[Congressional Record Volume 146, Number 130 (Tuesday, October 17, 2000)]
[Extensions of Remarks]
[Page E1808]
From the Congressional Record Online through the Government Publishing Office [www.gpo.gov]




   CONFERENCE REPORT ON H.R. 4205, FLOYD D. SPENCE NATIONAL DEFENSE 
                 AUTHORIZATION ACT FOR FISCAL YEAR 2001

                                 ______
                                 

                               speech of

                             HON. BOB RILEY

                               of alabama

                    in the house of representatives

                      Wednesday, October 11, 2000

  Mr. RILEY. Mr. Speaker, last year's Defense Appropriations Act (FY 
00) contained $10 million for the specific purpose of improving the 
safeguards for storing classified material held by Department of 
Defense contractors. It is with deep regret that I must report that the 
Pentagon refused to release these funds which expired on September 30, 
2000. The Assistant Secretary of Defense for Command, Control, 
Communications and Information, Arthur Money, sent me and a number of 
other House and Senate members a letter on why the Pentagon chose to 
ignore the direction of Congress.
  Mr. Speaker, beyond the fact that the Clinton/Gore Administration 
defied the law, their rationale for not complying with a federal 
security standard is troubling and their basis unfounded. First, on the 
issue of cost, DOD claims that upgrading existing security containers 
controlled by contractors by replacing old vulnerable mechanical locks 
with electronic locks that meet minimum federal security standards 
(FFL-2740A) would be cost prohibitive. The referenced report of the 
Joint Security Commission II sites an industry estimate from five 
contractors that is based on an inflated retail price of the electronic 
lock which is popularly called the ``X07'' or ``X08'' lock, rather than 
the wholesale price which would be the price of the lock in this 
upgrade program. This is not the first time that DOD has overestimated 
the cost of the program in an effort to resist implementation. In 1993, 
DOD grossly overestimated the cost of upgrading its own mechanical 
locks at $500 million, but the internal upgrade only actually cost $59 
million. Based on the number of classified containers held by defense 
contractors, a lock upgrade program would cost between $45 million and 
$60 million, depending upon how the program was managed.
  Secondly, on the issue of threat Mr. Speaker, the physical security 
threat to classified materials that exists with these 1950's vintage 
mechanical locks cannot be overstated. The threat is why the GSA 
established a federal standard in 1989 that requires locks on secure 
containers to withstand an attempt of twenty man-hours of surreptitious 
entry. Currently, an ``insider'' or foreign agent with readily 
available technology can determine the combination of a mechanical lock 
in a matter of minutes. Since this ``safe cracking'' can be done 
without detection on a mechanical lock, no one would ever know that an 
``insider'' possessed the combination to access classified information 
including sensitive computer hard drives, laptops and access codes. To 
combat this problem, all new secure containers are fitted with the X08 
lock (the only lock that meets the federal standard), but there are 
still thousands of mechanical lock containers and, worse yet, bar-
locked file cabinets that are being used by contractors to protect our 
nation's classified information. Until all existing secure containers 
are upgraded with modern electronic locks, gaping security lapses will 
continue. No perimeter security apparatus involving guns, gates, 
guards, alarms, check points and other physical security barriers will 
protect against the ``insider'' threat to antiquated mechanical locks.
  The Defense Intelligence Agency (DIA) has identified 27 foreign 
intelligence organizations that have the capability to penetrate these 
old mechanical locks without leaving a visible trace. These espionage 
organizations would likely use ``insider'' agents for this purpose. In 
fact, Mr. Money's view that the ``insider'' threat is of greater 
concern than the threat of covert entry to a safe or vault is precisely 
why the electronic lock upgrade is needed. The X07/X08 lock now 
possesses features that help ensure accountability and control access. 
More importantly, the lock also has the capability to be equipped with 
a time/date stamp feature which would automatically record who entered 
the safe and when. This audit trail feature is already used with great 
success by large corporations. By adding this feature to the federal 
requirements, we add another important counter espionage tool to this 
virtually impenetrable lock.
  I certainly understand the many competing interests that DOD must 
juggle within a constrained budget, but I cannot accept the Pentagon's 
view of contractor lock upgrades as being unnecessary, cost prohibitive 
or without commensurate security benefit. The growing volumes of 
classified information contained in moveable media (i.e. laptop 
computers, hard drives, back-up tapes, etc.) that is used by the 
national security agencies and their contractors, and the need to 
properly secure this classified material, cannot be pushed aside as a 
trivial matter. If the Department of Defense shows leadership in the 
proper handling of classified material, I'm certain that government and 
contractor employees will take a more serious attitude toward the 
proper stewardship of the Nation's secrets. The United States cannot 
afford another security lapse like the missing NEST hard drives at Los 
Alamos or the missing laptops at the State Department.

                          ____________________