[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
CYBERSECURITY: THE DEPARTMENT OF THE INTERIOR
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
INFORMATION TECHNOLOGY
AND THE
SUBCOMMITTEE ON THE INTERIOR
OF THE
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
FIRST SESSION
__________
JULY 15, 2015
__________
Serial No. 114-52
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
______________
U.S. GOVERNMENT PUBLISHING OFFICE
97-789 PDF WASHINGTON : 2015
________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
JASON CHAFFETZ, Utah, Chairman

Majority Members:
JOHN L. MICA, Florida
MICHAEL R. TURNER, Ohio
JOHN J. DUNCAN, Jr., Tennessee
JIM JORDAN, Ohio
TIM WALBERG, Michigan
JUSTIN AMASH, Michigan
PAUL A. GOSAR, Arizona
SCOTT DesJARLAIS, Tennessee
TREY GOWDY, South Carolina
BLAKE FARENTHOLD, Texas
CYNTHIA M. LUMMIS, Wyoming
THOMAS MASSIE, Kentucky
MARK MEADOWS, North Carolina
RON DeSANTIS, Florida
MICK MULVANEY, South Carolina
KEN BUCK, Colorado
MARK WALKER, North Carolina
ROD BLUM, Iowa
JODY B. HICE, Georgia
STEVE RUSSELL, Oklahoma
EARL L. ``BUDDY'' CARTER, Georgia
GLENN GROTHMAN, Wisconsin
WILL HURD, Texas
GARY J. PALMER, Alabama

Minority Members:
ELIJAH E. CUMMINGS, Maryland, Ranking Minority Member
CAROLYN B. MALONEY, New York
ELEANOR HOLMES NORTON, District of Columbia
WM. LACY CLAY, Missouri
STEPHEN F. LYNCH, Massachusetts
JIM COOPER, Tennessee
GERALD E. CONNOLLY, Virginia
MATT CARTWRIGHT, Pennsylvania
TAMMY DUCKWORTH, Illinois
ROBIN L. KELLY, Illinois
BRENDA L. LAWRENCE, Michigan
TED LIEU, California
BONNIE WATSON COLEMAN, New Jersey
STACEY E. PLASKETT, Virgin Islands
MARK DeSAULNIER, California
BRENDAN F. BOYLE, Pennsylvania
PETER WELCH, Vermont
MICHELLE LUJAN GRISHAM, New Mexico
Sean McLaughlin, Staff Director
David Rapallo, Minority Staff Director
William McGrath, Interior Subcommittee Staff Director
Troy Stock, IT Subcommittee Staff Director
Melissa Beaumont, Clerk
Subcommittee on Information Technology
WILL HURD, Texas, Chairman

Majority Members:
BLAKE FARENTHOLD, Texas, Vice Chair
MARK WALKER, North Carolina
ROD BLUM, Iowa
PAUL A. GOSAR, Arizona

Minority Members:
ROBIN L. KELLY, Illinois, Ranking Member
GERALD E. CONNOLLY, Virginia
TAMMY DUCKWORTH, Illinois
TED LIEU, California
Subcommittee on the Interior
CYNTHIA M. LUMMIS, Wyoming, Chairman

Majority Members:
KEN BUCK, Colorado, Vice Chair
PAUL A. GOSAR, Arizona
BLAKE FARENTHOLD, Texas
STEVE RUSSELL, Oklahoma
GARY J. PALMER, Alabama

Minority Members:
BRENDA L. LAWRENCE, Michigan, Ranking Member
MATT CARTWRIGHT, Pennsylvania
STACEY E. PLASKETT, Virgin Islands
C O N T E N T S
----------
Page
Hearing held on July 15, 2015.................................... 1
WITNESSES
Ms. Sylvia Burns, Chief Information Officer, U.S. Department of
the Interior
Oral Statement............................................... 4
Written Statement............................................ 7
Ms. Mary Kendall, Deputy Inspector General, U.S. Department of
the Interior
Oral Statement............................................... 11
Written Statement............................................ 13
APPENDIX
Office of Personnel Management Mission Statement, submitted by
Rep. Lieu...................................................... 40
July 9, 2015 Dept. of the Interior Response to the Office of the
Inspector General Report, submitted by Chairman Hurd........... 42
Nov. 26, 2013 Dept. of the Interior, Office of the Inspector
General Report on Faisal Ahmed, submitted by Chairman Hurd..... 51
Colleen M. Kelley, National President, Statement of the National
Treasury Employees Union, submitted by Chairman Hurd........... 54
Statement of Congressman Gerald E. Connolly (VA-11), submitted by
Chairman Hurd.................................................. 57
Office of the Inspector General, U.S. Department of the Interior
Report: Security of the U.S. Department of the Interior's
Publicly Accessible Information Technology Systems, submitted by
Chairman Hurd.................................................. 59
CYBERSECURITY: THE DEPARTMENT OF THE INTERIOR
----------
Wednesday, July 15, 2015
House of Representatives,
Subcommittee on Information Technology, joint with
the Subcommittee on the Interior,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 2:38 p.m., in
Room 2154, Rayburn House Office Building, Hon. Will Hurd
[chairman of the subcommittee] presiding.
Present from Subcommittee on Information Technology:
Representatives Hurd, Farenthold, Blum, Kelly, and Lieu.
Present from Subcommittee on the Interior: Representatives
Lummis, Russell, Palmer, Lawrence, and Cartwright.
Mr. Hurd. The Subcommittee on Information Technology and
the Subcommittee on the Interior will come to order. And,
without objection, the chair is authorized to declare a recess
at any time.
Good afternoon. Thanks for being here today. Sorry for the
delay. You all know how it is here in Washington. This is an
important hearing. In the wake of the data breach of the Office
of Personnel Management, the committee remains deeply concerned
with the Federal Government's plan to address cybersecurity.
This ``do as I say, not as I do'' mentality is an affront to the
American people and leaves our Federal agencies and the PII of
millions at risk.
Today's hearing is the first in a series of hearings the
Subcommittee on Information Technology will hold to focus on
the cybersecurity posture of Federal agencies. This means not
only compliance with FISMA, but also responding to the
recommendations from an agency's inspector general, as well as
the GAO.
I'm proud to hold this hearing jointly with Chairwoman
Lummis, Ranking Member Lawrence, and the Subcommittee of
Interior. And I am always thankful for Ranking Member Kelly and
the bipartisan way we have been able to approach cybersecurity
and other issues on this subcommittee.
At the first hearing this committee held on the recent OPM
data breach, I advised agency CIOs across the Federal Government
to pull out their past IG reports and get to work on addressing
the vulnerabilities that have been identified.
Ms. Burns, I hope you have come here today with a concrete
plan to address vulnerabilities in DOI's systems pointed out by
the IG and others.
The Department of Interior inspector general recently
conducted penetration tests of publicly accessible computer
systems and Web sites operated by DOI bureaus. What they found
is alarming and is largely what brings us here today. The IG
found nearly 3,000 critical and high-risk vulnerabilities in
hundreds of publicly accessible computers operated by DOI
bureaus. Let me repeat that number: 3,000.
Even more concerning, the IG found that because DOI did not
segment its publicly accessible systems from its internal
systems, hackers could exploit these vulnerabilities to access
internal or nonpublic DOI computer networks. DOI's internal
networks support mission-critical operation and contain highly
sensitive data. Not segmenting the public and the internal
networks from each other is a failure of basic cybersecurity
best practices.
We need and deserve better from Federal agencies and those
in charge of securing our digital assets. There's too much at
risk not to.
In addition, DOI hosted the OPM personnel file database
that was breached and resulted in 4.2 million former and
current Federal employees having their personal and private
information stolen. Since then, Director Archuleta has stepped
down and rightfully so.
Several questions about DOI's role in the breach remain
unanswered, including whether or not other agencies may have
been compromised, how many breaches exactly took place at DOI,
and whether or not the attackers are still in the system. Both
subcommittees look forward today to having some of those
questions answered.
In closing, it is no secret that Federal agencies have a
long way to go to improve their cybersecurity posture. We have
years and years of reports highlighting the vulnerabilities and
inactions of Federal agencies. We also have years and years of
recommendations from IGs, GAO, and experts in and out of the
government on how to address these vulnerabilities. Simply put,
we know what needs to be done, we just need to do it.
We need strong and capable leaders in place across the
Federal Government to upgrade IT systems and shore up the
current sorry state of cybersecurity at Federal agencies. We
need leaders who will listen to the recommendations of their
IGs and others and take appropriate corrective actions based on
those recommendations. The status quo is unacceptable. We need
leaders who can put a solid plan in place and then execute it.
I hope we have that type of leadership in place at DOI. I
welcome the witnesses and look forward to their testimony.
And now, I'd like to recognize my friend and the ranking
member, Ms. Kelly of Illinois.
Ms. Kelly. Thank you, Mr. Chairman, and welcome to the
witnesses.
Last month, the Oversight Committee held hearings on two
major OPM data breaches. We learned that the stolen personnel
records of over 4 million current and former Federal employees
were kept on servers hosted by the Department of Interior.
Hackers essentially not only gained access to OPM's personal
records, but in doing so they successfully penetrated the
Department's data center where the records have been stored.
Fortunately, an ongoing investigation into the OPM breach
has so far not uncovered any evidence that any of the
Department's data was stolen during the time period hackers had
access to the data center. But the fact that the Department's
computer systems were also hacked raises serious questions
about the strength of the Department's cybersecurity system.
Last week, the Department's inspector general provided the
general with a draft that identified security weaknesses the IG
found in many of the publicly accessible computers the
Department maintains. Computers such as these are primarily
used by the Department to share information with the public,
collaborate with business and research partners, and to provide
employees and contractors remote access to Department networks.
As the IG noted in his draft report, and I quote:
``Publicly accessible computers operated by Federal agencies
are prime targets for exploitation and are highly sought after
by criminals and foreign intelligence services.''
According to the IG, over the past several years hackers
and foreign intelligence services have been able to compromise
the Department's computer network by exploiting weaknesses in
its publicly accessible systems. The IG's draft report provides
a clear warning about a serious security vulnerability in the
Department's publicly accessible computers.
As I pointed out in my opening remarks at the
subcommittee's first hearing this year, no organization is
immune from cyber attacks and data breaches. As we saw this
past year, sophisticated companies, from Anthem to JPMorgan
Chase, were all targeted and breached by cyber attackers.
I do want to acknowledge and thank Chairman Hurd for the
bipartisan approach he has taken on the issue of cybersecurity.
Mr. Chairman, I know we can work together to solve this.
Thank you, and I yield the balance of my time.
Mr. Hurd. Thank you, Ms. Kelly.
And now it is a pleasure to recognize Mrs. Lummis, the
chairwoman of the Subcommittee on the Interior, for her opening
statement.
Mrs. Lummis. Well, thank you, Chairman Hurd, for leading
this hearing.
As we know, the Department of the Interior hosted a
database for the Office of Personnel Management containing the
records of approximately 4.2 million current and former
government employees. Now, as we've seen, shared hosting can
reduce redundancy and costs for government IT needs. Also as
we've seen, however, it can result in increased vulnerability
if it's not properly managed.
So in this hearing, I look forward to learning more about
the response by Interior to the breach, their compliance with
the Federal Information Security Management Act and the Federal
Information Technology Acquisition Reform Act, and past and
future management decisions regarding recommendations by
inspectors general for improving cybersecurity.
So thanks again, Mr. Chairman.
And thank you, witnesses, for being here today.
I yield back.
Mr. Hurd. When Mrs. Lawrence, the ranking member of the
Subcommittee on the Interior, is here we'll recognize her for
her opening remarks. Until that time, I'd like to turn to our
witnesses and introduce them. And I'm also going to hold open
the record for 5 legislative days for any members who would
like to submit a written statement.
Mr. Hurd. I'm pleased to welcome Ms. Sylvia Burns, the
Chief Information Officer at the U.S. Department of the
Interior; Ms. Mary Kendall, Deputy Inspector General at the
U.S. Department of the Interior as well.
Welcome to you both.
It is also my understanding that our witnesses are
accompanied by two additional experts whose expertise may be
needed during questioning. And so I'd like to welcome Mr.
Jefferson Gilkeson, Director of IT Audits at the U.S.
Department of Interior, and Mr. Bernard Mazer, Senior Policy
Advisor in the Office of Inspector General at the U.S.
Department of Interior and the former Interior CIO.
Pursuant to committee rules, all witnesses will be sworn in
before they testify, including Mr. Gilkeson and Mr. Mazer. So
please rise and raise your right hands.
Do you solemnly swear or affirm that the testimony you are
about to give will be the truth, the whole truth, and nothing
but the truth?
Thank you. Please be seated.
Let the record reflect that all witnesses answered in the
affirmative.
In order to allow time for discussion, please limit your
testimony to 5 minutes. Your entire written statements will be
made part of the record.
And we're going to start with you, Ms. Burns. You're now
recognized for 5 minutes for your opening remarks.
WITNESS STATEMENTS
STATEMENT OF SYLVIA BURNS
Ms. Burns. Chairmen Hurd and Lummis, Ranking Members Kelly
and Lawrence, and members of the subcommittee, thank you for
the opportunity to discuss cybersecurity at the Department of
the Interior. I am Sylvia Burns, and I have been the
Department's Chief Information Officer since August 24, 2014.
The Department and its bureaus serve as stewards of the
Nation's parks, wildlife refuges, and public lands. And as the
keeper of the history of this country, over 70,000 employees in
more than 2,400 operating locations, including many remote
areas, carry out the Department's mission across the United
States and its territories.
The Department is committed to cybersecurity and the
protection of our assets, including data. IT tools are of vital
importance to the delivery of the mission of the Department.
The security of those IT tools and systems is likewise critical
to our mission. All levels of our Department are engaged in the
efforts to improve our cybersecurity.
My office provides leadership to the Department and its
bureaus in all areas of information management and technology.
The Department's programs are many and varied. The Department's
current IT management and operations structure reflects the
decentralized nature of IT programs. My office is responsible
for the operation of many departmental systems and issues IT
policy, while bureaus and offices are each responsible for
their respective systems.
Each week the Department detects and prevents between 5
million and 6 million malicious connection attempts to exploit
vulnerabilities in its Internet perimeter and Internet-facing
systems. My office is working in partnership with the
Department's senior leadership and IT personnel in the bureaus
and offices to improve our ability to manage the risk of cyber
attacks while delivering the Department's mission.
I recently established a Department-wide cybersecurity
advisory group to support me in developing and implementing a
comprehensive, multipronged cybersecurity strategy and action
plan, which includes short, medium and long-term initiatives to
strengthen the Department's IT security posture.
We are in the process of adopting a more centralized
approach, managing IT across the Department. For instance, to
meet FISMA requirements, the Department will obtain access and
visibility into the entire Department network and will play a
more direct role in incident response, working with its bureaus
and offices and with US-CERT.
As a result of a secretarial order, FISMA, and FITARA, DOI
achieved the following. Through the Continuous Diagnostics and
Mitigation investment funded by Congress through DHS, DOI
deployed capabilities to centrally manage vulnerability
patching at the Department level, which will greatly improve
cyber hygiene across our IT landscape.
As of June 26, the Department implemented strong
authentication for all privileged users. I am happy to report
that as of this morning we have achieved 75 percent of PIV
enablement for our unprivileged users. That was news.
The Department launched its data center consolidation plan
to support the OMB Federal Data Center Consolidation
Initiative. Data center consolidation reduces the Department's
IT footprint overall; consolidating smaller, noncore data
centers into DOI's larger and more robust core data centers
allows us to more efficiently and effectively manage and
protect high value data.
The Department supports and appreciates the work of the
Office of the Inspector General in assessing and advising the
Department on its IT systems. We accept all of the OIG's
recommendations and will incorporate them into our action plan.
The impacted bureaus report that all vulnerabilities identified
in the report have been corrected.
The Department takes the privacy and security of its IT
systems and data very seriously. The Department immediately and
aggressively responded to the recent cyber intrusion resulting
in the loss of OPM data. We worked with interagency partners
who are addressing the broader cybersecurity threats to the
Federal Government to develop and implement an immediate
remediation plan specific to the threat. We incorporated
remediation actions, the OIG's recommendations, and
departmental IT improvements which were already underway into
the Department's overall IT strategy moving forward.
We will continue to be an active participant in the ongoing
efforts by the Federal Government to improve our Nation's
overall cybersecurity posture.
Chairmen Hurd and Lummis, Members Kelly and Lawrence, and
members of the subcommittee, this concludes my prepared
statement. I would be happy to answer any questions you have.
[Prepared statement of Ms. Burns follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Ms. Burns.
Now over to you, Ms. Kendall, for 5 minutes.
STATEMENT OF MARY KENDALL
Ms. Kendall. Mr. Chairman, Madam Chairman, Ranking Member
Kelly, and members of the subcommittees, good afternoon, and
thank you for the opportunity to testify today about the
results of our OIG audit on security of public-facing Web sites
at the Department of the Interior.
Although the OIG has had an IT oversight function for over
a decade, we have refocused our IT oversight efforts over the
past 3 years. In 2012, we began to transfer the responsibility
for conducting IT oversight to our Office of Audits,
Inspections, and Evaluations in order to standardize and track
our IT oversight of the Department, and we have since doubled
the number of IT professionals assigned to this oversight.
Our focus on IT oversight has evolved over the years from
periodic assessments and compliance reporting to using tools
and techniques to conduct ongoing monitoring of IT security
controls, an approach that enables responsible officials to
take timely risk-mitigation actions and make risk-based
decisions regarding the operation of their IT systems.
This is how we conducted the IT audit at issue in today's
hearing. The results of our efforts provided the bureaus with
real-time information necessary for them to take prompt action.
A future OIG follow-up audit will determine whether those
actions were effective at addressing the vulnerabilities
identified.
``Defense in depth'' is a widely recognized best practice
for protecting critical IT assets from loss or disruption by
implementing overlapping security controls. The concept of
defense in depth is that if one control fails, then another is
in place to either prevent or limit the adverse effect of an
inevitable cyber attack.
We found that three DOI bureaus had not implemented
effective defense in depth measures to protect key IT assets
from Internet-based cyber attacks. We found critical and high-
risk vulnerabilities in publicly accessible computers operated
by these bureaus. If exploited, these vulnerabilities would
allow a remote attacker to take control of publicly accessible
computers or render them unavailable.
In addition, we found that a remote attacker could then use
a compromised computer to attack the Department's internal
networks that host computer systems supporting mission-critical
operations and containing highly sensitive data. These
deficiencies occurred because the Department did not
effectively monitor its publicly accessible systems to ensure
they were free of vulnerabilities or isolate its publicly
accessible systems from its internal computer networks to limit
the potential adverse effects of a successful cyber attack.
The results contained in this report are the first in a
series of defense in depth. We made recommendations designed to
help the Department mitigate, identify vulnerabilities, and
strengthen security practices, reduce the opportunity for a
malicious attack, and minimize the impact and potential
opportunities to infiltrate nonpublic systems after a
successful attack. The Department concurred with all of our
recommendations and has begun to implement them.
We are preparing a public version of our report, but as we
continue to analyze the content, we determined that details of
our methodology, specifically the ``how we did our testing and
with what tools,'' and certain details of the results of our
testing, could cause harm to the Department and its IT assets.
We will therefore redact this information along with the
identity of the bureaus that were subject to our testing in the
public version of our final report, which will be posted on our
Web site.
As is our practice however, Chairmen Hurd and Lummis, we
will be glad to provide you with a copy of our full final
report at your request.
Mr. Chairman, Madam Chairman, ranking members, this
concludes my prepared remarks today. I am happy to try to
answer any questions you or members of the subcommittee may
have, but I would also be assisted by Mr. Gilkeson and Mr.
Mazer.
[Prepared statement of Ms. Kendall follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Hurd. Thank you, Ms. Kendall.
I would now like to recognize the ranking member of the
Interior Subcommittee, Mrs. Lawrence, for 5 minutes for opening
remarks.
Mrs. Lawrence. Thank you, Mr. Chairman. I want to thank you
for holding this hearing and examining the effectiveness of the
Department of Interior's cybersecurity practices. I also want
to thank our witnesses for speaking with us today. I know some
of you are returning.
Recent cyber attacks in public and private sectors
highlight the importance of enhancing information security
policies and controls. Although the Department of Interior has
not suffered a breach of its data in relation to cyber attacks
on OPM, information security weaknesses have been identified by
the inspector general and exploited by cyber attackers.
The Federal Information Security Management Act, or FISMA,
requires each Federal agency, and I will quote, ``each Federal
agency to develop, document, and implement an agencywide
program to provide information security for the information and
information systems that support the operations and assets of
the agency,'' end quote.
In the Office of Management and Budget annual report to
Congress on FISMA for fiscal year 2014, the Department was at
or above compliance standards for several areas of affected
information security. According to OMB's report, the Department
was given an overall cybersecurity assessment score of 92
percent, 16 percentage points higher than the average score for
reporting agencies, which was 76 percent.
However, I'm concerned that the Department was identified
as having a weak profile, which means that the majority of
unprivileged users are allowed to log onto network systems with
a user ID and password alone. This is an increased risk of
unauthorized network access.
In closing, today's hearing provides an opportunity to gain
an understanding from our witnesses of the challenges the
Department faces, to learn what DOI is doing to correct their
information security deficiencies, and to find out what
Congress can do to help ensure that the Department has the
people and the resources it needs to enhance its information
security practices.
Mr. Chairman, thank you for holding this hearing, and I
yield back my time.
Mr. Hurd. Thank you, Mrs. Lawrence.
Now to begin our questioning portion of this afternoon, I'd
like to turn it over for 5 minutes to Mrs. Lummis, the chair of
the Interior Subcommittee.
Mrs. Lummis. Thank you, Mr. Chairman. Thanks again for
holding this hearing.
And welcome, witnesses. Appreciate your being here.
Our committee recently learned through a report of
investigation about a high-level IT staffer at the Department
of Interior's Office of Law Enforcement and Security. His name
is Faisal Ahmed.
Ms. Kendall, can you please quickly summarize the findings
of this report?
Ms. Kendall. Chairman Lummis, thank you.
We have not analyzed the personal privacy security
implications of our report in this regard, and so I will not
identify the individual by name. But when the OIG was notified
that there was an individual in the Office of Law Enforcement
and Security who may have falsified his credentials, we
investigated these allegations and determined that in fact
there were two transcripts suggesting that he had both an
undergraduate and a master's degree which he did not have. The
person who was subject of this investigation resigned from the
position 3 days after we initiated our investigation.
Mrs. Lummis. And at the time was Mr. Faisal Ahmed--I'm at
liberty to disclose his name--was Mr. Faisal Ahmed the
Assistant Director for the Office of Law Enforcement and
Security heading the Technology Division?
Ms. Kendall. I believe that was his title.
Mrs. Lummis. Okay. Please continue.
Ms. Kendall. We did determine that there were two falsified
transcripts on the computer that we seized and that those
transcripts had been--the individual had requested that the
transcripts be included into his official personnel file. Also
understand, and this may or may not be in the report that you
received, I have since received some information that they may
have been submitted for an SES candidate development program.
But I understand that the individual was not an SES member as
the report may have suggested.
Mrs. Lummis. Now, we have reason to believe that Mr. Faisal
Ahmed is currently employed at the Census Bureau. Do you know
if this is true?
Ms. Kendall. We were not able to confirm that before the
hearing this afternoon.
Mrs. Lummis. Have you ever been contacted or have you ever
contacted the Census Bureau or Department of Commerce about Mr.
Faisal Ahmed?
Ms. Kendall. We were contacted by an Office of Personnel
Management investigator investigating the background of this
individual and provided that investigator with the information
that we had available in our files.
Mrs. Lummis. Now, it's my understanding from the report on
investigation on the Faisal Ahmed case that your office
presented this case to the Department of Justice, but they
declined to prosecute. Do you know anything about why they
declined?
Ms. Kendall. We rarely get reasons behind declinations for
prosecution, and I'm not aware of a reason behind this one.
Mrs. Lummis. Did anyone from your office have any
discussions with DOJ about this case?
Ms. Kendall. We typically either forward our report of
investigation and oftentimes have some discussion with the
prosecutors. I could not tell you specifically if we did in
this case.
Mrs. Lummis. I'm concerned that there may be an individual
who was in a high-level position, comparatively, it's high
ranking Senior Executive Services position, he had worked, as I
understand, at DOI since late 2007, and that he held a security
clearance. And so I'm a little concerned--well, I'm more than a
little concerned--that he had access to law enforcement
sensitive materials and other secure information, that he had
falsified his background, and that now it appears that he is
working for another Federal agency, the U.S. Census Bureau.
So there is additional fallout from the issues that have
been raised by the gentleman from Texas, Mr. Hurd, about this
hearing.
So as to these collateral matters also, I thank you kindly,
Mr. Hurd, for holding this hearing. I yield back.
Mr. Hurd. The gentlewoman yields back.
I'd now like to recognize my distinguished colleague from
Illinois and ranking member, Ms. Kelly, for 5 minutes.
Ms. Kelly. Thank you, Mr. Chairman.
Ms. Burns, the two data breaches OPM recently reported have
been particularly concerning to us because of the national
security risk involved. According to testimony you gave at a
recent hearing on the OPM data breaches, the OPM personnel
records that were compromised in one of those breaches were
hosted in the data center maintained by the Department of
Interior. Did the cyber attackers who gained access to those
records also gain access to the Interior Department data
center?
Ms. Burns. So the adversary had access to our data center.
It was exposed. There was no evidence based on the
investigation that was led by DHS, US-CERT, and the FBI, there
was no evidence that the adversary had compromised any other
data aside from the OPM data.
Ms. Kelly. Okay, so the same cyber intruder who breached
OPM's personnel data, which the Department of Interior hosted on
its servers, also breached the defenses of the Interior
Department data center?
Ms. Burns. So this, the intrusion that you're referring to,
was a sophisticated breach. And my understanding, based on DHS'
assessment, was that the adversary exploited, compromised
credentials on OPM's side to move laterally and gain access to
the Department of Interior's data center through a trusted
connection between the two organizations.
Ms. Kelly. So the cyber intruder, did they gain access
to DOI's data center through OPM or was it the other way
around?
Ms. Burns. The adversary gained access to DOI's
infrastructure through OPM, as far as I understand, based on
DHS's investigation.
Ms. Kelly. Has there been any investigation to determine
whether the Department's records were stolen once the attackers
gained access to the data center?
Ms. Burns. So I believe that that was part of DHS'
comprehensive investigation. When we first learned from them of
the intrusion, they came on board in April 2015, this year, and
they actually were on the ground with other interagency
partners at the site of the data center, collecting data and
forensics for approximately 3 weeks. They took that data back.
So the investigation was ongoing even as they were there.
But they took the data back. And my understanding from the
report that they issued to us was that there wasn't evidence of
further compromise of DOI's data in that data center.
Ms. Kelly. So there is no evidence that the Department's
data was stolen.
Ms. Burns. Correct, based on what DHS' report said. I would
defer to them, though, if you wanted to get into more detail,
because they did the detailed analysis, and they're really the
ones who are the author and the source of the investigation and
the findings. But that is my understanding based on reading the
report.
Ms. Kelly. In addition to hosting OPM's personnel records,
the Department hosts data from other agencies in its data
center. Is that correct? And, if so, which agencies?
Ms. Burns. Yes. Actually, the Department is a--the data
center in question, the biggest customer of the data center is
actually Interior. So it's the Interior Business Center, what
we call IBC. They're a shared service provider, and they are
the majority user of the data center. And we also host some
applications for the Office of the Secretary in the data
center.
Ms. Kelly. Okay. With the exception of the OPM's records,
was data from any of the other agencies, those places you
mentioned, compromised when hackers gained entry into the
Department's data center?
Ms. Burns. As I was saying before, based on my
understanding of the report from DHS and their forensics, there
was no evidence that any other data was exfiltrated from the
data center.
Ms. Kelly. From all that has happened and what you've gone
through, what do you feel are some of the key lessons that the
Department has learned.
Ms. Burns. So many lessons learned. So, as you can imagine,
when I as a CIO for the Department learned of the intrusion, it
was horrifying to me. And since that time I've been--my team
and I have actually been on a high alert, working probably 7
days a week, long hours, to take our lessons learned and do a
mitigation plan around it, a remediation plan that's
comprehensive.
So lessons learned include things that we were doing
already. So, for example, the whole need for two-factor
authentication, that's an important control that's needed. We
were already working on it, so it was a performance goal that
we had for the agency this year, and we had set those metrics
for all of our bureaus and offices to achieve certain targets
this year, and we were making slow progress to it.
When the incident happened, it just created a different
lens on looking at the need, and I think it made it crystal
clear to everybody why it was so critical that we achieve two-
factor authentication for, first of all, our privileged users,
but then also our unprivileged users.
And that's why we were aggressive about moving to getting
all of our privileged users using their PIV cards to
authenticate to their system. And as I mentioned in my
statement, we achieved that on June 26 as part of the Office of
Management and Budget 30-day cyber sprint. So it just
accelerated the work we had already started.
In addition to that, I was proud to say that we achieved--
actually it was at least 75 percent of unprivileged users
today.
So people have been working around the clock in my office,
but also in the bureaus and offices, because we shared our
lessons learned with our other counterparts in our bureaus and
offices, because we have to all own this problem, and it will
take all of us to fix the problem, and everybody has been
taking it seriously. So I'm very gratified by that.
Ms. Kelly. Thank you for sharing.
My time is up. I yield back.
Mr. Hurd. The gentlewoman yields back.
Now I would like to recognize my fellow Texan and
colleague, Mr. Farenthold from Texas, for 5 minutes for
questioning.
Mr. Farenthold. Thank you, Mr. Chairman.
We've heard testimony that there have been inspector
general reports dating back to 2014. We've been talking about
cybersecurity here in this committee since well before last
year. It's been a pretty critical issue. There are actually
some recommendations in the 2014 start of the--in the audit--
yet it looks like it really took this data breach to get you
guys moving on it.
Ms. Kendall or Ms. Burns, would you like to take just a
second and talk about, as a result of 2014, how much was done
and how much didn't get done out of the 2014 recommendations?
Ms. Burns, I'll let you----
Ms. Burns. So I wasn't CIO for the Department for the whole
time, but as the report was written I assumed the
responsibility of this role. We have been working hard, so for
me, when I first became CIO, I made cybersecurity a priority.
And part of that was because there were things that were
happening even before, right before I became CIO.
Mr. Farenthold. But, I mean, you got a huge breach that
came in and millions of Federal employees' personal information
got out. I mean, you can talk about making something a
priority, but it apparently wasn't or we wouldn't have had a
breach. Maybe it is impossible to completely stop a breach.
Can we just get a little bit of background, just so
everybody is clear on exactly what happened? The Department of
Interior, were you hacked or was it an insider or was it a
combination of both?
Ms. Burns. So from my understanding of DHS' investigation,
there was a compromise of an OPM privileged account. So there
were credentialed, high level--high--a privileged user's
credentials were compromised and went from OPM----
Mr. Farenthold. Now, do we know if it was an insider job or
somebody just got his information, a brute force attack, or
some other way, or did he voluntarily share that with?
Ms. Burns. I don't have that information, and I would defer
to DHS, US-CERT, because----
Mr. Farenthold. So how did you all first find out about the
breach?
Ms. Burns. We first found out about the breach because DHS
contacted us in April and sat down with me and my CISO and told
me that they saw suspicious activity on our network.
Mr. Farenthold. So how confident are we that they're out
and that there are no trojans or malware still somewhere in the
system?
Ms. Burns. So, according to DHS, there is no evidence
anymore that there is malicious activity.
Mr. Farenthold. I assume you stepped up the monitoring.
Ms. Burns. Absolutely. Immediately.
So that said, we don't take anything for granted. We're on
high alert, because there is the possibility that another
breach could happen. And in our discussions with DHS our
remediation plan has to include our ability to quickly detect
when something bad is happening so that we can shut it down
quickly.
Mr. Farenthold. Now, we have also got a July 2015 report
that is saying there are potentially thousands of security
risks that are still out there. I mean, is all the software up
to date? Do you have the security software on all the
computers? You're making people change their passwords? How
confident are you that you've at least got the basics down?
Ms. Burns. So within the Office of the Secretary, directly
where the breach happened, some of the things we did is
remediation, included things like password reset. If you're
referring to the IG's report that referenced the
vulnerabilities, as soon as we learned about them, I talked
with the bureaus in question immediately about them. And as of
before the report was actually issued, which I think is going
to be soon, the bureaus corrected all the vulnerabilities that
were identified in that report.
And so as a follow-up to that, we would like the--I
appreciate what the IG is talking about doing in terms of
followon to ensure that they check to make sure the
vulnerabilities are clearly corrected permanently.
Vulnerabilities, though, it's a process. So it's not
something that's a one-time hit. You have to continually do it.
It's a process that you have to manage. You have to continually
scan, look at what weaknesses exist, categorize the weaknesses
so you know what's critical and high, and deploy your resources
to the most critical weaknesses that you have that can have the
broadest impact on the organization.
Mr. Farenthold. All right, so we're videotaping this and
it's being broadcast on C-SPAN 8, the Ocho, or somewhere. The
video is out there. If you could talk to your fellow CIOs at
other government agencies and give them some piece of advice so
this doesn't happen to them, what would be the top two or three
things you would tell them? I'll let you answer that and yield
back when you're complete.
Ms. Burns. Okay. First of all, I think that to get this
problem fixed that we have in the whole Federal Government it
takes strong leadership and drive, but it also takes everybody
to help with this. Because cybersecurity isn't isolated to IT.
Cybersecurity is a responsibility of everybody. Nobody can
abdicate their responsibilities there or else we put ourselves
at risk. So that's one thing.
Another thing that I would say is that the FISMA metrics
are right, but they are not the only thing that we need to be
doing. They're one lens of what we have to be doing, but there
is much more.
And I think we have to act in the real world. So it can't
be this paper-based exercise that we go through in checking
boxes. We actually have to do things like what the IG did,
which is get people to actually--it's kind of the red team,
blue team type concept--of getting professionals to actually
try to attack us, but in a safe environment, so that we can
actually understand what the weaknesses are and put them on a
list and do something about them quickly.
That would be my advice to my fellow CIOs.
Mr. Farenthold. Thank you very much. And I'll yield back.
Mr. Hurd. Thank you, Mr. Farenthold.
Now I'd like to recognize Mr. Cartwright from Pennsylvania
for 5 minutes.
Mr. Cartwright. Thank you, Chairman Hurd.
And welcome to all of our witnesses to our subcommittee.
Ms. Burns, I'm going to ask you some questions. Now, I want
you to understand, when I ask you a question, if you don't know
the answer, it's all right to say, ``I don't know,'' because
accuracy is the most important thing we're after here.
And I share Mr. Farenthold's sentiment that a record is
being made today, and I want you to feel free to go back and
look at these questions, and if you have more information,
provide the information to the subcommittee subsequent to this
hearing. Will you do that?
Ms. Burns. Yes.
Mr. Cartwright. Ms. Burns, in your testimony from the June
16 hearing regarding the OPM breach, you indicated that the
Department of the Interior houses data for the OPM in the
Interior Department's data center. Am I correct in that?
Ms. Burns. Yes.
Mr. Cartwright. When did the Interior Department first
begin hosting data for OPM?
Ms. Burns. From my understanding in talking with my staff,
OPM started to become--first became a customer of the
Department in 2005.
Mr. Cartwright. Okay. Is this under some kind of agreement?
Ms. Burns. There is a memorandum of understanding between
the two organizations.
Mr. Cartwright. Would you send us a copy of that, please?
Ms. Burns. We can, yes.
Mr. Cartwright. Now under that agreement, what is the
Department of the Interior's role in providing cybersecurity
for the data that it hosts?
Ms. Burns. So the Department's role--the Department offers
OPM our IT infrastructure, so its hosting services, that's what
they're consuming from us as a customer. Our responsibilities
in terms of security go around securing the IT infrastructure.
So that means we provide the data center, which has facilities
base, right, the physical security. It has the power and
cooling, hardware, the servers, operating system, potentially
even the database, and also support services to help OPM just
maintain the actual infrastructure in terms of, like, system
administrators, database administrators, that kind of thing.
Mr. Cartwright. I don't mean to interrupt you, but the
question is, under the agreement by which the Department of the
Interior hosts OPM on its computers, how is cybersecurity
treated under that agreement?
Ms. Burns. So the Department of the Interior, we provide
the infrastructure. We are responsible for securing the
infrastructure. That includes the network connection between us
and OPM.
Mr. Cartwright. Okay.
Ms. Burns. And we encrypt our connection between OPM and
us.
Mr. Cartwright. How about money? Does the Department of the
Interior receive any revenue from OPM for hosting their records
on your data center?
Ms. Burns. Yes, OPM is a customer and we provide our
services as a full cost recovery system.
Mr. Cartwright. Good. How much do you get?
Ms. Burns. I have to get back to you on that. I'm not sure.
Mr. Cartwright. Thank you.
Now, in the June 16 hearing you also testified, quote:
``DOI also performs shared services for other agencies,''
unquote. Is that correct?
Ms. Burns. Yes.
Mr. Cartwright. Okay. Can you help us understand why the
Department is performing data hosting services for other
agencies as well?
Ms. Burns. Yes. So shared services is a concept of creating
more robust centralized points of service around specific
activities. IT is one of them, but there are others. And it's
because you can gain economies of scale. So it's less expensive
and more efficient to a customer to consume the service from a
provider like that at a better rate. And also, because we can
aggregate capabilities in that area of expertise, in this case
IT----
Mr. Cartwright. So the other agencies could store their own
data, but it's a cost savings if it's all in Interior, is that
it?
Ms. Burns. It could be for them. They'd have to look at the
business case for that.
Mr. Cartwright. How many other agencies does the Interior
Department do this for?
Ms. Burns. So the primary customer that Interior--what we
have in the data center is really the Interior Business Center,
so it's an internal customer.
Mr. Cartwright. I'm looking for a number. How many agencies
does Interior do this for?
Ms. Burns. Can I get back to you on that?
Mr. Cartwright. Please, please.
How long has the Department been hosting
data for other agencies?
Ms. Burns. I don't know the answer to that question.
Mr. Cartwright. Okay. You'll get back to us?
Ms. Burns. Yes.
Mr. Cartwright. Okay.
Now, does the Department provide this hosting function
under a similar arrangement, similar to the agreement with OPM?
Ms. Burns. Yes.
Mr. Cartwright. So you'll have separate agreements for each
of the other agencies?
Ms. Burns. Yes.
Mr. Cartwright. Can you get us copies of those as well,
please?
Ms. Burns. We can follow up on that, yes.
Mr. Cartwright. Thank you.
And I yield back, Mr. Chairman.
Mr. Hurd. Thank you. The gentleman yields back.
Now I'd like to recognize Mr. Russell from Oklahoma for 5
minutes.
Mr. Russell. Thank you, Mr. Chairman.
Ms. Burns, the IG found that a remote hacker could exploit
vulnerabilities in publicly accessible computers to attack
internal or nonpublic Department of Interior computer networks.
Why weren't the two systems segmented from each other?
Ms. Burns. So several years ago--actually, if you would
indulge me, I need to go back a little bit in history for the
Department of the Interior.
In 2001 there was, if you're familiar with the Cobell
lawsuit, the Cobell litigation. It was a situation regarding
Indian trusts. And as a result of it, there was a breach that
caused a decision to disconnect several--it started with
disconnecting the Department from the Internet, and it
ultimately resulted in about, like, five other bureaus and
offices within DOI from being disconnected from the Internet
for about 6-1/2 years.
And in this environment, because of just the fear of being
disconnected, all the bureaus and offices in the Department
basically created sort of the modes and protections around
themselves organizationally from an IT perspective. And in
essence, you couldn't really work together easily in that
environment because they were trying to protect themselves from
being associated with trust data.
In 2008, the Department reconnected those organizations
back to the Internet, and what it came to find was that the
organizations within the Department of Interior had difficulty
just doing basic day-to-day work together because of these
security controls that were put all around their IT
infrastructure. And that initiated an effort to optimize our
network. And actually this was not during my tenure, so I'm
speaking in the past.
Mr. Russell. And if I can, on that, so we optimized it, but
we also optimized it for hackers.
And I guess, Mr. Mazer, you were the CIO for 4 years before
Ms. Burns took over. So what efforts, if any, did you undertake
to address these issues when you were in charge?
Mr. Mazer. Thank you for the opportunity to respond.
Mr. Russell. Can you move the microphone closer to you?
Mr. Mazer. As Ms. Burns noted, the bureaus are very
segmented, they are very fractionated. Before my arrival we
embarked upon an effort to say it would be great to have one
Department of Interior network providing telecommunications
services on behalf of everyone. That started about 10 years
ago. There's still ongoing activities that are underway.
But something that emerged out of that was protection on
what we call the perimeters. And the perimeters on the network
were for--it was the bureaus are making the determination that
they would provide protection on the perimeters. At the TICs,
the Trusted Internet Connections, is the Department provides
protection on incoming and outgoing traffic, but one of the
results of the report showed that it is--if people set up Web
site servers inside our environment they are liable for
exploitation into Interior network operations.
And so, I always counseled, whenever we had an incident--
and we had incidents, whether it's malware or APT, advanced
persistent threats--was when our team became aware of it we
would work with that Bureau and all that to remove the
particular affected server from there.
I also encourage people that were hosting Web sites:
Please, for gosh sakes, get off of the environment, put
yourself into a separate enclave. So one of the efforts that
occurred during my tenure is the Department embarked upon a
cloud solution for public Web sites. So the DOI.gov quite a few
of the Web sites that we are seeing, they are all migrating to
a public--a government cloud service provider that has a
FedRAMP moderate categorization on those activities.
Mr. Russell. And I guess we see--Intel 101 says
compartmentalization is good, because it creates barriers. It
also creates efficiency problems, we acknowledge that. So my
question for Ms. Kendall or Mr. Gilkeson, as I yield back my
time at the conclusion, is how do we balance the optimization
with the security and what would you recommend for the fix?
Ms. Kendall. I think Mr. Mazer identified the cloud as
being one of the fixes. We had several recommendations, six, I
believe, total in this report, but the cloud was one of them.
The other was to remove these outward-facing computer systems
from being connected to the inside of Interior's systems so you
could provide information to the public, to the outside without
access or connectivity and compromise to the internal.
Mr. Russell. Thank you. I yield back my time, Mr. Chairman.
Mr. Hurd. Thank you, sir.
I'd now like to recognize Ms. Lawrence from Michigan for 5
minutes.
Mrs. Lawrence. Thank you, Mr. Chair.
Ms. Burns, what is the Department's plan and time line for
implementing the IG's recommendations?
Ms. Burns. So we're doing some things immediately. I have
already--as soon as I saw the draft report and what findings
and recommendations were, I started to talk with all of our
bureau IT leaders about things that we needed to do. So we are
engaged in conversations with our bureaus and offices right now
about things that we want them to do right away to mitigate the
situation that was identified in the IG's report.
That's a short-term action, because of the real issues,
right, and the threats, the vulnerability, the weakness it
presents to the Department. There are longer-term things that we
need to do, and some of those longer-term things go to things
like network segmentation.
A form of network segmentation, as in the previous
question, is creating what they call DMZs, what they call an--
it's a demilitarized zone, it's basically a safe place, right,
to put externally facing systems and configure them in a
certain way where they are secure and they don't do what was
described in the IG's report.
So some of the immediate actions that we have, we can tell
everybody, give them guidance on what they need to do right
now. Longer term, I believe we need to move to a consolidated
enterprise-wide DMZ for publicly facing systems, and as the
IG's office was also saying, embracing the cloud more for our
systems.
Mrs. Lawrence. Do you, sitting here today before this body
in this hearing, do you see any obstacles that would stop you
from addressing these concerns or would cause you a challenge
that we need to know about?
Ms. Burns. Right now I think we're--I feel very fortunate
in that we have the full cooperation of the organization at
every level. If there's one big impediment, it would be that,
it would be resistance, I'm happy to say right now, and I think
it's because of just the stark reality of the threats and it
hit home for DOI, that everybody is cooperating and doing the
right thing and they want to do the right thing. So leading
that effort I think will be easier because we have the full
cooperation at all levels.
Mrs. Lawrence. The first recommendation for the CIO is to
require and enforce the secure development and management of
all publicly available IT systems.
Mr. Burns, what are you doing to require and enforce
information security improvements across the various bureaus of
the Department? I'm sorry, Mrs. Burns.
Ms. Burns. Thank you. Thank you.
So actually I have to thank you all for passing FITARA,
because I think FITARA is pivotal legislation that helps us to
drive the consolidation and centralization of the things that
we're talking about today.
I think some of the--one of the biggest challenges that the
Department has is the fact that you have all the different
separate operating environments for IT. That has to come under
kind of a single presence of mind, if you will, under the CIO.
And so there are challenges in the bureaus and offices even
with programs who are in far-flung places in the country who
are doing whatever they're doing because it's the best way they
know to do their job, but they're not getting any direction,
central direction from their bureau and from the Department.
I think that FITARA positions us to fix that problem, and
the Department is very committed to following through and
taking advantage of all the provisions of FITARA.
Mrs. Lawrence. Mr. Mazer, you're the former Interior CIO.
Do you agree that there are challenges to dealing with multiple
bureaus? And do you feel that we are on target to meeting the
requirement to enforce security improvements?
Mr. Mazer. I used to work in intelligence, so it's always
trust, but verify within the IG. We looked at, when we did this
one particular job or activity on the Web inspection, that was
just one area of vulnerability in the broad surface of what
could confront the Department.
Web sites are very easy to do hacks on, they are very easy
to do activities on. We do want to do examinations on how well
the credentials, are people using two-factor authentication,
are they having too many--are there too many elevated
privileges for users on applications.
We're looking at activities like we're all in a mobile
world, what does everyone have when they're taking things away
with them? We're looking at assuring that there is mobile
device management put in place on any particular devices that
our people are looking at.
We are also looking at interconnection agreements in terms
of what will we have with different agencies if we are acting
as a shared services type of providers. And in some of those
interconnection agreements and all, if they have those, we want
to assure that they are coming underneath a Trusted Internet
Connection, those TICs that provide that perimeter protection
from the outside world.
Some of the agencies might be doing direct circuits, they
might be encrypted, they might not be. Some agencies are using
a thing that is called MTIPS, which is outside of an agency's
way of monitoring Internet traffic.
So it remains to be seen. We are very gratified and pleased
by the progress of the Department in responding to the Web
inspection activity. When the Department in the past would do
these things, during Ms. Burns' tenure or mine, the ability to
do scans on those network perimeters was very limited. We might
only use just one particular scanning tool or another scanning
tool that might come up with a couple of hundred
vulnerabilities. If you had an organized advanced persistent
adversary that used a variety of tools, it really illuminated
to the Department and all that the steps that need to be taken.
Mrs. Lawrence. Thank you.
I yield back.
Mr. Hurd. Mr. Blum, you're recognized for 5 minutes.
Mr. Blum. Thank you, Chairman Hurd.
And I'd like to thank the panel for being here today and
giving us your insights on these most critical issues.
Ms. Burns, I believe 20 of the 29 IG recommendations made
in fiscal year 2013 in the audit remains open. Many of these
are basic cybersecurity recommendations, as you're well aware,
such as implementing third-party vendor security patches,
maintaining an up-to-date information systems inventory, and
utilizing approved and authorized solutions for remote access.
When do you expect to address these recommendations?
Ms. Burns. So those are on a rolling list that my team
keeps and we monitor very closely with specific targets. I'd
have to go back and look specifically to see what our plans
are, what we had as the date for doing that.
But I would say that with all the events of the
past few months there's heightened attention to all things
related to cybersecurity. We were already working on, for
instance, clauses to contracts that would include security
provisions. And so those things were already underway.
Mr. Blum. Do you plan on implementing all of them?
Ms. Burns. We would like to implement the things that--I
think if we agree with them, we want to implement them.
Mr. Blum. Did many of these stem from before your tenure as
CIO?
Ms. Burns. Yes, sir.
Mr. Blum. So that would be Mr. Mazer then, is that correct?
Mr. Mazer. That would be correct.
Mr. Blum. What did you do, Mr. Mazer, in your tenure to
address these? Twenty of the 29 remain open today. What did you
do to address these during your tenure?
Mr. Mazer. What we would do with, regardless of any
weaknesses or we'd call them program objectives and milestones,
is we literally receive thousands of weaknesses.
What I did during my time, and it appears that it is
continuing, is we set up a particular organization, sub-
organization within the OCIO that monitored all audit and GAO
and weakness findings. And then we pressed upon the bureaus or
the office that was responsible for them on completion dates.
And then there was a continuous follow-up on whether or not
they are finishing those recommendations to be completed.
Some recommendations can't be finished within 2 months, 4
months. Some might take a particular year because it might have
to take a clause and a contract change.
Mr. Blum. Twenty of 29 seems to be a big number to me, and
they're still open today.
Mr. Mazer. If you look at open findings or open audit
actions in all that, there is literally--there might be several
hundred of those. There are normal things that are either a
weakness in all that, that need to be corrected, and then they
will be corrected. The bureaus have always been or the office
who is responsible for that are always pressed to get updates,
they are requested for updates as to when those things are
going to be done.
Mr. Blum. The IG felt these were important enough to put
them on a list. And it seems like the list, it never makes it
to the top of the list. And it sounds like it hasn't for years.
That concerns me. Does it concern you, Mr. Mazer?
Mr. Mazer. It very much concerns me. When we looked at
things like--we call the term POAMs, forgive the abbreviation--
there are literally thousands of them. One of the things that
we were looking at and it is still continuing under Ms. Burns'
tenure is how many of these things are older than 6 months and
then what were the steps in all that, that needed to be to
complete those.
Mr. Blum. Were you eligible to receive a bonus over the
last 3 years as CIO?
Mr. Mazer. Yes, sir.
Mr. Blum. Did you receive a bonus in 2011?
Mr. Mazer. Yes, I did.
Mr. Blum. Did you receive a bonus in 2012?
Mr. Mazer. Yes, I did.
Mr. Blum. Did you receive a bonus in 2013?
Mr. Mazer. Yes.
Mr. Blum. Ms. Burns, did you receive a bonus in 2014?
Ms. Burns. Yes.
Mr. Blum. I have a minute left. My last question, Ms.
Burns, if there were another hack of the agency's servers in
the Department of Interior today, what could the hackers do?
What kind of damage could be done? Could they access other
areas of the Department of Interior servers? Could they access
other agencies' information if it happened today?
Ms. Burns. There are risks to the Department. And so it is
important for us, for me to be attentive to what's going on and
make sure that we do whatever is necessary to immediately--and
I'm not talking about waiting years, I'm talking about looking
at what could really happen to us and damage us and act
quickly. And that's something that I have been doing. I was
doing it during my tenure. But I think it is with sharpened
focus since over the past few months.
Mr. Blum. Are we still vulnerable? Is that a yes? Are we
still vulnerable? Can they still do serious damage today?
Ms. Burns. I think that all agencies are vulnerable.
Mr. Blum. Thank you for your candor.
And with that, I yield back my time, Mr. Chairman.
Mr. Hurd. Thank you, Mr. Blum.
Votes are going to be called soon, and I think we can get
through the questioning before then. I would like to turn it
over to Mr. Lieu for 5 minutes.
Mr. Lieu. Thank you, Chairman Hurd.
Ms. Burns, at the Department of Interior's data center, you
don't house the CIA's list of covert spies at that data center,
correct?
Ms. Burns. Correct.
Mr. Lieu. And you don't house our Nation's classified
nuclear launch codes at that data center, correct?
Ms. Burns. Correct.
Mr. Lieu. In fact, you didn't house OPM's security
clearance database either at that data center, right?
Ms. Burns. Correct.
Mr. Lieu. And that's because you're not a national security
or intelligence agency, correct?
Ms. Burns. That's correct.
Mr. Lieu. So I am going to read you the mission statement
of your Department, which is: ``The Department of the Interior
protects and manages the Nation's natural resources and cultural
heritage; provides scientific and other information about those
resources; and honors its trust responsibilities or special
commitments to American Indians, Alaska Natives, and affiliated
island communities.''
And with the indulgence of the chair, I would like to put
this into the record.
Mr. Hurd. So moved.
Mr. Lieu. Mr. Chair, I would also like to enter into the
record the mission statement of OPM, which is the following:
``Through our initiatives, programs, and materials, we seek to
recruit and hire the best talent; to train and motivate
employees to achieve their greatest potential; and to
constantly promote an inclusive workforce defined by diverse
perspectives. OPM provides human resources, leadership, and
support to Federal agencies and helps the Federal workforce
achieve their aspirations as they serve the American people.''
Mr. Lieu. OPM is not a national security or intelligence
agency either, isn't that correct?
Ms. Burns. It doesn't seem so.
Mr. Lieu. Right. So I just want to make a point that for
the same reasons we don't house our crown jewels of American
intelligence at Department of Interior, there is no way we
should be housing it in a human resources agency.
Now, I would like to move on to the actual database that
was breached at your data center, which was the 4.2 million
personnel records that were not the security clearance records.
OPM testified in one of the earlier hearings that they didn't
encrypt their information because it was in COBOL language and
they said they couldn't do that. But that's not true, right?
COBOL can, in fact, be encrypted. There is nothing that says
you cannot encrypt something written in COBOL, isn't that
correct?
Ms. Burns. I am not an expert in COBOL, so I can't answer
that question.
Mr. Lieu. If you could get information back to us on that,
that would be terrific.
Ms. Burns. Yes.
Mr. Lieu. And then let me ask you, when they breached the
systems through OPM into your data center, you said that no
other information was compromised. Is that because the hackers
found other information uninteresting? In other words, they
could have gone to all these other databases and they chose not
to? Or did you actually have protections there that prevented
them from going to other databases that you were housing and
storing?
Ms. Burns. So I can't speculate about the motives of the
attacker. What I know from the assessment that DHS performed,
and they are the best source to talk about the specifics of the
forensics that happened, there was no evidence of compromise of
other data aside from OPM.
Mr. Lieu. Let me ask this another way. If someone is in
your data center in one database, can they look at your other
databases of other agencies or of your own Secretary's
information?
Ms. Burns. So I would want to confirm this with my team,
but I believe the answer to that is no. We use access controls
and other methods to protect the data, other data in the data
center that is different, aside from the OPM data.
Mr. Lieu. Is that no now or no at the time or both?
Ms. Burns. I'm sorry, could you repeat it? I didn't hear.
Mr. Lieu. If it's no, was that also the case when this
breach happened?
Ms. Burns. Yes.
Mr. Lieu. Or was it fixed later?
Ms. Burns. No. It was always that way.
Mr. Lieu. Okay. Thank you.
And then let me conclude by commending you. You said
something that I found important. You said: We own this
problem. So I appreciate that you said that. It shows that you
understand that it is not the responsibility of foreign enemies
or hackers to protect our systems, it is our responsibility;
that you understand the gravity of this issue; and that your
view is we are going to try to prevent breaches, and that you
are not going to measure your success by happening to find a
breach 4 months later or a year later, that you are going to
try to prevent these breaches in the first place.
So I appreciate that and look forward to working with you.
Ms. Burns. Thank you, sir.
Mr. Lieu. I yield back.
Mr. Hurd. The gentleman yields back.
Mr. Palmer from Alabama for 5 minutes.
Mr. Palmer. Thank you, Mr. Chairman. And I would like to
thank the witnesses for coming.
Ms. Burns, I think it's been established that there were
known vulnerabilities and that the Department of Interior had
suffered actual attacks that exploited some of these
vulnerabilities prior to your team coming in, is that correct?
Ms. Burns. I'm sorry, I can't hear you. Can you repeat the
question? Sorry.
Mr. Palmer. Okay. What I was saying is, is that there were
known vulnerabilities and that the Department of Interior had
suffered actual attacks that exploited these vulnerabilities
prior to your coming on, is that correct?
Ms. Burns. I believe that is correct.
Mr. Palmer. So you knew that there were vulnerabilities.
And you are also aware, I would assume, that the Sakula
malware, which has been tied to the OPM attack, had been also
tied to the Anthem cyber attack. Were you aware of that?
Ms. Burns. I participated in briefings with DHS and OPM.
Mr. Palmer. Did it not occur to you that you needed to
evaluate the vulnerabilities at DOI for a potential cyber
attack from what we knew in terms of the malware that was used
in the Anthem attack?
Ms. Burns. So I think I need to clarify that from my
understanding of the incident that involved OPM----
Mr. Palmer. I'm talking about going back. You knew there
were vulnerabilities, you knew that there had been prior
attacks. We also knew that the Sakula malware had been used in
the Anthem attack. Did no one, did it not occur to anyone that
such an attack on the scale of the Anthem attack might
occur at DOI?
Ms. Burns. So I think that we have to be, as I said, on
alert about the dangers that are out there in terms of
cybersecurity.
Mr. Palmer. No, ma'am. That's a yes or a no. You either did
the due diligence or you didn't.
Ms. Burns. Could I, if I could, with greatest respect, just
clarify that the breach from OPM into DOI did not happen
because of a vulnerability in DOI's data center. It happened
because of compromised credentials of a privileged user on
OPM's side that then moved into DOI's environment. So it was
not because of a vulnerability.
Mr. Palmer. Well, all right. Thanks for making that
clarification.
Mr. Mazer, you were the Chief Information Officer for 4
years before Ms. Burns took over. What efforts, if any, did you
undertake to address these issues when you were in charge?
Mr. Mazer. When I assumed the role of the CIO at the
Department of the Interior, the Department of Interior was
basically predicated, the CIO's office was a policy shop. The
CIO's office would promulgate policy to the respective bureaus
and offices to assure that they were taking care of things like
security, capital planning, enterprise architecture, systems
life cycle development.
I embarked upon--for 6 months we worked on a draft, it
became known as the 3309 Secretarial Order, which says we need
to consolidate Clinger-Cohen functions, like capital planning,
enterprise architecture, and security underneath one CIO. And
then we also stated that we need to move common infrastructure
that everyone uses underneath one particular entity. We worked
on a strategic plan. Arising out of the strategic plan, we
settled on things that we called service towers.
Mr. Palmer. I've only got a minute left.
Mr. Mazer. Yes, sir. I'm sorry.
Mr. Palmer. I appreciate the detail of the answer. And if
you'd like to put the balance of that in writing and provide it
to the committee, you're welcome to do so.
Mr. Mazer. I'd be more than delighted. Okay.
Mr. Palmer. I'd also like to know, was the database that
the Interior hosted, including the OPM, encrypted?
Ms. Burns.
Ms. Burns. I'm probably not the right person to ask about
that because OPM is the owner of the data. And I, in sitting in
the testimony with the previous OPM Director, I just heard her
testimony that she said the data was not encrypted. So I get my
information from that. I would have to check with my technical
team.
Mr. Palmer. Do you have any idea how many serious breaches
DOI has suffered in 2014?
Ms. Burns. I'm sorry, could you repeat that?
Mr. Palmer. So far for this year, how many breaches have
you suffered? Do you have any idea?
Ms. Burns. In 2015?
Mr. Palmer. In 2014-2015.
Ms. Burns. So that--I can't answer that. We have a
distributed IT environment, as I said, and there is a--it was
cited in the IG's report that there was a--reports of
incidents, I think they referred to some incidents in the
report, that were reported by the bureaus and offices that my
office doesn't necessarily have visibility into. So we have to
do research into them. In order to answer your question, I
would have to go back and look further at that.
Mr. Palmer. Would you be willing to let the committee know
that?
Ms. Burns. Yes.
Mr. Palmer. Thank you.
I yield, Mr. Chairman.
Mr. Hurd. Thank you, sir.
I'd like to yield myself 5 minutes.
I just want to be clear, Ms. Burns, because you make a good
point and I want to make sure everyone recognizes that. The bad
guys got access to a credential that was OPM and they used that
credential to gain access to the data housed at the Department
of Interior. So that they used those credentials that had
natural access to the information that was breached, is that
correct?
Ms. Burns. That's correct.
Mr. Hurd. So they didn't take advantage of any
vulnerability other than getting access to that user name and
password.
Ms. Burns. That's my understanding, sir.
Mr. Hurd. Thank you.
This recent vulnerability assessment that the inspector
general did, who called for that?
Ms. Kendall. We initiated it ourselves, sir.
Mr. Hurd. Okay.
And, Ms. Burns, how much of the IT budget for Department of
Interior do you control? First question, what's the IT budget
roughly for all of DOI?
Ms. Burns. So the IT budget overall, we report
approximately a billion dollars a year.
Mr. Hurd. So of that billion dollars, how much do you, as
the CIO of the Department, have access to?
Ms. Burns. I would say it's----
Mr. Hurd. Roughly.
Ms. Burns. It's approximately less than $200 million.
Mr. Hurd. So you are the CIO of the entire Department and
you have access to less than $200 million. Isn't that a
problem?
Ms. Burns. I think that the provisions that you gave us in
terms of authorities to CIOs in FITARA, whereby I have to
approve IT spending, helps. Even though I don't have the money,
all the funds for the IT portfolio in my direct budget, it
gives me significant influence.
Mr. Hurd. You have a little bit more control, is what you
are saying.
Ms. Burns. Yes.
Mr. Hurd. Now, let's focus on the assessment that was done.
The draft report that we have access to said that nearly 3,000
critical and high-risk vulnerabilities in publicly accessible
computers operated by three DOI bureaus were found, is that
correct?
Ms. Burns. Yes.
Mr. Hurd. Have all those been remediated?
Ms. Burns. From my understanding, yes.
Mr. Hurd. But I also have information that indicates--and,
Ms. Kendall, you may be able to confirm this--that the
Department of Interior's total number of publicly accessible
computers is unknown because the Department doesn't perform
discovery scans of their publicly accessible information, is
that correct?
Ms. Kendall. I believe that's correct based on what we
conducted in terms of----
Mr. Hurd. So that number could be significantly higher than
3,000?
Ms. Kendall. It could be.
Mr. Hurd. And there could be----
Ms. Kendall. No, I'm sorry, I believe the 3,000--and I'll
ask this--was the vulnerabilities.
Mr. Hurd. The total vulnerabilities?
Ms. Kendall. Yes.
Mr. Hurd. Okay. So the number of publicly accessible Web
sites that have these vulnerabilities is higher than what it is
because we don't know the total summation of those?
Ms. Kendall. It could potentially be, yes.
Mr. Hurd. So I would have liked--and, again, if this is
publicly accessible information, those three bureaus that's
doing it, that is not classified information because the bad
guys can figure that out. That's just a point for me. Because I
would have liked those three CIOs to be here, because they
probably have a budget probably larger or in line with yours,
is that correct, Ms. Burns?
Ms. Burns. I can't tell you. I don't have that information
with me right now.
Mr. Hurd. So the remediation of those three bureaus, was
that overseen by your office or was that overseen by CIOs from
these various bureaus?
Ms. Burns. The remediations ultimately would have been
overseen by--so we don't call them CIOs, we changed that when
that secretarial order was issued. We call them Assistant
Directors for Information Resources. And they--so they head IT
in the bureaus. But I would tell you that IT in the bureaus is
not centralized under them. So while they would oversee the
mitigation of the vulnerabilities that you're talking about,
those vulnerabilities could have resided at a lower program
level that was outside of the chain of command of the bureau.
Mr. Hurd. Mr. Gilkeson, maybe you're the right one. Isn't
that pretty outrageous for designing management control of an
IT system?
Mr. Gilkeson. It's certainly not optimal, Mr. Chairman, I
would say.
Mr. Hurd. I'll take that.
Mr. Gilkeson. It's a very--it's a highly decentralized
organization. I think that's kind of coming through.
Mr. Hurd. Is there a move afoot, Ms. Burns, to centralize
some of this information?
Ms. Burns. Yes, there is, sir. Under FITARA and our
implementation plan for FITARA, there are plans to bring that
more under a centralized management.
Mr. Hurd. And I would like, without objection, to submit
the Department of Interior's response to the IG report to the
record.
Mr. Hurd. And in this report, they talk about--you all talk
about how long it's going to take to fix all the problems that
the IG report identified. When do you think all those are going
to be done?
Ms. Burns. Some of it is dependent on resources because I
have limited staff to be able to do stuff. I think that at the
same time it's my obligation to be prudent about how we use the
money that we have, and that includes leveraging the bureaus
and offices as much as possible to be able to fulfill the fixes
that go along with the recommendations.
So, as I said, we do the best we can with the resources
that we get. There are some immediate things that we can do to
protect us against the immediate threat. And, as I mentioned,
I'm already talking with the bureaus and offices about those
things so we can take immediate action.
Mr. Hurd. Great.
Ms. Burns. The longer term things do have cost.
Mr. Hurd. And, Ms. Burns, I want to join my colleague from
California in thanking you for taking responsibility for this.
And you said something else in your opening remarks that I am
going to have to go back to the record and write down: This is not
just a paper-based exercise, you've got to roll up your sleeves
and actually do something. And I appreciate that mentality. But
I also want to make sure that--what were the people that you
called, they're not CIOs of bureaus anymore, Assistant----
Ms. Burns. We call them ADIRs.
Mr. Hurd. Let your ADIRs know that they should be sitting
alongside you as well. And I appreciate you being here to
answer the questions for the folks that are all in the
organization of DOI who have the responsibility for fixing some
of these issues. And I recognize it is not necessarily all in
your area of control as it should be.
And so we want to make sure that we continue looking at
things like FITARA and FISMA and how we can strengthen your
control over these issues, because we are going to be holding
you responsible. And if we are going to hold you responsible,
you should have the tools to fix the network.
So I want to appreciate everyone for coming out today. This
is an important topic. I'd like to yield a minute to my
colleague from Texas.
Mr. Farenthold. Thank you. I realize we are in a hurry for
votes. I was next door dealing with the excessive regulation in
the EPA. But Jeff from my office says both Ms. Burns and Ms.
Kendall spoke positively about moving more information and more
of the IT to the cloud.
And I just wanted to get both of you all to quickly tell me
if there is anything that Congress can do to help enable that
and move that along.
Ms. Burns. From my perspective, I am appreciative for what
you did with enacting FITARA and the new version of FISMA. I
think they help us greatly. And before I would ask you to do
anything more, I would say let us take the tools that you have
given us and try to do the best we can to make them work in our
organizations.
Mr. Farenthold. Ms. Kendall, do you want to add anything?
Ms. Kendall. I would only add that when we briefed staff on
this report, one of the questions was what kind of financial
resources need to come along to make these things happen. And
the IG does not make those recommendations. But I would
encourage the Department to provide that information to you as
well because I think it is very much resource driven.
Mr. Farenthold. Thank you all for being here. And thank you
for your work.
Mr. Hurd. Without objection, I would like to provide the--
put the IG report on Faisal Ahmed on the record. And without
objection, so ordered.
Mr. Hurd. And I'd like to thank our witnesses for taking the
time today and appearing before us. This is an important issue
and something that this subcommittee is going to continue to
investigate.
And, Ms. Burns, you know, this is--we are here to be
supportive and make sure that you have all the tools you'll
need to do your job.
Thank you all. And the subcommittees stand adjourned.
[Whereupon, at 4:01 p.m., the subcommittees were
adjourned.]
APPENDIX
----------
Material Submitted for the Hearing Record
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]