variety of critical missions: 
fending off terrorist threats, securing the border, 
safeguarding cyberspace, and providing disaster relief.
    However, DHS has considerable work ahead to address 
weaknesses in its current operations and management that hinder 
the Department's ability to achieve its full potential. As a 
result, DHS remains on our high-risk list. My main message 
today is this. At the root of many of the Department's problems 
is a fundamental cross-cutting and significant challenge; 
namely, DHS needs to do a better job managing its resources.
    Specifically, DHS needs a strong, unified management 
foundation that enables its components to execute their vital 
missions. DHS also needs to ensure that increasingly scarce 
resources are strategically managed and aligned with risk-based 
priorities. Making tough, informed resource decisions is 
important because DHS will never have enough people, money, and 
systems to fully address every threat.
    DHS has a lot of work ahead to achieve these goals. Two 
years ago, to help DHS with that task we identified 31 actions 
and outcomes that are critical to addressing the Department's 
challenges. DHS agreed to achieve these outcomes, and has taken 
actions to do so. But DHS isn't there yet.
    It currently lacks vital management capabilities to 
integrate the Department into something greater than the sum of 
its parts. For example, nearly every major DHS acquisition 
program has experienced funding instability, workforce 
shortfalls, and/or changes to their planned capabilities. DHS 
morale scores consistently among the lowest in the Federal 
    DHS has twice attempted, and failed, to build an integrated 
Department-wide financial management system. The Department has 
also struggled to achieve strategic visibility over how it 
allocates its resources. For example, Congress has appropriated 
nearly $40 billion for DHS grant programs; however, DHS has 
limited visibility over how these funds are used, does not 
effectively coordinate across its various programs, and lacks 
mechanisms for assessing grant effectiveness.
    DHS also does not know how much it spends on research and 
development activities, and lacks policies to define and 
coordinate R&D across the Department. DHS says it plans to 
spend $167 billion on major acquisition programs in the coming 
years. But that is, at best, an educated guess.
    Most programs lack validated cost estimates, and DHS is 
still in the early stages of grappling with strategically 
managing these programs as a portfolio rather than on an 
individual basis. In recent years, DHS has worked hard to fix 
problems like these, and has achieved some key successes. For 
example, DHS obtained a qualified audit opinion on its balance 
sheet for the first time since its operation last year.
    It has significantly lowered its senior leadership vacancy 
rates. It has developed a promising new approach for reviewing 
its IT investments. We have also seen substantial senior-level 
support for a series of plans to help ensure that DHS's 
missions are supported by a sound management infrastructure.
    In particular, the Department's June 2012 strategy for 
addressing its high-risk designation is a good road map for 
taking DHS to where it wants to be. Looking ahead, DHS needs to 
show continued progress executing this ambitious agenda. Now, I 
know that ``management'' is not the most exciting word in the 
world, but it is vital.
    In fact, management is the glue that holds DHS together. 
The daily missions of the various DHS components, and the 
threats that they address, vary widely. To ensure the Department 
works as one, DHS needs a clear common vision, a unified 
management structure, and the ability to make tough, risk-based 
resource decisions to ensure that strategies drive budgets and 
not the other way around.
    DHS has made important strides achieving these goals, but 
the Department still has a great deal of work ahead. Improving 
how it manages its resources will help DHS carry out its vital 
missions and help secure the homeland.
    Mr. Chairman, thank you for the opportunity to testify this 
morning. I look forward to your questions.
    [The prepared statement of Mr. Maurer follows:]
                 Prepared Statement of David C. Maurer
                           September 20, 2012
Department of Homeland Security.--Continued Progress Made Improving and 
          Integrating Management Areas, but More Work Remains
    Chairman King, Ranking Member Thompson, and Members of the 
committee: I am pleased to be here today to discuss the Department of 
Homeland Security's (DHS) efforts to strengthen and integrate its 
management functions. DHS now has more than 200,000 employees and an 
annual budget of almost $60 billion, and its transformation is critical 
to achieving its homeland security and other missions. Since 2003, GAO 
has designated the implementation and transformation of DHS as high-
risk because DHS had to combine 22 agencies--several with major 
management challenges--into one Department, and failure to effectively 
address DHS's management and mission risks could have serious 
consequences for our National and economic security.\1\ This high-risk 
area includes challenges in strengthening DHS's management functions--
financial management, acquisition management, human capital, and 
information technology (IT)--the effect of those challenges on DHS's 
mission implementation, and challenges in integrating management 
functions within and across the Department and its components.
    \1\ GAO, High-Risk Series: An Update, GAO-03-119 (Washington, DC: 
January 2003); GAO, High-Risk Series: An Update, GAO-09-271 
(Washington, DC: January 2009); High-Risk Series: An Update, GAO-07-310 
(Washington, DC: January 2007); and High-Risk Series: An Update, GAO-
05-207 (Washington, DC: January 2005).
    In November 2000, we published our criteria for removing areas from 
the high-risk list.\2\ Specifically, agencies must have: (1) A 
demonstrated strong commitment and top leadership support to address 
the risks; (2) the capacity (that is, the people and other resources) 
to resolve the risks; (3) a corrective action plan that identifies the 
root causes, identifies effective solutions, and provides for 
substantially completing corrective measures in the near term, 
including but not limited to steps necessary to implement solutions we 
recommended; (4) a program instituted to monitor and independently 
validate the effectiveness and sustainability of corrective measures; 
and (5) the ability to demonstrate progress in implementing corrective 
    \2\ GAO, Determining Performance and Accountability Challenges and 
High Risks, GAO-01-159SP (Washington, DC: November 2000).
    On the basis of our prior work, in a September 2010 letter to DHS, 
we identified, and DHS agreed to achieve, 31 actions and outcomes that 
are critical to addressing the challenges within the Department's 
management areas and in integrating those functions across the 
Department to address the high-risk designation.\3\ These key actions 
and outcomes include, among others, obtaining and then sustaining 
unqualified audit opinions for at least 2 consecutive years on the 
Department-wide financial statements; validating required acquisition 
documents in accordance with a Department-approved, knowledge-based 
acquisition process; and demonstrating measurable progress in 
implementing its IT human capital plan and accomplishing defined 
outcomes.\4\ In January 2011, DHS issued its initial Integrated 
Strategy for High-Risk Management, which included key management 
initiatives (e.g., financial management controls, IT program 
governance, and procurement staffing model) to address challenges and 
the outcomes we identified for each management area. DHS provided 
updates of its progress in implementing these initiatives in later 
versions of the strategy--June 2011, December 2011, and June 2012. 
Achieving and sustaining progress in these management areas would 
demonstrate the Department's ability and on-going commitment to 
addressing our five criteria for removing issues from the high-risk 
    \3\ See appendix I for a summary of the 31 actions and outcomes.
    \4\ An unqualified opinion states that the audited financial 
statements present fairly, in all material respects, the financial 
position, results of operations, and cash flows of the entity in 
conformity with generally accepted accounting principles.
    My testimony this morning, as requested, will discuss our 
observations, based on prior and on-going work, on DHS's progress in 
achieving outcomes critical to addressing its high-risk designation for 
the implementation and transformation of the Department.
    This statement is based on prior reports and testimonies we issued 
from June 2007 through September 2012 and letters we submitted to DHS 
in March and November 2011 providing feedback on the Department's 
January and June 2011 versions of its Integrated Strategy for High-Risk 
Management.\5\ For the past products, among other methodologies, we 
interviewed DHS officials; analyzed DHS strategies and other documents 
related to the Department's implementation and transformation high-risk 
area; and reviewed our past reports, issued since DHS began its 
operations in March 2003. All of this work was conducted in accordance 
with generally accepted Government auditing standards; more-detailed 
information on the scope and methodology from our prior work can be 
found within each specific report. This statement is also based on 
observations from our on-going work related to DHS IT investments.\6\ 
For this work, we analyzed recent cost and schedule performance for 
DHS's major IT investments as reported to the Office of Management and 
Budget as of March 2012. We will report on the final results of this 
review later this month. We are conducting this work in accordance with 
generally accepted Government auditing standards. Those standards 
require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and 
conclusions based on our audit objectives. We believe that the evidence 
obtained provides a reasonable basis for our findings and conclusions 
based on our audit objectives.
    \5\ See the related products list at the end of this statement.
    \6\ This review is being conducted at the request of this 
Committee's Subcommittee on Oversight, Investigations, and Management; 
and Senator Thomas Carper, Chairman, Subcommittee on Federal Financial 
Management, Government Information, Federal Services and International 
Security of the Senate Committee on Homeland Security and Governmental 
DHS Has Made Progress in Addressing Its Management Challenges, but Has 
          Significant Work Ahead to Achieve High-Risk Outcomes
    Since we designated the implementation and transformation of DHS as 
high-risk in 2003, DHS has made progress addressing management 
challenges and senior Department officials have demonstrated commitment 
and top leadership support for addressing the Department's management 
challenges. However, the Department has significant work ahead to 
achieve positive outcomes in resolving high-risk issues. For example, 
DHS faces challenges in modernizing its financial systems, implementing 
acquisition management controls, and improving employee satisfaction 
survey results, among other things. As DHS continues to mature as an 
organization, it will be important for the Department to continue to 
strengthen its management functions, since the effectiveness of these 
functions affects its ability to fulfill its homeland security and 
other missions.
    Financial management.--DHS has made progress in addressing its 
financial management and internal controls weaknesses, but has been 
unable to obtain an unqualified audit opinion on its financial 
statements since the Department's creation and faces challenges in 
modernizing its financial management systems. DHS has, among other 
   reduced the number of material weaknesses in internal 
        controls from 18 in 2003 to 5 in fiscal year 2011;\7\
    \7\ A material weakness is a significant deficiency, or a 
combination of significant deficiencies, in internal control such that 
there is a reasonable possibility that a material misstatement of the 
entity's financial statements will not be prevented or detected and 
corrected on a timely basis. A significant deficiency is a deficiency, 
or combination of deficiencies, in internal control that is less severe 
than a material weakness, yet important enough to merit attention by 
those charged with governance. A deficiency in internal control exists 
when the design or operation of a control does not allow management or 
employees, in the normal course of performing their assigned functions, 
to prevent, or detect and correct, misstatements on a timely basis.
   achieved its goal of receiving a qualified audit opinion on 
        its fiscal year 2011 consolidated balance sheet and statement 
        of custodial activity for the first time since the Department's 
    \8\ A qualified opinion states that, except for the effects of the 
matter(s) to which the qualification relates, the audited financial 
statements present fairly, in all material respects, the financial 
position, results of operations, and cash flows of the entity in 
conformity with generally accepted accounting principles. The matter(s) 
to which the qualification relates could be due to a scope limitation, 
or the audited financial statements containing a material departure 
from generally accepted accounting principles, or both.
   established a goal of obtaining an audit opinion on all of 
        its fiscal year 2012 financial statements; and
   expanded the scope of the annual financial audit to the 
        complete set of fiscal year 2012 financial statements, which 
        DHS believes will help it to obtain an unqualified opinion for 
        fiscal year 2013.\9\
    \9\ DHS's complete set of financial statements consists of the 
Balance Sheet, Statement of Net Cost, Statement of Changes in Net 
Position, Statement of Budgetary Resources, and Statement of Custodial 
    However, DHS continues to face challenges in financial management. 
For example, DHS anticipates difficulties in providing its auditors 
transaction-level detail to support balances reported in its fiscal 
year 2012 financial statements in order to obtain an opinion on its 
financial statements. This is due to, among other things, components 
not retaining original acquisition documentation or enforcing policies 
related to recording purchases and making payments. DHS also 
anticipates its auditors issuing a disclaimer in their fiscal year 2012 
report on internal controls over financial reporting due to material 
weaknesses in internal controls, such as lack of effective controls 
over the recording of financial transactions related to property, 
plant, and equipment.
    In addition, in December 2011, DHS reported that the Federal 
Emergency Management Agency (FEMA), U.S. Coast Guard (USCG), and U.S. 
Immigration and Customs Enforcement (ICE) have an essential business 
need to replace their financial management systems, but DHS has not 
fully developed its plans for upgrading existing or implementing new 
financial systems at these agencies. According to DHS's June 2012 
version of its Integrated Strategy for High-Risk Management, the 
Department plans to extend the useful life of FEMA's current system by 
about 3 years, while FEMA proceeds with a new financial management 
system solution, and is in the process of identifying the specific 
approach, necessary resources, and time frames for upgrading existing 
or implementing new financial systems at USCG and ICE. Without sound 
processes, controls, and systems, DHS faces long-term challenges in 
obtaining and sustaining an unqualified opinion on both its financial 
statements and internal controls over financial reporting, and ensuring 
its financial management systems generate reliable, useful, timely 
information for day-to-day decision-making. We currently have on-going 
work related to DHS's efforts to improve its financial reporting that 
we expect to report on in the spring of 2013.\10\
    \10\ We are doing this work at the request of the Subcommittee on 
Federal Financial Management, Government Information, Federal Services 
and International Security of the Senate Committee on Homeland Security 
and Governmental Affairs.
    Acquisition management.--DHS has made progress in the acquisition 
management area by enhancing the Department's ability to oversee major 
acquisition programs. For example:
   DHS has established eight Centers of Excellence for cost 
        estimating, systems engineering, and other disciplines to bring 
        together program managers, senior leadership staff, and subject 
        matter experts to promote best practices, provide expert 
        counsel, technical guidance, and acquisition management tools; 
        and each DHS component has established a Component Acquisition 
        Executive (CAE) to provide oversight and support to programs 
        within the component's portfolio.
    According to DHS, as of June 2012, 75 percent of the core CAE 
        support positions were filled.
   In March 2012, DHS completed the development of a 
        Procurement Staffing Model to determine optimal numbers of 
        personnel to properly award and administer contracts. In June 
        2012, DHS reported that it is taking steps to implement the 
        staffing model throughout headquarters and the components.
   DHS included a new initiative (strategic sourcing) in its 
        December 2011 Integrated Strategy for High-Risk Management to 
        increase savings and improve acquisition efficiency by 
        consolidating contracts Department-wide for the same kinds of 
        products and services. The Office of Management and Budget's 
        Office of Federal Procurement Policy has cited DHS's efforts 
        among best practices for implementing Federal strategic 
        sourcing initiatives. Earlier this month, we reported that the 
        Department has implemented 42 strategically-sourced efforts 
        since the Department's inception.\11\ According to DHS data, 
        the Department's spending through strategic sourcing contract 
        vehicles has increased steadily from $1.8 billion in fiscal 
        year 2008 to almost $3 billion in fiscal year 2011, 
        representing about 20 percent of DHS's procurement spending for 
        that year.
    \11\ GAO, Homeland Security: DHS Has Enhanced Procurement Oversight 
Efforts, but Needs to Update Guidance, GAO-12-947 (Washington, DC: 
Sept. 10, 2012).
    However, DHS continues to face significant challenges in managing 
its acquisitions. For example:
   Earlier this week, we reported that 68 of the 71 program 
        offices we surveyed from January through March 2012 responded 
        that they experienced funding instability, workforce 
        shortfalls, and/or changes to their planned capabilities over 
        the programs' duration.\12\ We have previously reported that 
        these challenges increase the likelihood acquisition programs 
        will cost more and take longer to deliver capabilities than 
    \12\ GAO, Homeland Security: DHS Requires More Disciplined 
Investment Management to Help Meet Mission Needs, GAO-12-833 
(Washington, DC: Sept. 18, 2012).
    \13\ GAO, Department of Homeland Security: Assessments of Complex 
Acquisitions, GAO-10-588SP (Washington, DC: June 30, 2010).
   Our recent review of DHS acquisition management also 
        identified that while DHS's acquisition policy reflects many 
        key program management practices that could help mitigate risks 
        and increase the chances for successful outcomes, it does not 
        fully reflect several key portfolio management practices, such 
        as allocating resources strategically.\14\ DHS plans to develop 
        stronger portfolio management policies and processes, but until 
        it does so, DHS programs are more likely to experience 
        additional funding instability, which will increase the risk of 
        further cost growth and schedule slips. We recommended that DHS 
        take a number of actions to help mitigate the risk of poor 
        acquisition outcomes and strengthen the Department's investment 
        management activities. DHS concurred with all of our 
        recommendations and noted actions it had taken or planned to 
        address them.
    \14\ GAO-12-833.
    Human capital management.--DHS has taken a number of actions to 
strengthen its human capital management. For example:
   DHS issued human capital-related plans, guidance, and tools 
        to address its human capital challenges, including a Workforce 
        Strategy for 2011-2016; a revised Workforce Planning Guide, 
        issued in March 2011, to help the Department plan for its 
        workforce needs; and a Balanced Workforce Strategy tool, which 
        some components have begun using to help achieve the 
        appropriate mix of Federal and contractor skills.
   The Department implemented two programs to address senior 
        leadership recruitment and hiring, as we reported in February 
        2012.\15\ While DHS's senior leadership vacancy rate was as 
        high as 25 percent in fiscal year 2006, it varied between 2006 
        and 2011 and declined overall to 10 percent at the end of 
        fiscal year 2011.\16\
    \15\ GAO, DHS Human Capital: Senior Leadership Vacancy Rates 
Generally Declined, but Components' Rates Varied, GAO-12-264 
(Washington, DC: Feb. 10, 2012).
    \16\ GAO-12-264.
   DHS developed outreach plans to appeal to veterans and other 
        underrepresented groups.
    While these initiatives are promising, DHS continues to face 
challenges in human capital management. For example:
   As we reported in March 2012, based on our preliminary 
        observations of DHS's efforts to improve employee morale, 
        Federal surveys have consistently found that DHS employees are 
        less satisfied with their jobs than the Government-wide 
        average.\17\ DHS has taken steps to identify where it has the 
        most significant employee satisfaction problems and developed 
        plans to address those problems, such as establishing a 
        Department-wide Employee Engagement Executive Steering 
        Committee, but has not yet improved employee satisfaction 
        survey results. We plan to issue a final report on our findings 
        later this month.\18\
    \17\ GAO, Department of Homeland Security: Preliminary Observations 
on DHS's Efforts to Improve Employee Morale. GAO-12-509T (Washington, 
DC: Mar. 22, 2012).
    \18\ We are doing this work at the request of this Committee's 
Subcommittee on Oversight, Investigations, and Management; and Senator 
Susan Collins, Ranking Member of the Senate Committee on Homeland 
Security and Governmental Affairs.
   As we reported in April 2012, changes in FEMA's workforce, 
        workload, and composition have created challenges in FEMA's 
        ability to meet the agency's varied responsibilities and train 
        its staff appropriately.\19\ For example, FEMA has not 
        developed processes to systematically collect and analyze 
        agency-wide workforce and training data that could be used to 
        better inform its decision making. We recommended that FEMA, 
        among other things, identify long-term quantifiable mission-
        critical goals, establish lines of authority for agency-wide 
        workforce planning and training efforts, and develop systematic 
        processes to collect and analyze workforce and training data. 
        DHS concurred with our recommendations and reported actions 
        underway to address them.
    \19\ GAO, Federal Emergency Management Agency: Workforce Planning 
and Training Could Be Enhanced by Incorporating Strategic Management 
Principles, GAO-12-487 (Washington, DC: Apr. 26, 2012).
    Information technology management.--DHS has made progress in 
strengthening its IT management, but the Department has much more work 
to do to fully address its IT management weaknesses. Among other 
accomplishments, DHS has:
   strengthened its enterprise architecture;\20\
    \20\ An enterprise architecture can be viewed as a blueprint for 
organizational transformation and IT modernization.
   defined and begun to implement a vision for a tiered 
        governance structure intended to improve program and portfolio 
        management, as we reported in July 2012;\21\ and
    \21\ GAO, Information Technology: DHS Needs to Further Define and 
Implement Its New Governance Process, GAO-12-818 (Washington, DC: July 
25, 2012).
   established a formal IT Program Management Development Track 
        and staffed Centers of Excellence with subject matter experts 
        to assist major and non-major programs.
    Based on preliminary observations from our review of DHS's major 
at-risk IT acquisitions we are performing for the committee, these 
improvements may be having a positive effect. Specifically, as of March 
2012, approximately two-thirds of the Department's major IT investments 
we reviewed (47 of 68) were meeting current cost and schedule 
commitments (i.e., goals).
    DHS has made progress, but the Department has much more work to do 
to fully address its IT management weaknesses. For example, the 
Department needs to:
   finalize the policies and procedures associated with its new 
        tiered governance structure and continue to implement this 
        structure, as we recommended in our July 2012 report;\22\
    \22\ GAO-12-818.
   continue to implement its IT human capital plan, which DHS 
        believed would take 18 months to fully implement as of June 
        2012; and
   continue its efforts to enhance IT security by, among other 
        things, effectively addressing material weaknesses in financial 
        systems security, developing a plan to track and promptly 
        respond to known vulnerabilities, and implementing key security 
        controls and activities.
    Management integration.--DHS has made progress in integrating its 
individual management functions across the Department and its component 
agencies. For example, DHS has put into place common policies, 
procedures, and systems within individual management functions, such as 
human capital, that help to integrate its component agencies, as we 
reported in September 2011.\23\ To strengthen this effort, in May 2012, 
the Secretary of Homeland Security modified the delegations of 
authority between the Management Directorate and their counterparts at 
the component level. According to DHS, this action will provide 
increased standardization of operating guidelines, policies, 
structures, and oversight of programs. Additionally, DHS has taken 
steps to standardize key data elements for the management areas across 
the Department to enhance its decision making. For example, in April 
2012, the under secretary for management appointed an executive 
steering committee and tasked this committee with creating a ``Data 
Mart'' to integrate data from disparate sources and allow the 
dissemination of timely and reliable information by March 2013. 
Further, consistent with our prior recommendations, DHS has implemented 
mechanisms to promote accountability for management integration among 
Department and component management chiefs by, among other things, 
having the Department chiefs develop written objectives that explicitly 
reflect priorities and milestones for that management function.\24\
    \23\ GAO, Department of Homeland Security: Progress Made and Work 
Remaining in Implementing Homeland Security Missions 10 Years after 9/11, 
GAO-11-881 (Washington, DC: Sept. 7, 2011).
    \24\ GAO, Department of Homeland Security: Actions Taken Toward 
Management Integration, but a Comprehensive Strategy Is Still Needed, 
GAO-10-131 (Washington, DC: Nov. 20, 2009).
    Although these actions are important, DHS needs to continue to 
demonstrate sustainable progress in integrating its management 
functions within and across the Department and its components and take 
additional actions to further and more effectively integrate the 
Department. For example, DHS recognizes the need to better integrate 
its lines of business. The Integrated Investment Life Cycle Model 
(IILCM), which the Department is establishing to manage investments 
across the Department's components and management functions, is an 
attempt at doing that. DHS identified the IILCM as one of its most 
significant management integration initiatives in January 2011. 
However, the June 2012 update reported that this initiative is in its 
early planning stages, will be phased in over multiple budget cycles, 
and requires additional resources to fully operationalize. In September 
2012, DHS reported that it has developed draft policy and procedural 
guidance to support implementation of the IILCM and now plans to begin 
using aspects of this new approach to develop portions of the 
Department's fiscal years 2015 through 2019 budget.
    DHS strategy for addressing GAO's high-risk designation.--In 
January 2011, DHS issued an agency-wide management integration 
strategy--the Integrated Strategy for High-Risk Management--as we 
recommended in our March 2005 report on DHS's management integration 
efforts.\25\ DHS's most recent version of the strategy, issued in June 
2012, greatly improved upon prior versions and addressed feedback we 
previously provided by, for example, identifying key measures and 
progress ratings for the 18 initiatives included in the strategy and 
the 31 outcomes.\26\ We believe the June 2012 strategy, if implemented 
and sustained, provides a path for DHS to address our high-risk 
    \25\ GAO, Department of Homeland Security: A Comprehensive and 
Sustained Approach Needed to Achieve Management Integration, GAO-05-139 
(Washington, DC: Mar. 16, 2005).
    \26\ GAO-10-131.
    DHS can further strengthen or clarify its Integrated Strategy for 
High-Risk Management to better enable DHS, Congress, and GAO to assess 
the Department's progress in implementing its management initiatives 
by, among other things: Determining the resource needs for all of the 
corrective actions in the strategy; communicating to senior leadership 
critical resource gaps across all initiatives; and identifying program 
and project risks in a supporting risk mitigation plan for all 
    Going forward, DHS needs to continue implementing its Integrated 
Strategy for High-Risk Management and show measurable, sustainable 
progress in implementing its key management initiatives and corrective 
actions and achieving outcomes. We will continue to monitor, assess, 
and provide feedback on DHS's implementation and transformation efforts 
through our on-going and planned work, including the 2013 high-risk 
update that we expect to issue in January 2013.
    Chairman King, Ranking Member Thompson, and Members of the 
committee, this concludes my prepared statement. I would be pleased to 
respond to any questions that you may have.
    Appendix I: Summary of Actions and Outcomes for Addressing the 
Implementing and Transforming the Department of Homeland Security High-
                               Risk Area
    On the basis of our prior work, in a September 2010 letter to the 
Department of Homeland Security (DHS), we identified 31 actions and 
outcomes that are critical to addressing the challenges within the 
Department's management areas and in integrating those functions across 
the Department, thus addressing the high-risk designation. This 
appendix provides a summary of the 31 actions and outcomes.
                          financial management
    1. Maintain top management commitment to correcting weaknesses.
    2. Address internal control, business process, and systems 
    3. Commit sufficient resources to implement financial system 
        modernization and complete a full-scope audit of the 
        Department's basic financial statements.
    4. Expand scope of financial statement audit to include an opinion 
        on all of the Department's basic financial statements.
    5. Sustain clean opinions for at least 2 consecutive years.
    6. Comply with the Federal Financial Management Improvement Act of 
    7. Embrace best practices for financial system modernization.
    8. Establish contractor oversight mechanisms for financial system 
    9. Successfully implement new or upgrade existing financial systems 
        as needed throughout the Department, including the U.S. Coast 
        Guard (USCG), Federal Emergency Management Agency (FEMA), and 
        U.S. Immigration and Customs Enforcement (ICE).
                         acquisition management
    1. Validate required acquisition documents in a timely manner at 
        major milestones, including life-cycle cost estimates, in 
        accordance with a Department-approved, knowledge-based 
        acquisition process.
    2. Improve component acquisition capability.
    3. Establish a Joint Requirements Council or a similar body.
    4. Ensure a sufficient number of trained acquisition personnel are 
        in place at the Department and component levels.
    5. Establish and demonstrate measurable progress in achieving goals 
        that improve programs' compliance with the Department's 
        established processes and policies. For major acquisitions, 
        demonstrate that actual cost and schedule performance are 
        within baseline thresholds.
                        human capital management
    1. Implement a human capital strategic plan.
    2. Link workforce planning to other Department planning efforts.
    3. Enhance recruiting to meet current and long-term needs.
    4. Base human capital decisions on competencies and performance.
    5. Seek employees' input to strengthen human capital approaches and 
    6. Improve scores on the Office of Personnel Management's Federal 
        Employee Viewpoint Survey.
    7. Assess and improve training, education, and development 
                   information technology management
    1. Demonstrate achievement of stage 4 of GAO's Enterprise 
        Architecture Management Maturity Framework (that is, completing 
        and using an enterprise architecture for targeted results).
    2. Establish and implement information technology (IT) investment 
        management best practices.
    3. Establish and implement IT system acquisition management 
    4. Show progress in implementing the IT strategic human capital 
    5. Demonstrate for at least two consecutive investment increments 
        that cost and schedule performance is within the established 
        threshold baseline for major investments.
    6. Enhance the security of internal IT systems and networks.
                         management integration
    1. Implement actions and outcomes in each management area.
    2. Revise management integration strategy to address 
        characteristics we previously recommended, such as set 
        implementation goals and a time line to monitor progress.
    3. Establish performance measures to assess progress made in 
        achieving Department-wide management integration.
    4. Promote accountability for management integration among 
        Department and management chiefs through the performance 
        management system.

    Chairman King. Thank you, Mr. Maurer.
    Now I will recognize myself for questions. I would ask this 
question of each of you. Mr. Baker gave the Department an A as 
far as thinking seriously about keeping terrorists out. I would 
like to ask each of you, though, how effective do you think DHS 
has been in making itself part of the counterterrorism 
community, the intelligence community, and receiving the 
cooperation from the other big players?
    What appeared to be my personal experience at the time, at 
least anecdotally, they were not getting the respect early on. 
They were considered, you know, the new kids on the block. Has 
that improved, and how well-integrated are they into a cohesive 
counterterrorism system?
    Mr. Skinner.
    Mr. Skinner. I do agree that early on they did not get the 
respect that they should have. At the time I left, I think they 
were still facing challenges with bringing something to the 
table, so to speak, in the intelligence community. A lot of 
this dealt with the simple issues of trust. Other issues were 
just the mere nature of what they were bringing to the table.
    It was historic data. It wasn't something, a strategic 
dialogue, as to where the challenges were. I think someone hit 
on this earlier today. That we need to do a better job of 
actually stepping back and thinking the what-ifs that can occur 
in this country. Also the things that we can be doing better 
with regard to infrastructure.
    So in my assessment, I think we have a very, very long way 
to go yet in the intelligence community as far as being a major 
player, at least at the time I left about 18 months ago.
    Chairman King. Thank you.
    Secretary Baker.
    Mr. Baker. Well, I used to say that--at the beginning of 
DHS, your assessment is quite correct. I once described hiring 
Charlie Allen as the equivalent of the Mets hiring Casey 
Stengel. It gave us more credibility than we had before, but we 
still have a long way to go.
    DHS is an unusual participant in the intelligence 
community. There are a lot of participants who are basically 
takers of intelligence and analysts of the intelligence that 
they get. Then there are some very big producers of 
intelligence. DHS is neither of those things. It does analyze 
intelligence, and it does produce intelligence of a sort. 
Particularly travel data.
    That has proven to be increasingly useful. So my sense is 
that, indeed, there is a little bit of tension between them and 
NCTC over who is in charge of gathering and using this data. 
You know, if you have turf tension that suggests you are 
contributing something that somebody else would like to be 
    So I think they have moved forward substantially. One area 
they are not yet maximizing their opportunities in is cyber, 
where we know a lot about the attackers. We learn that by using 
law enforcement authorities. DHS has all these law enforcement 
investigators, Secret Service and ICE, that should be carrying 
out law enforcement investigations strategically to learn more 
about our attackers and then embarrass them as dramatically as 
    My sense is that the law enforcement guys are all overdoing 
their investigations without a lot of coordination and a lot of 
strategy from NPPD and the cyber operations. We could 
contribute more if we were a little more strategic about how we 
used our law enforcement resources.
    Chairman King. Thank you.
    Mr. Cilluffo.
    Mr. Cilluffo. Clearly, intelligence is the lifeblood for 
our campaign against terrorism in all facets. I would argue 
that I probably take a less positive view in terms of where the 
Department is writ large. First, I don't think we have the 
equivalent. We all know National intelligence estimates in 
terms of racking and stacking capabilities of our adversaries 
    We have intelligence estimates that look at threats to the 
homeland. But what do we have where you have a legitimate home-
grown threat? The foreign-domestic divide is blurring today. 
Social technology and everything else makes it very difficult. 
The word over here has an effect over there, and vice versa.
    So I would argue the emphasis should be pushing out our 
capabilities to support and enable our fusion centers on the 
front lines. State and local law enforcement is ultimately best 
positioned and, in many cases, most competent to deal with 
these issues.
    The joint regional intelligence groups that the FBI is 
standing up, we have got to find ways to make sure that all 
these pieces can, in fact, come together. To take National 
data, to put it into local context. Ultimately, that is 
translating that data for our State and local authorities who 
are best positioned to address these issues.
    On the cyber side, we have a long ways to go. I mean, if 
you look back since 9/11, I would argue the greatest 
breakthroughs which no one is really talking about in our 
counterterrorism efforts have been the synchronization of 
Titles 10 and Title 50; basically, where the intelligence 
community meets the defense establishment.
    Cyber. This is an area where we clearly need to look at 
some of those same synchronizations of authorities and 
capabilities. Doesn't exist at the State and local. Then when 
you start looking at the homeland, in particular, I think 
Stewart captured it. NSA has got the capability, DHS has the 
authority. NSA doesn't have many of the authorities, and DHS 
doesn't have many of the capabilities.
    How do we start bridging that gap in a way that is true to 
who we are as a country from a privacy perspective? I think 
that is the big issue we are all struggling with right now.
    Chairman King. Thank you.
    Mr. Maurer.
    Mr. Maurer. Yes. Mr. Chairman, I mean obviously, over the 
course of the last decade there have been a number of 
substantial changes in the overall structure of the 
intelligence community. I mean, sort of operating in parallel 
with a stand-up in operation of DHS was the creation of the 
NCTC, the standing up of ODNI, the fundamental restructuring 
and refocus of the FBI.
    All these things were happening simultaneously. DHS is 
clearly at the table as part of this on-going effort. I 
wouldn't characterize them as playing their leading role. In 
some respects, appropriately so. FBI is late on some things, 
for example. We issued a report earlier this morning looking at 
DHS's central efforts to improve information sharing of 
terrorist-related information.
    What we found there was encouraging. We think that DHS is 
on a good path on that front. They have shown good leadership. 
We are concerned about their lack of metrics to be able to 
establish whether or not they are making progress towards their 
goals. But we think they are off to a good start in that 
    So we will be certainly watching that area, as well. That 
is another one of our high-risk issues, and DHS is one of 5 
main agencies that play in that realm.
    Chairman King. Thank you.
    My time has expired. I would ask you if you could get back 
to me in writing. I have two quick questions. No. 1: How 
significant is it that the Saint Elizabeths project has been 
pushed back? How important is it for the Department to have, 
you know, one coherent central location?
    Second: Is there any way that the progress of DHS could be 
compared to the growth of the Defense Department after World 
War II? Are they on the same path?
    With that, I yield to the gentleman. If you can get back to 
me in 30 days, in writing, I would appreciate it.
    The gentleman from Mississippi.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Some will argue that the direction of this Department 
mirrors the direction it receives. Part of that direction comes 
from Congress. I have shared with you my concern about 
jurisdiction. But since we have four very qualified individuals 
to talk about the subject of jurisdiction and the Department, 
can you just share individually whether or not you believe it 
is a good thing for Congress to vest jurisdiction for DHS 
within one committee like a number of other departments have?
    Agriculture, just to talk a little bit about one, there are 
some small pieces elsewhere. But primarily, jurisdiction is 
there. I will start with you, Mr. Skinner.
    Mr. Skinner. Absolutely. My own experiences when I was the 
IG at DHS, people talk about over 100. I dealt with about 88 
committees and subcommittees. This is very time-consuming, 
resource-intensive. We receive, constantly, mixed messages as 
to the direction the Congress wanted the Department to go.
    It created, in my opinion, a lot of problems. Not only for 
our office, but this is also compounded when you look at it 
from a Department-wide perspective. Having to answer to so many 
different committees, so many different directions. The time 
spent, I think, can be better spent in building a better 
    But yes, absolutely. I think it would be very worthwhile if 
we could consolidate some of this oversight into one committee.
    Mr. Thompson. Mr. Baker.
    Mr. Baker. I completely agree. It is a sign of lack of 
seriousness that the Congress did not accept even the 9/11 
Commission recommendations on this regard. It is very 
disappointing that it has continued as long as it has, very 
    I do agree. Imagine trying to run a company and you have 88 
outside boards of directors you are held accountable to, none 
of whom agree in the common end-state. Well, everyone agrees 
that we want to make the country more safe, but with changes.
    I think it is debilitating. I don't think the Department 
can mature when it has so many different approaches in terms of 
oversight. The big issue, I would also suggest, is to be able 
to align budgets to priorities. You have got to also look at 
the appropriator-authorizer connect, which--I know, I chuckle 
    I sometimes say we have three parties in this country--
Republicans, Democrats, and Appropriators. But at the end of 
the day----
    Mr. Thompson. You are correct.
    Mr. Baker [continuing]. That is a big issue.
    Mr. Cilluffo. That has certainly been an issue that DHS 
has--been a burden for them from the time the Department has 
been created. But I think as you know that, you know, GAO works 
for the Congress as a whole. Obviously, we are strong advocates 
of very aggressive and hands-on oversight.
    So we don't take a position on how Congress divides up its 
jurisdiction, other than to say that we are there to support 
making those decisions. So if there is any information we can 
offer to help with that, we would be glad to offer that. I will 
say that this problem is not necessarily unique to DHS, but it 
is probably unusual relative to other departments in the 
Executive branch.
    Mr. Thompson. Thank you. I would like just to go on the 
record in support of what Mr. Baker and the others have said. 
That the 9/11 report, Commission report, this is really the 
only thing that is still left outstanding. Is that somehow we 
all agree that it is outstanding, but we can't agree to do it.
    I think that is a failure on Congress' part to step up. I 
will just say for the record again, Mr. King--whether you are 
Chair or I am Chair--we need to send that letter again to our 
leadership, jointly signed by us, saying it should be done and 
already has been made part of the record. We agree on it.
    I look forward in January to authoring or coauthoring a 
letter indicating a continuing interest on our part for that 
consolidated jurisdiction.
    I yield back.
    Chairman King. The Ranking Member yields back.
    I recognize the gentleman from Alabama, the subcommittee 
Chairman, Mr. Rogers.
    Mr. Rogers. Thank you, Mr. Chairman.
    It is good to have Mr. Skinner and Mr. Baker back before 
us, as they have been many times in the past. I look forward to 
hearing from our other witnesses. As you all are aware, I chair 
the TSA subcommittee. We have held, as a part of our hearing 
process, three hearings on the procurement acquisition process, 
which has a problem in TSA. But it has a problem Department-
wide, as you all know.
    GAO just released its most recent report examining this 
acquisition process. One of the most disappointing facts, which 
we also found in our hearings, was that most of DHS's major 
programs reported their planned capabilities changed well into 
the procurement process. Which obviously costs money, but not 
just for the Department. But it costs money for the private 
    When you throw out these requests for proposals without 
talking to anybody first about what is possible, and then when 
they come back and say, ``Well, we can't do that, but here is 
what we can do,''--and they have spent several hundred thousand 
dollars--you say, ``Well, that is not what we want,'' and they 
pull it back, it is completely unfair to the private sector.
    But it also doesn't help us achieve the goals that we are 
trying to achieve with the Department. I am interested in your 
thoughts on what we can do to remedy that. What is practical?
    Let us start with Mr. Baker.
    Mr. Baker. I will not pretend to be an acquisition expert. 
But my overall view of the acquisition process of the various 
parts of the Department is, this has turned out to be something 
that only a truly mature agency can do well. CBP certainly has 
problems, but has managed its procurements better than most of 
the components of the Department.
    TSA, as a new agency, doesn't have the kind of depth of 
staff and experience to do it as well as CBP.
    Mr. Rogers. Right. Well, that is one of the things I have 
mentioned to them in the hearings, is you are exactly right. A 
mature department does it well. And the best example is DoD. 
They found all the potholes in the road, and they know how to 
get around them.
    I have urged TSA and DHS as a whole to model their process 
after DoD, and they pushed back hard against it. I don't 
understand why.
    Mr. Baker. You know, it is the process, it is certainly 
true, where DoD has been in every pothole that you can find out 
there. Part of it is just personnel. You need personnel who 
have been doing this and made some mistakes, and understand how 
those mistakes are going to play out, and who are not wooed 
away by contractors to get new business in the future.
    I have often thought that we ought to find a way to 
penalize people who hire our procurement officials in the first 
5 years of their service. Because part of the problem is having 
a real depth of staff.
    Mr. Rogers. Anybody else? Mr. Maurer.
    Mr. Maurer. Yes, I think the first thing that DHS needs to 
do is just follow their own policies and procedures on 
acquisition. One of the things we found in the report that was 
issued yesterday was that we actually gave their policies 
pretty good marks. Their best practice, the problem has been 
they haven't been consistently following them. If they followed 
their own rules they would have better outcome.
    Mr. Rogers. Why do you think that is?
    Mr. Maurer. Well, I think in the early years of the 
Department, and it continues even today, there is an overriding 
sense of urgency, which is important. It is part of their 
mission. But it leads to----
    Mr. Rogers. Purchasing puffer machines.
    Mr. Maurer. Puffer machines that don't work. It leads to 
rushing to failure. There has been a whole host of those. 
SBInet and ASP and CAARS. There is a whole alphabet soup of 
failed acquisitions that DHS has had over the years. This 
report is the latest example of that.
    I know the subcommittee--Mr. McCaul's subcommittee--
tomorrow is having a hearing on this to talk more in depth. So 
I think, yes, first-off DHS needs to follow their policies. I 
think they have some real shortages in terms of qualified staff 
to help oversee and review these acquisition programs.
    The third issue they really have to come to terms with is 
that they probably signed themselves up to purchase more 
acquisition programs than they are likely to be able to afford 
in outyears. I mentioned in my statement, there is almost $170 
billion in sort-of total life-cycle costs.
    That is a rough guess. I mean, they don't really know what 
they have signed themselves up for. If we are going to continue 
to face tough budget times, they are going to have to make some 
really hard decisions on where they are going to put their 
    Mr. Rogers. I agree. One of the things I have pushed them 
to do, though, and it is hard to get them to do, is to start 
conversing with the private sector in advance. To call the 
private sector in, do a notice on FedBizOpps or whatever. Bring 
them in, and say, ``Listen, these are the things we are trying 
to accomplish. What is possible?'' Get some dialogue going.
    Yes, sir.
    Mr. Cilluffo. Mr. Rogers. Beyond simply as it affects TSA, 
but generally speaking, metric performance measures. I don't 
mean to get too philosophical, but at the end of the day what 
gets measured gets done. But are we measuring what matters? It 
is that second set of questions that I think you can see 
improvement in the future.
    Wherein the Quadrennial Homeland Security Review aligns 
with a bottom-up review so you can actually--a policy without 
resources is rhetoric. But if you can actually match up the 
priorities from a budgetary standpoint, that is kind of the way 
the Department of Defense does it with the POM process and 
with the QDR.
    One thing I might note though, that it took the Goldwater-
Nichols Act to be able to really prioritize those needs that 
were purple, that were across services, that were unique beyond 
any particular military service. The Department doesn't have a 
COCOM-like structure. Maybe it should. That is a different set 
of questions. But it doesn't at this point.
    Mr. Rogers. Excellent. Thank you.
    I yield back.
    Chairman King. The gentleman yields back.
    The gentleman from Michigan, Mr. Clarke, is recognized for 
5 minutes.
    Mr. Clarke of Michigan. Thank you, Mr. Chairman.
    Just to all of those who are testifying, my major concern 
is about the security of our power systems, our power grid, our 
airports, especially our municipal drinking water and sewage 
systems. A cyber attack on the industrial control systems that 
govern these assets could have a devastating impact on areas 
like metropolitan Detroit, especially if there was a cyber 
attack against our municipal drinking water and sewage system.
    If any of you have some thoughts on the type of policies 
that we could implement here to better protect the American 
people from such a cyber attack, that is information I would 
like to hear. I do have some specific questions. One issue, 
raised by Mr. Baker, about the role that private companies who 
are victims of a cyber attack could play in terms of funding 
Federal investigations into those attacks.
    Also, Mr. Cilluffo raised the issue of Iran and Hezbollah. 
Are there any specific instances or concerns that we should 
have regarding Iran and Hezbollah regarding a cyber attack on 
our country?
    I yield back my time.
    Chairman King. The gentleman----
    Mr. Clarke of Michigan. Well, I would like to get a 
response, and then I yield back my time afterwards.
    Mr. Baker. In terms of industrial control systems, you are 
absolutely right that practically everything that civilized 
life in Detroit or any other American city depends on is an 
industrial control system. Those systems, as the Stuxnet attack 
on Iran's Natanz enrichment facility shows, are vulnerable to 
attacks that can break the systems.
    No major city is going to survive in an orderly fashion if 
it has no power and no water and the sewers are not functioning 
properly. You can break all of those things with a properly 
designed attack. To prevent that, we need to make sure that our 
systems, to the extent possible, have been pulled off of the 
internet and that there are not internet connections.
    We need to talk to the software manufacturers and hold them 
to high standards in terms of how secure those systems are. 
They have never been secure because they didn't think they were 
connected to the internet. They are now discovering that they 
are. The hardware in those systems is also not secure, and we 
need a research agenda that will improve the security of the 
    Finally, in my personal view we are probably putting far 
too much emphasis on smart grid deployments today. We talked 
earlier, Mr. Maurer talked, about rushing to failure. Smart 
grids are connecting our power systems, and they offer some 
real savings. But they are connecting our entire power system 
to the internet in ways that we could end up regretting.
    So those are all things that I would suggest we begin 
immediately to pursue. I will come back to the private-sector 
issue if others finish in time.
    Mr. Cilluffo. Mr. Clarke, thank you for your question. I 
mean, this is a multifaceted set of issues. Clearly, we have 
seen attempts, and successful hacks, on supervisory data and 
acquisition systems. The underpinnings of our critical 
infrastructure is not only overseas, but those attempts are 
spiking domestically, as well.
    So in terms of critical infrastructure, yes. But I think 
you have got a bigger issue. Back to some of the acquisition 
questions, we haven't baked security into the design of our 
architectures. That is why I think, rightfully so, the House 
Intelligence Committee is asking very tough questions vis-a-vis 
Huawei, ZTE, and anyone else who could potentially have access 
to our backbone, our very critical infrastructures, that are 
most significant for computer network exploit, espionage, or 
potential attack.
    More needs to be done there. We have got to figure out what 
are the right carrots and what are the right sticks. We have 
talked a lot about the sticks, but I think there are some 
carrots; tax incentives, liability protections, if you meet a 
certain standard in BAR. Which I think should be initiated by a 
third party. I call it a Good Housekeeping seal of approval.
    So it is looking at what are the right carrots and sticks. 
Some critical infrastructures are more critical than others. 
Those that really affect our ability and could impede our 
ability to project power, deploy forces and, from a National 
security standpoint, I think take on a different set of issues.
    Very, very, very briefly on Iran. Yes, we have seen a lot 
of activity in this space. I recently testified--I see Mr. 
Lungren here--before one of his committee hearings specifically 
on Iran before all these unhelpful leaks in terms of what we 
have seen on the cyber side. They have stood up a cyber army, 
the Basij and some of their proxies have been involved. There 
is a cyber Hezbollah that is involved in primarily intelligence 
    So there is reason to be concerned. There are attacks going 
on as we speak on some of our banking sectors that some people 
aren't sure where they are necessarily generating from; notably 
Bank of America, Chase, and others. So I think that is an area 
we need to be concerned about.
    But let us not treat all attacks the same. Hacking a 
website is like graffiti in cyberspace. It is bad, but it is 
not the same as attacking the very critical infrastructures or 
damaging the data that those systems run. So we have got to 
take some of those issues into consideration.
    Finally, there were attacks this summer on Saudi Aramco and 
on Qatari RasGas. To me, this is where I was talking about what 
sorts of products NPPD and INA could provide to the critical 
infrastructure owners. They should have taken those lessons 
learned and be able to share some of the signature data with 
our own critical infrastructures.
    I might note that a big thing I have been pushing is the 
Defense Industrial Base pilot, which right now is primarily 
focused on the defense contractors. I really feel that should 
be expanded to our critical infrastructure owners and 
operators; at least the most critical infrastructure owners and 
    Mr. Clarke of Michigan. Mr. Chairman, if we do have time I 
would like Mr. Baker--the opportunity to----
    Chairman King. Actually, we are running on this. I 
appreciate it, but let me just say I want to thank you for your 
service on the committee, Mr. Clarke. No one knows what the 
future holds, but it has been a privilege having you work with 
us on the committee. Even if you are on that side, and ask some 
tough questions sometimes.
    Mr. Clarke of Michigan. It is an honor to serve our country 
here, and it is an honor to serve with you in this panel. Thank 
    Chairman King. Thank you.
    The gentleman from California, our leader on cybersecurity, 
Mr. Lungren.
    Mr. Lungren. Thank you very much. Thank the panelists.
    I hope I am not contrarian in this. I have been on this 
committee for 8 years now, and been part of the oversight for 
the Homeland Security Department. Frankly, I think they are 
better now than they were back then. I think there has been 
improvement, there has been some maturation.
    I guess the question is: How far along are we in the 
maturing process? When we compare this to DoD, as was 
mentioned, it took a long time for us to have the 
reorganization of DoD to get where we are today. So I, frankly, 
have seen what I consider to be improvement.
    I believe we are safer today because of DHS, even with all 
the warts and the shortcomings that we have. So I wanted to 
start with that.
    The second thing I wanted to say is fusion centers. We have 
a fusion center in my district, which I have been out to see 
any number of times. I am impressed by the level of 
cooperation, collaboration, exchange of information and respect 
for all the participants--local, State, Federal, including DHS.
    Mr. Baker, have you seen that? What I see in the Sacramento 
region, is that the same as you have observed or that you have 
been made aware of around the country?
    Mr. Baker. Yes, there are some very successful fusion 
centers that are doing great work and that have really built 
deep relationships between DHS and local and State authorities. 
I have had people say if you have seen one fusion center you 
have seen one fusion center. They are very variable, and not 
all of them are as successful as the one in your district.
    But I think they have turned out to be an enduring 
institution. We may end up seeing consolidation or 
rationalization of some of them as the budget gets tighter. But 
it seems to me they have been a very valuable way for DHS to 
actually make a difference in local policing.
    Mr. Lungren. See, that is one of the concerns we have. When 
we look at budgets, there are those who look at things like 
that as the first thing to go. I don't think it ought to be the 
first thing to go. I think it ought to be one of the things 
that we try and make even better. Because in the area of 
terrorism, as in so many other things, much of the intelligence 
is gathered by people who weren't looking for terrorists as 
their first objective.
    Mr. Baker. Right.
    Mr. Lungren. There are so many more eyes and ears with 
local law enforcement than there are Federal agents. Part of 
our job is to make sure that we give the expertise, share the 
expertise, on the Federal level with those at the local and 
State level. Then, with the analysts--perhaps they are Federal 
analysts, perhaps they are analysts that come from other 
departments--but utilize that, that ability.
    I fear that when we run into these tough budget times that 
is the first thing to go because it is not a fancy gadget, it's 
not a new thing that comes out of S&T, even though I want 
things to come out of S&T. So I am concerned about that.
    In the area of cyber, one of the concerns I have had has 
been the tremendous personnel turnover we have seen within the 
cybersecurity mission within the Department. At the same time, 
I have been impressed most recently with an added robustness of 
that element of DHS. In part, because of the infusion of a good 
number of people from the private sector.
    So two questions for you, Mr. Cilluffo, and also Mr. Baker: 
What is the basis of the difficulty for us keeping people in 
the cybersecurity arena in DHS, No. 1? No. 2, do you think the 
failure of the Congress to get a statutory authority and an 
institutionalization of the lines of authority within the 
Executive branch on cybersecurity is, in fact, a serious 
problem? Or is it just something we can take care of by way of 
Executive Order?
    Mr. Cilluffo.
    Mr. Cilluffo. I will start, and I am just going to say one 
thing on fusion centers. Because we have done a number of 
surveys, the first surveys, to try to bring a little bit of 
science to the art of intelligence. I agree with your position 
100 percent.
    The one thing I would note that they are lacking, and the 
majority of them suggested as much, was analytical tradecraft 
and capability, No. 1. Second, their ability to do threat 
reporting on the cyber side is weak, and they need to build 
that up.
    But to your question on cyber retention, it is a huge 
issue. Not only at the Department of Homeland Security, but 
across the Department of Defense and the intelligence 
community. Because you have so many greater opportunities in 
the private sector. Not only financial, but sometimes less 
bureaucratic. One of the things I think we need to start 
thinking about in terms of authority is our active defenses, 
where you give other entities the ability to respond in real 
time, in certain circumstances, in accordance with our laws.
    So I don't think an Executive Order--I mean, this is an 
issue that is so important for our country, it is so important 
for all branches of Government to be able to acknowledge and 
recognize that this is a significant set of issues. I don't 
think you can just pay for it forward by Executive Order. I 
think it requires a debate, it requires a discussion.
    It is extremely important, looking to the future, that you--I 
don't think you can promulgate it through an Executive Order 
alone. I think Congress has not only an opportunity, a 
responsibility, to address these issues.
    Mr. Baker. On personnel, look, this is a hot field and 
people who do well in it in Government are going to get lots of 
job offers. We do need to face the fact that we will have 
turnover at some point. I will note that NSA, where I have also 
worked, has addressed that issue by and large as a culture 
where they expect people to come in and spend 25 or 30 years 
doing what NSA does. They get some very talented people.
    They lose people, but they have held onto their people 
better than DHS cyber has. My suggestion would be, on this as 
on many other things, DHS needs to be borrowing personnel and 
capability from NSA, bringing them over, making them part of 
the career progression within NSA so that they can get the 
benefit of the talented folks that NSA has.
    On the question of Executive Order versus legislation, 
legislation would be better but I am a realist. I actually 
think the Homeland Security Act gave a lot of authority, at 
least within the civilian arm of the Federal Government, to 
DHS. What we have seen is, the President by and large seems 
prepared to back that up by saying no, I really want you to do 
what the Homeland Security Act conveyed to you.
    That is progress. So I have supported an Executive Order, I 
think it is a good idea. There are things that can't be fixed. 
The Rogers bill, CISPA would be a much better solution than any 
private or Executive Order solution to the information-sharing 
problem. I frankly think, though, we are in for a period of a 
year or more in which nothing is going to happen in Congress so 
we need to be looking at everything that can be done within the 
    I don't think we have gotten to the end of the things the 
administration can do to improve cybersecurity.
    Chairman King. The time of the gentleman is expired.
    The gentleman from New York, Mr. Turner. I am sorry, how 
did I forget? Here I am talking away to the temporary Ranking 
Member, who has ascended very quickly to the throne.
    The gentlelady from California, who has been a very close 
bipartisan worker on this committee, Ms. Hahn.
    Ms. Hahn. Thank you, Chairman King. I will start by adding 
my shout-out to my colleague from California, Mr. Lungren, on 
the necessity of our fusion centers. There is one in the Los 
Angeles region, as well, that is very significant.
    I would dare say many of the plots that have been foiled 
over the last years were a result of the information that was 
cobbled together in our fusion center. I think we, as Members 
of this committee, ought to be very clear and very precise in 
advocating for the continuance of our fusion centers.
    I have appreciated the gentlemen's testimony, and your 
knowledge about our Department of Homeland Security and the 
future. I have a district that borders the largest port complex 
in our country, Los Angeles and Long Beach. To that end, I have 
been concerned about port security.
    In fact, my very first hearing here in the Homeland 
Security Committee was the 9/11 report card. At that time, it 
had come out that probably we were a little lacking. I would 
like to hear Mr. Baker's grade for port security in this 
    To that end, I will say thanks to Chairman King, and a real 
bipartisan support. I was able to pass my first bill this year, 
on asking the Department of Homeland Security to report back to 
Congress on assessment of our port security. I would love to 
hear your analysis of how we are doing.
    I tend to think it is still a very vulnerable entryway into 
our country through our Nation's ports. Specifically, I would 
like to know, generally, how you feel about that. But 
specifically, speaking of managing our resources, I have heard 
from a number of ports across this country that the port 
security grants, which I am a big advocate of.
    We have done things in this committee to continue port 
security grants. But some of the deadlines, some of the 
requirements, some of the, you know, burdens that, apparently, 
we are putting on port authorities to actually use these port 
security grants in an efficient way are hindering what I 
believe ultimately is the securing of our Nation's ports.
    So I would love to hear your assessment specifically of 
port security, and how we are managing our port security 
    Mr. Baker. So I can't give you much useful information 
about the grant management because I think I am out-of-date on 
that. I did participate heavily in the Port Security Act 
process and the implementation of that, and it's been continued 
by the next administration.
    On the whole, I would give that effort about a B. I think, 
given the amount of attention that has been put on that and the 
number of authorities--not just CBP, but also Coast Guard, that 
are available--the Department has done a reasonably good job of 
trying to improve port security. You know, obviously it has not 
been able to move inspection for nuclear weapons overseas the 
way one would like, and that isn't going to happen anytime 
    Not because of incompetence on the Department's part, but 
because, you know, we have to persuade our negotiating partners 
to do that. One of my biggest worries is that if we are looking 
for nuclear weapons, which is a fundamental part of our port 
security program, that may be smuggled into the United States 
we have pretty good mechanisms--not perfect, but pretty good 
mechanisms--for identifying those weapons if they come in in 
containers through the ports.
    We are much less well-protected against the possibility 
that someone will put that into a private jet and just file a 
plan for Teterboro and never get to Teterboro. Just set it off 
before they land it in the United States. We need an approach 
to nuclear weapon smuggling that looks not just at ports, but 
at all the ways people might smuggle stuff in.
    The joke is, the best way to get it in is to wrap it in a 
bale of marijuana. We need to be looking at all of those. I 
think actually we have done a better job of securing our ports 
against that threat than most of the other mechanisms by which 
people would bring a nuclear weapon in.
    Ms. Hahn. Any other members of the panel want to speak on 
port security?
    Mr. Maurer. We issued a report specifically on the Port 
Security Grant Program about a year or so ago, and highlighted 
some of the issues you pointed out. Specifically, it takes too 
long for the money to flow out to the actual recipients. I 
think the good news there, in a nutshell, is that FEMA and DHS 
are taking actions to address our recommendations.
    My understanding is, they are starting to make progress on 
that. So that is good news. The second point, real quickly, is, 
one of my colleagues from GAO, Steve Caldwell, recently 
testified on the overall state of port security. I think we 
would agree with Mr. Baker's assessment. Generally speaking, 
that has been one of the relative areas of success for DHS over 
the course of the last 10 years.
    Ms. Hahn. Thank you.
    Mr. Cilluffo. A very general point. Smuggling is smuggling 
is smuggling is smuggling, whether it is drugs, weapons, 
people, or whatever illicit or even licit goods in tough areas. 
So one area where I think beyond just ports that we need to be 
doing more is we are seeing hybrid threats. Is it terrorism, is 
it crime, is it this, is it that?
    At the end of the day, I think there is some real 
opportunity between the counternarcotics community and the 
counterterrorism community to further cooperate on some of 
these issues. Because again, the routes are going to be the 
same. The TTP, the terror tactics, might be the same. So how do 
we start bringing those worlds together?
    Ms. Hahn. Thank you.
    I yield back.
    Chairman King. The time of the gentlelady has expired.
    Now the gentleman from New York. Mr. Turner.
    Mr. Turner. Thank you, Mr. Chairman.
    One of the most important elements here in counterterrorism 
is intelligence. If you could give us a minute, maybe, on what 
you think can be done and improved for intelligence sharing. I 
am particularly taking this from a view as a New York 
representative, which comes both ways.
    The NYPD, as you may know, has its own intelligence 
operation. If you have a thought on the efficacy of that, and 
what are the things that could be improved upon in the next 
year or two. If you would be kind enough to begin, Honorable 
    Mr. Skinner. I would be happy to. That is one of the 
things. I think the biggest concerns I had dealt with the 
integration of our IT systems and creating a capability to 
communicate on a real-time basis. The Department, within 
itself, has problems just communicating across the various 
component lines.
    One of the biggest challenges--and I believe I alluded to 
this earlier--is our ability to then communicate on a real-time 
basis with our Federal partners and, particularly, with our 
State and local partners. The fusion centers, I think, is a 
good step forward to improving that communication capability. 
But I still think we have problems with getting access on a 
real-time basis, giving people the clearances so that they can 
communicate on a real-time basis, and developing a trust.
    Fusion centers, I think some operate very well. But again, 
we talk about do we need as many as we have? Probably not. Can 
we do a better job in consolidating those fusion centers and 
building on a cadre where they are most needed on a risk basis 
would be, I think, a step forward. But building an IT 
capability to allow us to communicate, I think, is one step 
that we need to continue to work on.
    Mr. Turner. How far away are we from that ideal?
    Mr. Skinner. Quite frankly, I think we are very far away.
    Mr. Turner. Thank you.
    Mr. Baker. You know, the New York police department is one 
of the crown jewels of our counterterrorism effort, and the 
only non-Federal agency that really provides an alternative 
model for how you respond to terrorism effectively. I was 
disappointed to see the Associated Press and a few other folks 
kind of sniping at NYPD and inviting Federal oversight as a way 
of kind of making them less effective.
    We should have more local law enforcement agencies that 
were learning from NYPD, that were willing to talk directly to 
the U.S. intelligence agencies. So I would say they should be a 
model, rather than somebody subjected to criticism.
    On information sharing, let me just highlight an area of 
information sharing that I think is far worse than the 
relationship with State and locals. It is information sharing 
on cyber intrusions where, in fact, law enforcement agencies 
know an enormous amount about who is doing them, what tactics 
they are using, why they are targeting people, and who they are 
    The targets are in the private sector. The sharing with the 
private sector at that level of detail, in my view, is nowhere 
near as good as it is with State and locals on the 
counterterrorism mission.
    Mr. Cilluffo. I think Stewart and I are hanging out too 
much. NYPD is clearly the gold standard in this business. I 
might note, though, Ms. Hahn and others that if New York police 
department is the gold standard, LAPD is the silver standard.
    But once you get outside of New York, Los Angeles, Texas 
and some of these other areas, Arizona, you really have a mixed 
bag. At the end of the day, that is why I think we really do 
need to invest in the fusion centers. It could probably afford 
some culling to be able to build on the best.
    The last thing I want is the successful initiatives to be 
thrown out--the baby thrown out with the bath water--if we see 
the need to cut, and we are not going to cut the right ones. In 
essence, you are going to have entities that perhaps ought to 
be put on life support, and you have got the gems that are 
going to be stymied.
    New York has its own intelligence capabilities. They have 
an overseas presence. Very few police departments have an 
overseas presence. So I don't think it is even constructive to 
compare that--maybe LAPD--with the rest of the country. But as 
much as can lean forward, enable and support, it has been a 
target multiple times.
    Unfortunately, it is a target almost every day; much of 
which we don't read about. So I support that 110 percent. One 
thing on the intelligence picture writ large. I would argue 
that we need a true domestic intelligence estimate. We don't 
have regional threat assessments domestically for the Jihadi 
threat, for Islamist threats. The United Kingdom, for example, 
    I am not suggesting we need a security service or an MI5 in 
the United States. Actually, quite the opposite. Push the 
capabilities to our State and local authorities. One area where 
we are the best in the world, hands down, are JTTFs. But that 
is only when an investigation is open.
    Once we get the blip on the radar screen we are the best, 
period. But what about in that steady state, to be able to see 
what that threat environment looks like for the unknown 
unknowns. That, I think, we still have a lot of work to do. As 
much as we can invest in our State and local authorities, we 
ought to.
    Mr. Maurer. Very quickly, I think you should know 
information sharing is one of GAO's high-risk areas. So clearly 
there is a lot of work that still needs to be done there. We 
want to see closer collaboration among all the Federal partners 
and a greater ability to work with State and locals, as well.
    Chairman King. The time of the gentleman has expired.
    Again, Mr. Turner will be leaving the committee at the end 
of the day. I want to thank him for his service. He does an 
outstanding job, and I want to thank him for his dedication to 
the committee and to the people of New York overall.
    Also, let me associate myself with the remarks of Mr. Baker 
and Mr. Cilluffo on the NYPD. I just hope that the Associated 
Press and New York Times were listening.
    With that, I recognize the gentlelady from Texas, Ms. 
Jackson Lee, for 5 minutes.
    Ms. Jackson Lee. Let me also thank my colleague for his 
service, as well. I think, as the Ranking Member and the 
Chairman mentioned at the beginning of this hearing, we are 
committed in a bipartisan way to the security of this 
homeland--and, I would like to put on the record--for the 
greatest country in the world. I heard someone define us as the 
greatest democracy in the world. I am going to redefine us as 
the greatest country in the world.
    So I am very grateful for our commitment. I also want to 
associate myself with the comments ``maybe one day.'' I am 
going to ask for just a yes or no answer. That the streamlining 
of jurisdiction oversight of homeland security is imperative 
for a consistent and efficient and effective securing of the 
    Mr. Skinner, do you agree?
    Mr. Skinner. Yes.
    Ms. Jackson Lee. Mr. Baker.
    Mr. Baker. Amen.
    Ms. Jackson Lee. Mr. Cilluffo. Do I get it right?
    Mr. Cilluffo. Yes.
    Ms. Jackson Lee. GAO in particular, Mr. Maurer?
    Mr. Maurer. You know, we got to be agnostic on that one 
because we serve the whole Congress. I don't say that to dodge 
the question, but because I know this has been an issue that 
has been debated among the Members across the various----
    Ms. Jackson Lee. We will give you a pass.
    Mr. Maurer. Okay.
    Ms. Jackson Lee. Let me also indicate that I look forward, 
if we all return by way of election, to really look at this 
regional security threat concept. I think that is a very 
important new note to hear.
    I am going to try and ask a number of fast-moving 
questions, and try to get through all of you. May not, but let 
me start with Mr. Maurer. I hope you can comment that investing 
resources, or the utilization of resources funding, is crucial 
to some of the assessments that you have made.
    Do we need to continue the right and reasonable and 
effective and continued funding for Homeland Security?
    Mr. Maurer. Absolutely. You are going to need resources to 
achieve many of the things the Department wants to do. They are 
    Ms. Jackson Lee. That are still not done.
    Mr. Maurer. That are still not----
    Ms. Jackson Lee. And are crucial to securing the Nation.
    Mr. Maurer. Absolutely. They have made good progress so far 
to date. One of the biggest criticisms we have had of their 
plans to date, frankly, is the fact that they have resource 
limitations in executing those plans. Now some of that rests in 
the Department, quite frankly, and setting priorities on where 
they are going to spend the money that Congress appropriates to 
    Ms. Jackson Lee. The border, which is something that I have 
been particularly attentive to because I come from the State of 
Texas. Have we made improvements since, for example, 2005? I 
particularly remember enhancing the Border Patrol agent census, 
or population; adding more, and giving them enhanced equipment. 
Has that made a difference?
    Mr. Maurer. Yes, it has. There are certainly many more 
Border Patrol agents on the Southwest Border as well as the 
Northern Border. DHS continues to invest in enhancing the 
training that they receive, as well as the acquisition tools 
and the systems that they use in the course of their job.
    We still have a number of concerns about the technology 
enhancements DHS plans to make on the Southwest Border. The 
collapse of SBInet was a major failure for the Department, and 
we are watching what they are doing on that front very 
carefully right now.
    Ms. Jackson Lee. I think we would be very eager to know 
that even though we have the rise of drug cartels, gun 
trafficking, which we just heard the IG's report that I think I 
can put on the record. That the attorney general had no 
knowledge of the gun trafficking and the Fast and Furious 
    But we do know that there are elements that were not 
effective. But with all of that, getting those other agencies 
to collaborate, we can see in the future a secure border or a 
securer border?
    Mr. Maurer. It definitely depends on the execution among 
the various departments and agencies. That is certainly our 
hope, and we will be there to provide oversight to help assist 
the Congress in its own deliberation.
    Ms. Jackson Lee. All right. Gentlemen, I am going to give 
three questions and I would like you to answer. I see my time 
is--and I ask the Chairman for an indulgence. They could pick 
the ones that they would like.
    I do want to indicate that I would like to see the CERT1 
program improved--I don't think the outreach goes to minority 
communities sufficiently--and that is the response program 
during disasters. I think the procurement is way in need of 
repair in terms of outreach to small businesses.
    But these are the questions I would like. We have seen a 
rash of attacks or threats to universities, bomb threats. I 
believe we need an ombudsman or a focus inside Homeland 
Security that is an immediate response team to our 
universities. Some of these, obviously, are prank calls. Or at 
least they have been determined as that.
    But with the rash of incidences that have occurred, I would 
appreciate your comment. I would appreciate your comment on the 
importance of reaching out to Muslim-Americans and retaining 
and hiring them in the security process. I would appreciate 
your comment on the importance of homeland security and civil 
    Anyone want to start first?
    Chairman King. I would ask the gentlemen if they would try 
to, you know, give brief answers. Try to keep it in the next 2 
or 3 minutes.
    Ms. Jackson Lee. Mr. Chairman, I thank you.
    Mr. Baker, you are up.
    Mr. Baker. Okay. So I would say ombudsman to universities, 
or at least a place to call after you get a call you can't tell 
is crank or not, absolutely it is a great idea. It should be 
part of information sharing. Outreach to Muslims has been going 
on, should continue to go on and I think, on the whole, has 
been successful for the Department and the U.S. Government 
    On civil liberties and privacy, frankly if there were a job 
I wanted in Government it would be chief privacy skeptic. I 
think the privacy groups have not, on the whole, treated DHS 
well or its programs. We probably should be more skeptical 
about privacy claims than we are.
    Ms. Jackson Lee. All right. Well, Mr. Skinner.
    Mr. Skinner. I have nothing to add to what Mr. Baker just 
said. Very well put.
    Mr. Cilluffo. Just that I agree on the university side we 
need a bellybutton. I am not sure exactly what that looks like, 
but I am standing where I sit. I am at George Washington 
University now.
    Second, in terms of civil liberties, I don't think the 
debate has been cast as an either/or proposition. I don't think 
that is healthy. You can, and must, have both. When you start 
looking in the cyber domain in particular, there are going to 
be a lot of questions.
    But I agree with Stewart. Many of them are red herrings. A 
lot of them are not necessarily--that is not to suggest we 
don't take it seriously. We do. But I think most of the people, 
having been on the inside you hear more from your lawyers than 
you hear from the ops guys in terms of what it is you can and 
cannot do.
    That creates, to some extent, a chilling effect. Which is 
why, again, Congress, I think, has an opportunity and a 
responsibility to address some of these issues and move some 
    Ms. Jackson Lee. You should not take privacy lightly, 
    Mr. Cilluffo. Absolutely not. It is you build too many 
walls, the bad guys win by default because our way of life has 
been lost. That is what we are, is a federalist democracy, of 
    Ms. Jackson Lee. Mr. Maurer.
    Mr. Maurer. You definitely want to consider civil liberties 
as part of the overall approach to cybersecurity. Absolutely in 
agreement on that. Outreach to the Muslim community is 
absolutely vital. I agree with that, as well. I think it is an 
interesting concept you talk about for an ombudsman, and 
certainly worth looking into.
    Ms. Jackson Lee. Thank you very much. Mr. Chairman, thank 
    I yield back.
    Chairman King. The time of the gentlelady has expired.
    The gentleman from Texas, chairman of the Oversight 
Subcommittee, Mr. McCaul.
    Mr. McCaul. I thank the Chairman.
    I want to follow up on something Mr. Lungren talked about. 
That is, you know I think one of the greatest disappointments I 
think I, and this committee I think, share in is that the 
Congress did not pass cybersecurity legislation, which is so 
important. Every day that goes by without those authorities, 
more Americans are at risk.
    So I hope that if we can't get it done in this Congress we 
can certainly get it done next Congress. A very small point, 
and I want to go on to two other points.
    But, Mr. Baker, you mentioned an interesting idea. I think 
part of the problem is the perception that DHS just doesn't 
have the capability that NSA has. That probably is reality, 
too. So to put that faith and trust in DHS because I personally 
think, and I think Mr. Lungren and the Chairman agree, that a 
civilian authority is the more appropriate in a domestic sense 
rather than a military.
    Now, NSA can work with DHS and that is what you want. But 
how do you get NSA, you know, capability or NSA employees to 
come to DHS?
    Mr. Baker. So, in fact, some of that is happening. You 
know, I am an alumnus of both organizations, and may be the 
only one who has had a political appointment in both. But I 
don't think that you can bring staff over from NSA, detail them 
in. They are operating under DHS authorities and constraints, 
but they are bringing a raft of technical capability that 
otherwise it would be very hard for the Department to hire.
    What we need is enough technically competent people at the 
Department so they feel that they can take advice from NSA 
employees without fearing that they are getting a whole bunch 
of policy advice they don't see buried in the technical----
    Mr. McCaul. I like the detail approach. Because I think, 
again, they kind of have to earn the respect of the Congress 
for the Congress to give them those authorities. I think there 
is an issue with that. I personally think it should be more 
under civilian control.
    So, quickly, to move on, I am chairing a hearing tomorrow--
I think, Mr. Maurer, you are going to be there--on acquisition, 
procurement. You know, we still see all the silos that Mr. 
Skinner talked about. Yet, you know, it is still a very solid F 
in terms of the acquisitions. So we don't see--there were these 
recommendations that were made, you know, several years ago.
    But they don't seem to be followed. So you got a 
procurement process that has become very wasteful in its 
management. I mean, so overall how do you integrate this 
management together? But then how do you fix the procurement 
process? If you could answer it in a fairly short manner I 
would appreciate that.
    Mr. Maurer. Sure, absolutely. First off, I want to give 
good credit to my colleague, John Hutton. He will be the GAO 
witness tomorrow at your hearing. So he is taking the lead on 
this issue at GAO.
    But how to address the problem? First and foremost, DHS 
needs to follow its own rules. They haven't been doing that, 
that has been at the root of the problem. Second, they do need 
to do a better job of managing the overall portfolio, and start 
making the hard decisions and figuring out what they can 
actually afford out in the future.
    But a third issue, they need to do a better job of coming 
up with life-cycle cost estimates. That sounds wonky and down 
in the weeds, but what it basically means is figuring out the 
price tag. What is it going to cost to procure these different 
systems, and over how many years is that going to take? Until 
they come to grips with all three of these issues they are 
going to continue to have problems.
    Mr. McCaul. Okay. A final point is, Mr. Cilluffo, you 
talked about regional threats. I think that is a very smart 
approach. I led a delegation down to Latin America, and we went 
to, you know, the tri-border area, a Jewish community center in 
Buenos Aires. As you know, the Saudi ambassador applied the 
Quds forces. They were going to hit the embassies--and Israel, 
Saudi, and Argentina.
    So we look a lot at the Middle East, but there is a lot 
going on right here, too. My kind of nightmare scenario is a 
strike from Israel, against Iran. With everything that is 
happening right now already, with these embassies already being 
targeted, you throw that cocktail on top of everything and it 
is a Molotov cocktail.
    I can see, you know, there will be ramifications to that. 
There will be a response. I can see the Hezbollah operatives 
not only there but in this hemisphere which we know are here. I 
can see them lining up.
    So is DHS prepared? Do you think they are even looking at 
this issue and planning to defend?
    Mr. Cilluffo. Mr. McCaul, you raise a number of very 
important points. I think as much as you can raise awareness in 
terms of the challenges you saw in the tri-border area would be 
helpful to the American people. Because we do have problems on 
our hands.
    It is not just in the tri-border area. Hezbollah has got a 
presence in the United States. In fact, the Los Angeles police 
department elevated the government of Iran and its proxies, 
notably Hezbollah, as a Tier I threat; highest threat level. 
NYPD has been leaning forward in terms of addressing some of 
these challenges.
    So I don't think it is only in response to some actions 
that Israel or others may take. I think that you are seeing an 
uptick in activity that, even short of that, warrants greater 
concern from the U.S. National security.
    Mr. McCaul. Then, in closing, I hope the Department is 
focused on this very aggressively in terms of defending the 
Nation rather than responding, or reacting to, a crisis.
    Mr. Cilluffo. I can tell you some are. I am not sure that 
is percolating throughout the entire Department. But I have 
worked with some folks who are recognizing that as a challenge.
    Mr. McCaul. I thank the Chairman.
    Chairman King. The gentleman yields back.
    I would just point out, as Mr. McCaul knows, and he was 
part of the hearing, we held a hearing--at least one hearing, 
full committee also, I think, some subcommittee involvement--on 
the whole issue of Hezbollah in this country. My impression was 
the same as yours. It is a serious threat not being taken 
seriously enough by everyone. By some, but not by all.
    With that, the gentlelady from California, Ms. Richardson, 
is recognized for 5 minutes.
    Ms. Richardson. Yes, thank you, Mr. Chairman.
    I just have two questions for Mr. Skinner. One, in fiscal 
year 2011 the Department entered into over 133,000 procurement 
transactions and over 81,000 thus far in 2012. I am concerned 
about the oversight of these transactions. On your watch, 
during the Department, we have obviously heard, and learned of, 
various problems of the procurement process, including 
contracts with SBInet, Deepwater, and Federal Protective 
Service contracts and Guard contracts.
    Yet the Department's management budget appears to leave 
little room for improved oversight during the procurement 
process. How can you improve upon your contract oversight?
    Mr. Skinner. It is, I think, very basic. That is, increased 
staffing. Because I think the acquisition management function 
within the Department when it stood up, and even today, as much 
as they are trying to build a capability is still grossly 
understaffed. I think as part of the procurement process, when 
you develop your strategic plans, your operational plans, as to 
what you are going to be buying in the outyears and in the 
current years, that we need to budget in, or factor in, the 
cost of the total procurement.
    Just not the cost that we pay the contractor, but the cost 
to provide oversight of those contracts. It is all part of the 
contract administration process.
    Ms. Richardson. Has that----
    Mr. Skinner. I do not think that is being done right now.
    Ms. Richardson. Is there anything you need us to do to be 
able to assist you to have that happen?
    Mr. Skinner. The authorities are there, the guidelines are 
there, the policies are there. They just simply need to be 
implemented. I think with additional staffing, we could do a 
better job of managing the contracts as opposed to just simply 
awarding and then reacting to problems.
    Ms. Richardson. Okay. So, Mr. Chairman, if you would be 
willing maybe the committee would want to consider requesting 
of the Secretary that as contracts are distributed that, as Mr. 
Skinner has suggested, that the oversight be included in the 
overall cost that is being considered.
    Then that way, they might be able to have adequate staffing 
to take control of the taxpayers' money, which I know you and 
all of us here are very concerned about.
    Chairman King. We will certainly consider that, and I will 
work with you and your office to try to bring that about.
    Ms. Richardson. Thank you, Mr. Chairman.
    The second question is: Mr. Skinner, on a scale of 1 to 10, 
how would you rate the Department of Homeland Security on its 
cybersecurity efforts? Meaning, where are there improvements 
most needed from the Department's perspective, and what 
legislation could we do to help you to better achieve those 
    Mr. Skinner. First, let me say I am probably the least 
qualified person to ask that question on this panel. But based 
on my observations when I was serving with the Department, they 
are making modest progress through their hiring efforts, their 
attention to the cybersecurity issues. But on a scale of 1 to 
10, I would have to give them something around a 4.
    We have a long, long way to go. I think one of the primary 
things, and it has been repeated several times this morning, is 
that we definitely could use legislation to help guide the 
    Ms. Richardson. Okay. Would anyone else like to give a very 
brief response that wanted to chime in?
    Mr. Cilluffo. Just to piggyback Mr. Skinner's comments, 
General Alexander, when asked very specifically where the U.S. 
readiness was on a scale from 1 to 10, said a 3. So it is 
pretty much in line with some of that thinking. He is the 
commander of Cyber Command, and director of the National 
Security Agency.
    I do feel this is a big area that the United States--we are 
not any further along than our homeland community was shortly 
after 9/11.
    Ms. Richardson. Wow.
    Mr. Cilluffo. The difference is, is we know the risks. So I 
think we have got a responsibility to move.
    Mr. Baker. I can just add, if the people who are attacking 
us for getting grades from their governments they would get at 
least a 6. So we are losing ground to the attackers.
    Ms. Richardson. Mr. Chairman, I know that when 
appropriations come forward in the House, typically where we 
look to add more programs, Members of Congress will typically 
take money out of the management and oversight or salary bucket 
of a particular department. Take money from there and, you 
know, fund for another program.
    I would be more than willing to join you of us educating 
our colleagues that in this particular area of cybersecurity--
we can't speak to every area--but the impacts of these cuts to 
the staffing in particular is really hindering the ability to 
move forward. If you would like to join me, or suggestions on 
how we might do that, I would welcome that.
    Thank you, sir.
    Chairman King. Be delighted to work with you. The time of 
the gentlelady has expired.
    Before I go on to Mr. Marino, I just want to acknowledge, 
in the audience, Robert Matticola, who is homeland security 
director for the New York waterway ferry in New York, and he 
has held that position since July 2008. It is obviously a job 
that is in the line of fire, and I want to commend you for your 
    Now the gentleman from Pennsylvania, former United States 
attorney, Mr. Marino is recognized for 5 minutes.
    Mr. Marino. Thank you, Mr. Chairman. I apologize for being 
late. I am trying to get to all of my committee hearings today.
    Gentlemen, it is a pleasure. As my distinguished Chairman 
stated, I have been in law enforcement and I have been there 
for 19 years. So I know what our men and women go through. I 
have been out there on the front line with them, I have their 
backs. I have worked closely with all the agencies throughout 
my career.
    You know, it is easy for us and anyone else to Monday-
morning-quarterback our men and women and our agents on the 
line and in the field. Just unfortunate that much of the 
information and much of our operations--and I still say ``our'' 
because I still feel I am part of law enforcement, I will 
always be--has to be kept close to the chest because we don't 
want the enemy knowing what is going on out there.
    But each one of you can respond to my question, if you 
would like to. Are our agents, are our people in the field, 
fully equipped with what they need to do what we expect them to 
do? Equipment, training, et cetera?
    Mr. Skinner, would you like to start?
    Mr. Skinner. I believe because of the rapid buildup within 
our law enforcement community, particularly with CBP and ICE 
over the past 5 to 6 years, that we are still behind the curve 
as far as providing the types of training and the degree of 
training that they need.
    As far as equipping them, I also believe that our 
infrastructure is trailing our hiring. We are hiring faster 
than we can build an infrastructure to support them. Third, as 
far as supervision and management, as we hire so many people so 
rapidly that brought some of our more experienced--or what we 
have done is, in essence, taken very inexperienced individuals 
and put them in supervisory and management roles.
    That was the only alternative they had at that time. That 
does not mean to be a criticism. But all in all, I think we 
still have to catch up to the hiring.
    Mr. Baker. I don't have anything to add to that.
    Mr. Cilluffo. I would just underscore field bias, field 
bias, field bias. As much as we can lean forward, if you look 
at the military community, the intelligence community, and 
other communities that have gone through similar issues 
commanders intent; push the capability down to the pointy end 
of the spear.
    In this case, I think the big potential gap is, we need to 
enhance our analytical capacity so State and local can--so they 
are not going in with--not blind, but with less vision, given 
the fog of crises and situations. So push to State and local. 
That is my one takeaway. DHS's role in that is significant and 
important, but it is really about looking at State and local 
authorities as their force multipliers. They are our boots.
    Mr. Maurer. I think DHS definitely deserves some credit, 
particularly in the last couple of years, in coming to grips 
with its management problems. It gets right to your question. 
They are trying to do a better job with procurements, they are 
trying to do a better job with training, they are trying to do 
a better job with all the different entities working as one 
unified whole within DHS as well as their interagency partners.
    They are definitely not where they want to be or where they 
need to be, and they fully recognize that. But I am just 
encouraged by the fact they are paying more attention to sort 
of these basic fundamental resource and management issues.
    Mr. Marino. I understand that, being in the field, there 
are many agencies and many different types of work that has to 
be done. But can you give me a ball-park figure? We talked 
about training--and behind the curve on that--to adequately 
train our people on the front lines. Whether it is ICE, you 
know, whether it is DEA or whoever is--and Homeland Security 
protecting our borders, or even overseas.
    How much time are we talking about for training?
    Mr. Maurer. I don't know if you can put an exact time frame 
or dollar figure on it because training is an on-going thing. I 
mean, it is not only bringing in new Border Patrol agents. It 
is continuing to offer training throughout that person's 
    Mr. Marino. But I mean, you know, bringing someone in 
initially. I know training is on-going, and should be. But let 
me put it this way. I don't think there is any agency with whom 
I have worked where it is a 6-week training course and you are 
ready to rock and roll.
    Is that a correct statement? A significant amount of time 
is required?
    Mr. Skinner. Absolutely yes, there is significant time 
required. I almost equate it to like a boot camp. Because when 
you bring someone in, you are giving them basic training. But 
as you progress, you are going to have to receive additional 
training. That training has to be kept up-to-date.
    It is just not a one-shot deal. It is constant.
    Mr. Marino. Totally agree.
    Mr. Skinner. So there is a lot--the more investment we make 
in our training, the better performance we are going to get 
from our employees.
    Mr. Marino. Thank you, gentlemen.
    I yield back.
    Chairman King. The gentleman yields back.
    I want to thank all the witnesses for their testimony 
today. I think this is one of the most thoughtful and 
substantive hearings we have had. Your testimony was really 
invaluable. I think as Members of the committee, we often tend 
to focus on issues that are particularly important to us, a 
component to the Department that are important to us, or parts 
of the Department where particular errors have been made.
    I think you were able to bring it together today and really 
show us the Department as a whole, its weaknesses and its 
strengths. As Mr. Lungren said, I think significant progress 
has been made. It is important to keep that in mind. But at the 
same time, we have to, you know, continue to make more 
progress. Especially address some of the more significant 
    But at the same time, I think it is important that we let 
the public know, really, the overall job that DHS is doing. 
Because too often, when it comes time for budget cuts or 
whatever, people look upon DHS as not really contributing that 
much. The fact is, despite its persistence, al-Qaeda has not 
been able to perpetrate an attack on the scale of 9/11 in the 
past 11 years. The DHS has been a vital component of that.
    So with that, I want to thank you for your testimony. I 
would also want to thank the Members of the committee who were 
here today. Some Members may have additional questions for the 
witnesses, and we would ask you to respond to those in writing. 
The hearing record will be held open for 10 days.
    Without objection from the distinguished acting Ranking 
    Ms. Hahn. No objection.
    Chairman King [continuing]. The committee stands adjourned.
    [Whereupon, at 12:03 p.m., the committee was adjourned.]

                            A P P E N D I X


      Questions From Chairman Peter T. King for Richard L. Skinner
    Question 1. Will you please share your views on the importance of 
the completion of the St. Elizabeths project to the Department's efforts 
to consolidate operations and its potential impact on the Department's 
    Answer. In my opinion, the inability of the Department to complete 
the St. Elizabeths project as originally planned should have little, if 
any, impact on the Department's efforts to consolidate operations and, 
most certainly, should not adversely impact its performance. 
Consolidating the Department's components ``under one roof'' so to 
speak is an issue of convenience, not one of performance, particularly 
in today's IT environment of borderless networks, where any employee 
should be able to connect with anyone or any information from anywhere, 
using any device. Housing ``people'' in one location may make it 
convenient for officials to conduct face-to-face meetings, but it will 
not address the real challenges facing the Department, and that is 
consolidating and integrating management support systems and 
operations. Consolidating operations and improving performance are 
``management'' issues, not ``logistical or housing'' issues.
    Question 2a. How would you compare the creation and maturation of 
the Department of Homeland Security to date to that experienced by the 
Department of Defense in the decade after its establishment?
    Do you believe that now, almost 10 years after its creation, the 
Department should have matured more quickly and its components should 
be operating more effectively and efficiently?
    Answer. While the creation of the Department of Homeland Security 
may be the largest Government reorganization since the creation of the 
Department of Defense, it pales in comparison to the enormity of the 
challenges faced by DoD upon its creation. Accordingly, in my opinion, 
the Department of Homeland Security has, and should have, matured more 
rapidly to date than the Department of Defense in the decade after its 
    I believe that now, almost 10 years after its creation, the 
Department should have matured more quickly and its components should 
be operating more effectively and efficiently. During its first 3 years 
of existence, neither the Congress nor the administration gave the 
Department the resources needed to properly support the programs and 
operations inherited from its legacy agencies. In particular, its 
management support functions were shortchanged, i.e., the financial, 
information technology, acquisition, human resources, and grants 
management functions. During the second 3 years of its existence, both 
the Congress and the administration increased the Department's funding 
for its management support functions, but, while making modest 
improvements, it fell far short of its goal to establish a cohesive, 
efficient, and effective organization. For example, the Department is 
still unable to obtain a clean opinion on its financial statements and 
internal controls; its components are still struggling to upgrade or 
transition their respective IT infrastructures; resources needed to 
implement acquisition policies are still lacking; and, it is impossible 
to determine whether the Department's grant programs are actually 
improving our Nation's homeland security posture. During the past 3 
years, budget constraints have impeded the Department's ability to make 
any significant headway and build on the modest improvements made since 
its creation. The Department's new challenge will be to sustain the 
progress already made and at the same time continue to make necessary 
    Question 2b. How much longer is the argument that bringing together 
so many Federal agencies a legitimate explanation for the Department's 
    Answer. Bringing together so many Federal agencies should no longer 
be a legitimate explanation for the Department's shortcomings. The 
Department had many opportunities to address its management challenges, 
but, for a myriad of reasons, it failed to do so. Although some were 
out of its control, many opportunities were lost due to poor management 
decisions or just plain indecision. Unless the Department stays focused 
on its shortcomings, it will be harder than ever to find solutions to 
strengthen critical management support functions and, ultimately, to 
ensure the success of its homeland security mission.
       Questions From Chairman Peter T. King for Stewart A. Baker
    Question 1. Will you please share your views on the importance of 
the completion of the St. Elizabeths project to the Department's 
efforts to consolidate operations and its potential impact on the 
Department's performance?
    Answer. As noted in my testimony before the committee, one of the 
greatest challenges facing the Department of Homeland Security going 
forward will be developing a framework to enable proper coordination 
among all of the Department's big and proud components. Department 
leadership has done a good job at bringing the various components 
together to respond to major crises, but coordination on day-to-day 
issues is very much lacking. The St. Elizabeths Campus project, by 
bringing together the leaders of all of DHS's components under one 
roof, is critical to addressing this larger Departmental challenge. 
Placing component and Departmental leadership in the same office space 
will, I believe, go far in building a unified organizational culture 
and providing daily opportunities for DHS components to work together 
    Question 2a. How would you compare the creation and maturation of 
the Department of Homeland Security to date to that experienced by the 
Department of Defense in the decade after its establishment?
    Do you believe that now, almost 10 years after its creation, the 
Department should have matured more quickly and its components should 
be operating more effectively and efficiently?
    Answer. The Department of Defense's history illustrates just how 
difficult integrating all of the components at DHS will be. When DoD 
was formed in the late 1940s out of the Department of War and the 
Department of Navy, both of which had been established in the 1700s, 
DoD at least had the advantage of an existing unified office space and 
the recent experience of coordinating operations during World War II. 
All the same, it took years for DoD's leadership to establish its 
authority within the entire Department. As late as the Cuban Missile 
Crisis in 1962, Secretary McNamara's authority over the Navy was still 
in doubt. When the Secretary asked Admiral Anderson:

``what would happen if a Soviet ship refused to stop or resisted 
boarding. Anderson answered angrily, `This is none of your goddamn 
business. We've been doing this since the days of John Paul Jones, and 
if you'll go back to your quarters, Mr. Secretary, we'll handle this.' 
''--Dobbs, One Minute to Midnight: Kennedy, Khrushchev, and Castro on 
the Brink of Nuclear War (2008).

    I'm quite confident that today, just 10 years into the Department, 
no DHS component head would dare to say that to the Secretary of 
Homeland Security, even though several of the components have been 
carrying out their missions as long as the Navy.
    Question 2b. How much longer is the argument that bringing together 
so many Federal agencies a legitimate explanation for the Department's 
    Answer. The understandable challenges of post-merger integration at 
DHS, however, do not excuse component or Departmental leadership from 
fulfilling their missions. Responsibility for building the Department's 
capacity and accomplishing its objectives still has to lie with 
individual components or offices at DHS. To the extent that individual 
parts of DHS are underperforming, they should be held individually 
accountable for making the necessary programmatic and staffing changes 
to turn the Department around.
      Questions From Chairman Peter T. King for Frank J. Cilluffo
    Question 1. Will you please share your views on the importance of 
the completion of the St. Elizabeths project to the Department's 
efforts to consolidate operations and its potential impact on the 
Department's performance?
    Answer. While I am not fully up to speed on all of the developments 
surrounding the St. Elizabeths project, I am of the view that 
consolidating operations in a single location could have a range of 
salutary benefits, including the prospect of synergies between and 
among offices and individuals that derive simply from physical 
proximity (through increased daily interactions, etc). In addition to 
tangible advantages, such as the facilitation of communications between 
and among offices and individuals, there are likely to be intangible 
advantages as well, such as a greater sense of unity of mission and the 
boost to morale that may occur as a result of co-location (which may 
engender a greater sense of esprit de corps).
    However, there are a range of factors that may affect the timing of 
completion of the St. Elizabeths project, including of course the 
current budgetary situation; hence it may be some time before the 
project's benefits come to fruition. Let me underscore, though, that 
future developments should not come at the expense of the Department's 
operating budget. Having said that, perhaps the most forceful and vivid 
argument in favor of timely completion of the St. Elizabeths project is 
as follows: Just imagine the Department of Defense without the 
Pentagon, or the CIA without the George (H.W.) Bush Center for 
Intelligence in Langley, Virginia.
    Question 2a. How would you compare the creation and maturation of 
the Department of Homeland Security to date to that experienced by the 
Department of Defense in the decade after its establishment?
    Do you believe that now, almost 10 years after its creation, the 
Department should have matured more quickly and its components should 
be operating more effectively and efficiently?
    Question 2b. How much longer is the argument that bringing together 
so many Federal agencies a legitimate explanation for the Department's 
    Answer. There are certainly some similarities between the 
Department of Homeland Security and the Department of Defense in the 
context described above (creation and maturation a decade after 
establishment). In both instances, it took time to synchronize each of 
the following--operations, planning, strategy, etc.--from an 
organization-wide perspective. Likewise, both cases evidence the pace 
at which a cohesive organizational culture takes shape; this is not 
something that appears or grows overnight.
    Notably, for the Defense Department, thinking purple is a mindset 
and action posture that took time to cultivate and instill; and even 
then, in order to genuinely root itself required legislation (the 
Goldwater-Nichols Department of Defense Reorganization Act of 1986) and 
a supporting incentive structure that tied education and training, 
interagency rotations, promotion and professional advancement to 
``jointness.'' Given that DHS initiatives in the realm of education and 
training, for example, remain nascent, it is no surprise that there are 
still some bumps in the road when it comes to execution and 
implementation in an effective and efficient manner. On paper and in 
principle, 10 years may seem like a long time. Yet that first decade of 
DHS' existence has been marked by unprecedented and almost constant 
challenges. The fact that DHS was created at a time of crisis, and also 
evolved in such a climate, suggests that an extended interval may be 
warranted in order to judiciously evaluate its progress.
    Having said that, DHS as an enterprise needs a sharper focus and a 
greater prioritization of its activities, to include more and better 
alignment of budgets with priorities. In addition, DHS has yet to 
define its Office of the Secretary, writ large. Compare the Defense 
Department, whose counterpart Office for Policy (OSD/Policy) for 
example, serves a robust and genuine Department-wide, cross-cutting 
function. This is the bar which DHS should, and must, aim to reach.
    Indeed, the Defense Department today is the gold standard when it 
comes to plans and planning, after-action reflection, and a range of 
other matters. Both regional and functional/thematic approaches to a 
range of complex challenges are successfully integrated and 
incorporated into outputs, including budgeting for future years. Yet 
there was a time when DoD's ability to bring these various pieces 
together so effectively was in some question; and this was so despite 
the fact that military endeavors permit a type of mandating vis-a-vis 
Service members that civilian entities do not. The challenge at hand is 
thus compounded: While DoD is founded upon the science of command and 
control, DHS must rely instead on cooperation and coordination, and the 
art of persuasion, to successfully achieve its ends.
    Accordingly, I would submit that DHS remains a work in progress, 
but one that must be evaluated in context, with due regard for the 
substantial challenges that the Department has faced in past, and which 
it will continue to face in future--including an inhospitable climate 
of financial austerity, coupled with a rapidly evolving threat spectrum 
that encompasses both cyber and kinetic components.
       Questions From Chairman Peter T. King for David C. Maurer
    Question 1. Will you please share your views on the importance of 
the completion of the St. Elizabeths project to the Department's 
efforts to consolidate operations and its potential impact on the 
Department's performance?
    Answer. We have previously reported that consolidation or co-
location of Federal Government offices or functions--a goal of the St. 
Elizabeths project--may result in several benefits, including more 
effective and efficient operations. In 2011, we reported that co-
locating services can result in improved communication among programs, 
improved delivery of services for clients, and elimination of 
duplication.\1\ For example, programs can be co-located within one-stop 
centers or electronically linked, which affords the potential for 
sharing resources and cross-training staff. In 2006, we reported that 
DHS's plans to co-locate its headquarters, its component headquarters, 
and their respective staffs and operations centers at one location 
could further enhance collaboration among DHS's component agencies.\2\ 
DHS has also identified that consolidating most of its headquarters 
operations at St. Elizabeths would enhance communication, increase 
efficiency, facilitate mission integration, and foster a ``One DHS'' 
    \1\ GAO-11-92.
    \2\ GAO-07-89.
    However, given the constrained budget environment, the future of 
the St. Elizabeths project is uncertain. In December 2011, DHS 
estimated the project would take 4 to 5 years longer to complete and 
cost about $600 million to $700 million more than originally planned, 
largely due to shortfalls in funding. At that time, DHS estimated that 
the project would be completed in 2020 or 2021. In March 2012, DHS 
reported that it was in the process of revising its plan of options for 
completing the St. Elizabeths project, and would continue analyzing 
options throughout the summer. One option, which includes large 
segments based on the original construction plan, would take 6 years 
longer to complete and cost more than $700 million more than originally 
planned. Under this option, DHS estimated planned construction will be 
completed in 2022 at an overall cost of about $4 billion.
    In addition, while headquarters consolidation may result in gained 
efficiencies, under DHS's current plan, not all headquarters offices 
and components will be located at St. Elizabeths. For example, although 
all of the Secretary's office and the Federal Emergency Management 
Agency and the U.S. Coast Guard headquarters staff will be relocated, 
only the headquarters leadership of five major DHS components--U.S. 
Immigration and Customs Enforcement, U.S. Customs and Border 
Protection, Transportation Security Administration, U.S. Secret 
Service, and U.S. Citizenship and Immigration Services--will be moved. 
Headquarters staff from these five components will remain in other 
locations around the National capital region, which limits the 
potential benefits of consolidation.
    Finally, since the planned completion date of the St. Elizabeths 
project could be 10 years in the future, DHS will not reap the planned 
benefits of consolidation for some time. During the interim, we believe 
DHS should continue to focus on executing its plans for addressing 
GAO's designation of implementing and transforming DHS as a high-risk 
issue. Doing so will enhance the management platform for the entire 
Department and better position DHS to carry out its various missions in 
a more efficient and effective manner.
    Question 2a. How would you compare the creation and maturation of 
the Department of Homeland Security to date to that experienced by the 
Department of Defense in the decade after its establishment?
    Do you believe that now, almost 10 years after its creation, the 
Department should have matured more quickly and its components should 
be operating more effectively and efficiently?
    Question 2b. How much longer is the argument that bringing together 
so many Federal agencies a legitimate explanation for the Department's 
    Answer. As DHS continues to implement plans to address its long-
standing management challenges, it can learn from the experience of 
other departments, including the Department of Defense (DoD). 
Specifically, since its creation in 1949, DoD has worked to unify the 
Department, enhance its management practices, and foster a joint 
approach to operations and decision making. However, it is also 
important to note that some of DoD's experiences may not be appropriate 
for DHS. For example, as of October 2012, 63 years after DoD's 
creation, it remains on GAO's high-risk list for seven management-
related topics, including financial management, weapon systems 
acquisition, and business systems modernization. In addition, several 
important aspects of DoD's organization and approach are devoted to 
deterrence, combat operations, and other National security missions 
that, while complementary to DHS's homeland security focus, differ 
significantly from the day-to-day operations and requirements of DHS's 
components. DHS can certainly learn from DoD's experience, but should 
exercise care in appropriately selecting and applying those lessons 
that can be best applied to DHS.
    Prior to DHS's creation, we reported that building a common, 
unified Department from several legacy agencies represented a 
significant challenge that would take several years to achieve.\3\ This 
has proven to be the case. DHS has remained on GAO's high-risk list 
since it began operations in 2003.
    \3\ GAO-03-260.
    Since its creation, DHS has implemented key homeland security 
operations and achieved important goals in many areas to create and 
strengthen a foundation to reach its potential. DHS has made important 
progress, particularly on the mission side. For example, DHS:
   Implemented the U.S. Visitor and Immigrant Status Indicator 
        Technology program to verify the identities of foreign visitors 
        entering and exiting the country by processing biometric and 
        biographic information;
   Developed and implemented Secure Flight--a program for 
        screening airline passengers against terrorist watch list 
        records--and new programs and technologies to screen 
        passengers, checked baggage, and air cargo;
   Assessed risks posed by chemical, biological, radiological 
        and nuclear threats and deployed capabilities to detect these 
        threats; and
   Created new programs and offices to implement its homeland 
        security responsibilities, such as establishing the U.S. 
        Computer Emergency Readiness Team to help coordinate efforts to 
        address cybersecurity threats.
    But at the same time, our work has identified three key themes--
leading and coordinating the homeland security enterprise, implementing 
and integrating management functions for results, and strategically 
managing risks and assessing homeland security efforts--that have 
impacted the Department's progress since it began operations.\4\ DHS 
had successes in all of these areas, but our work found that these 
themes have been at the foundation of DHS's implementation challenges 
and need to be addressed from a Department-wide perspective. As DHS 
continues to mature, more work remains for it to strengthen the 
efficiency and effectiveness of those efforts to achieve its full 
    \4\ DHS defines the homeland security enterprise as the Federal, 
State, local, Tribal, territorial, non-governmental, and private-sector 
entities, as well as individuals, families, and communities, who share 
a common National interest in the safety and security of the United 
States and the American population.
    Of particular note, DHS continues to face several management 
challenges. For example, DHS's major acquisitions programs face 
challenges that increase the risk of poor outcomes, such as cost growth 
and schedule delays. Additionally, DHS has been unable to obtain an 
audit opinion on its internal controls over financial reporting due to 
material weaknesses in internal controls. Further, despite DHS efforts 
to improve employee morale, Federal surveys have consistently found 
that DHS employees are less satisfied with their jobs than the 
Government-wide average.
    DHS has several initiatives underway that, if fully implemented and 
sustained, could help address the Department's management challenges. 
For example, as I noted in my September 2012 testimony before this 
committee, DHS's Integrated Strategy for High-Risk Management 
identifies 18 key initiatives and corresponding corrective action plans 
for addressing the Department's management challenges and improving 
operational efficiency through better integration of people, 
structures, and processes. This strategy provides a path for moving DHS 
from where it is now--a large Department with several management 
challenges--to where it wants to be--a unified Department, supported by 
integrated management functions. DHS must now focus on executing the 
strategy. Doing so is important because building a solid management 
foundation will help DHS carry out its homeland security missions.