COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN CYBER HOUSE IN ORDER

HEARING before the SUBCOMMITTEE ON OVERSIGHT AND INVESTIGATIONS of the COMMITTEE ON COMMERCE, HOUSE OF REPRESENTATIVES, ONE HUNDRED SIXTH CONGRESS, SECOND SESSION

JUNE 13, 2000

Serial No. 106-157

Printed for the use of the Committee on Commerce

U.S. GOVERNMENT PRINTING OFFICE
65-910CC WASHINGTON : 2000

COMMITTEE ON COMMERCE

TOM BLILEY, Virginia, Chairman

W.J. ``BILLY'' TAUZIN, Louisiana
MICHAEL G. OXLEY, Ohio
MICHAEL BILIRAKIS, Florida
JOE BARTON, Texas
FRED UPTON, Michigan
CLIFF STEARNS, Florida
PAUL E. GILLMOR, Ohio, Vice Chairman
JAMES C. GREENWOOD, Pennsylvania
CHRISTOPHER COX, California
NATHAN DEAL, Georgia
STEVE LARGENT, Oklahoma
RICHARD BURR, North Carolina
BRIAN P. BILBRAY, California
ED WHITFIELD, Kentucky
GREG GANSKE, Iowa
CHARLIE NORWOOD, Georgia
TOM A. COBURN, Oklahoma
RICK LAZIO, New York
BARBARA CUBIN, Wyoming
JAMES E. ROGAN, California
JOHN SHIMKUS, Illinois
HEATHER WILSON, New Mexico
JOHN B. SHADEGG, Arizona
CHARLES W. ``CHIP'' PICKERING, Mississippi
VITO FOSSELLA, New York
ROY BLUNT, Missouri
ED BRYANT, Tennessee
ROBERT L. EHRLICH, Jr., Maryland

JOHN D. DINGELL, Michigan
HENRY A. WAXMAN, California
EDWARD J. MARKEY, Massachusetts
RALPH M. HALL, Texas
RICK BOUCHER, Virginia
EDOLPHUS TOWNS, New York
FRANK PALLONE, Jr., New Jersey
SHERROD BROWN, Ohio
BART GORDON, Tennessee
PETER DEUTSCH, Florida
BOBBY L. RUSH, Illinois
ANNA G. ESHOO, California
RON KLINK, Pennsylvania
BART STUPAK, Michigan
ELIOT L. ENGEL, New York
TOM SAWYER, Ohio
ALBERT R. WYNN, Maryland
GENE GREEN, Texas
KAREN McCARTHY, Missouri
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
THOMAS M. BARRETT, Wisconsin
BILL LUTHER, Minnesota
LOIS CAPPS, California

James E. Derderian, Chief of Staff
James D. Barnette, General Counsel
Reid P.F. Stuntz, Minority Staff Director and Chief Counsel

Subcommittee on Oversight and Investigations

FRED UPTON, Michigan, Chairman

JOE BARTON, Texas
CHRISTOPHER COX, California
RICHARD BURR, North Carolina, Vice Chairman
BRIAN P. BILBRAY, California
ED WHITFIELD, Kentucky
GREG GANSKE, Iowa
ROY BLUNT, Missouri
ED BRYANT, Tennessee
TOM BLILEY, Virginia (Ex Officio)

RON KLINK, Pennsylvania
HENRY A. WAXMAN, California
BART STUPAK, Michigan
GENE GREEN, Texas
KAREN McCARTHY, Missouri
TED STRICKLAND, Ohio
DIANA DeGETTE, Colorado
JOHN D. DINGELL, Michigan (Ex Officio)

C O N T E N T S

Testimony of:
Gilligan, John M., Chief Information Officer, U.S. Department of Energy
Habiger, Eugene E., Director, Office of Security and Emergency Operations, U.S. Department of Energy
Podonsky, Glenn S., Director, Office of Independent Oversight and Performance Assurance, accompanied by Bradley A. Peterson, Office of Cyber Security and Special Reviews, U.S. Department of Energy

COMPUTER INSECURITIES AT DOE HEADQUARTERS: DOE's FAILURE TO GET ITS OWN CYBER HOUSE IN ORDER

TUESDAY, JUNE 13, 2000

House of Representatives, Committee on Commerce, Subcommittee on Oversight and Investigations, Washington, DC.

The subcommittee met, pursuant to notice, at 9:10 a.m., in room 2123, Rayburn House Office Building, Hon. Fred Upton (chairman) presiding.

Members present: Representatives Upton, Burr, Bilbray, Bryant, Bliley (ex officio), Stupak, Green, and DeGette.

Also present: Representative Wilson.

Staff present: Tom Dilenge, majority counsel; Anthony Habib, legislative clerk; Clay Alspach, legislative clerk; Edith Holleman, minority counsel; and Brendan Kelsay, minority research analyst.

Mr. Upton. Good morning, everyone and welcome. Today's alarming news story may change the focus of this morning's hearing a little bit.
Americans everywhere want absolute assurances that our nuclear secrets remain just that, secret. Sadly, today's headlines are indeed startling regarding the missing disks and the unsuccessful attempts of answering the many questions that are now out there. How can these disks be missing after more than a month with only as many as 86 individuals, 26 being unescorted, having access to these highly classified disks? Real security is going to require additional changes in how DOE and its labs control their classified data, whether in hard copy or on computer disk. Our hearing today, coupled with this news from Los Alamos, shows how far the Department, in its lapse, still must go to make security the priority that everyone wants it to be.

This subcommittee will hold a hearing to continue its year-long review of cyber security practices at the Department of Energy. This time, our focus is not on the Department's nuclear weapons labs--which have received the lion's share of attention and have made real improvements in computer security since last year--but on DOE headquarters itself. Unfortunately, the current situation at DOE headquarters is little better than where the labs were a year ago, a startling and troubling revelation given the Secretary's professed commitment over 1 year ago to make security, and cyber security in particular, a top priority throughout the Department. We'll hear today once again from Mr. Glenn Podonsky, whose office conducts independent reviews of DOE security practices, including the latest audit of headquarters cyber security completed last month. At our last hearing on DOE's security issues, Mr. Podonsky's office promised in response to Congresswoman Wilson's questioning to initiate an expedited review of headquarters cyber security, and I am pleased that he's with us to report to the subcommittee on the findings of this audit.
In particular, we will hear that the headquarters computer network has many significant and easily exploitable vulnerabilities that render it susceptible to both internal and external threats. As with the labs, we will hear once again about the lack of internal security controls to limit the ability of authorized and unauthorized users, including some foreign nationals, to move freely among the various program office systems to compromise sensitive information. On this unified network is not only the Secretary's office but also key program functions, such as defense programs, nonproliferation and national security, security operations, counterintelligence, the general counsel and inspector general, and even Mr. Podonsky's office. While these offices' classified data is physically separate from the unclassified network, the audit does raise concerns about whether the tighter controls that were ordered more than a year ago by the Secretary to limit the transfer of classified data to the unclassified systems have in fact been implemented at DOE's own headquarters.

As with the labs, we'll also hear about deficiencies in certain fire walls and intrusion detection systems. While no Internet fire wall is ever 100 percent foolproof, it is important that a system be able to quickly detect and block this spread of unauthorized entries into the network. By this important measure, DOE falls significantly short of the mark. From a management perspective, the audit essentially finds that no single person or entity is in charge of this network, an amazing finding in and of itself, and most likely the root cause of the technical problems uncovered by this audit. It appears that much like other Federal agencies the committee has looked at, the chief information officer at DOE is the chief in name only.
Given Secretary Richardson's reorganization last summer, which elevated the CIO and gave him responsibility for all cyber security efforts throughout the Department, I would have thought that the CIO would have also received the authority to mandate certain minimum requirements and corrective actions to vulnerable systems. Instead, we now find out that the CIO lacks, according to the audit, ``real and perceived authority to order changes,'' a view apparently shared by the CIO himself. I know I must speak for many members of this committee when I say that I find the whole situation bewildering. How could DOE headquarters, which was the catalyst for the security changes at the nuclear weapons labs last year, leave its own systems so vulnerable to misuse; and why is the Department's CIO so powerless to change the situation? These and many other questions will be explored at today's hearing, and I welcome our panel of witnesses. In particular, I look forward to the testimony of General Habiger, DOE's security czar, and Mr. Gilligan, DOE's CIO, on what technical and management changes DOE intends to make to fix these serious problems and on what timetable. I am glad to see that after we'd noticed this hearing last week, the Department immediately moved to give this CIO new powers over the headquarters network; and I hope he uses that power to quickly and effectively gain control over this important cyber system. At this point, I yield to my friend from Michigan, Mr. Stupak, the acting ranking member for this morning's hearing.

Mr. Stupak. Thanks, Mr. Chairman, and thanks for holding this important hearing. Yesterday, I was prepared to give an opening statement regarding cyber security at the Department of Energy, but after reading the New York Times yesterday, I was forced to substantially change my statement. I'm very concerned that the Department of Energy has no idea what happened to two hard drives containing classified information about our nuclear weapons program.
According to the New York Times, the hard drives contained detailed specifications about U.S. and Russian nuclear weapons. However, what is more concerning is the laissez-faire attitude Los Alamos National Laboratory and the Department of Energy have displayed in trying to ascertain what happened to highly classified information. In the article, a senior Energy official is quoted as saying, ``In my opinion, it's premature to call this a security breach.'' Well, I, for one, think it is a security breach and has definitely been breached and no one can say what has happened to the hard drives, who had control of the hard drives or who last had access to them. I have to tell you, in my hometown of Menominee, Michigan, if I want to check out a library book at the Menominee Public Library, you have to have a library card and they make a record if you remove the book; and if you keep the book too long, they send you a notice asking you to return it. Eventually, they charge you a late fine. Most Americans would find it hard to believe that Menominee Public Library has a more sophisticated tracking system for ``Winnie the Pooh'' than Los Alamos has for highly classified nuclear weapons data. That is exactly the situation we're faced with.

Mr. Curran, the Director of the Department's Counterintelligence Office, is quoted as saying, ``At this point, there is no evidence that suggests espionage is involved in this incident.'' How are we going to find out? Does Mr. Curran expect someone from Baghdad or Beijing to call them next year and ask for a software update? We need to get the answers from the witnesses on a number of issues. Why did it take Los Alamos National Laboratory 3 weeks to alert the Department of Energy that the hard drives were missing? How were these hard drives and computers stored? A couple of months ago the State Department lost highly classified information on nuclear weapons. Now Los Alamos has misplaced highly classified information. This is not a joke.
We're talking about highly classified nuclear weapons data. I have been a critic of the lack of security at our nuclear weapons laboratory at Lawrence Livermore, Los Alamos and other facilities. Other members have come to me and asked me to tone it down; I will once the national labs take the security breaches seriously. I believe it's time to take--make security at our national labs a military priority and not a civilian afterthought. Mr. Chairman, we need answers and we need results. While I understand the witnesses are prepared to discuss cyber security at the Department of Energy, I intend to ask questions about the latest loss of our Nation's nuclear secrets, and I hope I will get some answers to my questions today. Thank you, Mr. Chairman.

Mr. Upton. I recognize Mr. Bliley for an opening statement.

Chairman Bliley. Thank you, Mr. Chairman. Since allegations of spying at Los Alamos first surfaced early last year, this committee and the American public have been subject to a steady stream of press releases, action plans, tough talk and photo ops from Secretary Richardson and senior DOE officials, designed to show a commitment to security at the Department of Energy. They have crisscrossed the country, making lots of visits to the nuclear weapons labs, demanding reforms and upgrades to security systems, particularly computer systems; and we've been told that the Department's contractors have, ``gotten the message,'' ``zero tolerance,'' for poor security. I certainly don't mean to belittle these efforts because they have had some positive effect, particularly when combined with this committee's aggressive oversight and the bright media spotlight. But despite the travels and television appearances, the Secretary apparently hasn't checked his own headquarters office. Effective leadership requires making sure your own house is in order when demanding others clean up theirs. Today, we are witnessing nothing less than a failure of leadership.
A recent internal inspection by the Department's independent cyber security team, prompted by Congresswoman Wilson's request during our last oversight hearing on this matter, has revealed real flaws in the cyber security program at the Department's own headquarters that should have been corrected a long time ago. Indeed, the Department knew about many of these flaws for some time before this latest inspection occurred yet failed to fix them. That doesn't seem like zero tolerance to me, and it highlights serious management failures. Indeed, one of the key findings in this report is that the Department, in executing its cyber security program at headquarters, has ignored the most basic principle of computer security, that a network is only as strong as its weakest link. Individual DOE program offices essentially set their own rules on security, which results in real differences in levels of security. This situation puts the entire DOE network, which contains a large amount of sensitive information, at serious risk of compromise or misuse. Whatever the DOE spin on this is, there can be little doubt that the latest audit of cyber security is a terrible embarrassment to the Department and to the administration. How could such a situation exist at DOE if security is really a top priority? The audit report concludes by stating that senior management attention is needed to fix the problems plaguing the Department's cyber security system. I am not sure how much more senior we can get than the Secretary, who supposedly has been focused on security at least since the spy scandal erupted over a year ago. I think it is time he and the rest of the Department focused equal attention on eliminating risks closer to home. Finally, I just want to say a word about the recent revelations of missing classified data from Los Alamos. 
It is alarming that, despite the alleged focus on security over the last year, it appears the Department of Energy and its labs still have a long way to go before the American public can or should feel confident that our nuclear secrets are safe in their hands. Several months ago, I requested the General Accounting Office conduct an investigation into whether DOE and its labs have proper procedures in place to control and account for their classified documents and electronic media. The latest news from Los Alamos suggests that, whether or not this missing data is eventually recovered, the answer is no. Thank you, Mr. Chairman.

Mr. Upton. Thank you, Mr. Chairman. Mrs. Wilson.

Mrs. Wilson. I ask unanimous consent to be allowed to sit in on this hearing of the Oversight and Investigations Subcommittee.

Mr. Upton. Without objection, so ruled. Would the gentlelady like to make an opening statement?

Mrs. Wilson. Yes, Mr. Chairman, I would. Thank you, Mr. Chairman, for letting me sit in on this subcommittee hearing. I am not normally on the Subcommittee on Oversight and Investigations. I have a particular interest and concern on the issue of cyber security at our national laboratories. In fact, this hearing and the testimony that we're going to hear today is the result of an inquiry that I made at a previous hearing about security at DOE headquarters. Because as all of us know, a system is only as strong as its weakest wall. And if we focus only on cyber security of systems out on the periphery of the Department of Energy and not those at DOE headquarters, we haven't strengthened the security system in the Department of Energy. I understand that we will hear testimony today about cyber security at the headquarters of the Department of Energy on its unclassified systems. That inquiry parallels those that have previously been made at the outer rings of the Department of Energy, including at our national labs.
We do not yet know how secure the classified systems are at DOE headquarters, but the preliminary reports that I have seen about the testimony we're going to hear today are troubling. It means that the Department of Energy has been out looking at all of its contractors and subcontractors, and at the periphery of its organization, being critical, and rightly critical, while it didn't have its own house in order. General Habiger, you and I were trained in some of the same places, with similar kinds of ethics and values, and I think both of us believe in leadership by example. And I am glad that you're now looking at the Department of Energy headquarters and trying to lead by example. But I am a little sorry that it took this kind of prodding to get the Department of Energy to do so. With respect to information systems and cyber security and computer security, all of us know that it must be systemic. It is by its nature systemic, and computer security has to be looked at as a whole and not just in pieces. I suspect that is one of the problems at the Department of Energy. Every little fiefdom within the Department of Energy runs its own show, and part of it is weak.

I do want to say something, just briefly, about the reports yesterday from Los Alamos National Laboratory. Folks from Los Alamos came to my office yesterday to give me preliminary information about the loss of classified data at Los Alamos National Laboratory, and I find it deeply troubling. We don't yet know a lot about what happened, and I support the ongoing investigation to find out. I have also requested that the Intelligence Committee, on which I sit, hold an immediate classified briefing on what was lost and what we know at this point. There are a number of questions that I still have. They're inappropriate to ask in an unclassified forum, and I will be asking those questions in the House Permanent Select Committee on Intelligence as early as this week.
There is one thing, though, that this most recent incident underscores for me, and that is the need to move forward rapidly with the implementation of the NNSA and the confirmation of General John Gordon to lead it. At the moment, the nuclear weapons complex in this country is in a state of limbo, of neither being part of the Department of Energy nor having a real head of its own. That is unsustainable if we want that organization to move forward, to improve security at our national labs and our nuclear weapons complex, and to come up with a concerted plan for the future. Thank you, Mr. Chairman.

Mr. Upton. Thank you. Well, gentlemen, as you know, as you have testified before, we have a long-standing tradition of taking testimony under oath before this subcommittee. Do you have any objection to that?

Voices. No.

Mr. Upton. And committee rules allow you to be represented by counsel if you wish such. Do you desire to have counsel representation?

Voices. No, sir.

Mr. Upton. In that case, if you would now stand and raise your right hands.

[Witnesses sworn.]

You are now under oath, and as you heard at the beginning, I guess we're going to allow you to take a little extra time in delivering your testimony. Mr. Podonsky, we'll start with you. Welcome back.

TESTIMONY OF GLENN S. PODONSKY, DIRECTOR, OFFICE OF INDEPENDENT OVERSIGHT AND PERFORMANCE ASSURANCE, ACCOMPANIED BY BRADLEY A. PETERSON, OFFICE OF CYBER SECURITY AND SPECIAL REVIEWS, U.S. DEPARTMENT OF ENERGY

Mr. Podonsky. Thank you, Mr. Chairman. I appreciate the opportunity to----

Mr. Upton. If you could just pull the mike a little bit closer, that would be terrific.

Mr. Podonsky. I appreciate the opportunity, Mr. Chairman, to appear before this committee to discuss our April inspection of unclassified cyber security systems at the DOE headquarters.
As you know, the Office of Independent Oversight and Performance Assurance provides the Secretary of Energy with an independent view of the effectiveness of safeguards and security, emergency management, and cyber security policies and programs throughout the DOE complex. With me this morning is Mr. Brad Peterson, the head of my cyber security office. In the past, DOE sites often focused on making information easily available and computer systems easy to use, which frequently led to cyber security receiving a low priority. Also, DOE policy was not always followed, which allowed implementation of computer systems in ways that did not provide for effective security. Particularly disturbing to us was the situation in 1994 at Los Alamos when my office pointed out that the classified network had connections to the unclassified network, posing the risk that an authorized user could download large quantities of classified information to an unclassified computer with little chance of detection. Over the past 15 years, the DOE headquarters has often received less than satisfactory ratings in many areas, including cyber security. Until Secretary Richardson's involvement, the program offices were in some cases unwilling to commit resources to enhance security. Recent results, however, have been more positive. A number of cyber security upgrades and other initiatives have been completed or are under way. The results of our inspection in April indicate that important deficiencies still need to be addressed. Many program offices have cyber security programs that would be considered effective if they were not connected to less effective networks. Generally, the main headquarters fire wall is effective; however, several Web servers managed by individual program offices are located completely outside the fire wall boundary. 
Most were found to be vulnerable to hacking, and some have vulnerabilities that could allow any Internet user to gain system administrator-level privileges and subsequently deface or shut down the Web site. Headquarters has not developed overall cyber security procedures or minimum requirements for each network segment on the network. The fragmented management systems and practices currently in place are a root cause of many identified weaknesses. While the chief information officer has attempted to address many of these weaknesses, the effectiveness of these initiatives has been limited due to lack of real or perceived authority. This fragmentation results in part from weaknesses in policy, which does not address the unique situation at headquarters or establish overall responsibilities and authorities. My office is continually expanding its ability to conduct network performance testing, using tools we have acquired or developed. We currently have an extensive cyber security laboratory dedicated to testing cyber security features. We also conduct regular inspection of cyber security systems at DOE sites. We will conduct an inspection of the classified cyber security at DOE headquarters next month in conjunction with a comprehensive inspection of all the safeguards and security policies and programs at the headquarters. We also will continue to follow up and work closely with General Habiger's office as they work to clarify and enhance cyber security policy and guidance. Although much work remains, it is clear that a positive trend in classified cyber security has been established at the headquarters and that DOE headquarters has heard the wake-up call from the Secretary and from the congressional committees. Cyber security is receiving a significantly higher level of attention from senior management than in the years gone past, and we are seeing more improvements that could not have been made without management support and the Secretary's involvement. 
Finally, our independent oversight function as a direct report to the Secretary has a mechanism in place, a mandated corrective action plan, that ensures independent oversight findings will be addressed. With these measures, we expect the identified weaknesses will be corrected. Thank you, Mr. Chairman.

[The prepared statement of Glenn S. Podonsky follows:]

Prepared Statement of Glenn S. Podonsky, Director, Office of Independent Oversight and Performance Assurance, U.S. Department of Energy

Thank you Mr. Chairman. I appreciate the opportunity to appear before this committee to discuss our Independent Oversight activities as they relate to unclassified cyber security at DOE Headquarters. The Office of Independent Oversight and Performance Assurance is responsible for providing the Secretary of Energy with an independent view of the effectiveness of DOE policies and programs in the areas of safeguards and security, emergency management, and cyber security. My remarks this morning will focus on the recent Independent Oversight inspection of unclassified cyber security systems at the DOE Headquarters, which was conducted in April 2000. I will also briefly summarize some historical perspectives to provide a background on how we got to where we are today. Finally, I will discuss our plans for upcoming inspections at DOE Headquarters, follow-up activities, and other initiatives.

Historical Perspectives

From the early days of computer networks, DOE has historically struggled with the area of cyber security. For a variety of reasons, such as the emphasis on intellectual freedom and open exchange of ideas, DOE sites, in the past, often focused on making information easily available and computer systems easy to use. This often led to situations in which cyber security received a lower priority than user convenience or operational efficiency.
There were also instances where DOE and contractor management did not follow DOE policy and allowed sites to implement computer systems in ways that did not provide for effective security. A particularly disturbing example was the situation in Los Alamos in 1994 when my office pointed out that the classified network had connections to the unclassified network, which posed a risk from an insider. Using these connections, an authorized user could download large quantities of classified information to an unclassified computer with little chance of detection. During most Oversight inspections over the last 15 years, the DOE Headquarters has performed poorly, often receiving less than satisfactory ratings in many areas, including cyber security. In many cases, until Secretary Richardson's involvement, Headquarters program offices were unwilling to commit resources to enhance security or to implement the same requirements they imposed on the field. Recent results, however, have been more positive. Headquarters has completed a number of cyber security upgrades and has other initiatives underway. Before talking about the results of the recent Headquarters inspection, I would like to take a moment to share with you some of the techniques we use for evaluating the effectiveness of cyber security programs. We began to use automated tools to performance test security features in 1995. This use of technology was a quantum step forward and dramatically increased our ability to test network security. Using automated network scanning tools, we are able to test thousands of systems and all network connections and features in a period of a week. Previously, such an effort would have taken a year or more. We have continually expanded our ability to conduct performance tests of networks using tools that we have acquired or developed on our own. 
For example, we have software programs--referred to as ``war dialers''--that can test every phone line at a DOE site in a matter of days to determine whether unauthorized modems exist. If present, such modems could be located and used by hackers to bypass the firewall to gain access to information or destroy data. We currently have an extensive cyber security laboratory dedicated entirely to testing cyber security features. We conduct regular inspections of the implementation of cyber security at DOE sites. We have expanded our methods to include a program of unannounced inspections and penetration testing. Most recently, we have been implementing what is commonly referred to as a RED Team approach, in which we use a variety of techniques to perform detailed tests of a site's cyber security features. These tests include penetration testing by experts who are thoroughly familiar with the latest hacker techniques and methods. Our assembled team of inspectors, together with our cyber security laboratory, enables us to conduct penetration testing on par with some of the best known hackers. With this extensive testing capability, it is not surprising that we continue to find weaknesses in implementation. Many DOE sites recently have established their own programs for regular scans of their networks and tests of their security features. This is one of the most positive trends in DOE, because an ongoing, effective self-assessment program is essential to effective network security. In addition to the rigorous performance testing of systems, our inspections also include an evaluation of the programmatic, management system elements that are the essential foundation of a cyber security program. By looking at such elements as leadership, risk management, procedures and performance evaluation, we are able to identify not only specific technical deficiencies, but also underlying root causes, which must be addressed to prevent recurrence of the problems. 
Summary of the April inspection of HQ unclassified cyber security systems

The results of our April Headquarters inspection of unclassified cyber security indicate that important deficiencies need to be addressed. Many program offices have cyber security programs that would be considered effective if evaluated on their own merits (that is, they would be effective if they were not connected to less effective networks of other organizations). Within several program offices, leadership and support for cyber security are good, and roles and responsibilities are well defined. Much of the recent improvement can be attributed to the attention and efforts of the Secretary of Energy and the DOE Chief Information Officer to improve cyber security across the complex. The Chief Information Officer has been aggressive in creating policy and has taken an active role in addressing DOE-wide problems. The CIO has worked to strengthen cyber security within the Headquarters and improve the security of the network backbone and main firewall. The CIO has also supported the Headquarters program offices through efforts such as regular scanning of networks to identify vulnerabilities that need corrective action.

Despite recent progress, weaknesses continue to exist in several important aspects of the Headquarters cyber security program. Weaknesses regarding the backbone switches and individual systems throughout the network were identified. Our testing demonstrated how a malicious insider could exploit these weaknesses. The results of these tests demonstrate the need for continued vigilance of network security. Generally, the main Headquarters firewall was effective. However, several Web servers are managed by individual program offices and are located completely outside the firewall boundary.
Most of these servers were found to be vulnerable to common hacking exploits, and some contain vulnerabilities that could allow any Internet user to gain system administrator-level privileges, and subsequently deface or shut down the Web site. To demonstrate this possibility, we exploited one of the vulnerabilities and gained system administrator-level privileges to one of the servers. There is also some concern that the risk of alternate pathways into the network that could allow unauthorized access has not been evaluated. The potentially exploitable vulnerabilities in the Headquarters network result from a number of weaknesses in the unclassified cyber security program. Headquarters has not developed overall cyber security procedures (such as policies for modems or foreign national access) or procedures to establish minimum requirements for each network segment on the network. There is no formal process for evaluating performance and for self-identifying and correcting vulnerabilities in the overall network. Additionally, Headquarters risk assessments have not been rigorous. The fragmented management systems and practices currently in place are a root cause of many of the programmatic weaknesses and technical vulnerabilities. While the DOE Chief Information Officer has attempted to address many of the weaknesses associated with this fragmentation, we determined that the effectiveness of these initiatives has been limited due to the lack of real and perceived authority. This fragmentation results in part from weaknesses in policy, which does not address the unique situation at DOE Headquarters or establish overall responsibilities and authorities for Headquarters. The 25 individual LAN segments, covering 29 different program offices, have widely varying levels of effectiveness. 
While some program offices have established effective practices, others have poor configuration management practices, ineffective policies and procedures, and ineffective intrusion detection strategies. Because of the configuration of the overall network (that is, the logical connections among all systems with few security barriers between segments), the overall system is only as good as the weakest link. In effect, the potentially effective practices of some program offices are largely negated by the ineffective practices of other program offices.

To summarize the results of our inspection, the increased focus on cyber security and the positive measures that have been implemented at DOE Headquarters have resulted in significant improvements in cyber security. However, additional improvements are needed, with particular emphasis on assessing and managing risk and on addressing vulnerabilities that can be exploited from within the internal network.

Plans for Independent Oversight Follow-up and other DOE Initiatives

We will be performing follow-up activities to determine whether identified weaknesses have been addressed. Although in the early stages of their corrective actions, Headquarters personnel have been generally responsive to the inspection findings and have started corrective actions. In a related effort, we will be conducting an inspection of the ``classified'' cyber security program at DOE Headquarters in July 2000 in conjunction with a comprehensive inspection of Headquarters' safeguards and security policies and programs. Independent Oversight will also continue to work with the Office of Security and Emergency Operations as they work to clarify and enhance cyber security policy and guidance. Although much work remains, it is clear that a positive trend has been established at DOE Headquarters in the area of unclassified cyber security.
While continued, close Independent Oversight attention is warranted, there are several reasons to be cautiously optimistic that this positive trend will continue. For example, it is clear that DOE Headquarters has heard the wake-up call from the Secretary and Congressional Committees. Cyber security is receiving a significantly higher level of attention from senior management than in the past, and we are seeing some improvements that could not have been made without management support and the Secretary's personal involvement. In addition, the Office of Security and Emergency Operations and the DOE Chief Information Officer have indicated a willingness to improve policies and guidance to ensure there is a clear and unambiguous basis for holding line management accountable for effective security. Finally, our Independent Oversight function, as a direct report to the Secretary, has a mechanism in place--the mandated corrective action plan--that ensures Independent Oversight findings are addressed. With these measures, we have reason to be optimistic that identified weaknesses will be corrected. Thank you Mr. Chairman; this concludes my comments.

Mr. Upton. General Habiger.

TESTIMONY OF EUGENE E. HABIGER, DIRECTOR, OFFICE OF SECURITY AND EMERGENCY OPERATIONS, ACCOMPANIED BY JOHN M. GILLIGAN, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY

Mr. Habiger. Mr. Chairman, distinguished members of this subcommittee, thank you for the opportunity to appear before you today to testify on Mr. Podonsky's Office of Independent Oversight and Performance Assurance report on our headquarters. While not always pleasant to hear, these reviews are essential in our ongoing efforts to ensure that we protect our information systems and the information they process. I readily acknowledge and accept the findings of this review. As recognized by the review itself, we have made much progress in the headquarters unclassified security program over the past 2 years.
The Office of Chief Information Officer, under the very capable leadership of John Gilligan, has moved aggressively to address DOE-wide problems to include the establishment of new policy governing our unclassified systems. At headquarters, John and his staff have made significant improvements in the security of the network backbone and our main firewall. Despite this progress, however, I acknowledge there is room for improvement. I also want to be straightforward with you and freely admit that over the past year our focus has been directed at our defense facilities and then our other large sites. As a result, headquarters has not received the same level of attention. This level of attention is directly correlated to the funds appropriated to us for cyber security. As part of our fiscal year 2000 Budget Amendment Request that I was personally involved with in July of last year, we asked for $35 million to address our cyber security needs, but were appropriated only $7 million. With such a shortfall, some hard decisions had to be made. Mr. Chairman, I now quote from my sworn testimony of October 26 of last year in front of this very committee, ``Congress has, up to this point, failed to fund the Department's fiscal year 2000 full budget amendment in order for us to make near- and long-term fixes. We have valid requirements in the area of cyber security to buy hardware, encryption equipment and to train our systems administrators. Simply stated, we have been given a mandate, but not the resources to accomplish that mandate.'' I cannot in retrospect tell you that if we had received the additional $28 million we requested back in July that we would have no cyber security discrepancies, but I can assure you, Mr. Chairman, that in my judgment they would not have been of the same order of magnitude. Consequently, the headquarters unclassified cyber security initiatives were given lower priority in light of more pressing needs at our field sites. 
Granted, not all of the issues identified were the result of funding shortfalls. Where limited funds were not an issue, we moved quickly to take corrective action. In addition, the Deputy Secretary recently directed that the Office of Chief Information Officer serve as the central cyber security authority for the headquarters. This action addresses the recommendations to establish the necessary management structure to implement an effective cyber security program at our headquarters. Additionally, we are implementing longer-term actions to improve the efficiency of the cyber security program by adopting best security practices and a more proactive risk assessment program. I want to assure you that we are fixing the shortfalls identified in the independent oversight review. Headquarters should and will set the standard for the rest of the Department on how it implements security of our unclassified systems. Thank you, Mr. Chairman.

[The prepared statement of Eugene E. Habiger follows:]

Prepared Statement of Eugene E. Habiger, Director, Office of Security and Emergency Operations, U.S. Department of Energy

Mr. Chairman and distinguished members of the Subcommittee, thank you for the opportunity to appear before you today to testify on the Office of Independent Oversight and Performance Assurance's report entitled, ``Unclassified Cyber Security Review of Department of Energy Headquarters.'' While not always pleasant to hear, these reviews are essential in our ongoing efforts to ensure that we protect our information systems and the information that they process. I readily acknowledge and accept the findings of the Independent Oversight review. As recognized by the review itself, we have made much progress in the Headquarters unclassified cyber security program over the past two years.
The Office of the Chief Information Officer, under the very capable leadership of John Gilligan, has moved aggressively to address DOE-wide problems to include the establishment of new policy governing our unclassified systems. At Headquarters, John and his staff have made significant improvements in the security of the network backbone and main firewall. Despite this progress, however, there is room for improvement. I also want to be straightforward with you and freely admit that over the past year our focus has been directed at our defense facilities and then our other large sites. This level of attention is directly correlated to the funds appropriated to us for cyber security. As part of our FY 2000 Supplemental Budget Amendment request, we asked for $35 million to address our cyber security needs, but were appropriated only $7 million. With such a shortfall, some hard decisions had to be made. Mr. Chairman, I now quote from my sworn testimony of October 26, 1999 in front of this committee: ``. . . Congress has, up to this point, failed to fund the Department's FY 2000 full budget amendment in order to make near and long term fixes. We have valid requirements in the area of cyber security to buy hardware, encryption equipment and to train our systems administrators . . . Simply stated, we have been given a mandate but not the additional resources to accomplish that mandate.'' I cannot in retrospect tell you that had we received the additional $28M we requested back in July of last year, that we would have had no cyber security discrepancies . . . but, I can assure you that they would not have been of the same order of magnitude. Consequently, the Headquarters unclassified cyber security initiatives were given lower priority in light of more pressing needs at our field sites. Granted, not all of the issues identified were the result of funding shortfalls. Where limited funds were not an issue, we moved quickly to take corrective action. 
For example, the Deputy Secretary recently directed that the Office of the Chief Information Officer serve as the central cyber-security authority for Headquarters. This action addresses the recommendation to establish the necessary management structure to implement an effective cyber-security program at Headquarters. Additionally, we are implementing longer-term actions to improve the efficiency of the cyber security program by adopting best security practices, and a more proactive risk assessment program. I want to assure you that we are fixing the shortfalls identified in the Independent Oversight review. Headquarters should and will set the standard for the rest of the Department on how it implements security of its unclassified systems. With your permission, I would now like to yield to John Gilligan, the Chief Information Officer of the Department of Energy, to elaborate on how we are progressing on our Headquarters efforts.

Mr. Upton. Mr. Gilligan.

TESTIMONY OF JOHN M. GILLIGAN

Mr. Gilligan. Thank you, Mr. Chairman and distinguished members of the subcommittee, for the opportunity to appear before you today. My testimony will focus on actions we have taken across the Department to improve the level of cyber security protection in our systems and networks. I will also discuss the cyber security weaknesses that have been identified in the headquarters during the recent review by the Department's independent oversight organization, as well as our efforts to remedy these identified weaknesses. I am pleased to say that the state of cyber security at the Department of Energy is far better today than it was a year ago. A year ago there was clear evidence that the Department's cyber security efforts, in particular for our unclassified computer systems, had not kept pace with the rapid proliferation of network connection and increasing threats.
Our policies were outdated, cyber security compromises at some sites led to significant work disruptions, and we did not have awareness of cyber security threats or adequate training of our work force to deal with these threats. These concerns were reported in congressional hearings and other forums. This was a painful wake-up call for the Department, but a necessary one. During the past year, each DOE organization has focused on improving awareness of cyber security threats and installing improved security controls. I have seen enormous progress in how unclassified information is protected and a significant increase in the awareness of cyber security issues at all levels within the Department. While we have worked this issue aggressively, cyber security is not a quick fix and more needs to be done. However, the security protection in the Department is improving rapidly, and I appreciate the opportunity to discuss our progress. Since the spring of 1999, the Secretary of Energy and I have emphasized the Department-wide focus on cyber security. The initial focus was on our defense laboratories and production facilities, with aggressive programs to upgrade and verify fixes at these facilities last summer and fall. This focus has subsequently been extended to all DOE sites. Over this period, the Department has completely restructured its cyber security program. 
Actions taken include the following: Creating a single Department-wide cyber security office under me as the Department's Chief Information Officer; requiring work stand-downs at all sites to conduct security awareness training; developing and issuing four new cyber security policies and two new cyber security guidelines; instituting a set of cyber security metrics which permit us to evaluate progress at each site; doubling the size and increasing the role of the central DOE security incident and early warning capability, our computer incident advisory capability located at Lawrence Livermore Laboratory; having each DOE site develop a detailed site-specific cyber security plan describing the implementation of cyber security protection at the site; deploying a number of security training programs Department wide to improve the security skills of our systems administrators and a separate training course provided to our line managers. Finally, each site has significantly upgraded its protection through the use of firewalls and intrusion detection software, stronger passwords, improved system configuration controls and reconfiguration of system and network connectivity to reduce vulnerabilities. In addition, the Secretary has created a proactive, independent security assessment organization, the Office of Independent Oversight and Performance Evaluation, reporting directly to him, to provide an independent review of security throughout the complex. For the past year, this independent oversight office has been conducting thorough reviews of cyber security effectiveness at DOE sites. As Chief Information Officer, I am a key customer of the products of the independent oversight reviews. I rely on these reviews to provide me with an objective assessment of the effectiveness of the cyber security at our sites and the effectiveness of the CIO cyber security policies. 
In essence, the independent oversight reviews provide critical feedback to me on how the individual sites are progressing with cyber security upgrades, and my staff often participates in the reviews. Since last summer the independent oversight organization has conducted 13 reviews. In those instances where significant vulnerabilities were identified, my policy staff and I have worked with the site and the line management organizations to ensure that there is rapid resolution. Action plans for fixing problems identified in the independent oversight reviews are tracked by the DOE Security Council that is chaired by the DOE Security Czar General Habiger. In cases where there are significant weaknesses identified, a rapid follow-up review by the independent oversight team is scheduled. We have done such follow-up reviews at a number of our facilities over the past year. These follow-up reviews provide me and other senior Department officials with clear evidence that those sites are, in fact, making rapid progress to remedy the identified cyber security problems. In April of this year, the DOE independent oversight office conducted a review of the headquarters unclassified cyber security program. This assessment included a programmatic review and testing of controls to prevent or limit access to the headquarters information network against the external threats, such as unauthorized system hackers, and internal threat, for example, Department employees. As you have heard from Mr. Podonsky, the review found that, although unclassified cyber security at headquarters has significantly improved in the past 2 years, there are still significant deficiencies that need to be addressed. In particular, the review found that many program offices within the headquarters have effective cyber security programs. 
However, because all DOE headquarters networks are interconnected, an office with weak security can undermine the otherwise effective processes and controls of the better managed offices. A number of individual headquarters offices were found to have ineffective cyber security programs. Weaknesses identified in the review included the following: A lack of headquarters-wide procedures on configuration management; the absence of consistent policy on external connections, modems and foreign national access; the lack of minimum cyber security requirements for each local area network in the headquarters; lack of a formal process to evaluate performance and self-identify and correct cyber security vulnerabilities; headquarters risk assessments had also not been done rigorously and had not considered the shared risks of the headquarters network. In my assessment, the root cause for most of the reported cyber security problems was the failure to treat the headquarters as an interconnected and interdependent set of systems and networks, that is, an integrated site. This problem started to become apparent earlier this spring when I found that each office in the headquarters had produced separate cyber security plans as required by DOE's new unclassified cyber security policy. The reviews by my office of many of these plans indicated serious weaknesses. These were documented and forwarded back to the individual organizations. In addition, as we began to collect metrics on cyber security implementation, the metrics submitted from some headquarters offices indicated that they had significant weaknesses in their cyber security implementation programs. These findings were shared with the respective headquarters management, and we began evaluating approaches to improve our approach within the headquarters. The findings of the independent oversight review confirmed these earlier indications of problems.
The Office of Independent Oversight has recommended immediate and long-term actions to address the headquarters cyber security issues identified in its review. I support these recommendations. Immediate actions include designating a single focal point for headquarters cyber security as well as establishing appropriate processes and procedures across the headquarters. Longer-term actions include taking steps to improve the efficiency of cyber security programs by adopting best security practices and a more proactive risk management program. Steps that are being taken to address the recommendations made by the Office of Independent Oversight are as follows: On June 8, the Deputy Secretary directed the Office of the CIO to serve as central cyber security authority for all computers and networks within the Department of Energy headquarters site, and I have submitted that memorandum as a part of the testimony. This action is the necessary and important first step to begin to manage headquarters as a single entity and to institute consistent site-wide approaches for securing our computers and networks. Specifically, the CIO operations organization, headed by Mr. Patrick Hargett who has joined me, which currently provides computer and networking support to a number of headquarters organizations, including the Office of the Secretary, the CIO, Security and Emergency Operations, Management and Administration, the Chief Financial Officer and a number of other offices, will assume responsibility for all cyber security policies, processes and procedures for the entire headquarters site. These policies, processes and procedures will be coordinated through a headquarters cyber security working group that my office will form. Each headquarters office will also be represented on this working group and will be an integral part of the cyber security forum.
In addition, my office, as the central cyber security authority for headquarters, will undertake the following efforts: develop, implement and enforce formal network connection policies; develop, manage, operate and enforce an integrated security configuration management process; develop, manage and implement a security self-assessment process for headquarters offices; and centrally manage the security of headquarters, the network perimeter, including all firewalls and be responsible for performing intrusion detection, vulnerability scanning and auditing on the headquarters information technology infrastructure. I have made a commitment to the Secretary that we will implement fixes to the significant vulnerabilities identified in the independent oversight review of the headquarters within 60 days. Consistent with our practices when we find a site that has significant weaknesses, I have asked the Office of Independent Oversight to reassess the headquarters in early fall to verify that we have resolved the serious weaknesses that were identified in the April review. The Secretary has requested regular updates on progress to close the headquarters vulnerabilities. In summary, the cyber security program in the Department of Energy in June 2000 bears little resemblance to the program in place just a year ago. We have put updated cyber security policies in effect, our security training has improved the effectiveness of our system administrators and informed our management of upgraded cyber security threats, each site has upgraded its security controls and has improvement plans to be executed as resources are available, and a review and follow-up process using the Secretary's independent oversight function permits the Department to objectively assess our status. Although we have made great progress, there is room for improvements. Clearly, the review of the headquarters shows that we have significant weaknesses that require immediate attention.
Moreover, the Department believes that the headquarters must set the standard for the rest of the Department on how it implements security of its cyber systems. The Secretary and I are fully committed to ensuring that the headquarters is a model for the rest of the Department. Beyond fixing the clear weaknesses, the Department is moving to strengthen security in a number of areas. Current focus areas for improvement are eliminating the use of clear text reusable passwords, implementing consistent security architectures at each site, using automated tools to review firewall and intrusion detection logs to identify and then automatically block access from Internet sites that are attacking DOE sites, and automated distribution of software patches to make the process of patching vulnerabilities more rapid and reliable. We know that there is no silver bullet fix for cyber security. Success in this area will take continued focused efforts to deal with the increasing complexity of the threats and the rapid evolution of technology. Successes will also take resources. I note that as a part of the Department's fiscal year 2000 Budget Amendment request, we asked for additional funding to address our pressing security needs for our unclassified computers, but, as General Habiger noted, we were only appropriated a small portion of what was requested. While many of the issues identified in the review of the headquarters and other DOE sites are not the result of lack of funding, accelerating implementation of protection mechanisms does take additional resources. We look forward to continuing to work with the Congress to fund our important cyber security programs, and we commit to providing you continued visibility on our progress. Thank you.

[The prepared statement of John M. Gilligan follows:]

Prepared Statement of John M. Gilligan, Chief Information Officer, U.S. Department of Energy

Introduction

Thank you Mr.
Chairman and distinguished members of the Committee for the opportunity to appear before you today. My testimony will focus on actions we have taken across the Department to improve the level of cyber security protection in our systems and networks. I will also discuss the cyber security weaknesses that have been identified in the Headquarters during the recent review by the Department's Independent Oversight organizations, as well as our efforts to remedy these identified weaknesses. I am pleased to say that the state of cyber security at the Department of Energy (DOE) is far better today than it was a year ago. A year ago, there was clear evidence that the Department's cyber security efforts, in particular for our unclassified computer systems, had not kept pace with the rapid proliferation of network connections and increasing threats. Our policies were outdated, cyber security compromises at some sites led to significant work disruptions, and we did not have awareness of cyber security threats or adequate training of our workforce to deal with these threats. These concerns were reported in congressional hearings and other forums. This was a painful wake-up call for the Department, but a necessary one. During the past year, each DOE organization has focused on improving awareness of cyber security threats and installing improved security controls. I have seen enormous progress in how unclassified information is protected and a significant increase in awareness of cyber security issues at all levels within the Department. While we have worked this issue aggressively, cyber security is not a quick fix and more needs to be done. However, the security protection in the Department is improving rapidly, and I appreciate the opportunity to discuss our progress. Since the spring of 1999, the Secretary of Energy and I have emphasized a Department-wide focus on cyber security. 
The initial focus was on our Defense laboratories and production facilities with aggressive programs to upgrade and verify fixes at these facilities last summer and fall. This focus has subsequently been extended to all DOE sites. Over this period, the Department completely restructured its cyber security program. Actions taken include the following:

Creating a single, Department-wide Cyber Security Office under me as the Department's Chief Information Officer.

Requiring work ``stand downs'' at all sites to conduct security awareness training.

Developing and issuing four new cyber security policies and two new cyber security guidelines.

Instituting a set of cyber security metrics which permit us to evaluate progress at each site.

Doubling the size and increasing the role of the central DOE security incident and early warning capability, our Computer Incident Advisory Capability (CIAC) located at Lawrence Livermore Laboratory.

Having each DOE site develop a detailed, site-specific cyber security plan describing the implementation of cyber security protection at the site.

Deploying a cyber security training program Department-wide to improve the security skills of our Systems Administrators and a separate training course provided to line managers.

Finally, each site has significantly upgraded its protection through the use of firewalls and intrusion detection software, stronger passwords, improved system configuration controls, and reconfiguration of system and network connectivity to reduce vulnerabilities.

In addition, the Secretary created a proactive independent security assessment organization, the Office of Independent Oversight and Performance Evaluation, reporting directly to him to provide an independent review of security throughout the complex. For the past year, this Independent Oversight office has been conducting thorough reviews of cyber security effectiveness at DOE sites. As CIO, I am a key customer of the products of independent oversight reviews.
I rely on these reviews to provide me with an objective assessment of the effectiveness of the cyber security at our sites and the effectiveness of the CIO cyber security policies. In essence, the Independent Oversight reviews provide critical feedback to me on how individual sites are progressing with cyber security upgrades, and my staff often participates in the reviews. Since last summer, the Independent Oversight organization has conducted 13 reviews. In those instances where significant vulnerabilities were identified, my policy staff and I have worked with the site and the line management organization to ensure that there is rapid resolution. Action plans for fixing problems identified in the Independent Oversight Reviews are tracked by the DOE Security Council that is chaired by the DOE Security Czar, General Habiger. In cases where there are significant weaknesses identified, a rapid follow-up review by the Independent Oversight team is scheduled. We have done such follow-up reviews at a number of our facilities over the past year. These follow-up reviews provide me and other senior Department officials with clear evidence that those sites are, in fact, making rapid progress to remedy the identified cyber security problems.

Independent Oversight Review

In April of this year, the DOE Independent Oversight office conducted a review of the Headquarters unclassified cyber security program. The assessment included a programmatic review and testing of controls to prevent or limit access to the Headquarters information network against the external threat (such as unauthorized system, i.e., hackers) and the internal threat (i.e., Department employees). As you have heard from Mr. Podonsky, the review found that, although unclassified cyber security at Headquarters has significantly improved in the past two years, there are significant deficiencies that need to be addressed.
In particular, the review found that many program offices within the Headquarters have effective cyber security programs. However, because all DOE Headquarters networks are interconnected, an office with weak security can undermine the otherwise effective processes and controls of the better-managed offices. A number of individual Headquarters offices were found to have ineffective cyber security programs. Weaknesses identified in the review included the following:

A lack of Headquarters-wide procedures on configuration management;

The absence of consistent policy on external connections, modems, and foreign national access;

The lack of minimum cyber security requirements for each Local Area Network in the Headquarters;

Lack of a formal process to evaluate performance and self-identify and correct cyber security vulnerabilities;

Headquarters risk assessments had not been rigorous and had not considered the shared risk of the Headquarters network.

In my assessment the root cause for most of the reported cyber security problems was the failure to treat the Headquarters as an interconnected and interdependent set of systems and networks that is an integrated ``site''. This problem started to become apparent earlier this spring when I found that each office in the Headquarters had produced separate cyber security plans as required by DOE's new unclassified cyber security policy. The reviews by my office of many of these plans indicated serious weaknesses. These were documented and forwarded back to the individual organizations. In addition, as we began to collect metrics on cyber security implementation, the metrics submitted from some Headquarters offices indicated that they had significant weaknesses in their cyber security programs. These findings were shared with the respective Headquarters management, and we began evaluating approaches to improve our approach within the Headquarters.
The findings of the Independent Oversight review confirmed these earlier indications of problems. The Office of Independent Oversight has recommended immediate and long-term actions to address the headquarters cyber issues identified in its review. I support these recommendations. Immediate actions included designating a single focal point for Headquarters Cyber Security, as well as establishing appropriate processes and procedures across Headquarters. Longer-term actions include taking steps to improve the efficiency of the cyber security program by adopting best practice security practices and a more proactive risk assessment program.

Department Response to Independent Oversight Report

Steps that are being taken to address the recommendations made by the Office of Independent Oversight are as follows. On June 8, 2000, the Deputy Secretary directed the Office of the CIO to serve as the central cyber security authority for all computers and networks within the DOE Headquarters site (see attachment). This action is the necessary and important first step to begin to manage Headquarters as a single entity and to institute consistent site-wide approaches for securing our computers and networks. Specifically, the CIO Operations Organization, which currently provides computer and networking support to a number of Headquarters organizations including the Office of the Secretary, the CIO, Security and Emergency Operations, Management and Administration, the CFO and a number of other offices, will assume responsibility for all cyber security policies, processes, and procedures for the entire Headquarters site. These policies, processes and procedures will be coordinated through a Headquarters Cyber Security Working Group that my office will form. Each Headquarters office will be represented on this Working Group and will be an integral part of this cyber security forum.
In addition, my office, as the central cyber security authority for the Headquarters, will undertake the following efforts:

Develop, implement and enforce formal network connection policies;
Develop, manage, enforce and operate an integrated security configuration management process;
Develop, manage and implement a security self-assessment process for Headquarters offices; and
Centrally manage the security of the Headquarters network perimeter, including all firewalls, and be responsible for performing intrusion detection, vulnerability scanning and auditing on the Headquarters IT infrastructure.

I have made a commitment to the Secretary that we will implement fixes to the significant vulnerabilities identified in the Independent Oversight review of the Headquarters within sixty days. Consistent with our practices when we find a site that has significant weaknesses, I have asked the Office of Independent Oversight to reassess the Headquarters in early fall to verify that we have resolved the serious weaknesses that were identified in the April review. The Secretary has requested regular updates on progress to close the Headquarters vulnerabilities.

Conclusion

In summary, the cyber security program in the Department of Energy in June of 2000 bears little resemblance to the program in place just a year ago. We have put updated cyber security policies in effect; our security training has improved the effectiveness of our system administrators and informed our management of upgraded cyber security threats; each site has upgraded its security controls and has improvement plans to be executed as resources are available; and a review and follow-up process using the Secretary's Independent Oversight function permits the Department to objectively assess our status. Although we have made great progress, there is room for improvement. Clearly, the review of the Headquarters shows that we have significant weaknesses that require immediate attention.
Moreover, the Department believes that the Headquarters must set the standard for the rest of the Department on how it implements security of cyber systems. The Secretary and I are fully committed to ensuring that the Headquarters is a model for the rest of the Department. Beyond fixing the clear weaknesses, the Department is moving to strengthen security in a number of areas. Current focus areas for improvement are eliminating the use of clear-text reusable passwords, implementing consistent security architectures at each site, using automated tools to review firewall and intrusion detection logs to identify and then automatically block access from internet sites that are attacking DOE sites, and automated distribution of software patches to make the process of patching vulnerabilities more rapid and reliable. We know that there is no silver bullet fix for cyber security. Success in this area will take continued and focused effort to deal with the increasing complexity of the threats and the rapid evolution of technology. Success will also take resources. I note that as a part of the Department's FY 2000 Supplemental request, we asked for additional funding to address our pressing security needs for our unclassified computers, but as General Habiger noted, we were only appropriated a small portion of what we requested. While many of the issues identified in the review of the Headquarters and other DOE sites are not the result of lack of funding, accelerating implementation of protection mechanisms does take additional resources. We look forward to continuing to work with Congress to fund our important cyber security programs and we commit to providing you continued visibility on our progress. Thank you.

Mr. Upton. Thank you. I would just note that the House was in session and voting until nearly midnight last night.
We also have a number of subcommittees that are also meeting at this time, and by unanimous consent I will ask that all members of the subcommittee will have an opportunity to enter their opening statement into the record. You will see a number of members coming in and out. We're going into session, I know, at 10. I don't expect votes for a while as we complete yet another long day today on the Labor, HHS appropriation bill.

General Habiger, I know that you're prepared for some of the questions that we're going to have in light of the opening statement by Mr. Bliley, Mr. Stupak and myself with regard to the missing disks and the hard drives; and I happen to find it, as I read the morning papers this morning, fairly incredulous that it appears as though these disks have been missing for a number of weeks. Only 86 individuals had access to these disks, in fact; and, of those 86, only I believe 26 were allowed to have unescorted access to the disks.

A number of members of this subcommittee traveled to look at all the labs earlier this year. We visited extensively, I thought, Los Alamos. We had a number of meetings with your staff and others before we came, terrific staff support as well. Could you describe the vault? And I don't know that we visited this particular vault where these were taken. At Los Alamos, the vault we did visit, we went through this long drive through these almost mountain passes and went through security that was very well armed and photo ID. I mean, it was extensive to get in. In fact, I think it took us about 20 minutes to actually get into the vault because of the security. We probably spent more time going through the security to get into the vault than we actually spent in the vault. And I don't know whether that was the vault--you know the groundwork much better because you have been there, I'm sure, a number of times. Is that the vault, the one that actually goes into almost into the mountain where these two disks were taken?

Mr. Habiger.
No, sir. The vault in question is in the main building, technical area three, they call it.

Mr. Upton. Is that where Wen Ho Lee's office is?

Mr. Habiger. Yes, sir. There are three levels of protection before you get into the vault itself. I'd rather not go into the details in open session, but let me tell you that there are extensive security procedures that are in place at each level of in-depth security that would preclude anyone except those that are authorized to be in that area to gain access to the vault. The vault itself serves about--is relatively small, about 10 feet wide and about 20 foot long.

Mr. Upton. Now, as I understand it, these two disks----

Mr. Habiger. Two hard drives.

Mr. Upton. Two hard drives that are missing were, in fact, in a locked bag, is that right, inside the vault?

Mr. Habiger. Yes, sir.

Mr. Upton. And in fact, the bag itself was, in fact, compartmentalized, with locked compartments within the bag; is that right?

Mr. Habiger. Yes, sir.

Mr. Upton. The way that I understand it is, when it was discovered, the empty compartment was, in fact, locked; is that right?

Mr. Habiger. Yes, sir. Let me just back up a little bit and explain the scenario. The fire at Los Alamos began on, as I recall, Thursday, May 4. On the evening of May 7, Sunday, late, nearly midnight, the decision was made to go into the vault by two individuals who are authorized unescorted access into that vault to take the kit--the kit is a kit used by the Nuclear Emergency Search Team, NEST, to rapidly deploy to situations that require some of our Nation's best minds to look at an improvised nuclear device or perhaps a stolen nuclear weapon. These individuals pull on-call duty. We have members of our scientific community at both Los Alamos, Livermore and Pantex on duty, on call 24 hours a day, 365 days a year.
In order to ensure that that capability was still available to respond very rapidly, the decision was made to go into the vault late Sunday night as the fire began to burn out of control. They went into the vault, they inventoried--and you can inventory the hard drives by just feeling them. They're a little bigger than a deck of cards, about two-thirds as wide as a deck of cards. They could not feel the hard drives in the locked container. There are three kits. They were in kit No. 2. They immediately went into kit No. 3 to pull out two hard drives. One's the primary. The second hard drive is the backup. They took the two hard drives, the two containers out of kit three, put it in kit two and immediately evacuated the area and put the kit two with the kit three hard drives in a more secure--by secure I'm talking about safe, out of harm's way in relation to the fire.

They immediately reported to other individuals on the NEST team that they went into the vault, they couldn't find the hard drives to kit two, and, as you recall, on Monday, May 8, the lab was shut down completely because of the life-threatening aspects of the fire. The lab did not come back up until Monday, May 22; and when the labs started back up again on Monday, May 22, it was not all 10,000 people going back to work. It was a gradual buildup of activity. The first things that were looked at were the safety considerations.

I will also tell you that during this entire course of the fire, I was in contact--along with Deputy Secretary Glauthier, we had people on duty 24 hours a day, and the security systems were up and running the entire time. Now there were certain situations where we had to pull guards out of certain areas and put them out of harm's way, but we still had a credible security at all of the facilities there, to include this vault. So the labs started up on Monday, May 22.
On Wednesday, May 24, a full-scale search was begun within the X division and anyplace that the NEST activity could have taken place. We were informed on the evening of June 1 that those hard drives were missing. Ed Curran, the Director of Counter Intelligence, immediately went to the FBI headquarters and informed them. Deputy Secretary Glauthier was in communication with Dr. Browne at the laboratory. On Monday, during a video teleconference with Dr. Browne, it was determined that Dr. Browne indicated that he had intensely searched the facility and could not find the two missing hard drives. At that point, Deputy Secretary Glauthier directed that I, with Ed Curran, go to FBI headquarters, which we did. We met at around noon with senior officials at the Bureau. It was determined that we jointly do an investigation, DOE and the FBI. At 8:30 that night, Monday night, I was in Los Alamos. At 7 o'clock the next morning, we had a sizable number of FBI agents, about 15, 10 DOE personnel; and we started at 7 o'clock Tuesday morning; and we didn't finish up until nearly midnight that night. Our first interviews began that first day. I was recalled--I was actively engaged until this past Saturday. I was asked to come back to testify at this hearing. I came back Sunday, and I plan on going back tomorrow.

Mr. Upton. When you say that there was an intensive search for these disks, was there an intensive search between May 8 and May 22?

Mr. Habiger. No, sir, because the lab was completely shut down. And you had to be there--and I went there--I went there on May 19, as I recall. I flew over the site; and I will tell you, sir, that it was life threatening. There was absolutely no activity except security and fire fighting that went on from that period--essentially from May 7 through May 22.

Mr. Upton. But the individuals that had access to the disks, 26 folks who had unescorted access, they weren't then at the facility, right? They all left?

Mr. Habiger. Yes, sir. Yes, sir.
And there's no indication whatsoever--see, there's a log that is created based upon the entry procedures, again which I'd rather not go into here. A telephone call has to be made. That call is recorded. Passwords have to be given. It's an elaborate process.

Mr. Upton. Right. But was any effort taken with the 26 people that had access to that until the May 22? I mean, what I'm saying is those people weren't there, those 26 people. They went someplace where it was safe. You knew that the disks were missing since May 8. The lab was closed from May 8 to May 22. Those individuals who had access and actually could have perhaps retrieved or taken those disks went someplace where it was safe. Was any effort taken by the Los Alamos security folks to, in fact, interview any of those 26 people during the fire?

Mr. Habiger. No, sir. The total focus during that period was the--saving the laboratory from destruction from the fire.

Mr. Upton. But we knew that disks were missing before the fire took place.

Mr. Habiger. Sir, there were a relatively small number of individuals that knew that. You will have to talk to lab personnel--and, again, we are trying to determine through a series of interviews, the FBI and Department of Energy--at last count over 90 interviews had been accomplished, interviews that last anywhere from 30 minutes to 3 hours since Tuesday of last week. Those interviews continue as we speak.

Mr. Upton. Are polygraphs being used on those interviews?

Mr. Habiger. They will be beginning tomorrow, yes, sir.

Mr. Upton. Mr. Stupak.

Mr. Stupak. Thank you, Mr. Chairman. General, you speak of kit No. 2 as having the missing hard drives. Is there a kit No. 1?

Mr. Habiger. Yes, sir.

Mr. Stupak. Is that all intact?

Mr. Habiger. Yes, sir.

Mr. Stupak. Okay. So the one we're talking about is kit No. 2?

Mr. Habiger. Absolutely.

Mr. Stupak.
Once you get into the area where the kits are stored, where this NEST kit is stored, aren't the keys to get into these bags just hanging right there on the wall?

Mr. Habiger. Sir, there are two sets of keys. There's a set of keys on the wall, and there's a set of keys attached to the kit.

Mr. Stupak. So once you get to the kit area you can have access to those kits either by taking the keys off the wall or ones on the kit; is that right?

Mr. Habiger. Yes, sir.

Mr. Stupak. And the people who are in there, there are 26 who had to be escorted and about 60 others who did not need to be escorted?

Mr. Habiger. Fifty-seven. Sixty's close enough.

Mr. Stupak. So then when the kit--when it was discovered that kit No. 2 was missing the hard drives and you had the fire, there was no attempt to ascertain from these possibly 56, 57 people and the other 26 people what they did with it during this time?

Mr. Habiger. Sir, the access to the vault is, as I mentioned, very tightly controlled. Anyone who goes into the vault during off-duty hours has to go through this elaborate procedure to get into the vault where it's documented. There is also a log in the vault for those people who are not allowed unescorted access, that they have to sign in. So those 57 individuals, whenever they went in, they'd have to sign in on a log. They couldn't go in by themselves. I went--when I went to the vault, had to sign in on a log, and I was escorted.

Mr. Stupak. And hopefully everyone signed in, but we don't know if everyone signed in. Second, you mentioned off duty. What about regular business hours? Do people sign in all the time then?

Mr. Habiger. Let me back up, sir. Those kinds of questions are being asked now. I have seen the logs. I can't confirm----

Mr. Stupak. They may be asked now, but I guess the part that still puzzles me, why weren't they asked between May 8 and May 24 when the fire got under control? Why did it take almost 2 weeks before anyone started asking the questions?
These 56 people or 26 people weren't out fighting the fire, were they? Certainly you had access to them. They could have asked these questions. I would think on May 8 when you're missing the kits, two hard drives from these computers, there'd be some concern and start asking questions. While you have the fire, I'm sure you're not out there fighting the fire. I'm sure someone would have at least started some investigation instead of waiting until June 1 to notify the FBI that everyone's returned, we still can't find these things. I guess that is the laissez-faire attitude that I really have problems with.

Mr. Habiger. Well, sir, these kinds of questions that you're asking are good questions. And as a result of the investigation, which, by the way, is a criminal investigation at this point, we will find the answers to these questions; and we will take the appropriate action. The lab director will take the appropriate action.

Mr. Stupak. In the Washington Post this morning you said, and if I can quote you, the disks and the hard drives missing at Los Alamos were probably misplaced or lost rather than stolen. How did you reach that conclusion?

Mr. Habiger. Sir, I'd rather not go into that in this session.

Mr. Stupak. Well, you know, you talked to the Post about it. That is certainly in open session.

Mr. Habiger. Yes, sir. I will stand by that statement based upon----

Mr. Stupak. Was that the official line or do you have something to back it up? Is the official line that, well, it must be misplaced or lost rather than stolen or do you really have some proof, without getting into it, that they were, in fact, misplaced?

Mr. Habiger. It's my judgment, sir, based upon my exposure over the past week of working nearly 15, 16 hours a day and being an integral part of the process.

Mr. Stupak. Okay. Has anyone yet told you or anyone else that the disks were set down or misplaced and just can't remember where they were?
Do you have any idea who was the last person who had access to this kit No. 2?

Mr. Habiger. Sir, there's no requirement to inventory the disks. As a matter of fact, because of changes in security policies across the entire government, there's very little requirement to inventory classified material.

Mr. Stupak. So if I get in the vault, I take kit No. 2, I don't have to sign out--don't have to sign it out or anything?

Mr. Habiger. No, sir.

Mr. Stupak. So my library book in Menominee is more secure than these disks once I get access, get my hands on it?

Mr. Habiger. Sir, the individuals who have access to those kits are dedicated, loyal Americans.

Mr. Stupak. I don't dispute that, but you can't dispute we have two of them missing.

Mr. Habiger. Yes, sir.

Mr. Stupak. You can't dispute that when they took them out there's no procedure in place to identify even who took them out. Once you get to the magic ring, you take the magic ring and you leave, and there's no check-out of that.

Mr. Habiger. But you have to get to the magic ring.

Mr. Stupak. Right. It sounds like it wasn't too difficult, if you have about 80 or 90----

Mr. Habiger. There are 26 people who had access, uncontrolled access, unescorted access.

Mr. Stupak. Okay--26 unescorted access, and then another 56 or 57 who would have to be escorted. And I guess our concern is, if it's 26 who have unescorted and if they're missing the--May 7 or May 8 and they come back May 24, because they were good people, no one thought it was necessary to check with those 26 what happened in the interim?

Mr. Habiger. No, sir. I think it was a focus on a catastrophic event that was occurring, that many people's lives were at risk.

Mr. Stupak. I don't disagree with that, but do you think it was a mistake not to at least begin an investigation to try to figure out where they were, if someone honestly misplaced them we could get them back here, so you wouldn't be back here answering my questions?

Mr. Habiger.
Sir, that is one of my questions that we'll have answered as a result of our investigation.

Mr. Stupak. General, last May, Secretary Richardson said there was a, ``zero tolerance security policy.'' He said, ``no security infractions are acceptable, and penalties would be strengthened.'' These would include, ``verified unintentional or reckless breaches that create a significant risk of a national security compromise or that displays a wilful disregard for security procedures.'' That was May 11, 1999. Is that policy still in place today?

Mr. Habiger. It certainly is, sir.

Mr. Stupak. Is what happened at Los Alamos with kit No. 2 a security infraction or is it an oversight by a scientist? At a minimum, you would have to agree the information has left its proper secured location, has it not?

Mr. Habiger. Sir, I will tell you that when we find the answer to the question as to who was responsible, I guarantee you that that individual will be dealt with appropriately under the Secretary's very aggressive policy of zero tolerance.

Mr. Stupak. You would agree with me at a minimum right now we have information that has left its proper secured location, it left the vault, that hard drive, kit No. 2, correct?

Mr. Habiger. Yes, sir; and what we're trying to find out is how that happened and where those hard drives are today.

Mr. Stupak. Now in the same area--that is the same place where Wen Ho Lee worked, and he's not been charged with espionage but security breaches involving weapons information, and he's been in solitary confinement in a Federal prison for many months. It appears from the public statements being made by DOE officials that they're already trying to say that this situation is somehow different, someone just lost the information. Is that how a zero tolerance policy is to be enforced?

Mr. Habiger. Congressman Stupak, we don't know. We've been at this for 7 days.
I'd like to think that the aggressive action of both the Federal Bureau of Investigation and Department of Energy will get us some answers soon. Frankly, the polygraphs, being the next step, will allow us to do that.

Mr. Stupak. Sure, I hope we do get to the bottom of it, but I guess it's a little bit like I've been hammering away for the last couple of years. I've been on this subcommittee now for 6 years. There seems to be this attitude or atmosphere at our labs that things happen, you know. And we try to get some answers, and we'll come back and report to Congress. But we really don't see anything changing. When we say in May 1999 there's zero tolerance and we come back to a situation like this--and I don't know how you can say this is any different than May 1999. It should be zero tolerance. Someone lost the information.

Mr. Habiger. Sir, and as soon as we find out who lost the information, who misplaced the information, you can--I can guarantee you that very swift, appropriate action will be taken.

Mr. Stupak. Thank you for the extra time, Mr. Chairman.

Mr. Upton. You're welcome. Mr. Bryant.

Mr. Bryant. Thank you, Mr. Chairman. I apologize to the panel for being late, but we had, as the Chairman said, other commitments. So I haven't had the benefit of hearing all your statements. I have looked through some of the statements. I do, like my colleague from Michigan, both colleagues from Michigan, the Chairman and Mr. Stupak, have concern here. It is much like when your house gets broken into, the police officers come out and say, well, you know, we're going to find out what happened here, and we are going to work long and hard hours to get there, and if we catch them we're going to punish them severely.
Given the nature of what's been missing here, it's not a burglary of a home; and given the nature of the zero tolerance policy and given the nature of the history of who we're talking about here, it is very disappointing to hear those same things: Well, we're going to find out what happened, and we're working hard to do it right now, 16 hours a day, and when we get them we're really going to punish them.

But I think maybe, General, one of things you said struck me, and it may be an example of this attitude that my friend, Mr. Stupak, refers to. I think you start with the presumption, and that's the key word, the presumption that because we've got good dedicated Americans there, there's an answer. Rather than the presumption that there's been a criminal activity, or something very important is missing, and we better really get going here very quickly. I think that's the example, is the investigation, which anybody that knows, any basic investigatory techniques knows you don't wait 3 weeks to start an investigation after a crime such as this occurs. You get right on it. And I realize there were exigent circumstances involved here, but it just seems to me to have delayed the actual investigation questioning of all those people that had access to this room should not have occurred. I don't know that it was necessary at your level that this occurred, this decision was made, but at some level of security at Los Alamos, that that decision was made that, it's probably, ``somebody's got it home or using it at home or something like that,'' and that may not have been proper, but the presumption, or the assumption, was there's a good reason out there. Somebody's got it, rather than it could have been taken--it could have been stolen. Somebody could have taken it out, had access. Again, I think it's the mindset that because these people are good, dedicated Americans who work hard out there, that somebody could not commit a criminal act.
Therefore some 2 to 3 weeks we had a delay in the investigation which, if somebody has wrongfully taken it out, it could be no telling where now. We might get that person eventually, and punish them, but this country has lost something very important.

Let me go back if I could, Mr. Podonsky, to questions. In your report, you recommend that the department consider mandating a standdown at all external Web service until significant vulnerabilities are identified or clarified during the inspection that occurred during your inspection and a correction is made to these. Why did you recommend this standdown, and has that been done by the Department of Energy?

Mr. Podonsky. First of all, we put that recommendation in what we call our opportunities for improvement as the feedback loop to provide the office that we're inspecting, or the Office of Responsibility, to consider that which would be John Gilligan's office. In Mr. Gilligan's corrective actions plan, it does not appear that they are planning to do a standdown. They have other solutions that they have in mind to address the issue that we have identified. We recommended the standdown, getting to the first point of your question, because we felt that until they can do their risk assessment, we would not know what vulnerabilities existed.

Mr. Bryant. But you have made recommendations in the report, I'm looking here at a question that says--this is kind of skipping on down--six further cyber security enhancements were announced in May 1999 by the Secretary, that they were transferred informally to the management and may have resulted in confusion and lack of implementation. What does that mean to you? What do you know about that?

Mr. Podonsky. Well, the six further enhancements, there was a nine-point plan, the TriLab nine-point plan from the results of last spring. In addition to the nine-point plan, there were six enhancements that the Secretary put out. Those enhancements were not put out as a policy.
They were put out in memorandum form. We took that from an inspection standpoint to mean that they should be followed and should be further memorialized into policy. Mr. Gilligan's office, during last summer, was looking into that and memorializing those things. We felt that the same thing we were doing in looking at it out at the sites and field should be applicable at the headquarters as well.

Mr. Bryant. There was an issue also about Web pages, some of the Web pages being inside the security wall and some being outside. Are you familiar with that issue?

Mr. Podonsky. Yes. I am. Let me ask my office director for cyber security to address that.

Mr. Peterson. That also really relates to your first question on the standdown--that relates to your first question on the standdown. The recommendation was to standdown the headquarters' Web servers located out of what's referred to as the DMZ or the screen subnet. Those we found to have significant vulnerabilities that could either result in a Web defacement or somebody taking over those systems and using them to illicitly attack another Internet entity, and our recommendation was then to do a standdown. We thought it would take a day or two to fix those and then put them back on line securely.

Mr. Bryant. What is the date of your report that recommends the standdown? When did you recommend that?

Mr. Peterson. Our initial draft report went out the last week in April.

Mr. Bryant. Let me go over to Mr. Gilligan. Could you respond to some of these issues, especially some of the recommendations, the implementation of the policy from DOE on those six additional points? Could you just respond in general to those?

Mr. Gilligan. Yes, sir, I would be happy to do that. First let me address the Web pages. As the report accurately points out, we have a subset of the Web pages that are supported by headquarters organizations that are in the highly protected enclave we call a screen subnetwork. They've been there for the past year.
Those are viewed as being very secure. There is another set of Web pages that are supported by individual organizations. They are managed by those individual organizations and some of them were found to have significant weaknesses. The recommendation of the independent oversight organization was that a rapid remedy was to standdown, that is, take the Web pages off the Internet and to fix them, that is, fix them individually. The recommendation that I provided to the Deputy Secretary and the Secretary was not to continue to manage these as separate entities, but to move all of the Web pages within the headquarters into this protected area, the screen subnetwork that was found by the independent oversight penetration team to be extremely well protected.

Mr. Bryant. Has that been done?

Mr. Gilligan. That is in the process of being done at present that consists of moving the software, moving, in some cases, the physical computers into the screen subnetwork in order to ensure they are adequately protected. My judgment was that the standdown was not an immediate action. It was warranted because the vulnerability that exists within the headquarters as a result of these Web pages is relatively minor. The threat to the headquarters is that these Web pages could be defaced, which is an embarrassment. There is no loss of operational ability as a result of a Web page not operating. The other potential vulnerability is that a Web page, or any computer, could be used as a platform for attacking other sites, and in this case, attacking sites outside the Department of Energy, because the Department of Energy's computers are well protected from our Web sites, that is, there is no trust relationship. So we made the decision to rapidly move these Web pages into the screen subnetwork in order to provide the security that I felt was a better solution.

Addressing the second issue which you raised, which was the six further enhancements.
The six further enhancements were published by the Secretary with something I contributed to last summer. We have, in fact, embodied those six further enhancements in our policies. The recommendation of the Independent Oversight Group was that perhaps additional policy is needed in order to ensure that all sites clearly understand what is to be implemented in these six further enhancements. The six further enhancements discuss things like providing configuration control of all computers, providing scanning of the networks, reviewing audit logs and conducting regular audits. All of those requirements are, in fact, codified in our policies. It is the view of my office that rather than change and add to the policies, what we need is guidelines, that is, how to implement the policies on these six further enhancements, again, that are covered in our policies so that there is no ambiguity and we are moving forward to implement that.

Mr. Bryant. Mr. Chairman, my time is finished. Before I conclude my statement, I would like to ask unanimous consent to add a White House release with regards to the memorandum from the heads of executive departments and agencies and the subject is action by Federal agencies to safeguard against Internet attacks. It's dated March 3, 2000.

Mr. Upton. Without objection.

[The memo appears on pg. 46.]

Mr. Upton. The Chair would note that we have two votes on the floor, and I will ask Ms. DeGette whether she would prefer now using 5 minutes or come back after the two votes.

Ms. DeGette. Mr. Chairman, I might as well ask my questions now. We still have over 10 minutes. Thank you. Thank you, Mr. Chairman. General, I would like to follow up on some questions Mr. Stupak was asking you.
I guess we're all glad that you're investigating the situation, but given the fact that you discovered the disks missing on May 7, and no one was really told until May 22, and now there's an investigation, I guess I'm wondering what is your timeframe at this point for completing the work you're doing?

Mr. Habiger. Let me back up, if I may, and tell you--and this relates to Congressman Bryant's question about the timelines between the evening of May 7 when the hard drives were discovered missing, and the evening of June 1 when I was notified--or we were notified at DOE headquarters. That is not a good scenario. Someone should have informed us much earlier on in the process.

Ms. DeGette. I agree, like maybe May 7 or early on May 8, but that's not my question.

Mr. Habiger. I want you to know here you had a situation where you had the lab on the verge of burning down.

Ms. DeGette. Sir, I understand. I understand what your explanation is for why there was no notification, but my question is, what is your timeframe now for completing the work that you are doing to figure out what happened and how to avoid it in the future?

Mr. Habiger. At this point, the FBI is now in the lead for the investigation.

Ms. DeGette. We're glad about that, too, but what is their timeframe?

Mr. Habiger. Ma'am, I was called back to take part in this hearing. They begin polygraph examinations beginning tomorrow. They are moving very, very aggressively. I cannot give you an end date.

Ms. DeGette. Mr. Chairman, I would just make a request that this committee would consider another oversight hearing in 30 days just to examine the progress. This is such a serious national issue, I think that we should keep monitoring.

Mr. Upton. You're right.

Ms. DeGette. Thank you, Mr. Chairman. Let me ask you a few more questions. I understand the fire was there when these drives were discovered missing. Where were the kit 2 and the kit 3 hard drives stored during the fire? Where were those stored?

Mr. Habiger.
They were stored in another technical area in a very secure vault.

Ms. DeGette. At the Los Alamos site?

Mr. Habiger. Yes.

Ms. DeGette. And out of risk of fire?

Mr. Habiger. Yes, ma'am.

Ms. DeGette. You had said that it was chaotic because of the fire, and that's why your office wasn't informed. Was the lab director informed at that time?

Mr. Habiger. No, ma'am. I cannot--I've got some information third-hand, but I don't think Dr. Browne was informed until toward the end of the period, the very end of the period.

Ms. DeGette. Until close to May 22 or June 1?

Mr. Habiger. After that, just a few days before June 1.

Ms. DeGette. Do you have any sense why that happened?

Mr. Habiger. No, ma'am. I would defer to Dr. Browne.

Ms. DeGette. Was Mr. Curran--DOE's counterintelligence specialist--informed?

Mr. Habiger. No, ma'am.

Ms. DeGette. Who, if anyone, was informed?

Mr. Habiger. On the evening of June 1 is when we first discovered that there was a problem.

Ms. DeGette. To your knowledge, between May 7 and June 1, no one higher up was informed?

Mr. Habiger. That's absolutely correct.

Ms. DeGette. Is what you were investigating why that happened?

Mr. Habiger. The primary concern is to get this classified data back.

Ms. DeGette. I would agree, but in my experience, when you've got classified data in the form of disks and it's gone from May 7 until June 1, it's going to make the job of getting that data back much more difficult. Would you not agree?

Mr. Habiger. I couldn't agree more.

Ms. DeGette. So therefore, it would seem to me that a second, and almost equally high priority would be trying to determine why the gap, the almost month--the 3-week gap, occurred because in the future, if you have gaps like this, it would make it virtually impossible to get data back, correct?

Mr. Habiger. I would put the priorities getting the information back, finding out who was responsible for that data, or those hard drives being put in a place where they shouldn't have been.
And then the third priority is your area that you're getting into now.

Ms. DeGette. General, there is a clear protocol in place that required contractors like the University of California and program offices to inform your office immediately when this type of classified information is missing, correct?

Mr. Habiger. Within 8 hours.

Ms. DeGette. Within 8 hours. And have you ever been informed of these kinds of breaches in the past?

Mr. Habiger. Yes.

Ms. DeGette. Was it done within 8 hours?

Mr. Habiger. Yes.

Ms. DeGette. Do you think this is just a one-shot situation or do you think there is a bigger problem?

Mr. Habiger. At this point I don't know because the focus, as I said, has been where are the hard drives, who is responsible. The process will take its turn and we'll take the appropriate action. The lab director will take the appropriate action.

Ms. DeGette. Mr. Podonsky, do you have any views on that issue?

Mr. Podonsky. We have not been involved in this investigation, so to answer the question, we have no--we don't have any more information than what you've heard this morning.

Ms. DeGette. Now, we've heard that Mr. Curran has told the press that there's no evidence that this is espionage, and someone else said the disks are just lost. Do we have any evidence that this is not espionage or theft for money?

Mr. Habiger. Ma'am, before you came in, I covered that in a very generic sense, and this is not the forum to get into it, but looking at what we know at this point, it does not appear, as Mr. Curran pointed out, to be espionage.

Ms. DeGette. I assume you would want to treat this as a potential case of espionage.

Mr. Habiger. That's correct. I'm not speaking for the Federal Bureau of Investigation, but that's how the case would be characterized by them.

Ms. DeGette. Thank you. Thank you, Mr. Chairman.

Mr. Upton. The Chair would note there are at least two votes on the House floor. We'll recess until 10:50.

[Brief recess.]

Mr. Upton.
We do not expect votes for an hour or 2, so we'll be done by then, I hope. Mr. Burr is recognized for questions.

Mr. Burr. Thank you, Mr. Chairman. General, welcome again.

Mr. Habiger. Good to see you again, sir.

Mr. Burr. Glenn, we always welcome you back. I'm hopeful there's a point where maybe we're not sending you out to do evaluations, that, in fact, we're confident on the process that we've got. Clearly with the news cycle in the last 24 hours, there are some questions that I've got to ask about that probably would be better directed at the General. And I'll try to get refocused back on the DOE headquarters issue. General, it's been stated that there was a date that they knew that these drives still existed in a secure vault. Was that April 7?

Mr. Habiger. On April 7, sir, there was an inventory by members of the team, the NEST team, in which the individual who conducted the inventory has indicated that he saw the disk. Another inventory was conducted on April 27, and the individual at that time, a different individual, didn't actually see the disks. His statement was along the lines, if the disks were not there, it would have created a very aggressive reaction. So he remembers doing the inventory, but he doesn't remember actually seeing the disks.

Mr. Burr. Without getting into specifics about what were on these disks, we know they were related to NEST scenarios. Is there any reason to believe that an individual at the facility would have needed access to that particular disk for purposes of something they were working on?

Mr. Habiger. From the information I've been exposed to in a relatively short period of time, those disks were taken out from time to time to be updated with more current information, and they were taken out by certified people for training purposes.

Mr. Burr. When I was at Los Alamos, we didn't visit that particular vault. We did do several vaults.
We also did a reference room or library room and the security was extremely tight, even for us to enter. And we walked through their scenario of if an individual--if a scientist at the facility wanted to take out that information, what's the process they would go through? There was one person in that room whose responsibility it was to account for everything. Things checked out, to make sure they were checked back in. I'm sure there was additional security to make sure it didn't go offsite. My question would be, what was the process in this particular vault when an individual took something out and then replaced it. Is there a record that we can go back to?

Mr. Habiger. No, sir, there's not.

Mr. Burr. Can you explain to me why for the reference room, the library room that was frequently used, that we would have a process that followed the movement of these papers, but why there wouldn't be a process that followed the movement of hard drives?

Mr. Habiger. My observation goes along these lines. The vault you're talking about, you're talking about virtually thousands of people who have access, and the vault I'm talking about, the people who had unescorted access to these kits was less than 30.

Mr. Burr. Does it not--in hindsight, I'm not asking you to put yourself before it--in hindsight, does it seem like a reasonable recommendation that we track who removes that type of sensitive information and when, and potentially when they return it?

Mr. Habiger. Yes, sir. This is one of the many things that we are looking at to change as a result of this particular incident.

Mr. Burr. Is it the responsibility of DOE officials at Los Alamos or the University of California officials?

Mr. Habiger. University of California.

Mr. Burr. To account for all the items?

Mr. Habiger. Yes, sir.

Mr. Burr. Let's go back to this period of delay, and we all followed the fire. Should we be worried that there was a security breakdown during this fire episode at Los Alamos?

Mr. Habiger.
I talked on a regular basis to the director of security at Los Alamos during the fire. All security systems were up. Some compensatory measures had to be taken in a couple of areas which I was fully in agreement with.

Mr. Burr. If I understand it, correct me if I'm wrong, this vault facility is in the main building?

Mr. Habiger. Yes, sir.

Mr. Burr. I guess close to where that library reference room was?

Mr. Habiger. Yes, sir.

Mr. Burr. Just simply because of the work space, and that was not a building that was left unsecured at any time.

Mr. Habiger. At any time, no, sir.

Mr. Burr. Was it ever a building that was evacuated of the people? I remember it being so far away from the forest.

Mr. Habiger. During the fire, there was no one in that building, but the security systems were all up and running. Inside that vault, Congressman Burr, were sensors, motion sensors, infrared sensors that had to be turned off before anyone had access to the vault.

Mr. Burr. Clearly, there was no indication of a security breach that happened?

Mr. Habiger. No, sir.

Mr. Burr. Let's go to this delay in notification. What is the explanation that the University of California supplied DOE on why they waited so long to tell DOE officials?

Mr. Habiger. We have not gone down that path. As I indicated, I think, just before you came in, I was not pleased with the length of time that it took before I was notified, before my office was notified, which was on the evening of June 1. During my almost week's stay at Los Alamos, we were focused on three major considerations, the first being where are the disks, and who is accountable for the disks not being where they are supposed to? As we go down the path and we have a very structured inquiry process, part of that process is to come up with explanations for the kinds of things that you are identifying now.

Mr. Burr. I don't want to seem too simplistic, but I put myself in charge of the Los Alamos lab.
I envision being in a situation where there's a month's delay before I notify the Department of Energy that high level security hard drives are missing, and I envision the first question that I'm asked, why did it take you so long to inform us? I would take for granted that question was asked. If there wasn't an answer, that's fine, but clearly I think that--we have reason to be concerned because the last time we saw a delay like this was whether we sold a computer to an exporter of Chinese relationship and, you know, when we got through the whole process, we learned that the delay in notification, especially of us, was in hopes that they would retrieve it before anybody found out about it. Is this one of those situations where there was a hope by officials at the University of California and at Los Alamos that they would find the disk and not have to report it?

Mr. Habiger. I don't want to put words into Dr. Browne's mouth, but my observation is that scenario that you're just describing.

Mr. Burr. Let me--I thank you for that. I do. I don't think it's any member's intent that we are going to solve this case today, but we appreciate your willingness to let us explore some of the questions. Mr. Chairman, do I have time to go into some of the headquarters' questions?

Mr. Upton. Can we go another round and you can do that?

Mr. Burr. I would be happy to do that.

Mr. Upton. Mrs. Wilson.

Mrs. Wilson. Thank you, Mr. Chairman. Again, I appreciate your willingness to let me ask some questions here today. As I said in my opening statement, I don't intend to go into some of the details of the most recent incident in Los Alamos, because the questions that I want to ask are very specific, and I don't think that the answers would be appropriate in an open forum. But I think we have summarized pretty clearly what the questions are from this committee's point of view and from my point of view. What happened to those hard drives?
Is there a compromise to America's national security? Who is accountable for it? And how are we going to make the systemic changes needed to make sure it doesn't happen again? And did the notification procedure work? As I understand it, John Browne, the director of the lab, didn't even know they had a problem until May 31, which is the day before he informed you, which means there's a problem lower down within the lab on processes of notification. I understand completely that an investigation could not have been done fully until after the fires were under control, and I think all of us in this room understand that, that you can't do the arson investigation until the fire is out. At the same time that doesn't preclude prompt notification that we may have a problem, and I think those are all legitimate questions we're going to be seeking answers to.

I'd like to focus on a couple of other things from your testimony in the time that I have available. First, this question of funding for cyber security at the Department of Energy. I note from the testimony, particularly General Habiger, yours, concerning the need for supplemental funds. I went back and checked my records, because this was an important issue for me. According to my records for fiscal year 2000, the supplemental requested by the administration--now, you may have asked for more money from the Office of Management and Budget, but it may not have gotten approved--because the administration requested $4 million for cyber security from the Congress. I thought that was way too low, and so several of us from this Congress met quietly with folks who know a little about cyber security and the problems at the nuclear weapons labs, and they confirmed that that was way too low. I made a request of the Appropriations Committee in the Congress for $90 million in supplemental funds for cyber security for the Department of Energy, and the House approved $45 million for cyber security.
That's currently sitting over in the Senate, and pieces of it may be pulled out and added on to one of the bills that we're about to work on in the next couple of weeks here. I guess what I want to know is, what are you talking about with $35 million? Is that what you asked OMB for and are you now going to continue to support the administration's $4 million request? Are you going to support what the House put into the bill, which is $45 for cyber security immediately?

Mr. Habiger. We're talking about fiscal year 2000 amendment----

Mrs. Wilson. Current fiscal year, yes.

Mr. Habiger. We submitted a request for $65 million for security in the Department of Energy in that supplemental, $65 million. We received $10 million of that $65 million. Thirty-five million of that was for cyber security. The $10 million that we got was not directed toward cyber security. I personally directed that $7 million of that $10 million be dedicated to cyber security. That is what, as I understand it, Congresswoman Wilson, came over on July 13 of last year.

Mrs. Wilson. July 13, 1999?

Mr. Habiger. Yes, ma'am.

Mrs. Wilson. You're talking about 1999 money, not 2000 money?

Mr. Habiger. Supplemental 19--an amendment for fiscal year 2000 that was submitted on July 13.

Mrs. Wilson. Gentlemen, without meaning any disrespect, I think you may want to go back and talk to your budgeters about which years we are talking about, and which supplementals we are talking about, because there was a supplemental request for cyber security for the current fiscal year, we are in fiscal year 2000, and it was for $4 million from the administration. That was the request. We upped it to 10 times as large.

Mr. Habiger. It was--the fiscal year 2000 we submitted on the July 13, 1999, an amendment.

Mrs. Wilson. You are talking about when the budget was initially passed for the current year. I am now talking about the supplemental that is pending in this House currently.
The administration only asked us--after all of the Cox report, after all of you went out to look at the labs, after we got all of the reports in that said we were way under our estimate of what we're going to need for cyber security--and the administration's request for a supplemental for what we need right now, today, to get moving and get this thing fixed was $4 million. My sense was that was way too low, so we upped it to 10 times that amount, and we're going to vote on it here. What do you want me to vote on? You want me to back off on this and go with the administration at a $4 million supplemental request or do you want me to keep fighting?

Mr. Habiger. I would like you to keep fighting.

Mrs. Wilson. Thank you, sir. With respect to this diagram that we see over here, it has a number of firewalls around the top of it and yet it's got a number of connections at the bottom of it which seem to go to other areas within the Department of Energy and contractor facilities and so forth where they don't appear to be firewalls. Could you talk to me about the vulnerability of the DOE unclassified systems through those other areas?

Mr. Peterson. For the classified systems or for the--I'm sorry, the contractor facilities, what we're specifically talking about there are local contractor support in the Washington, DC area, so a program office would establish a connection with a local supporting contractor. That's not to imply that those go out to the national laboratories or other sites. The other connection that's shown up there for the DOE business net is to 38 different DOE field sites throughout the country. Now, some of those field sites are collocated behind firewalls with other sites. For example, at Oak Ridge, you'd have collocated there Y-12 and Oak Ridge National Lab, but for the Albuquerque field office, there's no connection to Sandia or Los Alamos. So it's going to vary, but specifically, talking about the connections to the DOE Federal facilities.
We have a concern because you're exactly right, there's not a firewall at the headquarters junction where you have these connections, and then they become logically part of your headquarters' internal network. There's no firewalls or security features to prevent access from those remote sites. These--each one of these facilities may have their own firewall. They may have modem connections which then provide pathways into the internal headquarters network, and our concern has been that that risk has not been adequately addressed and considered.

Mrs. Wilson. I ask unanimous consent to ask this one final question. Does that mean that someone can get access to the contractor facility, and then from there get into the DOE unclassified system?

Mr. Peterson. That would be a concern, yes.

Mrs. Wilson. Thank you, Mr. Chairman. I would like to enter into the record the report of dissenting additional views of the Emergency Supplemental Appropriations Act for the year ending September 30, 2000, where it states very clearly that with respect to cyber security, the committee recommendation for cyber security activity is $49 million, an increase of $45 million over the administration's request of $4 million.

Mr. Upton. Without objection. Mr. Green?

Mr. Green. Thank you, Mr. Chairman. I ask unanimous consent to place my statement into the record.

Mr. Upton. Without objection.

Mr. Green. General, you seem to want to tell us that the problems at the headquarters are not the fault of poor ma