Congressional Record: October 17, 2000 (Extensions)
Page E1808
CONFERENCE REPORT ON H.R. 4205, FLOYD D. SPENCE NATIONAL DEFENSE AUTHORIZATION ACT FOR FISCAL YEAR 2001

Speech of HON. BOB RILEY of Alabama in the House of Representatives, Wednesday, October 11, 2000

Mr. RILEY. Mr. Speaker, last year's Defense Appropriations Act (FY 00) contained $10 million for the specific purpose of improving the safeguards for storing classified material held by Department of Defense contractors. It is with deep regret that I must report that the Pentagon refused to release these funds which expired on September 30, 2000. The Assistant Secretary of Defense for Command, Control, Communications and Information, Arthur Money, sent me and a number of other House and Senate members a letter on why the Pentagon chose to ignore the direction of Congress.

Mr. Speaker, beyond the fact that the Clinton/Gore Administration defied the law, their rationale for not complying with a federal security standard is troubling and their basis unfounded.

First, on the issue of cost, DOD claims that upgrading existing security containers controlled by contractors by replacing old vulnerable mechanical locks with electronic locks that meet minimum federal security standards (FFL-2740A) would be cost prohibitive. The referenced report of the Joint Security Commission II cites an industry estimate from five contractors that is based on an inflated retail price of the electronic lock which is popularly called the "X07" or "X08" lock, rather than the wholesale price which would be the price of the lock in this upgrade program. This is not the first time that DOD has overestimated the cost of the program in an effort to resist implementation. In 1993, DOD grossly overestimated the cost of upgrading its own mechanical locks at $500 million, but the internal upgrade only actually cost $59 million. Based on the number of classified containers held by defense contractors, a lock upgrade program would cost between $45 million and $60 million, depending upon how the program was managed.

Secondly, on the issue of threat, Mr. Speaker, the physical security threat to classified materials that exists with these 1950's vintage mechanical locks cannot be overstated. The threat is why the GSA established a federal standard in 1989 that requires locks on secure containers to withstand an attempt of twenty man-hours of surreptitious entry. Currently, an "insider" or foreign agent with readily available technology can determine the combination of a mechanical lock in a matter of minutes. Since this "safe cracking" can be done without detection on a mechanical lock, no one would ever know that an "insider" possessed the combination to access classified information including sensitive computer hard drives, laptops and access codes.

To combat this problem, all new secure containers are fitted with the X08 lock (the only lock that meets the federal standard), but there are still thousands of mechanical lock containers and, worse yet, bar-locked file cabinets that are being used by contractors to protect our nation's classified information. Until all existing secure containers are upgraded with modern electronic locks, gaping security lapses will continue. No perimeter security apparatus involving guns, gates, guards, alarms, check points and other physical security barriers will protect against the "insider" threat to antiquated mechanical locks.

The Defense Intelligence Agency (DIA) has identified 27 foreign intelligence organizations that have the capability to penetrate these old mechanical locks without leaving a visible trace. These espionage organizations would likely use "insider" agents for this purpose. In fact, Mr. Money's view that the "insider" threat is of greater concern than the threat of covert entry to a safe or vault is precisely why the electronic lock upgrade is needed. The X07/X08 lock now possesses features that help ensure accountability and control access. More importantly, the lock also has the capability to be equipped with a time/date stamp feature which would automatically record who entered the safe and when. This audit trail feature is already used with great success by large corporations. By adding this feature to the federal requirements, we add another important counter espionage tool to this virtually impenetrable lock.

I certainly understand the many competing interests that DOD must juggle within a constrained budget, but I cannot accept the Pentagon's view of contractor lock upgrades as being unnecessary, cost prohibitive or without commensurate security benefit. The growing volumes of classified information contained in moveable media (i.e. laptop computers, hard drives, back-up tapes, etc.) that is used by the national security agencies and their contractors, and the need to properly secure this classified material, cannot be pushed aside as a trivial matter.

If the Department of Defense shows leadership in the proper handling of classified material, I'm certain that government and contractor employees will take a more serious attitude toward the proper stewardship of the Nation's secrets. The United States cannot afford another security lapse like the missing NEST hard drives at Los Alamos or the missing laptops at the State Department.