Statement of Gen (ret.) Eugene E. Habiger
Director, Office of Security and Emergency Operations
U.S. Department of Energy
Before the Senate Appropriations Committee
Energy and Water Development Subcommittee
FY 2001 Appropriations Hearings
March 28, 2000
Mr. Chairman and distinguished members of the Committee, thank you for the opportunity to appear before you today to testify on the Department of Energy's FY 2001 budget request for the Office of Security and Emergency Operations (SO).
This past year the Department took unprecedented steps to address major internal security problems and we have made significant progress in fixing those problems. Publication of the Cox and Rudman reports emphasized the urgency for needed change in the way the Department performed its security responsibilities. As the Rudman report correctly concluded, security at the Department had suffered from diffused authority and inattention. The confidence and trust of both the American people and Congress began to fade when enormous negative media coverage brought national attention to security-related incidents at the national laboratories. Combined with DOE's historical track record of security deficiencies, criticism of the Department as an ineffective and incorrigible agency incapable of reforming itself prevailed as public sentiment.
The Secretary directed an abrupt end to this unacceptable situation and in May 1999 announced his Security Reform Package - the most sweeping reform of security programs in the Department's history. This comprehensive plan, which included the creation of the Office of Security and Emergency Operations, gave DOE the tools and authority needed to detect security infractions, correct institutional problems and protect America's nuclear secrets. Of paramount importance was the need to change the security culture at DOE and establish a program to re-energize and restore confidence in the Department's security program.
Fiscal Year 2001 Budget Amendment
Today, I will focus my testimony on the current budget before the Committee. However, before I do that, I feel the need to say a few words about an FY 2001 Budget Amendment that will be submitted to the Congress soon. This amendment will provide the Department, for the first time, with a unified separate budget for its safeguards and security program. It will provide the Department with the funding authority to help strengthen DOE-wide safeguards and security, allow better management of funds, and provide visibility to the Department's commitment to appropriately fund safeguards and security throughout the complex. We believe this action, coupled with the Department's commitment to change the security culture, refocus its commitment to security, and the establishment of the Office of Security and Emergency Operations, will correct institutional problems and ensure that we protect America's nuclear secrets.
Strong security is based on a foundation of clear line-management authority, responsibility and accountability. To implement change, one of the first steps required was to address the control and accountability, or lack thereof, of security activities within the Department. Currently, safeguards and security activities are funded from overhead accounts at the DOE national laboratories and other facilities. There is no single source for reviewing or accounting for the security budget. To remedy this and to strengthen my ability to manage the responsibilities of this office, in August 1999 the Deputy Secretary directed that the DOE FY 2001 budget request include Safeguards and Security as a specifically identified, direct-funded activity within SO, which the pending budget amendment will accomplish.
Fiscal Year 2001 Budget Request
Now, let me turn to the FY 2001 budget request of $340.4 million that is before this Committee today. This request represents an increase of 16.5% over our Fiscal Year 2000 funding level. The majority of this increase funds additional requirements in Cyber Security, Critical Infrastructure Protection and Program Direction. The FY 2000 level of $292.2 million includes an additional $8.0 million supplemental request. This additional $8.0 million identified in FY 2000 is sought to provide adequate staffing for the new Office of Security and Emergency Operations and to support cyber-security improvements.
The Office of Safeguards and Security (OSS) ensures the protection of the Department's Special Nuclear Material, classified information, and facilities against theft, sabotage, espionage and terrorist activity. As part of the Security Reform, we have developed improved security policy and provided assistance to sites in implementing these revised policies. We are modifying current technologies for safeguards and security application and developing new safeguards and security technologies based on identified user needs.
For Fiscal Year 2001, this program's budget request of $60.2 million reflects increases in response to the U.S. policy on counterterrorism, for the initial implementation of nuclear/chemical/biological (NBC) programs across the DOE complex, by providing NBC protection, training and chemical/biological detection equipment. Our Information Security program has expanded its information assurance forensics analysis capabilities to support investigations and prosecutions of unauthorized disclosures of classified information. We have increased our focus on development of physical security technology applications to address vulnerabilities at DOE sites, and on the testing of delay tactics for use around the DOE complex.
Unclassified foreign visits and assignments to Department of Energy national laboratories are vital to ensure that U.S. scientists remain knowledgeable of developments throughout the scientific world. Consequently at the end of last fiscal year, we established a new Office of Foreign Visits and Assignments. This Office has made tremendous strides in implementing the appropriate balance between enabling international scientific exchange while ensuring the protection of national security interests. A number of changes have occurred in the way we manage foreign nationals who visit our facilities. Specific changes include: involving counterintelligence, nonproliferation, export control and security officials at the national laboratories in the review process authorizing visits and assignments from foreign nationals; extending security oversight measures to DOE headquarters and DOE-sponsored off-site visits and assignments; granting the Secretary of Energy sole authority to approve visits and assignments from terrorist-list countries; and removing authority for facility directors to grant waivers of the DOE security requirements. FY 2001 funding will be used to upgrade a centralized tracking system for all foreign visitors or assignees at DOE facilities. It will also be used to enhance education and awareness activities at DOE facilities to ensure that all personnel are fully cognizant of the responsibilities associated with hosting foreign nationals.
The Security Investigations program is requesting $13.0 million in FY 2001. The request funds background investigations for DOE-wide federal employees, headquarters support services, protective force contractors, and miscellaneous non-federal personnel, who, in the performance of their official duties, require a security clearance permitting access to Restricted Data, National Security Information, or Special Nuclear Material. Offsets of $20.0 million will be provided by four other program offices (Defense Programs, Environmental Management, Nuclear Energy, and Science). In FY 2001, the offset program organizations will be severely impacted due to language contained in the National Defense Authorization Act for Fiscal Year 2000 (S.1059, Section 3144). Background investigations on individuals who are employed in certain sensitive positions must now be conducted by the Federal Bureau of Investigation (FBI) rather than the Office of Personnel Management (OPM) at a much higher price. There has been no funding increase to support our field contractor requirements. Without the necessary funding, the Department may need to submit a notification letter to Congress regarding a program funding increase for the third year in a row.
Under the authority granted in Public Laws 105-261 and 106-65, the Office of Nuclear and National Security Information continues its program to review other-agency documents scheduled for declassification under Executive Order 12958, to determine if they contain sensitive nuclear design information, i.e., Restricted Data and Formerly Restricted Data. The office also continues its effort to declassify the Department's own archived documents under the President's Executive Order on classification and declassification. Our responsibility to the American people under these initiatives is twofold: protecting the nation's most sensitive nuclear design information from inadvertent release; and eliminating excessive secrecy through the declassification of documents not warranting protection.
The declassification budget request for FY 2001 is $4.2 million more than our FY 2000 appropriation, representing a 25% increase over the FY 2000 funding level. The majority of this increase is required to implement P.L. 106-65, section 3149, which supplements P.L. 105-261 and requires the Department to audit an additional 450 million pages of documents at the National Archives and Records Administration (NARA) which have already been declassified by other agencies and designated for release by NARA. To date, the Department has audited in excess of 64 million pages of documents under these two statutes and, in the process, has discovered erroneously declassified documents containing Restricted Data and Formerly Restricted Data. To date, the audits have prevented the inadvertent release of significant amounts of sensitive nuclear weapon design information.
Also in support of its program under P.L. 105-261 and P.L. 106-65, the Office of Nuclear and National Security Information conducts Restricted Data/Formerly Restricted Data training courses for other-agency declassification reviewers. These courses are designed to alert other-agency reviewers of the presence of critical nuclear weapon design information which may be embedded in documents earmarked for declassification. We have already trained over 1,000 reviewers; during this fiscal year, over 150 reviewers have attended these training courses. We project an additional 500 reviewers will attend the courses through the end of this fiscal year.
As hundreds of millions of pages of data are reviewed for release throughout government, the Department's program to ensure the appropriate protection of information so vital to the nation's security must be maintained.
Critical Infrastructure Protection
The Department created the Office of Critical Infrastructure Protection to direct DOE's responsibilities under the national mandates of Presidential Decision Directive 63 regarding work with industry to develop and implement a plan to protect against, mitigate, respond to, and recover from attacks that would significantly disrupt the nation's energy infrastructure. The FY 2001 request of $13.0 million supports policy and R&D activities necessary to fulfill these responsibilities.
An important DOE mandate is to assure reliability and security of the energy grid. The nation's energy infrastructures (electric power, oil and gas) are susceptible to threats from natural, accidental, and intentional sources. The threats are directed at both physical and cyber assets of the energy sector. Recent trends toward increasing complexity and interconnectedness of the energy sector serve to increase the potential for significant disruptions to energy supply, if an element of the infrastructure is damaged, destroyed, or otherwise compromised. Because the energy grid is the life blood of our nation's critical infrastructures, such significant disruptions can have major impacts on the economy, human health and safety, and national security. Operating under the guidance of PDD-63, DOE funds activities to address and remedy the energy sector's vulnerability to the increasing diversity of threats.
Focused on the thrust areas of Analysis and Risk Management and Protection and Mitigation Technologies, the critical infrastructure program will result in real-time control mechanisms, integrated multi-sensor and warning systems, and risk management and consequence analysis tools that will help the national energy sector address the physical and cyber threats to, and vulnerability of, the energy infrastructure. DOE also will develop infrastructure interdependence tools to improve the capability to assess the technical, economic and national security implications of cascading energy infrastructure disruptions and to improve the reliability and security of the nation's interdependent energy grid. This program will involve collaboration between DOE and the major stakeholders, including private sector owners of energy elements, other federal agencies involved in critical infrastructure protection, and state and local governments. The capabilities of the national laboratories, academia, and private research organizations will be used to develop and implement the program.
When our office was established in July 1999, a single cyber security organization, under the direction of the Chief Information Officer, was included to address the pervasive lack of attention to our cyber security practices in a world of increased computer hacking and cyber terrorism. The $30.3 million requested for the Cyber Security Program in FY 2001 is an increase of $17.0 million over the FY 2000 request. This increase provides policy and planning, training, technical development, and operations to provide consistent principles and requirements that line management can implement for the protection of classified and unclassified information used or stored on Departmental Information Systems. The policies for the protection of this information will ensure that classified and unclassified information is protected consistently across the various elements of the Department in a cost-effective manner and consistent with the protection of this information in paper form.
A goal of the program is to implement enterprise-wide training to a broad audience of individuals responsible for implementing Cyber Security programs and protection measures. These include, but are not limited to managers, system administrators, Cyber Security professionals, and general users. Training will use commercial and government off-the-shelf materials where available. The FY 2001 request provides for an increase in Computer Incident Response Capability (CIAC at LLNL) from 15 to 25 contractor staff to provide cyber security incident response, analysis of cyber intrusions and attempted intrusions, and warning capability for the Department.
A large portion of the funds will support the Cyber Security Core Architecture engineering and deployment, which will enable the program to implement baseline Cyber Security capabilities at 12 sites. The Public Key Infrastructure (PKI) Initiative started in Fiscal Year 2000 will be enhanced to operate and expand inter-site PKI capability for the protection of unclassified data in transit, as well as limited capability for protection of unclassified data in storage. The PKI Initiative will also provide Departmental infrastructure to support token or biometric authentication.
The program will also provide for Departmental cyber security tools and capabilities to support the establishment of a limited testing capability for commercial off-the-shelf (COTS) cyber security products prior to being deployed in the Department. There is a continuous need to evaluate and potentially modify COTS cyber security products: (1) to ensure that the application of these products does not significantly interfere with primary organizational or computer missions, and (2) to identify weaknesses in COTS products that must be mitigated to ensure a consistent, comprehensive cyber security implementation.
The FY 2001 budget request for the Office of Emergency Operations is $93.6 million. This represents a $5.94 million technical adjustment over the FY 2000 appropriation. This adjustment restores much needed funding for the Radiological/Nuclear Accident Response program.
The Office of Emergency Operations serves as the central organization within the Department of Energy for all emergency functions. To carry out this role, the office employs the necessary command, control and communications capabilities augmented by trained response personnel to ensure the successful resolution of an emergency event affecting Departmental operations and activities. In addition, the office ensures that the Department's seven unique assets (Aerial Measurement System, Atmospheric Release Advisory Capability, Accident Response Group, Federal Radiological Monitoring and Assessment Center, Nuclear Emergency Search Team, Radiological Assistance Program and Radiological Emergency Assistance Center/Training Site) are in place to provide an appropriate response to any DOE facility or nuclear/radiological emergencies within the U.S. or abroad. These capabilities are organized into an integrated set of radiological emergency response assets which provides overall program management and the organizational structure during both emergency and non-emergency conditions for the personnel, equipment, and activities that collectively comprise the program.
For FY 2001, by prioritizing our program efforts, we will continue to improve and expand our capabilities to effectively plan for and respond to an emergency event. For example, we will: increase the number of Department-wide drills and exercises and evaluate our readiness to implement the Department's emergency management system; improve our atmospheric release plume modeling capability; expand the number of sites and technical features of the Emergency Communications Network; and increase our training of emergency management personnel at the Emergency Operations Training Academy.
The Fiscal Year 2001 request for Program Direction of $89.4 million will provide the salaries, benefits, travel, support services, and related expenses associated with overall management, oversight, staffing and administrative support necessary to carry out the Security and Emergency Operations Program. This represents an increase of $7.6 million over the FY 2000 appropriation and requested supplemental. The requested increase in funds would provide additional staff and cover their associated costs (including inflation).
Today, the Department has raised its level of consciousness regarding security activities that led to the deterioration of security awareness and education. We now function in a security environment decidedly different from the one we faced a decade earlier. We cannot directly control or alter the threats to the security interests entrusted to our care. What can be controlled, however, is our ability to plan, train, and respond should these threats ever materialize. The changing security environment and other threats over the past decade have fundamentally altered the Department's security perspective and posture. This is a significant challenge, but one that the Department of Energy must be prepared to meet.
The bottom line is clear... The Department has made significant progress over the past year in standing up a new security organization. We're seeing a change in the culture and an improved level of security awareness. With the support, cooperation and buy-in of other program offices across the DOE complex, the initiatives that the Secretary has put forth are working. Our professionals are committed to serving their country in an environment that produces the very best science within a framework of security that is effective, but not unjustifiably intrusive.