[Senate Hearing 112-219]
[From the U.S. Government Printing Office]
S. Hrg. 112-219
INFORMATION SHARING IN THE ERA
OF WIKILEAKS: BALANCING SECURITY
AND COLLABORATION
=======================================================================
HEARING
before the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
of the
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION
__________
MARCH 10, 2011
__________
Available via the World Wide Web: http://www.fdsys.gov/
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
66-677 WASHINGTON : 2012
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri JOHN ENSIGN, Nevada
JON TESTER, Montana ROB PORTMAN, Ohio
MARK BEGICH, Alaska RAND PAUL, Kentucky
Michael L. Alexander, Staff Director
Christian J. Beckner, Associate Staff Director for Homeland Security
Prevention and Protection
Jeffrey E. Greene, Senior Counsel
Nicholas A. Rossi, Minority Staff Director
Brendan P. Shields, Minority Director of Homeland Security Policy
Luke P. Bellocchi, Minority Counsel
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk and GPO Detailee
Laura W. Kilbride, Hearing Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Lieberman............................................ 1
Senator Collins.............................................. 3
Senator Brown................................................ 14
Prepared statements:
Senator Lieberman............................................ 29
Senator Collins.............................................. 31
WITNESSES
Thursday, March 10, 2011
Hon. Patrick F. Kennedy, Under Secretary for Management, U.S.
Department of State............................................ 4
Teresa M. Takai, Chief Information Officer and Acting Assistant
Secretary for Networks and Information Integration, U.S.
Department of Defense, and Thomas A. Ferguson, Principal Deputy
Under Secretary for Intelligence, U.S. Department of Defense... 7
Corin R. Stone, Intelligence Community Information Sharing
Executive, Office of the Director of National Intelligence..... 9
Kshemendra Paul, Program Manager, Information Sharing
Environment, Office of the Director of National Intelligence... 11
Alphabetical List of Witnesses
Ferguson, Thomas A.:
Testimony.................................................... 7
Joint prepared statement with Teresa Takai................... 44
Kennedy, Hon. Patrick F.:
Testimony.................................................... 4
Prepared statement........................................... 33
Paul, Kshemendra:
Testimony.................................................... 11
Prepared statement........................................... 59
Stone, Corin R.:
Testimony.................................................... 9
Prepared statement........................................... 52
Takai, Teresa M.:
Testimony.................................................... 7
Joint prepared statement with Thomas Ferguson................ 44
APPENDIX
Thomas E. McNamara, Former Program Manager of the Information
Sharing Environment at the Office of the Director of National
Intelligence, prepared statement............................... 68
Markle Task Force on National Security in the Information Age,
prepared statement............................................. 72
Responses to post-hearing questions for the Record from:
Mr. Kennedy.................................................. 81
Ms. Takai and Mr. Ferguson................................... 86
Ms. Stone.................................................... 102
Mr. Paul..................................................... 105
INFORMATION SHARING IN THE ERA
OF WIKILEAKS: BALANCING SECURITY
AND COLLABORATION
----------
THURSDAY, MARCH 10, 2011
U.S. Senate,
Committee on Homeland Security and
Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 3:06 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Collins, and Brown.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. The hearing will come to order. Good
afternoon and thanks for your patience. We just were able to,
Senator Collins and I, vote early. And I want to apologize in
advance. I am going to have to step out for about 15 minutes in
about a half-hour, but I shall return.
In just 6 months and a day, we will mark the 10th
anniversary of the attacks of September 11, 2001, and we will
honor the memory of the nearly 3,000 people who were murdered
that day in America.
Our mourning over their deaths has always been compounded
by the knowledge that those attacks might have been prevented--
certainly that was the implication of the 9/11 Commission
Report--had our intelligence and law enforcement agencies
shared the disparate facts they had gathered, enabling us to
connect the dots.
To prevent this from happening again, Congress passed
several laws intended to strengthen information sharing among
critical Federal agencies. Those acts included the Homeland
Security Act, the Intelligence Reform and Terrorism Prevention
Act (IRTPA), and the USA PATRIOT Act.
Since then, the Executive Branch, I think, has made
significant improvements in its information-sharing systems,
and there is no question that far more information is now
available to partners in other agencies who have a legitimate
need for it.
All this intelligence is further brought together at key
nodes, such as the National Counterterrorism Center (NCTC),
where it can be examined by intelligence specialists from a
variety of agencies working together under one roof. And as a
result, we have seen a number of successes in recent domestic
and military counterterrorism operations that I think were
thanks to that kind of information sharing, and I am going to
cite some examples in a moment.
But this Committee's recent report on the Fort Hood attack
shows that information sharing within and across agencies is
nonetheless still not all it should be, and that allowed in
that case a ``ticking time bomb,'' namely Major Nidal Hasan,
now accused of killing 13 and wounding 32 others at Fort Hood,
to radicalize right under the noses of the Department of
Defense (DOD) and the Federal Bureau of Investigation (FBI). So
we need to continue improving our information-sharing
strategies.
Now I fear the WikiLeaks case has become a rallying cry for
an overreaction for those who would take us back to the days
before September 11, 2001, when information was considered the
property of the agency that developed it and was not to be
shared.
The bulk of the information illegally taken and given to
WikiLeaks would not have been available had that information
not been on a shared system, so the critics of information
sharing argue.
But to me this is putting an axe to a problem that requires
a scalpel and misunderstands what happened in the WikiLeaks
case and I think misstates the solution to the problem. We can
and must prevent another WikiLeaks without also enabling
Federal agencies, in fact, perhaps compelling Federal agencies
to reverse course and return to the pre-September 11, 2001,
culture of hoarding information.
We need to be smarter about how information is shared and
appropriately balance security concerns with the legitimate
needs of the users of different types of information. Methods
and technologies for doing so already exist. Some of them I
gather have been put into place since the WikiLeaks case, and
we need to make sure that we utilize them as fully as possible
across our government.
The bottom line is we cannot walk away from the progress we
have made that has saved lives. I will give you a couple of
quick examples.
U.S. Special Forces and elements of the intelligence
community have shared information and worked exceptionally well
together in war zones to combat and disrupt terrorist groups
such as al-Qaeda in Iraq and the Taliban in Afghanistan. And
that would not happen without information sharing.
Here at home, we have used information sharing to enhance
the role of State, local, tribal, and private sector entities
in our fight against terrorists. And those efforts have paid
off--most recently in the case of a chemical supply company in
North Carolina that alerted the FBI to suspicious purchases by
a Saudi Arabian student in Texas who turned out to be building
improvised explosive devices.
So we need to fix what is broken without going backwards.
Today I look forward to hearing from each of our witnesses
about what they are planning to do to improve the security of
classified networks and information, while still ensuring that
information is shared effectively in the interest of our
Nation's security.
I would also like to hear how Congress can work with you on
these efforts either with legislation or through more targeted
funding. Efficiently sharing classified information while
effectively securing that information is critical to our
Nation's security and our national values. We can and must have
both.
Senator Collins.
OPENING STATEMENT OF SENATOR COLLINS
Senator Collins. Thank you, Mr. Chairman.
Effective information sharing among Federal law enforcement
and civilian and military intelligence agencies is critical to
our security. The 9/11 Commission found that the failure to
share information across the government crippled efforts to
detect and potentially prevent the attacks on September 11,
2001. Improving this communication was a critical part of the
Intelligence Reform and Terrorism Prevention Act that Senator
Lieberman and I authored in 2004.
The WikiLeaks breach should not prompt a knee-jerk reaction
on the sharing of vital information and its use by those
analysts who need it to do their jobs. We must not let the
astonishing lack of management and technical controls that
allowed a private in the army to allegedly steal some 260,000
classified State Department cables and some 90,000 intelligence
reports to send us back to the days before September 11, 2001.
Unfortunately, we continue to see agency cultures that
resist sharing information and coordination with their law
enforcement and the intelligence counterparts. Almost 10 years
after September 11, 2001, we still witness mistakes and
intelligence oversights reminiscent of criticisms predating our
reforms of the intelligence community. Among those cases where
the dots were not connected and information was not effectively
shared are Abdulmutallab, the so-called Christmas Day bomber,
and Nidal Hasan, the Fort Hood shooter.
At the same time, as the Chairman has pointed out, there
have been several cases that underscore the incredible value
and benefit of information sharing, and an example is, as the
Chairman has noted, the case of Mr. Zazi, whose plans to bomb
the New York City subway system were thwarted.
As such successes remind us, we must not allow the
WikiLeaks damage to be magnified twofold. Already the content
of the cables may have compromised our national security. There
have been news reports describing the disclosure of these
communications as having a chilling effect on our relationships
with some of our closest allies. More important, however, they
likely have put at risk some of the lives of citizens,
soldiers, and partners.
Longer lasting damage could occur if we allow a culture to
re-emerge in which each intelligence entity views itself as a
separate enterprise within the U.S. counterterrorism structure,
with each attempting to protect what it considers to be its own
intellectual property by not sharing it with other
counterterrorism agencies. If those stovepipes reappear or
worsen, we will certainly be in more danger.
Such a step backward would run counter to the policy goals
embodied in the 2004 Intelligence Reform Act, articulated by
law enforcement and the intelligence community leadership, and
underscored in multiple hearings before this Committee; and,
that is, to effectively detect and thwart terrorists, the
``need to share'' must replace the ``need to know.''
I would also like to hear today about the possible
technological solutions to the problems that allowed for the
disclosures to WikiLeaks. For example, my credit card company
can detect out-of-the-ordinary charges on my account almost
instantaneously. Yet the military and intelligence communities
were apparently unable to detect more than a quarter million
document downloads in less than 2 months. Surely, the
government can make better use of the technology currently
employed by the financial services industry.
It is also notable that the intelligence community was
already required to install some audit capabilities in its
systems by the 2007 homeland security law, which we authored,
that could well have included alerts to supervisors of
suspicious download activity. Had this kind of security measure
been in place, security officers might have detected these
massive downloads before they were passed on to WikiLeaks.
Technology and innovation ultimately should help protect
information from unauthorized disclosure, while facilitating
the appropriate sharing of vital data.
I would also like to explore today the implementation of
role-based access to secure classified information. Instead of
making all information available to anyone who has access to a
classified system, under this model, information is made
available in a targeted manner based on individuals' positions
and the topics for which they are responsible. Access to
information not directly relevant to an individual's position
or responsibilities would require the approval of a supervisor.
We must craft security solutions for the 21st Century and
beyond. We live in a world of Twitter and instantly viral
videos on YouTube. We must strive to strike the appropriate
balance that protects classified and sensitive information
while ensuring the effective sharing of vital data. We can use
the most cutting edge technology to protect the traditional
tools of statecraft and intelligence--those tools of
relationships and information.
Thank you, Mr. Chairman.
Chairman Lieberman. Thank you, Senator Collins, for that
thoughtful opening statement.
I want to thank the witnesses who are before us for coming,
also for the thoughtful written testimony you have submitted to
the Committee, which will, without objection, be included as
part of the record.
Now we will begin with Patrick Kennedy, who is Under
Secretary for Management at the Department of State. Welcome,
Mr. Kennedy.
TESTIMONY OF HON. PATRICK F. KENNEDY,\1\ UNDER SECRETARY FOR
MANAGEMENT, U.S. DEPARTMENT OF STATE
Mr. Kennedy. Thank you very much. Chairman Lieberman,
Ranking Member Collins, and Senator Brown, thank you for this
opportunity to address information sharing after WikiLeaks and
to discuss Executive Branch efforts to ensure that information
is shared effectively yet securely and in a manner that
continues to advance our national security. The State
Department and our interagency partners have long been working
to obtain both appropriate information sharing and protection,
and after WikiLeaks, we have focused renewed attention on
achieving these dual objectives.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Kennedy appears in the Appendix
on page 33.
---------------------------------------------------------------------------
From my perspective, serving over 30 years with the State
Department, both overseas and in Washington, and also serving
as the first Deputy Director of National Intelligence for
Management, I especially appreciate your efforts to address
with us the challenges of information sharing and security. I
can assure you that we at the State Department remain committed
to fully sharing our diplomatic reporting within the
interagency with safeguards that are reasonable, pragmatic, and
responsible.
For diplomatic reporting, the State Department has
historically communicated between Washington and overseas posts
through messages which convey internal deliberations relating
to our foreign relations and candid assessments of overseas
conditions. This reporting provides the State Department and
other U.S. Government agencies crucial information essential to
advancing our national interests, and we continue to this day
to share this reporting through automatic dissemination to over
65 U.S. Government agencies.
In late November 2010, when the press and WikiLeaks
announced the release of purported State Department cables, we
immediately established a 24/7 WikiLeaks Working Group of
senior State Department employees; we did suspend the Secret
Internet Protocol Router Network (SIPRNet) to Net Centric
Diplomacy, the database of State Department cables, while
retaining all of our other distribution systems to other
agencies. We also created a mitigation team to address policy,
legal, and counterintelligence issues.
For continued mitigation efforts, both within the State
Department and interagency, we continue to deploy an automated
tool that monitors State's classified network to detect
anomalies not otherwise apparent, backed up by a staff who
analyze these anomalies. Cable distribution has been limited to
the Joint Worldwide Intelligence Communications System and our
traditional system that reaches out, as I said, to 65 agencies.
We are now evaluating other systems for distribution, such as a
searchable database that relies on metadata.
The State Department has continued to work with information
management issues interagency through the Interagency Policy
Committee (IPC), chaired by the White House's Special Adviser
for Information Access and Security, as well as through
existing IPCs.
The challenges of grappling with the complexities are
threefold.
The first is ensuring information-sharing policies are
consistently directing the use of technology to solve problems,
not the other way around. Post-September 11, 2001, the focus
was on providing technical solutions to information sharing. As
a result, technical experts were asked to develop solutions to
the barriers. The post-WikiLeaks environment reminds us that
technology is a tool to execute solutions but it is not in
itself the answer. Simply put, we must more consistently sort
out what we need to share before determining how to share it.
Connecting systems and networks may provide the means to share
information, but we must still manage and share this content in
an effective and efficient way, as both of you mentioned in
your opening statements.
The national security community must do a better job of
articulating what information is appropriate to share with the
widest appropriate distribution and what is more appropriately
confined to a narrower audience across the community in order
to ensure adequate safeguards. The State Department believes
that the way in which we share messages through our traditional
means of dissemination and the steps we have taken since
November are leading us firmly in that direction.
The second main challenge involves each agency's rigorous
adherence to existing and improved information security
policies, as both of you have noted. This includes improved
training in the use of labels to indicate appropriate breadth
of dissemination. The Executive Order on classified information
establishes the basic levels of classification. From that
foundation, individual agencies may still have their own
captions that denote how information should be disseminated
because obviously not every person with a security clearance
needs every piece of worldwide information. Agencies that
receive information need to understand how to handle that
captioned information so that it is not inappropriately made
available to too wide an audience.
The Office of Management and Budget (OMB) has directed
agencies to address security, counterintelligence, and
information issues through special teams. We believe that our
Mitigation Team serves as a model for broad, cross-discipline
coordination, or governance because it brings together the
various subject matter experts. Many information-sharing and
security issues can be resolved at the agency level as long as
there are standards in place for agencies to execute. For the
most part, standards have been created by existing interagency
bodies, but there are some areas where further coordination is
needed.
The third main challenge involves the coordination, or
governance, of information management. Numerous interagency
groups are wrestling with the issues related to technological
aspects of information sharing, such as those dealing with
standards, data standards, systems, and networks. Others are
wrestling with the policy decisions of who should have access
to what information. New interagency governance structures to
coordinate information sharing have been developed, including
those focused, as you rightly note, on sharing with State,
local, and tribal governments, as well as with foreign
partners. In keeping with the first challenge, these new
structures should maintain or increase focus on defining the
content to be shared and protected as well as on the technology
which is to be shared and used. Each agency must be confident
that security processes and procedures are applied in a uniform
and consistent manner in other organizations. And, in addition,
it must be understood that material originating in one agency
will be treated by other agencies in accordance with mutually
understood handling instructions.
The State Department shares information with the intent of
providing the right people with the right information at the
right time. We will continue to share our diplomatic reporting
in order to advance our national security information. We
recognize the imperative to make diplomatic reporting and
analysis available throughout the entire interagency community.
The State Department will continue to do this in order to
fulfill our mission.
We remain committed to both appropriately sharing and
protecting critical national security information, but this
commitment requires, as you have noted, addressing multiple,
complex issues. We must find the right policies; we must find
the right technologies; and we must continue to share.
Thank you for this opportunity to appear before you today.
I look forward to working with you on the challenges and would
be pleased at the right time to respond to any questions you
might have. Thank you.
Chairman Lieberman. Thanks very much, Secretary Kennedy.
Now we are going to hear from Teresa Takai, Acting
Assistant Secretary for Networks and Information Integration,
Chief Information Officer, U.S. Department of Defense. Welcome.
TESTIMONY OF TERESA M. TAKAI,\1\ CHIEF INFORMATION OFFICER AND
ACTING ASSISTANT SECRETARY FOR NETWORKS AND INFORMATION
INTEGRATION, U.S. DEPARTMENT OF DEFENSE, AND THOMAS A.
FERGUSON, PRINCIPAL DEPUTY UNDER SECRETARY FOR INTELLIGENCE,
U.S. DEPARTMENT OF DEFENSE
Ms. Takai. Thank you, sir. Thank you for that introduction.
Chairman Lieberman, Ranking Member Collins, and Senator Brown,
thank you for the invitation to provide testimony on what the
Department of Defense is doing to improve the security of its
classified networks while ensuring that information is shared
effectively.
---------------------------------------------------------------------------
\1\ The joint prepared statement of Ms. Takai and Mr. Ferguson
appears in the Appendix on page 44.
---------------------------------------------------------------------------
As noted, I am Teri Takai, and I serve as the principal
adviser to the Secretary of Defense for Information Management,
Information Technology, and Information Assurance, and as such
am responsible for the security of the Department's networks
and then coordinating the Department's mitigation efforts in
response to the WikiLeaks incident.
With me is Tom Ferguson, Principal Deputy Under Secretary
for Intelligence. He serves as the principal staff adviser to
the Under Secretary of Defense for Intelligence and is
responsible for policy and strategic oversight of all DOD
intelligence, counterintelligence, and security policy, plans,
and programs, as delegated by the Under Secretary for
Intelligence. In this capacity, Mr. Ferguson oversees the
development and implementation of the Department's
information-sharing policies.
Mr. Ferguson and I have submitted a detailed statement for
the record, but I would like to briefly highlight a few of the
Department's efforts to better protect its sensitive and
classified networks and information while ensuring its ability
to share critical information with other partners and agencies
is continued.
Immediately following the first release of documents on the
WikiLeaks Web site, the Secretary of Defense commissioned two
internal DOD studies. The first study directed a review of DOD
information security policy. The second study focused on
procedures for handling classified information in
forward-deployed areas. Results of the two studies revealed a number of
findings, notably that: Forward-deployed units maintained an
overreliance on removable electronic storage media; second,
roles and responsibilities for detecting and dealing with an
insider threat needed to be better defined; and, finally,
limited capability existed to detect and monitor anomalous
behavior on classified computer networks.
The Department immediately began working to address the
findings and improve its overall security posture to mitigate
the possibility of another similar type of disclosure. The most
expedient remedy for the vulnerability that led to WikiLeaks
was to prevent the ability to remove large amounts of data from
the Department's secret classified network using removable
media, such as discs, while allowing a small number of
computers to retain, under strict controls, the ability to
write removable media for operational reasons. The Department
has completed disabling the write capability on all of its
SIPRNet machines except for approximately 12 percent that
maintain that capability for operational reasons, largely in
deployed areas of operation. The machines that maintain write
capability are enabled under strict controls, such as using
designated kiosks with two-person controls.
We are also working actively with National
Counterintelligence Executive on its efforts to establish an
information technology insider detection capability and an
Insider Threat program. Mr. Ferguson's organization is leading
that effort for the Department of Defense, and they have been
developing comprehensive policy for a DOD Counterintelligence
Insider Threat Program.
In addition, DOD is developing Web-enabled information
security training that will complement DOD's mandatory annual
information assurance training, and the Joint Staff is
establishing an oversight program that will include inspection
of forward-deployed areas.
As DOD continues efforts to improve our information-sharing
capabilities, we will strive to implement the mechanisms
necessary to protect the intelligence information without
reverting back to pre-September 11, 2001, stovepipes. DOD is
working closely with its interagency partners, several of whom
join me here today, to improve intelligence information sharing
across the government while ensuring the appropriate protection
and safeguards are in place.
I would like to conclude by emphasizing that the Department
continues to work towards a resilient information-sharing
environment that is secure through both technological solutions
and comprehensive policies. Mr. Ferguson and I thank the
Committee for the opportunity to appear before you today, and
we look forward to answering your questions.
Senator Collins [presiding]. Thank you.
Mr. Ferguson, I am told that you do not have a prepared
statement. Is that correct?
Mr. Ferguson. That is correct. Ms. Takai has a nicer voice
than I do and has given our joint statement.
Senator Collins. Thank you.
Before I turn to our next witness, we have been joined by
Senator Brown, and I just wanted to give him an opportunity for
an opening statement if you would like to have one.
Senator Brown. Thank you. I am actually eager to hear from
the witnesses and ask questions, but thank you for the offer.
Senator Collins. Thank you. Then we will proceed.
Our next witness is Corin Stone, who is the Intelligence
Community Information Sharing Executive from the Office of the
Director of National Intelligence (ODNI). We welcome you.
Please proceed with your testimony.
TESTIMONY OF CORIN R. STONE,\1\ INTELLIGENCE COMMUNITY
INFORMATION SHARING EXECUTIVE, OFFICE OF THE DIRECTOR OF
NATIONAL INTELLIGENCE
Ms. Stone. Thank you, ma'am. Chairman Lieberman, Ranking
Member Collins, and Senator Brown, thank you for inviting me to
appear before you today to discuss the intelligence community's
progress and challenges in information sharing. I want to first
recognize the Committee's leadership on these important issues
and thank you for your continued support as we address the many
questions associated with the need to share information and the
need to protect it. Your leadership and oversight of
information sharing, especially as we come up to the 10-year
anniversary of September 11, 2001, has been invaluable. I look
forward to our continued participation and partnership on this
complex and vitally important issue.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Stone appears in the Appendix on
page 52.
---------------------------------------------------------------------------
As the Intelligence Community Information Sharing
Executive, I am the Director's focal point for all intelligence
community information-sharing matters, providing guidance,
oversight, and direction on information-sharing priorities and
initiatives across the community. In that capacity, I work in
coordination with my colleagues at the table and across the
community on comprehensive and strategic management information
sharing, both internally and with all of our mission partners.
My main focus today concerns information that is derived
from intelligence sources and methods or information that is
reflected in the analytic judgments and assessments that the
intelligence community produces. I want to be clear, though,
that our concern for the protection of information is not only
narrowly focused on sources and methods.
As we have seen recently through WikiLeaks, the
unauthorized disclosure of classified information has serious
implications for the policy and operational aspects of national
security. We all have networks that must be secured, and as
technology continues to advance, my colleagues and I remain
deeply committed to keeping up with the ongoing challenges we
face.
I am acutely aware that our major task is to find what the
Director of National Intelligence (DNI) has termed ``the sweet
spot'' between the two critical imperatives of sharing and
protecting information. Every day our officers work tirelessly
to tackle challenges of increasing complexity in a world that
is interconnected, fast-paced, and ever changing, sharing vital
information with each other, customers and partners, leading to
better prepared senior policymakers across the Executive Branch
and Congress.
It is important to note that the community's work on these
complicated questions predates the recent unauthorized
disclosures by WikiLeaks. As you know, the challenges
associated with both sharing and protecting intelligence are
not new and have been the subject of major effort in the
intelligence community for years. However, these latest
unauthorized disclosures underscore the importance of our
ongoing and comprehensive efforts to address these evolving
challenges.
Working with the whole of government to address these
issues, the intelligence community's strategy involves three
interlocking elements.
The first is access, ensuring that the right people can
discover and have access to the networks and information they
need to perform their duties, but not to information that they
do not need.
The second element is technical protection, technically
limiting the ability to misappropriate, manipulate, or transfer
data, especially in large quantities.
And the third area is auditing and monitoring, taking
actions to give the intelligence community day-to-day
confidence that the information access granted to our personnel
is being properly used.
As we work to both share and protect networks and
information, we must never lose sight of the sweet spot. As we
continue to increase how much information is shared, we must
also increase the protections in place to ensure information is
being properly used and safeguarded. This is the only way to
create the necessary trust and confidence in our systems that
will foster appropriate information sharing. It is a matter of
managing risk, and people, policies, processes, and technology
all play important interconnected roles in managing that risk.
However, it is also important to note that while all of our
capabilities can reduce the likelihood and impact of
unauthorized disclosures, in the final analysis our system is
based on trust--trust in the individuals who have access to
classified information and trust that they will be responsible
stewards of this Nation's most sensitive information.
Whether classified information is acquired by a computer
system, a classified document, or simply heard in a briefing or
a meeting, we have had bad apples who have misused this
information before, and we will, unfortunately, have them
again. This reality does not mean we should err on the side of
not sharing; rather, we must put all proper safeguards in
place, continue to be forward leaning to find a threat before
disclosures occur, be mindful of the risks, and manage those
risks with the utmost diligence.
Thank you for the Committee's time, and I welcome your
questions.
Senator Collins. Thank you.
Our final witness on the panel this afternoon is Kshemendra
Paul, who is the Program Manager for Information Sharing
Environment of the Office of the Director of National
Intelligence. Welcome, Mr. Paul.
TESTIMONY OF KSHEMENDRA PAUL,\1\ PROGRAM MANAGER, INFORMATION
SHARING ENVIRONMENT, OFFICE OF THE DIRECTOR OF NATIONAL
INTELLIGENCE
Mr. Paul. Thank you, Chairman Lieberman, Ranking Member
Collins, and Senator Brown. Thank you for the opportunity to
speak about our efforts to effectively share and protect
information at every level of government. Thank you for your
attention to information-sharing reform efforts and your
support of my office's mission. I also want to recognize my
fellow panelists, key partners in government-wide efforts to
further strengthen information sharing and protection.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Paul appears in the Appendix on
page 59.
---------------------------------------------------------------------------
As the WikiLeaks story emerged, concerns were voiced that
the information-sharing efforts would suffer a setback. This
Administration is committed to strengthening both information
sharing and information protection. While complex and
challenging, we do not see these goals as conflicting. Guidance
throughout the Executive Branch has been consistent. We need to
accelerate information sharing in a responsible and secure way.
The WikiLeaks breach is not principally about information-
sharing challenges. A bad actor allegedly violated the trust
placed in him. While we cannot always stop bad actors, we can
and must take this opportunity to reassess our posture, our
progress, and our focus related to improving and strengthening
information sharing and protection.
The challenges highlighted by the WikiLeaks breach are
complex and go to deeply rooted issues: First, the perpetuation
of agency-based, bilateral, and fragmented solutions versus
common and comprehensive approaches to information sharing and
protection; second, the need to improve our counterintelligence
posture and some of the other technical considerations that my
fellow panelists have talked to; and, finally, while the breach
involves classified information, we need to be mindful that the
root cause issues and the sensitivities extend to sensitive but
unclassified information also. It is a whole-of-government
problem, not just a classified national security problem.
I would like to clarify the information-sharing environment
and my role. The purpose of the information-sharing environment
is to improve the sharing of terrorism-, homeland security-,
and weapons of mass destruction-related information across
Federal, State, local, and tribal agencies and with our
partners in the private sector and internationally.
The information-sharing environment spans five communities:
Defense, intelligence, homeland security, law enforcement, and
foreign affairs. It is defined as a cross-cutting, horizontal,
data-centric, trusted information-sharing and protection
capability. My role is to plan for and oversee the agency-based
buildout, and manage the information-sharing environment. But
my office is not operational. Agencies own the mission,
agencies set policies and procedures, and agencies make the
investments that interconnect our networks, databases,
applications, and business processes. These agency-based
contributions together form the information-sharing
environment.
The law grants the program manager's role governmentwide
authority. This authority is exercised primarily in two ways:
First, I am the co-chair of the White House's Information
Sharing and Access Interagency Policy Committee; through that
role, we work through policy and oversight issues; and, second,
through my partnership with the Office of Management and
Budget.
We are being deliberate and collaborative in our approach
to further strengthening information sharing and protection. We
have put an emphasis on governance and outreach. My office,
together with my mission partners, is leading the refresh of
the 2007 National Strategy for Information Sharing. We are
using this opportunity to leverage common mission equities to
drive common policies and capabilities. And we are
orchestrating specific agency-led sharing and protection
initiatives with our partners.
We believe this work provides a framework for strengthening
efforts to address the root cause issues associated with the
WikiLeaks breach. These capabilities will result in further
assuring the proper sharing and protection of information.
Our work across mission partners is profiled in our annual
report to the Congress delivered every summer. I also encourage
those interested in following or influencing our efforts to
visit our Web site and to participate in upcoming online
dialogues aimed at shaping our future direction.
In closing, our efforts have been and continue to be
focused on accelerating information sharing in a secure and
responsible way. Effective information sharing and
collaboration are absolutely essential to keeping the American
people safe.
Thank you for the opportunity to participate in this
hearing. I also would appreciate any comments, directions,
support, or feedback that you can provide to me in my office.
My fellow panelists and I look forward to your questions.
Senator Collins. Thank you very much for your testimony,
and I thank all of the witnesses.
I want to express my personal frustration with this issue.
Our Committee has held hearings on the lack of information
sharing in the case of Abdulmutallab, where credible
information was given to our embassy in Africa but did not make
its way in a timely fashion to the National Counterterrorism
Center and, thus, Abdulmutallab was not listed on the No Fly
List. So there is an example of credible information that
should have been shared across government but was not.
Similarly, in our investigation into the Fort Hood attacks,
we found that credible information about Major Hasan's
communications with a known terrorist suspect was not shared by
the Joint Terrorism Task Force with the Army--another terrible
failure in information sharing.
Now, there have been successes as well. But I mention those
two failures to contrast and raise such questions with how an
Army private allegedly was able to download hundreds of
thousands of classified documents, cables, and intelligence
reports without being detected, and that baffles me. It also
frustrates me because in 2007, Senator Lieberman and I authored
homeland security legislation that included a requirement that
military and intelligence agencies install audit capabilities
with robust access controls on classified systems. And those
technologies that would enable us to audit information
transmission and authenticate identities for access control are
not new. They are widely used. And the serious cyber risks
associated with the use of removable media devices, such as
thumb drives, have been known for many years.
How did this happen? How could it be that a low-level
member of the military could download such a volume of
documents without it being detected for so long? That truly
baffles me. I do not know who to start with. Mr. Ferguson, do
you want to take a crack at that?
Mr. Ferguson. I will be the first in the pond. Let me take
it in a couple steps. Your question has a lot of parts to it.
The rank of Private Bradley Manning is really not so much
the issue. It was what his responsibilities were. He was there
to provide intelligence support for military operations. So we
do not base it necessarily on a rank structure. We base it on
what his mission responsibilities are to support the military.
To get to your question about how was he able to access so
much data, and then I will get to the part about what have we
done and why didn't we do what we could have done. The
situation in the theater is such that--or was. It has changed
now. But we took a risk, essentially is what it is. We took a
risk that by putting the information out there, share
information, provide agility, flexibility of the military
forces, they would be able to reach into any of the databases
on SIPRNet. They would be able to download that information,
and they would be able to move the information using removable
media across various domains, whether it is across security
domains or from U.S. systems to coalition systems. And we did
that so they could do this very rapidly.
Here in the Continental United States (CONUS) many of the
things you have talked about, about closing off open media
ports and so forth, actually have been in place for a decade or
more. If you go to many of the agencies, they actually are not
able to access those open ports. But the focus in the theater
was speed and agility, so we took that risk to allow not just
Private Manning but many people who are serving there to move
at that pace.
You asked about why we did not put in place capabilities
that were in your bill. In fact, as early as 2008, we started
to deploy what is called the Host Based Security System (HBSS),
as early as 2008. And at the time of Private Manning's alleged
activities, about 40 percent of the systems in CONUS actually
had that system in place. The systems were not--that was not
available in the theater.
Senator Collins. And why wasn't it?
Mr. Ferguson. Mainly because of a lot of the systems there
are, for lack of a technical term, cobbled together, and
placing those kinds of systems--they are not all equal. It is
sort of a family of systems there, and it is not just like
working for Bank of America where they have one homogeneous
system and they can insert things and take things out as it
works. You have multiple systems and putting in new intrusion
software or monitoring tools and so forth, you have to approach
each system differently. And that is part of the problem.
So basically to get away from that and not hold up the
ability to move information, they took on the risk by saying,
look, these people are cleared. They go through background
investigations, and, frankly, most of our focus was right about
outside intruder threat, not inside threat.
So in the end, to answer your questions--we had ourselves a
situation where we had information sharing at this level, and
we took the risk of having monitoring tools and guards and
passwords and so forth, as well as people did not fully
implement policies, they did not follow security rules down at
this level. So the problem is that is where we made our
mistake. We allowed this to occur when we were sharing
information at this level. So what we are trying to fix today
is not take this level of information sharing and moving it
down here, which you have referred to in your opening
statement, but take this and move it up here. And that is what
we are trying to do as rapidly as we can.
Senator Collins. Thank you.
Mr. Kennedy, Mr. Ferguson basically explained that DOD, in
the interest of making sure that the information was out there
in theater, took a risk, but that does not explain to me how
the private would have access to State Department classified
cables that had nothing to do with the country for which the
private was involved in intelligence activities. So how did it
happen that he had access to classified State Department
cables, involving countries that had nothing to do with his
intelligence responsibilities?
Mr. Kennedy. That is a very good question, Senator. Several
years ago, the Department of Defense and the intelligence
community came to the State Department and said, we need the
State Department--and actually they paid for it--to push out
reporting to SIPRNet, which is the Department of Defense
worldwide system, and to load a number of our cables onto a
Defense Department database that would be accessible to Defense
Department people. So in response to their request, we took a
selected element of our cables and pushed those out to the
Department of Defense's database.
To be blunt, we believe in the interest of information
sharing that it would be a grave mistake and a danger to the
national security for the State Department to try to define in
each and every one of the 65 agencies that we share our
diplomatic reporting analysis with to say that Private Smith
should get this cable, Lieutenant Jones should get that cable,
Commander X should get that cable. The policies that have been
in place between the State Department and other agencies is we
provide this information to the other agency. The other agency
then takes on the responsibility of controlling access by their
people to the material that we provide to them.
Senator Collins. I will come back to that issue, but I want
to first give an opportunity for my colleague, Senator Brown,
to ask his questions.
OPENING STATEMENT OF SENATOR BROWN
Senator Brown. Thank you. You are on a roll, though.
I have served in the National Guard for 31 years. I am a
Lieutenant Colonel. I am on the computers regularly, all that
good stuff, and I have to tell you, sometimes it is like brain
surgery getting on the computer, even for somebody like me who
is part of the senior staff, and had been a trial defense
attorney, just to log on, get access, go where I need to go,
and I still have not really gotten a satisfactory answer as to
how this private had complete and total access to the documents
he had. In my wildest dreams, I could not do what he did.
And then I see, he works 14 hours a day, no one cares.
Well, the average workload in that region is that and more for
many people.
My understanding, in doing my own due diligence, is that
there was a complete breakdown of command authority when it
came to instructing that soldier and people within that command
as to the do's and do not's with regard to information and
information sharing. There was no check or balance, and that
the amount of people that have access to that information has
grown by tens of thousands. Hundreds of thousands of people
have access to that information on any given day.
Is that accurate, that that many people have access to that
information? Whoever feels qualified to answer it, probably the
DOD folks.
Mr. Ferguson. Let me put it this way: The SIPRNet is a
command and control network, just like the Internet.
Senator Brown. I know what that is, I am in the military.
Can you explain to the listeners what that is?
Mr. Ferguson. What is the SIPRNet?
Senator Brown. Yes.
Mr. Ferguson. The SIPRNet is a command and control network
that maintains Department of Defense classified secret level
information that covers a whole portfolio of issues. It is not
just intelligence information, for one. It is operations data.
It is financial programmatic data, personnel data. It covers a
very large----
Senator Brown. It is everything.
Mr. Ferguson. It is everything. All that information is not
available to everyone who is on SIPRNet. A lot of that
information, in fact, is password protected. But there are
sites, just like going on the Internet, that if you click on
there, if you put in the search for that information and it is
not password protected, it is available to whoever is on the
SIPRNet.
Senator Brown. All right. So let me just take what you are
saying here--and that was not the case with this young soldier.
We are not just talking about that stuff where you just get
online and take that stuff. We are talking about that the young
person who had the ability to not only get that but all the
classified documentation as well. Correct?
Mr. Ferguson. He was able to get the classified information
that was not password protected. That is correct.
Senator Brown. Right. And is it true that there are
hundreds of thousands of people that have access to that
information still?
Mr. Ferguson. That is true.
Senator Brown. Once again, I am not a brain surgeon, but I
am an officer in the U.S. military, and I have difficulty
getting that stuff. Why haven't we locked down and basically
weeded through the people that have access, to make sure they
are all our friends? Where is the command and control in these
types of things?
Mr. Ferguson. The command and control, since the SIPRNet is
really a family of networks, the site owners decide, just like
on the Internet, who gets access to their particular site.
Senator Brown. Right. That is for the open stuff, but I am
not talking about that.
Mr. Ferguson. No. That is for secured information as well.
Senator Brown. All right.
Mr. Ferguson. So in the case, of course, of the State
Department information, that has now been removed from SIPRNet,
so that is not available for everybody to take a look at.
Senator Brown. I was kind of surprised they were even on
there.
Mr. Ferguson. Well, that was a request of the Department of
Defense and the DNI to put that information on or to make it
more accessible to people in the intelligence community.
Senator Brown. Is the reason why because--listen, I
understand the moving nature of the battlefield. I believe that
a lot of the command and control went away because of the
changing nature of the battlefield. They needed the information
very quickly. Is that a fair assessment?
Mr. Ferguson. That is a fair assessment.
Senator Brown. So knowing that, what checks and balances
have been put in place, notwithstanding that fact, what are we
doing?
Mr. Ferguson. What they have done--and Ms. Takai can talk
about the technology behind this. They have closed down all the
ports. They cannot remove the data. But they also are starting
to chart and narrow the data access based on mission
responsibility, for one. It is not going to be as simple as
just going in, turning off stuff, and just doing a big survey
of the SIPRNet, although that will probably occur. And then, of
course, the moving of the data, which was the big concern, is
now a two-man rule. As Ms. Takai pointed out, 12 percent of the
systems now have the ability to remove data and shift it to
another domain. The other 88 percent are shut down.
Senator Brown. Well, he used a thumb drive, right?
Mr. Ferguson. He used a compact disc (CD), actually. Oddly
enough, the thumb drives have been shut off for some time.
Senator Brown. That is what I thought. So it was a CD,
right?
Mr. Ferguson. It was CDs, that is right. He was downloading
the CDs. So we have a two-man rule.
Another key piece of this is--I do not know the word to
use--a failure on the part to monitor and follow security
regulations. It is as simple as that.
Senator Brown. Listen, I agree with you. I know there is a
protocol in place. I am still flabbergasted. I mean, here we
are, we have one of the biggest leaks in my lifetime or my
memory, at least, in the military, and we have a private who is
in trouble. I am a little curious. There seems to have been a
breakdown completely on that chain of command.
Mr. Ferguson. It did not work as well as we had hoped.
Senator Brown. And that being said, it has not worked as
well as you had hoped, is there anything like a red team or an
unannounced inspection? Or have you changed the protocol?
Mr. Ferguson. Actually there have been investigations
looking at the entire process for the entire theater. And a lot
of the changes have occurred in terms of the two-man rule,
shutting down of the ports, and other security training and so
forth has all occurred in the last 3 or 4 months. So, yes, they
have taken some pretty significant actions already.
If I may, I would like to pass it to Ms. Takai because she
can speak to some of the technology that is in place.
Senator Brown. And with that, I will take that testimony in
a second. But that being said, I know all the agencies are
actually awash with new guidelines and directives. Is there a
coordinated effort of some kind being made so that policy and
oversight are staying consistent, that agencies are not left to
guess who to listen to? Is there someone in charge that
basically is dictating what we are doing, why we are doing it,
how we are doing it, and then following up to say, yes, we are,
in fact, doing it? Is there anything like that going on?
Mr. Ferguson. Yes, I will give you a good example. Their
policies for security and use of material were spread across a
number of policy documents, so if you were sitting in a field
or you are in the United States and you wanted to find where
that policy was, you had to go search for it. In hindsight,
that was not a good way of approaching it. It worked that way
for years, decades.
One of the things we have done is we have updated those
policies, and we combined and consolidated them into a single
product. So there is only one place--it is a one-stop shop to
go get that. That came out of the Under Secretary of Defense
for Intelligence's office. So he sets the guidelines for that
information protection assurance and security parts.
In terms of setting rules for information sharing itself,
that is being done as a community-wide activity, not just with
the Department of Defense but with the DNI--this is an approach
with all the other agencies. So there is one initiative right
now underway, and, of course, each department is also looking
at it individually.
Mr. Paul. Can I amplify that?
Senator Brown. Yes, please, and then I just have one final
question, but sure, yes, absolutely.
Mr. Paul. So there is an ongoing White House-led process
right now looking at the WikiLeaks incident and potential
structural reforms. That has three main tracks that are going
on, and my panelists and I and others are involved in that
process.
The first part of it is looking at how to better balance
things like identity management and tagging of information more
consistently so you can do better kinds of access controls like
what were talked about in the opening statements.
The second is looking at the insider threat passbacks and
some of the technical considerations that we have talked about.
And the third is looking at how we strengthen governance
across the spectrum--so the hope is that in the coming weeks
and months we can come back and talk about the results of that
process.
Ms. Takai. Before I speak to the technology, just to follow
on to the governance issue, there is participation by all of
the organizations in a White House working group that reports
to the deputy's committee around the various activities to make
sure that we are well coordinated and that we are working
together.
Inside the Department of Defense, this is an item that is
high on the Secretary's list, and we provide ongoing reports to
him from the standpoint of the technology mitigation efforts
both to him and the Chairman of the Joint Chiefs of Staff
regarding our progress. So there is significant oversight.
There is significant guidance in terms of making sure that we
are taking care of this and we are following on to the
commitments that we have made both from a technology
perspective and working with Mr. Ferguson's area in terms of
making sure that the policies are updated. So I wanted to make
sure that I added that in response to the question.
Moving on to the technology, I think we have talked about
the Host Based Security System and the progress that we have
made thus far in terms of having that installed and making sure
that we can detect anomalous behavior in terms of individuals
who might get on to the network and download information, and
we are doing that in three ways. One is from a device
perspective. The Host Based Security System detects if, in
fact, a computer does have a device where information can be
downloaded so that we can validate that and ensure that it is a
part of the 12 percent of those computers that we believe need
that information in the field.
The second thing that we are doing is to look at what we
call an audit extraction module to follow on to Senator
Collins' question around how do we have the information and the
analytics to see anomalous behavior and we can catch it at the
time that it occurs. We are currently in testing. That software
is integrated with HBSS, and we will then be moving ahead to
roll that out across DOD.
The third thing that we are moving forward on, as you
mentioned, Senator Collins, is around really a role-based
process. We are going to be implementing a public key
infrastructure (PKI) identification similar to our current
Common Access Cards (CACs) that we have on our non-classified
network to all of the DOD users, and what that will do is give
us an opportunity over time to refine what information
individuals have access to. So sheer access to SIPRNet, for
instance, in this case, we will be able to, by looking at each
individual database, take it down to what information that
individual needed as opposed to having the network completely
open.
Senator Brown. I appreciate that, and just in closing, it
was not only dangerous, it is embarrassing what happened. You
know, it is embarrassing for our country some of the things
that were actually out there. And so there are a lot of lessons
there, but I appreciate the opportunity.
Thank you for having this hearing and participating and
allowing me to participate in it.
Senator Collins. Thank you.
Chairman Lieberman [presiding]. Senator Collins, thanks
very much for assuming the Chair. I apologize to the witnesses.
I appreciate the testimony. Let me ask a few questions, if
I might. In a speech that DNI General Clapper gave last fall,
he predicted that WikiLeaks was going to have a ``very chilling
effect on the need to share.'' After WikiLeaks began to release
State Department cables in late November, news headlines
forecasted a clampdown on information sharing, and this is what
we have been dealing with and you deal with in your testimony
as submitted.
I wanted to ask you if there are specific areas--and I
guess I would start with Ms. Stone and then any others. Are
there specific areas where you think the WikiLeaks case has had
a direct impact on information sharing other than the examples
cited in the prepared testimony by Mr. Kennedy of the State
Department removing its diplomatic cables from SIPRNet?
Ms. Stone. Thank you for that question, sir. My reaction is
that the most direct impact has been in the area of culture and
those people who are concerned about sharing information,
rightly so, and our ability to protect it. And, therefore, our
reaction to WikiLeaks must be to increase protection as well as
sharing. As we increase the protection, we also increase the
trust and confidence that people have that when they share
their information appropriately, it will be protected; we will
know where the information is; we will be able to pull that
information if it is inappropriately accessed; and we will be
able to follow up with appropriate repercussions if and when it
is misused.
So I think the most direct impact I have seen is not in a
specific tangible action, but more so that it has resulted in a
very clear need for us to increase the protections, to increase
trust and confidence to share more broadly; because--while
Director Clapper was very concerned--as we all were, that this
would have a chilling effect, we have all worked very hard,
both within the ODNI, within the intelligence community, and
across the government, to ensure that it does not have a
chilling effect; but that, in fact, as Mr. Ferguson said, as we
increase sharing, we also increase protection to develop that
trust and confidence.
Chairman Lieberman. That is good. Mr. Kennedy.
Mr. Kennedy. If I could, Mr. Chairman. I think there have
been two kinds of chilling effects. One, I think there has been
a chilling effect on the part of some foreign governments being
willing to share information with us, and that is obviously of
great concern to the State Department. We build our diplomatic
reporting analysis on the basis of trust; that when individuals
tell us things in confidence, we will share them in confidence
within the U.S. Government, that it will not go broader than
that. So that has been one chilling effect.
I think the State Department, though, has avoided the
chilling effect that you were directly addressing. For example,
if I might, during the period of time, we have posted, as you
all mentioned, some 250,000 cables to this database posted to
the DOD SIPRNet. During that same period of time, we
disseminated 2.4 million cables, 10 times as many, through
other systems to the 65 other U.S. Government agencies. And so,
therefore, while we stopped disseminating on SIPRNet for the
reasons that my DOD colleagues have outlined, we have continued
to disseminate to the intelligence community system, the Joint
Worldwide Intelligence Communications System (JWICS), and we
have continued to disseminate the same volume of material to
the same other agencies based upon their need for that
information. We do not hold anything back. This unfortunate
event has not caused us to hold anything back. We continue to
share at the same rate as we were sharing before because we
know that our information is essentially the gold standard.
There are more reporting and analysis officers and sources
and information from 265 State Department diplomatic and
consular posts around the world than any other agency, so it is
our intent to uphold our piece of national security and
obviously to be responsive to the very forceful and correct
legislation that you saw passed, which is to share. We are
continuing to share using two other means.
Chairman Lieberman. Do any of the other three witnesses
want to comment, either in terms of specific areas of the
effect of WikiLeaks on information sharing or perhaps some more
indirect impact with people becoming more hesitant to work
across agency boundaries or even marking intelligence products
more restrictively? Mr. Paul.
Mr. Paul. Yes, in my role I have the opportunity to work
closely with our State, local, and tribal partners, and I just
want to report that the concerns about a chilling effect, they
share that. They share the concern, and we remain vigilant and
work with them to try to identify any challenges of that sort.
But so far with our partners, primarily FBI and DHS, there is a
lot of good sharing. Our different sharing initiatives continue
to move forward, things like the Nationwide Suspicious Activity
Reporting Initiative, the Nationwide Network of Fusion Centers,
and different initiatives of that ilk.
Chairman Lieberman. Good. Thanks for your answers to that.
Incidentally, one of the things I have found that I am sure
other Members of Congress have found in foreign travel that we
have done since the WikiLeaks leaks is that, somewhat in jest
but not really, often leaders of foreign countries that we are
meeting with will say, ``I hope this is not going to appear on
WikiLeaks.'' So they are hoping that there is a certain
confidence and trust in the exchange of information. And, of
course, we say, ``Oh, no.'' And then the person from the
embassy usually says, ``No, we have taken care of that
problem.'' But it did affect the trust of allies around the
world.
One of the things that Congress called for in the
Intelligence Reform and Terrorism Prevention Act was the use of
technologies that would allow ``role-based access'' to
information in government systems--in other words, that people
would have access to information necessary for their work, but
would not have overly broad access to information that they did
not need.
One of the key lessons, obviously, from WikiLeaks is that
we have not yet made enough progress toward that goal as we
need to, and if such capabilities had been in place on SIPRNet,
I presume Private Manning would never have had access to that
much information, if any at all.
Ms. Takai, maybe we will start with you. What are the key
challenges associated with implementing role-based access as I
have defined it across our classified and sensitive information
systems?
Ms. Takai. Thank you, Mr. Chairman. I would like to start
first by just giving you an update on where we stand at DOD in
terms of rolling out a PKI-based CAC card for SIPRNet.
Chairman Lieberman. Good.
Ms. Takai. We are in the process and, in fact, they are in
production, if you will, through our trusted foundry on those
cards. We are anticipating the completion of the rollout by the
end of 2012 so that all the individuals who today need SIPRNet
and use SIPRNet will have PKI identification.
Chairman Lieberman. Have you defined those terms while I
was away? Or would you want to do so now, PKI and the CAC card,
for the record?
Ms. Takai. Effectively the common access card is a card
that you actually utilize with your computer that actually
identifies you when you log on to the computer. So it is a much
more sophisticated password, if you will. It gives you a user
name and password, but it more clearly identifies you, and then
from that more clearly can identify the role that you play in
the organization and then through that the information to which
you should have access.
Chairman Lieberman. So that would all limit access based on
what the position of the card holder was and the presumed needs
to know of the card holder.
Ms. Takai. That is correct, sir. But to the second part of
your question in terms of our rollout plan and the steps that
we need to go through, the cards are actually rolled out to
each individual who has a computer, so our deployment plan is
to actually get the physical cards and the physical readers
installed on all of the computers for those individuals that
require access to SIPRNet.
The second thing is that through the trusted foundry we
have a manufacturing process for those cards, and they have a
capacity for a certain number of cards, so that also is a
factor.
So, again, in order for us to really complete 100 percent,
we have to take into account those two factors, and also the
fact that many of the computers where this is needed are, as
you could well imagine, in many locations around the globe. And
that is not only, of course, certainly on the ground, but on
ships and so on. So it will take us a while, by the end of
2012, to have that deployment complete.
But I think it is important to note, in addition to just
the physical deployment of the cards and on the various
computers, that it will then take us additional time to make
sure that we get the roles associated with the information
connected. So the cards give us the capability to do that, and
then we will continue the deployment to link the information to
that.
Chairman Lieberman. That is encouraging. Thanks. Senator
Collins.
Senator Collins. Thank you, Mr. Chairman. Just a couple
more questions.
Mr. Ferguson, when I think about the WikiLeaks incident, I
think not only of the failures of technology but also a failure
to focus on certain red flag behavior that was exhibited by the
suspect. And it reminds me very much of what our investigation
found when we looked into Major Hasan's behavior prior to the
massacre at Fort Hood.
If the media reports are correct, Private Manning exhibited
problems such as mental health issues, an assault on
colleagues, and the fact that supervisors had recommended that
he not be sent to the front lines.
These are all pretty big red flags, and I am wondering why
they did not lead to a restriction in his access to classified
information. I do not know whether you are the right person for
me to ask that question to, but my point is there is more than
just technology at stake here. If we have a high-ranking
official and we use the user role approach but that individual
becomes unstable or embraces Islamist radicalism or there is
some other reason that would cause the individual to pose an
insider threat, do we have the systems in place to catch that
individual?
Mr. Ferguson. Senator, I probably cannot really speak to
the specifics of Private Manning. It is an ongoing
investigation. However, your point, though, about a process to
identify behaviors that we should be concerned about, we have
taken a look at that, and the training that we had in place--
whether it was Hasan or this case--was not sufficient to give
his supervisors the pieces of data they would need to put
together and say this person is a problem, or in some cases to
take action when they did suspect something was wrong.
So what we have done in the Department is begin to shape
with new policy and direction how to better train supervisors
in how to best identify behaviors that would be of concern.
That is one piece, but they also have to be willing to take
action, and that is part of the other problem. It is not that
somebody might say that this behavior is irregular. It is also
in some cases a fear to take action, or it may reflect on them
as a failure or it may reflect on them in some other way. And
so there are two hurdles here. It is teaching people how to
identify the characteristics, but it is also teaching people
that the right thing to do is to take action.
Senator Collins. I am concerned because we have seen two
recent cases where tremendous damage was done, despite the fact
that there was ample evidence, it appears--I am less familiar
with the case we are discussing today--that something was
dramatically wrong. That is an issue that I am eager to pursue,
and I think your point about training is a very good one.
Mr. Paul, just for my last question, you mentioned in your
testimony that there is a fragmented approach to computer
security across the Federal Government, and I think I can speak
for the Chairman when I say that we could not agree with you
more, and that is one reason we have introduced our
cybersecurity bill which will apply to the civilian agencies
and also try to work with the private sector to develop best
practices. But our bill does not deal with the intelligence
community or the military computer systems.
You also in your testimony pointed out that you are not an
operational office at DNI and that you are heading a task force
on this issue. What are you telling us? Are you telling us that
the DNI needs more authority to prevent this fragmented
approach where one intelligence agency may have a totally
different approach to security, classification, and access than
the Department of Defense?
Mr. Paul. So when I was using the description of
``fragmentation,'' what I was referring to was that agencies
put in place specific agency-based solutions. Those solutions
serve for specific needs. But then when you look at more broad
information sharing and protection with other agencies, the
solutions tend to not work as well. An example of this is, as
we look at things like identity management frameworks--some of
my panelists have talked about identity management. That is
foundational to being able to do information sharing and
information protection. We have several different identity
management frameworks across the scope of the Federal
Government, our State and local partners, and so forth. Those
frameworks are mostly aligned, but we need to make sure that as
they get implemented, they are implemented in a way that is
consistent across all the different partners. If that does not
happen, then you run into challenges when information moves
across organizational boundaries.
The second part of your question was about my role in co-
chairing the Information Sharing and Access Interagency Policy
Committee. A key thing that we are trying to do in that group
is to harmonize policy frameworks across the different agencies
to make sure that on one hand, we have the consistent
framework, but on the other hand, we are not slowing down
operational considerations in those agencies so that the
variations that occur are truly because of mission requirements
and not because we are not effectively working together.
Senator Collins. Ms. Stone.
Ms. Stone. Thank you. If I could just add to that, across
the intelligence community we are working very hard to have
comprehensive guidelines and processes that are consistent and
interoperable. We are working on leveraging public key
infrastructure and attribute-based access control to have a
more comprehensive identity and access management. We are
standardizing data protection models to have several levels of
security, and we are working on an enterprise audit framework.
So within the intelligence community, while we may have
different systems, we are working very hard from the Office of
the Director of National Intelligence to more standardize and
ensure consistency across those networks. The way we then plug
in with the rest of the government--and, indeed, we must be
interoperable with the rest of the government, of course--is
through this interagency group that we are working on together
with everyone at the table and others to ensure that we can, in
fact, be coordinating and consistent with the other offices.
And we are still working through exactly what that looks like,
but that is certainly a concern that we are all very well aware
of.
Senator Collins. Thank you. Just two final concluding
comments. I would note that the Government Accountability
Office (GAO) continues to list information sharing,
particularly with regard to terrorism-related information, as a
high-risk activity, and it is on the high-risk list again this
year.
And, finally, as we look at the user role approach, which I
brought up in my opening statement and which we have commented
on today, we do have to be careful that does not translate back
to the bad old days where no one shared anything and where we
had stovepipes because we are defining who has access so
narrowly that we deny access to analysts who really need that
information.
So it is a very difficult task that you are all embarking
on, but in this day and age, that an individual could be able,
undetected for so long, to download and illegally distribute
hundreds of thousands of important cables, reports, and
documents is just inconceivable to me. So, clearly, we have a
long way to go to strike the right balance.
Thank you, Mr. Chairman.
Chairman Lieberman. Thank you, Senator Collins, very much.
Thanks again for taking the chair while I had to leave.
Just a few more questions, and I want to follow up first
with one to you, Mr. Paul, following up on the question I asked
Ms. Takai before about role-based access. In your testimony,
you note the fact that there are at least five distinct
identity credential and access management frameworks in use by
Federal agencies, and, of course, that makes me wonder whether
that limits the ability to implement the kind of role-
based access capabilities that the IRTPA required in systems in
a cost-effective way. I wonder if you could talk about what you
are doing, hopefully in cooperation, perhaps, with the other
witnesses here today, to harmonize those different access
frameworks.
Mr. Paul. Sure. Thank you for the question. There are these
five different frameworks, but they are really not that
different. They are different enough, though, that it requires
the attention of my office and other bodies--the Federal Chief
Information Officer Council, for example, and my colleagues
here--to make sure that as the frameworks get implemented in
the different agencies and with our State, local, and tribal
partners, that we do not allow for variations or that
variations are controlled and reflect mission requirements and
the like. So a focus of my office is to work with the
interagency, bringing together groups to make sure that as
these frameworks get implemented, they are implemented in a
consistent way.
Building on top of that, it is critical, as we look at
role- and attribute-based access controls that you both have
highlighted, that the framework for doing those, how we define
roles, how we, to use a colloquialism, tag data, how we tag
people, and that tagging occurs in different places. A person
may be tagged in one agency, data may be tagged in another, and
we want to be able to have that data move in an appropriate way
with policy enforcement. That means there needs to be a
consistent framework for how that happens, and coordination,
and this goes to some of what you have heard from me and others
about the importance of governance of the standards and
architecture approach. So those are contributions that are
catalyzed through the efforts of my office in close cooperation
with my mission partners.
Chairman Lieberman. Good. I urge you on in that.
Mr. Ferguson, I mentioned in my opening statement the great
successes that we have had in the past few years in Iraq and
Afghanistan in disrupting terrorist networks in those countries
with our military and intelligence agencies working very
closely together and doing so in a remarkably rapid way,
sometimes exploiting information from one raid or one source
and using it within an hour elsewhere, or quicker.
As you make changes to improve the security of classified
networks at DOD and in the intelligence community, are you
taking steps to ensure that those efforts will not diminish or
slow down our ability to carry out the kinds of operations I
have just described?
Mr. Ferguson. Yes, sir, absolutely. Even though the process
was to allow personnel working in a secured facility to access
the SIPRNet and pull down data and copy it through open media.
Chairman Lieberman. Right.
Mr. Ferguson. For example, so we could have more agility
and flexibility. We have gone back and taken a look at how that
process worked, and we have found that by creating just a kiosk
process and a two-man rule, we can still move at the same speed
and have the same agility without giving everybody the same
availability to the information and being able to pull the data
down and copy it. So it is very much in mind to make sure that
we do not hinder our ability to carry out the operations.
Chairman Lieberman. Good. Do you want to add anything, Ms.
Takai?
Ms. Takai. Yes, I would. I think one of the things that is
very important is that we continue to see the dramatic need for
information and information sharing by the warfighter and so,
if anything, the demand for that information continues to grow.
And so as we are looking at the technology, just to relate back
to what Mr. Paul said, part of our efforts are to ensure within
DOD we are eliminating our fragmented environment, which has
grown up over time, through our legacy base of the way that our
networks and our databases have grown up. And so I wanted to
make sure that I added that there was a relationship between
the work that Mr. Paul is doing and the work that we are doing
internal to DOD, and I am sure my partners here are all
undergoing the same thing. I think that is really what Ms.
Stone was talking about. And those things in combination with
being able to apply cybersecurity enhancements are really going
to give us an opportunity to get that information out there as
quickly as today and in some cases even faster than today, but
to do it in a secure way.
Chairman Lieberman. That is excellent. Let me ask a final
question. Based on the testimony you have provided, really in
what you are doing to respond to the challenges that were
illuminated by the WikiLeaks case, but also to protect the
information-sharing environment, one, have you seen any areas
where you think you would benefit from statutory changes? And,
two--and this is a question that I ask in a limited way in this
fiscal environment--are there any funds we should be targeting
to particular uses that we are not now doing to assist you in
responding to this crisis? Maybe we will start with Mr. Kennedy
and go down the table, if anybody has anything to say.
Mr. Kennedy. Thank you very much, Mr. Chairman. I cannot
think of any additional legislative authority. I think you have
done two things. You have given us the intent, and then you
have given us the command. And I think we know from what you
have said and what we know internally which way we should go.
On the funding, I can always say that an institution as
small as the State Department can always use additional funding
given the range of demands upon us. But I believe that we have
a role-based access system in place that we use to distribute
material within the State Department. If you are on the French
desk, you get one set of materials. If you are on the Japan
desk, you get another. As I mentioned earlier, we will continue
to push State Department reporting to the other agencies, but
it does, I will admit, put a burden on them to then take our
material which we have provided to Secretary of Defense, so to
speak, to DOD, and then to distribute that to their people
according to the roles that only they are capable of defining,
because I think it would be wrong for me to say which
individuals within an entity as large as the Defense Department
or as large as the DNI or the intelligence community which
analyst needs what. So we send it to them, and I think they may
be the ones who have to answer that second question about how
they are going to distribute it efficiently and effectively as
both you and Senator Collins have talked about.
Chairman Lieberman. Thanks. Ms. Takai, any legislative
recommendations or budget targeting?
Ms. Takai. In terms of the legislative question, I agree
with Mr. Kennedy. At this time we do not see any additional
legislation that we need. We are going through a review to
answer exactly that same question for the Secretary in terms of
is there any need for any change, not only additional funding
but a change in the cadence of the funding. And so once we have
that pulled together, we would be happy to share it with you.
Chairman Lieberman. I appreciate it. Mr. Ferguson.
Mr. Ferguson. I would have to agree on the legislative
side, and certainly as Ms. Takai has pointed out, as we go
through this process of putting in these capabilities, what
kind of funding needs I guess we have to identify what those
real costs are and come back.
Chairman Lieberman. Ms. Stone.
Ms. Stone. Similarly, on the legislative question, I think
we have what we need for now, although I would reserve the
right to come back if we discover we need something else.
And on the funding piece, again, we do have an interagency
process ongoing looking at exactly what we might do with
different options, so we would have to see where that comes
out. But I do believe there is at least something in the fiscal
year 2012 proposal submitted by the President to work on some
of these issues.
Chairman Lieberman. Good. Mr. Paul.
Mr. Paul. Just to echo Ambassador Kennedy, the laws and the
statutes that this Committee has championed provide an adequate
basis, a fine basis. I know in the context of the information-
sharing environment that it is my responsibility, there is
enough authority. It is an issue for me now of execution and
leadership.
Chairman Lieberman. Good. Thank you all. Senator Collins.
Senator Collins. Thank you.
Chairman Lieberman. Well, thanks very much, again, for your
prepared testimony and the oral testimony, and I emerge
encouraged that you are certainly dealing with the specific
series of vulnerabilities that the WikiLeaks/Manning case
revealed, and I presume in the nature of the modern world with
technology, innovation, and exploitation what it is, you will
also be thinking about the next way in which somebody might try
to take advantage of our information-sharing environment. But I
think that we have raised our guard in a sensible way and also
continue to share information, which we need to do, is what I
take away from this hearing, and I appreciate that very much.
The record will remain open for 15 days for any additional
questions or statements. With that, the hearing is adjourned.
[Whereupon, at 4:36 p.m., the Committee was adjourned.]
A P P E N D I X
----------
[GRAPHIC] [TIFF OMITTED] T6677.001 through T6677.079