[Senate Hearing 111-662]
[From the U.S. Government Printing Office]
S. Hrg. 111-662
MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER
DEFENSE
=======================================================================
HEARING
before the
FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT
INFORMATION, FEDERAL SERVICES, AND
INTERNATIONAL SECURITY SUBCOMMITTEE
of the
COMMITTEE ON
HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
of the
ONE HUNDRED ELEVENTH CONGRESS
FIRST SESSION
__________
OCTOBER 29, 2009
__________
Available via http://www.gpoaccess.gov/congress/index.html
Printed for the use of the
Committee on Homeland Security and Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
53-852 WASHINGTON : 2010
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office, http://bookstore.gpo.gov. For more information, contact the
GPO Customer Contact Center, U.S. Government Printing Office.
Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           JOHN McCAIN, Arizona
MARK PRYOR, Arkansas                 GEORGE V. VOINOVICH, Ohio
MARY L. LANDRIEU, Louisiana          JOHN ENSIGN, Nevada
CLAIRE McCASKILL, Missouri           LINDSEY GRAHAM, South Carolina
JON TESTER, Montana                  ROBERT F. BENNETT, Utah
ROLAND W. BURRIS, Illinois
PAUL G. KIRK, JR., Massachusetts
Michael L. Alexander, Staff Director
Brandon L. Milhorn, Minority Staff Director and Chief Counsel
Trina Driessnack Tyrer, Chief Clerk
------
SUBCOMMITTEE ON FEDERAL FINANCIAL MANAGEMENT, GOVERNMENT INFORMATION,
FEDERAL SERVICES, AND INTERNATIONAL SECURITY
THOMAS R. CARPER, Delaware, Chairman
CARL LEVIN, Michigan                 JOHN McCAIN, Arizona
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
MARK L. PRYOR, Arkansas              GEORGE V. VOINOVICH, Ohio
CLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada
ROLAND W. BURRIS, Illinois
John Kilvington, Staff Director
Erik Hopkins, Professional Staff Member
Bryan Parker, Staff Director and General Counsel to the Minority
Deirdre G. Armstrong, Chief Clerk
C O N T E N T S
------
Opening statement:
Page
Senator Carper............................................... 1
Prepared statements:
Senator Carper............................................... 31
Senator McCain............................................... 34
WITNESSES
Thursday, October 29, 2009
Hon. Tom Davis, former U.S. Representative from the State of
Virginia....................................................... 4
Vivek Kundra, Federal Chief Information Officer, Administrator
for Electronic Government and Information Technology, U.S.
Office of Management and Budget................................ 12
Gregory C. Wilshusen, Director, Information Technology Security
Issues, U.S. Government Accountability Office.................. 14
John Streufert, Chief Information Security Officer, and Deputy
Chief Information Officer for Information Security, Bureau of
Information Resource Management, U.S. Department of State...... 16
Alphabetical List of Witnesses
Davis, Hon. Tom:
Testimony.................................................... 4
Prepared statement........................................... 36
Kundra, Vivek:
Testimony.................................................... 12
Prepared statement........................................... 39
Streufert, John:
Testimony.................................................... 16
Prepared statement........................................... 51
Wilshusen, Gregory C.:
Testimony.................................................... 14
Prepared statement........................................... 45
APPENDIX
Questions and responses for the Record from:
Mr. Kundra with attachments.................................. 58
Mr. Wilshusen................................................ 84
Mr. Streufert................................................ 92
Charts (2) provided for the Record............................... 99
MORE SECURITY, LESS WASTE: WHAT MAKES SENSE FOR OUR FEDERAL CYBER
DEFENSE
----------
THURSDAY, OCTOBER 29, 2009
U.S. Senate,
Subcommittee on Federal Financial Management,
Government Information, Federal Services,
and International Security
of the Committee on Homeland Security
and Governmental Affairs,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:33 p.m., in
room SD-342, Dirksen Senate Office Building, Hon. Thomas R.
Carper, Chairman of the Subcommittee, presiding.
Present: Senator Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Good afternoon, everyone, and especially
good afternoon, Congressman Tom Davis, whose sister, niece, and
nephews live in the State of Delaware. We are grateful to you
for coming today and sharing with us your advice and counsel.
The issue du jour is cyber warfare. It isn't science
fiction. It is reality. Over the past few years, we have heard
alarming reports that criminals, hackers, even foreign nations
have deeply penetrated our government's most sensitive
networks, including the offices of some of us right here in
Congress.
In fact, just last week, the Congressionally-established
U.S.-China Economic and Security Review Commission reported
that China is strategically developing offensive capabilities
that could be used against us in a future military conflict.
Further, there have been reports that some of the previously
successful cyber attacks against agency networks may have left
behind what is commonly known as a back door, essentially a
technological means for the bad guys to get back into our
networks without anyone ever knowing about it.
These vulnerabilities could be used against us by those who
might want to do us harm by stealing sensitive information
stored on our military networks or by shutting down critical
networks just when we need them the most. Imagine the
terrifying scenario of a hacker creating uncertainty as to the
validity of the data residing on the Federal Aviation
Administration's (FAA) air traffic control systems. That is
exactly the kind of scenario I hope our hearing today prevents.
But the threat of a cyber attack isn't something new. In
fact, in 2002, Congress passed what is known as the Federal
Information Security Management Act (FISMA), to help prevent
many of the problems that we are going to be discussing today.
That legislation brought greater attention to the issue of
cyber security and it helped to establish greater
accountability within agencies. Overall, I think we would agree
that it is a step in the right direction.
However, some 7 years after the passage of FISMA and
approximately $40 billion later, I am troubled to learn that
the Office of Management and Budget (OMB) does not track how
much agencies spend on cyber security, nor does the agency
measure those expenditures and whether those expenditures
actually resulted in improved security. Even more troubling,
agencies may be constrained from implementing the most basic
cyber security best practice because of inflexible
requirements.
Now, allow me to put this into perspective. Federal
agencies have spent more on cyber security than the entire
gross domestic product of North Korea, who some have speculated
is maybe involved with some of those cyber attacks. That is
unacceptable.
Some of the problems with FISMA implementation are a direct
result of OMB's decisions over the years, while others are due
to agency neglect. Still other problems lie at the feet of
those of us here on Capitol Hill. In essence, there is blame
enough to go around for all.
However, at today's hearing, we have an opportunity to
discuss some concrete ways to correct some of those wrongs, and
that is what we are going to do.
For example, one wasteful and ineffective area that OMB and
agencies can target is what is known as the ``certification and
accreditation'' process. The certification and accreditation
process is essentially a process whereby agencies evaluate
every 3 years what defense security protections are in place to
prevent attacks on their systems. The process costs taxpayers
about $1.3 billion--that is billion with a ``b''--every year,
and it produces a good deal of paperwork that ends up stored in
binders in some clutter-filled rooms. In fact, those rooms look
a lot like this one. In fact, that is one of them. There are, I
think, others that look like it.
But we can see 3 years' worth of reports from the
Department of State, just one department, which cost them a
total of $38 million. These reports would be worth the price
tag if the tactics that hackers used were as static as the
words typed on a piece of paper. But hackers change how they
attack us daily and their numbers, unfortunately, continue to
grow.
And yet it seems like OMB thinks that a snapshot of agency
preparedness every 3 years will somehow defend our critical
networks. But instead, billions of dollars are spent every year
on ineffective and useless reports, similar to the chart
pictured here.\1\ Meanwhile, we continue to get attacked.
---------------------------------------------------------------------------
\1\ The chart referred to appears in the Appendix on page 99.
---------------------------------------------------------------------------
However, testifying today will be a representative from the
Department of State on our second panel who saw an opportunity
to spend his agency's cyber security budget more wisely.
Instead of spending money on ineffective paper-based reports,
the State Department decided to focus on developing a system
that monitored their global networks on a continuing basis.
If you take a look at the second chart that has just been
put up,\1\ we can see the results of the hard work at the
Department of State. According to that Department, they were
able to reduce the amount of risk to their agency by 90 percent
in a single year. I am told that this was achieved by
developing a system that makes sense, uses effective metrics,
and holds people accountable. In essence, the Department of
State can prove that they have better security at a fraction of
the cost that they were previously paying.
---------------------------------------------------------------------------
\1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
So as we progress through this hearing, I would like our
witnesses to keep in mind that moving to a model more like the
one at the Department of State requires no new legislation,
costs less than or the same as the current paperwork-laden
method, and will better protect our country. That is the kind
of cyber security that makes sense to me, and I suspect that is
the kind of cyber security that would make sense to most people
in this country.
In fact, my colleagues and I introduced a bill last
session, and we have introduced it again this year, which would
require all agencies to move to a proactive approach like the
one that the Department of State has taken.
In addition to requiring continuous monitoring of security
controls and putting a strengthened Chief Information Security
Officer in each agency, our bill would enhance the role of the
Department of Homeland Security in cyber security. The
Department would share information with agencies on where cyber
attacks have been successful so that they can better prioritize
their security enhancements.
Further, our bill would require agencies to use their
enormous purchasing power to persuade vendors to develop and
sell more secure IT products and services in the first place.
Again, our thanks to each of our witnesses. We certainly
look forward to what you have to say, share with us, and to
responding to our questions.
We will be joined as the afternoon goes on by others on our
Subcommittee, but rather than sit here waiting for them for
hours, we are going to dive right in with our first panel. As I
telegraphed earlier, we will receive our testimony from former
Congressman Tom Davis, who represented, I think, a
Congressional district in the Northern part of Virginia, a
State where I grew up. His service in the U.S. House of
Representatives--how many terms did you serve there?
Mr. Davis. Seven.
Senator Carper. Seven terms. Did it seem like eight?
Mr. Davis. It seemed like 20 at the end. [Laughter.]
Senator Carper. Congressman Davis was the principal author
of a number of pieces of legislation, but he was also the
principal author of the Federal Information Security Management
Act of 2002, lovingly called FISMA, which is the subject that
we are going to be discussing here today.
He also held numerous oversight hearings on the
implementation of FISMA and is considered an expert on the
issue. I would like for the record to show that my name and the
word ``expert'' have almost never been used in the same
sentence. [Laughter.]
We are pleased to have Mr. Davis with us, who is certainly
an expert on this issue and very knowledgeable about a bunch of
other things. It is a real pleasure to work with him. We are
trying to make some progress on, among other issues, figuring
out a path forward for the U.S. Postal Service.
But I understand that we will hear where you believe
improvements can be made with the agency implementation and
perhaps with the language itself, so we thank you for your
previous service to our country and for your willingness to be
of service again here today.
You are recognized to proceed for the next half hour--no, I
will ask you to keep it fairly close to 5 minutes, but if you
run a little over that, it is not going to trouble anybody too
much. So thanks so much for coming, and your entire statement
will be made part of the record.
TESTIMONY OF HON. TOM DAVIS,\1\ FORMER U.S. REPRESENTATIVE FROM
THE STATE OF VIRGINIA
Mr. Davis. Thank you, Chairman Carper. I really appreciate
your efforts to improve information security and I am grateful
for the opportunity to testify here today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Davis appears in the Appendix on
page 36.
---------------------------------------------------------------------------
For 14 years, I represented the 11th District of Virginia,
the home of the Internet. I would note for the record that I
retired undefeated and unindicted.
Senator Carper. That is quite an accomplishment.
[Laughter.]
Mr. Davis. I was also honored to serve as a member of the
House Committee on Oversight and Government Reform, first as
the chairman of the District of Columbia Subcommittee, the
least sought after Subcommittee chairmanship in the House, then
as chairman of the Technology and Procurement Policy
Subcommittee, then 4 years as chairman and my last 2 years as
the ranking member. My Congressional service coincided with the
proliferation of the Internet and the explosion of new
capabilities that came along for both the public and the
private sector.
It was clear the revolution in interconnectivity had the
potential to fundamentally change governmental operations and
service delivery. However, it also created a new form of
vulnerability, one in which traditional protections of
geographic distance and physical strength were irrelevant.
For these reasons, I made information technology management
and security a focus of my work in Congress. Federal agencies
needed to take this threat seriously and ensure proper
procedures and tools were in place to protect information
systems. Similarly, Congress needed a clear picture of the
information security posture of the Federal Government in order
to conduct effective oversight.
FISMA, which I championed in 2000 and 2002 and which had
the concurrence from this Committee, was intended to help
provide such a framework. FISMA required Federal agencies under
the direction of the Office of Management and Budget to create
a comprehensive risk-based approach to information security
management. It further requires annual IT security reviews,
reporting, and remediation planning at Federal agencies. These
requirements were based on best practices, and in addition to
safeguarding information were intended to make security
management an integral part of an agency's operation.
At the time FISMA was enacted, no coordinated priority
existed to address the threat of cyber attacks. Technology was
evolving rapidly. Rather than taking a prescriptive approach,
we believed agencies needed to walk before they could run, and
putting procedures and protocols in place was an important
first step in protecting government's critical infrastructure.
Since its enactment, FISMA has undoubtedly served to
elevate the importance of information management and
information security in government, and I am proud of the
progress we have made. That said, there is room for updates and
improvement, and your legislation, I think, is a very positive
step in that direction. It is time to really take FISMA to the
next level.
While I believe the requirements listed in FISMA would be
components of any sound information security plan, the need at
present is to operationalize its implementation. This would
involve tools such as Red Team penetration tests. It would also
require appropriate performance measures, such as the time
between a penetration and detection, the time to deploy a
security patch once it has been released, and the time to
complete a root cause analysis when a security breach does
occur, I am pleased your language references both penetration
tests and performance measures.
Three other key ingredients: Responsibility, Authority, and
Accountability.
Chief Information Security Officers (CISOs), may be
responsible for overall information security planning, but they
can't be just the bad men when things go wrong. Responsibility
for an information security program permeates an organization,
from the head of the agency to every employee. Most of the
security breaches that have grabbed headlines in recent years
aren't the result of some evil cyber genius but Federal
employees failing to adhere to basic security protocols--a lost
laptop, a stolen Blackberry, computers never returned when an
employee leaves an agency. These can result in the personal
information of untold thousands being put at risk.
CISOs might have to come up with the protocols, but the
rank and file have to adhere to them. As Congress looks at
information security issues, it might be wise to consider
uniform procedures, training, and penalties to reduce theft,
loss, or other adverse events. I might add, in the private
sector, training is very critical in these areas and it is
drummed into employees at every level.
Your language gives CISOs authority to develop,
implement, and enforce security measures. That is important.
There also have to be consequences, good and bad, for failures
and successes. That is one aspect of the accountability
component. The private sector provides some models. For
example, the payment card industry mandates compliance with
standards set by the PCI Security Standards Council. Failure to
adhere to these standards results in a business losing the
ability to conduct transactions with payment cards. Now, that
exact example isn't going to fit the Federal system, but we
need carrots and we need sticks that promote compliance and
punish negligence.
Another aspect of accountability deals with funding.
Federal Government spending has risen sharply in recent years,
but to what end? We have to link performance in this specific
instance, performance of information security products and
services, with spending decisions. Simply asking for more or
providing more isn't going to fix the problem, nor is it going
to serve the interest of the American people.
In closing, I would like to reiterate my appreciation for
the work you are doing on information security. The information
age is indeed a strange new world in which a mischievous
teenager could be just as dangerous as a terrorist organization
or malevolent government. I am committed to helping however I
can to make sure our Federal systems are up to the task and
that our oversight mechanisms are commensurate to the need, and
I think your legislation is a good step forward. Thank you.
Senator Carper. Thank you very much, Congressman.
I don't know if you have ever done this, but one of the
things I have done for a number of years as a new Senator here,
whenever it is one of my colleagues' birthdays, I actually call
them on the phone if we are not in session and just wish them a
happy birthday, track them down wherever they are, around the
country or really around the world. Those are calls that I
enjoy, and I think my colleagues do. I do the same thing with
members of my staff, former members of my staff and just family
and friends.
I don't know if this is true, but it is in my briefing
notes so it must be true--but I am told that today happens to
be the birthday of the Internet, and I was thinking about maybe
just sending an e-mail out and seeing how well it can get
around and cover as much of the Internet as we could----
[Laughter.]
But I understand that 40 years ago, I'm told, in 1969, the
first message was sent out on the Internet, and I understand
that the message also ended up crashing the Internet.
[Laughter.]
So today's hearing is timely.
I would just ask, Congressman Davis, as one of the
principal authors and Congressional overseers of the FISMA
legislation, you know all too well that there have been some
successes and some challenges since its adoption. For example,
it seems that OMB has historically focused on agency compliance
rather than on agency outcomes. And I must say, we are real
good at focusing on process and compliance rather than
outcomes.
Arne Duncan was just in Delaware, the Secretary of
Education, and he spent a fair amount of time at the University
of Delaware 2 days ago talking about the need for us in
education to focus not on process, but on outcomes. It turns
out that is not just in education, but it is in this regard, as
well.
Could you take a few minutes maybe and explain to us where
you think there are opportunities to improve agency cyber
security? It seems like the sophistication of the attacks
dramatically evolves every year. We just met with an agency
head in the current Administration who shared with us just how
many cyber attacks are occurring every day on his agency, on
the agency that he leads. It is alarming. But this training has
led to a huge increase in the number of reported breaches by
agencies.
As you know, I have been trying to lead the effort to
reform FISMA and really strengthen it to make it the
legislation that I think you, as its principal author, hoped it
would be so that agencies focus their limited resources on
improving security rather than just producing the kind of
paperwork that we see over here to my right.
Some of the improvements that we have been suggesting, such
as continuous monitoring, seem like they make a lot of sense,
and the best part of this idea is that it doesn't require a
bill to be passed by Congress. However, the previous
Administration didn't seem all that interested in making any
changes to the current reporting structure, at least not during
their final year. I think they just said, we will let the new
folks take care of that.
So that is a big way of leading me to this question, and I
would just ask, Congressman Davis, what are your thoughts on
this idea, and are there other opportunities that either us on
this Committee, Subcommittee, or the Administration should be
looking into?
Mr. Davis. Well, thank you. That is a pretty broad range,
but let me take a stab. Let me note first that in your second
panel, you look at the State Department and what they have
done. This is an agency that has paid careful attention to not
just compliance, but also operationally what to do, and I think
you are going to get some glimpse of some of the things that
can be done across other agencies when they give it the
appropriate attention.
You know, it is hard to legislate priorities. It has really
got to come from the Executive Branch, because our managers
have so many different things to do, so many boxes to check,
that at the end of the day, they make everything a priority and
nothing becomes a priority. And that is one of the
difficulties. This legislation will help, but if an
administration or an agency head doesn't buy into this, it is
difficult to make it really as operational as we would like it.
Anybody can check a box. That is not hard to do. But making
this a priority--and you will hear in the next panel, I think,
some good ideas on this.
You can't just involve the heads of the agencies or the
CISOs, as I have noted before. You need to get a buy-in at all
levels. This has to be part of what every employee does. It has
to be drilled into them through training. They have to
understand, anybody that deals with any entry point, any secure
network, that they have to really be on top of that 24 hours a
day.
A lot of our problems result from just plain negligence,
people that didn't take this seriously. It wasn't drilled into
them as part of their jobs. It means everybody has to be
trained, that really, our whole systems are vulnerable at our
weakest point, and our weakest point is any entry point, and
frankly, any employee.
I like the certification process you talk about in this
bill. I like the idea that using the purchasing power of the
government to not just drive down costs, but you can get a
congruity of products that way. One of the difficulties in
government is we are so stovepiped. We have agencies even
within agencies that aren't talking with each other. I think
using that purchasing power, maybe allowing the Group 70
Schedule in GSA to be utilized by States and locals--well, not
just Group 70, the schedules for any cyber products to be
included in that could be helpful in getting the same kind of
products that everybody is using appropriately certified. There
is just a lot of room here if we will make it a priority, and I
think you have included some of those in the bill.
Finally, the carrots and sticks are tough in government.
How do you reward? How do you punish the people that aren't
doing this? You can always do it through bonuses and you can do
it through promotions and those kind of things, but that has to
come from management. It has to come from a buy-in from the
top.
And you are right. We banged our head in the previous
Administration trying to take this to a different level and get
their interest in it. But what so often happens with
administrations, they have so many different things to do and
different agency heads, that without a lot of additional money,
this doesn't become the priority. They want to make sure that
they are advancing their mission and they will take a chance of
a cyber attack hoping it doesn't occur on their watch and spend
the money in other areas.
Senator Carper. I appreciate the kind words you have had to
say about the legislation we have reintroduced this year. If
you were on this side of the dais, where you sat for many
years, and had an opportunity to contribute to the legislation,
to amend it, to make better what we have introduced, any
thoughts of what you would do, or what you would have us do, to
strengthen it further?
Mr. Davis. I alluded to one part in my testimony and that
is the fact that we are losing a lot of information and a lot
of secure information just by employees and contractors
mishandling this information, taking computers home. In the
case of the Veterans Administration, the employee that took
this home that had his computer stolen, it wasn't even
encrypted. We have now changed that through protocols.
But we are still--we have lost Census information, we have
lost hand-helds. We have people leaving with their computers
from government and sensitive information and nobody has
bothered to get it back. I think writing that into law would be
very helpful in terms of those kind of protections and making
sure that at least we are not being careless about this. If we
are going to get penetrated and hit, make them earn it. Don't
make it easy. And I think sometimes, as I said, any careless
employee can lose confidential information if it is not handled
right. I think that ought to be written into this.
Senator Carper. Alright. Thank you.
I suspect you have been following the current debate about
whether there ought to be a cyber coordinator, who is
supposed to help prioritize and align agency efforts. As you
know, FISMA clearly gives the responsibility for coordinating
the Federal Government's cyber security to OMB's Administrator
for E-Government. However, I am concerned that the people who
work in that office may not have the cyber security
qualifications that are needed or necessary to make sure that
agencies are cost-effectively securing their networks. In fact,
I am even more troubled that OMB has never asked, apparently,
how much money they spend on cyber security.
What are your thoughts on the role of the E-Government
office in the larger cyber security discussion, and what do you
believe should be the role of that office in overseeing agency
cyber security?
Mr. Davis. Well, you are going to hear from Vivek Kundra,
who is very able. He will have a perspective on that now,
having come to the Federal Government. He used to be with the
Commonwealth of Virginia, where he did an outstanding job. I am
glad the Administration has recognized his capability. So he
may have a little bit different perspective.
But coming from the legislative perspective on this, I
think you are spot on. The E-Government is the head of that
area. It may not have expertise in this particular area. Even
more important, I think, is navigating the land mines of
getting a consistency across government in terms of how this is
going to be implemented.
OMB, Homeland Security, I don't know how you want to pick
this. A Cyber Czar, though, or someone who has that particular
expertise and can navigate this so the Administration can get
everybody kind of marching to the same protocols, using the
same systems, instead of having it so stovepiped and
factionalized as it is now, is just a very important part of
solving this problem.
Senator Carper. Alright. Thanks.
Let me just follow up on that with another question that
relates to this. I understand that you have been briefed on
some of the benefits that the State Department has been able to
achieve with their new system. I was just wondering if there
were any risks associated with following that model. Sometimes,
as a recovering governor, we used to say that what would work
in Delaware may not work in Virginia. It may not work in
Missouri. It may work in Texas, but it works in Delaware. But
in some cases, there is one model that will serve in a variety
of different States, and in this case, agencies. But I wonder
if there are any risks with following the model that they have
pursued at the State Department? What do you see are some----
Mr. Davis. Well, I am not sure--first, I think State has
done just an outstanding job, and what they have done is they
have paid attention. They have taken the legislation seriously
and you have a dedicated cadre up there at the top that have
driven this.
What works at State may not work at Commerce. It may not
work in intelligence. I am not probably smart enough to know
that. But the one thing State has shown us is that when you get
agency officials that take this seriously, they can make a huge
difference. And, of course, State has been vulnerable to a
number of attacks, which I think has heightened their awareness
of this. I hope it doesn't take cyber attacks in some of these
other agencies to get them to up their awareness--but it is
just a good model of how you have people sitting around a room
thinking about what are their possible vulnerabilities and
coming up with a program to combat that.
Again, I don't know if I am qualified to talk about what
would work at different agencies and what the vulnerabilities
are, but that is just a good example. Their FISMA grade has
been excellent, not just because they checked the right boxes,
but because they have been operational in what they have done,
as well.
Senator Carper. OK. One of the things we are trying to
encourage agencies to do more of is this notion of continuous
monitoring, rather than just taking a snapshot every 3 years,
but to focus on this and monitor every day. Are there any
pitfalls with that that come to mind?
Mr. Davis. Well, the one pitfall when you are not just
monitoring it but when you are testing these is you run into
the Freedom of Information Act (FOIA) situation. You don't want
everybody to know what your vulnerabilities are. I think you
need to keep a cap on that so that you can make the appropriate
corrections.
The other thing I would add is there is a lot we can learn
from the private sector. The private sector has had to deal
with these issues even more than government, the banking
system, in particular, with the kind of penetrations that they
are getting, the hits they are getting. Opening up that
dialogue with the private sector is important to understand
what they have gone through and some of the innovations that
they have made. The difficulty comes in the FOIA laws. It comes
with antitrust. It comes from tort law and their ability to
share that information with us, and that is a dialogue, I
think, that needs to continue. But they can be a part. There is
a lot of expertise out there in the private sector we want to
harness and bring into government.
Senator Carper. Two more questions and I am all done. In
the Federal Information Security Management Act (FISMA) bill
that you helped to create, the Inspectors General are required,
I believe it is annually, to evaluate whether agencies are
doing the kind of security that they say they are doing in this
regard. For example, the Inspectors General use paperwork from
the certification and accreditation process to evaluate whether
agency security is really effective.
I understand that if all the agencies moved to an approach
like the one they have over at State, not much paperwork is
going to be produced. In fact, it seems to me that an Inspector
General could come at any time during the year, see whether the
agency's security is actually effective. I don't know if this
is a question you would be prepared to answer, but do you think
that is true, and what should be the role of the IGs in this?
Mr. Davis. Well, the IGs are independent. I mean, that is
the one reason that I think they are equipped to do this as
opposed to someone else who could be under the thumb of the
agency. You really want an independent to look at that. Now,
the IGs operate differently in different departments. They have
different burdens that they have to meet. But they bring an
independence to this which I think is critically important.
Senator Carper. And finally, you served on the House
Committee on Oversight and Government Reform for, I think you
said, maybe 14 years, as Chairman for 6 years, as Ranking
Member for another 2 years, and during that time, you and I
were able to work together to identify a couple of potentially
wasteful practices in the Federal Government, and I think in
one or two cases, we actually made some positive changes.
What do you see as the greatest opportunity for improving
the efficiency of cyber security spending in the Federal
Government?
Mr. Davis. Well, I think contracting. All this really comes
down to contracting, and when it is done ad hoc in stovepipes
by different agencies, not sharing information, not building it
together, you get a lot of systems that, at the end of the day,
some are better than others. They don't talk to each other. It
has to get coordinated.
One of the things I like about this bill is you use our
purchasing power together to drive those products and I think
that will bring it together much better than we have today. We
spend a lot of money. We don't always get what we want in
government contracting across the board. But in this particular
case, I think--I like your concepts that you have in this bill,
government using its power. I think that will drive a congruity
of products that is absolutely necessary in this case to get
this solved.
Senator Carper. Alright. Well, those are my questions. Some
of my colleagues who are waiting back in the anteroom until you
leave--no, they are not, but when some of my colleagues show
up, whether they show up or not, some of them are going to have
some questions that they would like to send along----
Mr. Davis. You can always get them to me. We are happy to
respond. You have a great second panel, as well, and thanks for
allowing me to share my views.
Senator Carper. It is great to see you. Thanks so much for
your previous service to our country, and not just for the
folks in Virginia, but also in Delaware and the other 48
States.
Mr. Davis. Thank you.
Senator Carper. Good luck. Take care.
The second panel is welcome to approach the table and take
your seats. Gentlemen, welcome. It is good to see you all, and
thank you for taking the time to be with us today.
I understand from Erik Hopkins, who has worked on this
legislation for a couple of years now, that we have on a dolly
up here some of the paperwork that kind of flows from--is it
just one agency? Not just from one agency, but from one system,
is that right, one system within one agency, their paperwork
from their certification and accreditations. If that is just
one system and one agency, I hate to think what would be the
case for the whole government.
Be careful, Mr. Streufert. You are not going to have a
place to sit here very soon. Well, that gives us some idea.
That is a fair amount of paperwork. And again, that is one
system and one agency. We wouldn't be able to see you guys--you
probably wouldn't be able to get in the room--if we had all of
them gathered here today.
Let me make some introductions to kick off our second
panel. We are going to hear from Vivek Kundra, who was
appointed Federal Chief Information Officer of the United
States by President Obama in March of this year. We are glad to
see you are still able to sit up and take nourishment and to be
here with us today. You look none the worse for wear.
As Congressman Davis mentioned earlier, prior to his taking
his current position, Mr. Kundra served in Mayor Fenty's
cabinet as the Chief Technology Officer for the District of
Columbia and in Governor Kaine's cabinet as Assistant Secretary
of Commerce and Technology for the Commonwealth of Virginia.
You are great to be here and we appreciate your service and
thank you for your presence.
Our next witness is no stranger before our Subcommittee.
Mr. Wilshusen. He is the Director of Information Security
Issues at the Government Accountability Office. We are told
today by our chaplain, Chaplain Barry Black, Chaplain for the
U.S. Senate, he said the words that people most enjoy hearing
in their lives is the sound of their own name. Among the words
that they least like to hear are their own name mispronounced,
so we will try to get your names right. But I will say, none of
your parents made this easy for a guy like me. [Laughter.]
So please bear with me. But I am told you have over 28
years of auditing, financial management, information systems
experience starting at the age of 12, and you have been at it
for quite a while. Before joining GAO in 1997, Mr. Wilshusen
held a variety of public and private sector positions, so we
thank you for coming back today.
Our last witness is John Streufert. Your name doesn't look
like ``Stroy-fert,'' but it is, isn't it? I bet it has been
mispronounced once or twice, hasn't it?
Mr. Streufert. Yes. Every day.
Senator Carper. You are the Chief Information Security
Officer at the Department of State. You are like our hero here
today, and we are here to celebrate what you have done and to
try to find out if it is something we can replicate in other
agencies.
I am told that since starting your current job, you have
been recognized for outstanding leadership and improving cyber
security at both the Department of State and the U.S. Agency
for International Development (USAID). In fact, Mr. Streufert
was a recipient of the Distinguished Presidential Rank Award in
2004 for his work at USAID, and I understand that you will show
us once again how we can improve cyber security, so good for
you.
With that having been said, we will turn to Mr. Kundra as
our first witness and ask you to proceed. Your statements will
be made part of the record, so feel free to summarize as you
wish. But you are recognized. Thank you.
TESTIMONY OF VIVEK KUNDRA,\1\ FEDERAL CHIEF INFORMATION
OFFICER, ADMINISTRATOR FOR ELECTRONIC GOVERNMENT AND
INFORMATION TECHNOLOGY, U.S. OFFICE OF MANAGEMENT AND BUDGET
Mr. Kundra. Good afternoon, Chairman Carper. Thank you for
the opportunity to testify on the Federal Information Security
Management Act and information security posture of the U.S.
Government.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Kundra appears in the Appendix on
page 39.
---------------------------------------------------------------------------
Our Nation's security and economic prosperity depend on our
digital infrastructure. The President's Cyberspace Policy
Review stated that cyber security threats are some of the most
significant economic and national security challenges of the
21st Century.
The groups of State and non-State actors that target U.S.
citizens, businesses, and Federal agencies are growing
exponentially. Daily, there are millions of attempts to attack
open ports and vulnerable applications across our government.
The Federal Government's current security posture does not
adequately confront the real-time threat factors that we face
on a daily basis. Hiring challenges, a focus on compliance, and
cumbersome reporting have inhibited effective cyber security
management. The Federal Information Security Management Act of
2002 raised awareness across the Federal Government regarding
information security, yet significant progress is essential
when it comes to execution.
To advance the Federal Government's security posture, the
Administration is taking steps in key areas, such as human
capital management, performance management, cost analysis, and
risk management. For example, in the area of human capital
management, we expedited the hiring authority for up to 1,000
cyber security professionals across the Department of Homeland
Security. This will enable DHS to recruit skilled cyber
analysts, developers, and engineers to secure our country by
securing our Nation against cyber attacks.
To enhance the performance monitoring, last week, we
actually launched CyberScope, an online platform for agencies
to submit security information that will allow us to analyze
and monitor the Federal Government's security posture in a
comprehensive manner. Prior to 2009, it took three full-time
employees to compile hundreds of spreadsheets that were e-mailed
to OMB by agencies in response to FISMA reporting
requirements. This laborious, unsecure process inhibited
insight into the security posture of the government. The
threats we face change daily, yet our legacy reporting
processes have been tied to manual, annual, and quarterly
processes to evaluate how secure we are.
The CyberScope platform will be leveraged to develop a
cyber security dashboard that will unlock the value of
agencies' submissions when it comes to FISMA reporting and also
the real-time posture across the Federal Government. Just as
the IT dashboard took us from a static, paper-based environment
to a dynamic, digital environment, the new cyber security
dashboard will provide the government with a real-time view of
threats facing us and our vulnerabilities.
For example, the State Department is supplementing its
FISMA reporting with a risk-scoring program that you alluded to
that scans every computer and server connected to its network
at least 36 hours on multiple security factors. Rather than
just conducting certifications and accreditations every 3
years, continued monitoring must be the norm across the
government.
To enable effective security cost analysis, we are asking
agencies for detailed security cost information for the first
time. We recognize that the best security is baked into the
systems and the architecture and investments that agencies are
making. Therefore, we see this as the beginning of the process
of obtaining relevant data. In the coming years, detailed cost
data combined with performance-based metrics will allow OMB and
agencies to effectively manage and make informed decisions when
it comes to risk.
To better manage risk, OMB has established a task force
that was launched last month to develop forward-leaning metrics
and making sure that those metrics are actually focused on
outcomes rather than process. To solicit the best ideas, we
have reached out across the Federal community as well as the
private sector. OMB plans to release the metrics for fiscal
year 2010 along with a road map of how we are going to move
from a culture of compliance to a culture of outcomes in the
first quarter of 2010. What gets measured gets done.
The threats we face are numerous, evolving faster than our
cyber defenses, and they have the potential to do great harm to
our cyber infrastructure. From the launch of CyberScope to the
hiring of up to 1,000 new DHS cyber security experts, the
Administration is committed to strengthening our cyber defense.
A secure, trusted computing environment in the Federal
Government is the responsibility of everyone involved, from
agency heads to those charged with oversight. It entails
employees, contractors, and the American people all working
together.
This will not be easy, nor will it occur overnight. Our
current actions represent important steps toward a strong cyber
defense and begin the shift from a culture of compliance to one
focused on real security to protect the digital infrastructure
that is so vital to our economic prosperity and national
security.
Thank you for the opportunity to testify. I look forward to
your questions.
Senator Carper. You bet. It is I who thank you.
Mr. Wilshusen, please proceed. Thank you, and welcome back.
TESTIMONY OF GREGORY C. WILSHUSEN,\1\ DIRECTOR, INFORMATION
TECHNOLOGY SECURITY ISSUES, U.S. GOVERNMENT ACCOUNTABILITY
OFFICE
Mr. Wilshusen. Mr. Chairman, thank you for the opportunity
to participate in today's hearing on how agencies can establish
cost effective cyber defense.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Wilshusen appears in the Appendix
on page 45.
---------------------------------------------------------------------------
FISMA, which was enacted in 2002, was intended to provide a
comprehensive framework for ensuring the effectiveness of
security controls over information resources that support
Federal operations and assets. It also requires agencies and
OMB to annually report on the adequacy and effectiveness of
agency information security programs and compliance with the
provisions of the Act. To help meet these requirements, OMB
established a uniform set of information security measures that
all Federal agencies report on annually.
Mr. Chairman, in light of questions about whether agencies
are measuring the right things in securing their systems, you
requested that GAO examine how organizations develop and use
metrics to assess the performance and effectiveness of their
information security activities. In a report being released
today, we describe the key types and attributes of information
security performance measures and the practices of leading
organizations in developing and using them, and compare those
measures and practices with those used by 24 major Federal
agencies and OMB.
Leading organizations and experts identified measures that
generally fell into three major types: Compliance, control
effectiveness, and program impact. They stressed the importance
of developing and using different types of measures to ensure
the measurement process is comprehensive and useful in
achieving their information security goals. They also reported
that all such measures generally have certain characteristics
or attributes. These attributes include being measurable,
meaningful, repeatable, and actionable.
Further, these organizations and experts indicated that the
successful development of measures depends on adherence to a
number of key practices, including focusing on risks, involving
stakeholders, assigning accountability for measures, and
linking them to business goals.
Mr. Chairman, we have determined that Federal agencies have
not always followed these key practices. While agencies have
developed measures that generally fall into each of the three
major types, on balance, they rely primarily on compliance
measures, which have a limited ability to gauge program
effectiveness. Agencies stated that, for the most part, they
predominately collected measures on compliance because they
were focused on measures associated with OMB's FISMA reporting
requirements.
In addition, while most agencies have developed some
measures that include the four key attributes identified by
leading organizations, these attributes were not always present
in all agency measures. Further, agencies have not consistently
followed key practices in developing measures, such as focusing
on risks.
Last, the measures established by OMB for FISMA reporting
purposes are primarily compliance-based. They focus on whether
control activity was implemented, not how well or how
effectively that control was implemented. Consequently, OMB's
report to Congress provides limited information about the
effectiveness of agencies' information security programs and
the security posture of the Federal Government.
In our report, we recommended that OMB provide direction
and guidance to agencies in developing and using measures that
better address the effectiveness of their information security
programs. We also recommended that OMB revise its annual FISMA
reporting guidance to require reporting on a balanced set of
performance measures, including measures that focus on
effectiveness of control activities and program impact, and to
revise its annual report to Congress to better provide
information on the effectiveness of agency security programs,
the extent to which major risks are being addressed, and
progress that has been made in improving the security posture
of the Federal Government.
OMB has generally agreed with our recommendations.
Implementing these recommendations will help to focus attention
on activities that will enhance the effectiveness of security
controls and improve the cyber defense of Federal computer
systems and information.
Mr. Chairman, this concludes my statement. I would be happy
to respond to any questions that you may have.
Senator Carper. Good. Thank you so much. Mr. Streufert, you
are number four.
TESTIMONY OF JOHN STREUFERT,\1\ CHIEF INFORMATION SECURITY
OFFICER AND DEPUTY CHIEF INFORMATION OFFICER FOR INFORMATION
SECURITY, BUREAU OF INFORMATION RESOURCE MANAGEMENT, U.S.
DEPARTMENT OF STATE
Mr. Streufert. Good afternoon, Chairman Carper. I am
pleased to have this opportunity to testify before the
Subcommittee regarding the Department of State's capabilities
for securing its global information and technology
infrastructure.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Streufert appears in the Appendix
on page 51.
---------------------------------------------------------------------------
The Department serves as the diplomatic front line in over
270 overseas posts by serving its 70,000 users with the
Worldwide Network and mission essential software applications.
The foreign policy mission makes an inviting target for attack
by highly-skilled cyber adversaries. However, the Department's
layered approach to risk management allows multiple levels of
protection.
In my role as the Chief Information Security Officer, I
have become intimately familiar with the benefits,
shortcomings, and promising opportunities to build upon the
current Federal Information Security Management Act of 2002.
Our goal is to ensure system security for diplomacy while
continuously improving the return on investment for each dollar
spent.
The passage of FISMA served as a game-changing event for
the Federal agency community. FISMA applies to all information
used on behalf of Federal departments and agencies on behalf of
American citizens. It established a holistic information
security program and also the responsibility of accounting to
oversight entities, including Congress. Together, these served
as valuable checks in determining the health of an agency's
information security program.
However, the Federal cyber landscape has changed in the
past 5 years. The implementation of Federal cyber security has
been typically undertaken through manual processes and
compliance checks, like in conducting an annual inventory of
systems, testing security not less than annually, reporting
quarterly on weaknesses to OMB and performing certification and
accreditation studies every 3 years.
Our cyber problems, though, have dramatically escalated in
severity and frequency. In a typical week, the Department of
State blocks 3.5 million spam e-mail and intercepts 4,500
viruses and detects over a million external probes to our
network. Of that number, in the past 2 years, the percentage of
malicious code attacks recorded at the Department of State on
trouble tickets has jumped from 38 percent in the year ending
August 2008 to 79 percent just 12 months later for that same
period. The volatility of changes to security-sensitive changes
has been equally problematic.
Ongoing demands for certification and accreditation studies
similar to this single system that I have shown the
documentation for here, amounted over 6 years to the
expenditure of $133 million, amassing a total of 50 shelf feet,
or 95,000 pages for just the 150 major information systems that
we were monitoring to this degree. This does not include the
databases for tracking system inventory or tracking the plans
of action and milestones to resolve the pending weaknesses.
This equates to the cost of the CSA report, not including the
related products, like the security plans, of roughly $1,400
per page.
And indeed, if there is any particular problem with this,
it is not the content of the report, it is the fact that you
could get a false sense of security that these snapshots
produce results on paper that are extraordinarily accurate but
out of date within days of being published, in fact, perhaps
out of date even in the time that it took to print these 2,000
pages.
In contrast, this month, the Office of Management and
Budget launched CyberScope, a secure streamlined interactive
data collection platform far more efficient in allowing and
also allowing research and analysis across Federal agencies.
The U.S. Chief Information Officer has similarly and in support
of this formed an interagency task force charged with
developing outcome-focused metrics for information security
performance by all Federal agencies and departments, including
the Department of State. Final metrics based on this work are
expected to be released later this fiscal year.
For its part, the Department began supplementing its FISMA
compliance reports and studies with a risk scoring program that
scanned every computer and server connected to its network not
less than every 36 hours on eight factors and twice a month for
safe configurations with software. This risk scoring program
utilizes best practices, such as the Consensus Audit
Guidelines, which was a collaborative effort between government
and industry.
To assess the vulnerabilities, we use the Common
Vulnerability Scoring System of the National Institute of
Standards and Technology and the Department of Homeland
Security, where scanning tools tag specific risks with point
values between zero and 10, with 10 being the highest
vulnerability. When the problem is resolved in this method,
risk points are deducted and a better score comes to the
technical team and organizations. This computation occurs no
matter where they are located across the world.
Since mid-July, overall risk on the Department's key
unclassified network, measured by the Risk Scoring Program, has
been reduced by 90 percent in overseas sites and 89 percent at
domestic sites, as the chart indicates.\1\ These methods have
allowed one critical piece of the Department's information
security program to move from snapshots in time to a program
that scans for weaknesses continually, identifies weak
configurations each 15 days, recalculates the most important
problems to fix in priority order on a daily basis, and issues
letter grades of A-plus through F monthly to managers so that
accountability for progress can be taken for every organization
as experience has indicated for them over the past 30 days. The
various score reports tabulate risk scores by region, compare
progress overseas to our domestic sites, and create
enterprise-wide summaries for senior management.
---------------------------------------------------------------------------
\1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
In short, these details empower administrators with
targeted daily attention to conduct remediation and offer
summaries to empower experts to our executives to oversee the
most serious problems.
Mr. Chairman, I want to conclude by emphasizing that the
Department's policies, technologies, business processes, and
partnerships in place continue to evolve and continue to meet
the challenges as the threats change in the cyberspace
environment. I thank you and the Subcommittee for this
opportunity to speak before you today and would be pleased to
respond to any of your questions.
Senator Carper. Thanks, Mr. Streufert, for that testimony.
Thanks for being a good role model over at the State Department
and USAID for the rest of us.
I just want to start with this chart,\1\ and it looks like
a reduced risk of cyber vulnerabilities, about 89 percent at
the State Department headquarters from July 2008 to July 2009,
and 90 percent abroad. Did you anticipate this kind of progress
in a year when you were getting into this? Did you anticipate
this kind of a record of achievement?
---------------------------------------------------------------------------
\1\ The chart referred to appears in the Appendix on page 100.
---------------------------------------------------------------------------
Mr. Streufert. At the Agency for International Development
(AID), we had similar progress, a two-thirds reduction in a
6-month period, so we had a feeling that it was possible but
had not yet tested this on the scale of an organization the
size of the State Department. We were certainly very pleased,
and at that point, we began discussing what had been found with
our colleagues.
Senator Carper. You mentioned this in your testimony. I
want you to go back. Kind of walk us through again why were you
so successful at the State Department and at AID before that?
What were the key elements again, please?
Mr. Streufert. This is an instance where support
beneficially comes from many parts of the organization. It
begins, as Congressman Davis indicated, with strong support at
the top, and I am pleased to say that the senior leadership of
the State Department has been very supportive at each step on
the way.
Senator Carper. When you say senior, how senior? What are
we talking about?
Mr. Streufert. Under Secretary for Management Patrick
Kennedy, and he has assembled an E-Government Oversight Board
for the Department of State. I have been able to speak on
progress before this group twice in the last year. So there has
been strong involvement from the top of the organization.
The next beneficial thing that one needs is the
coordination and----
Senator Carper. Why do you suppose the folks at the top
were so supportive?
Mr. Streufert. Well, we understand that strong information
security is essential for our mission. We are spread in 24 time
zones. The ability to send and receive information in support
of American citizens services, and in support of the passport
and visa process are vital to our mission. We understand that
we depend on the information systems, and therefore the
security related to them.
Senator Carper. OK. Other than support at the top, what
were the other key elements in your success?
Mr. Streufert. We brought together a coalition of 11
different organizations inside the State Department that worked
on technology matters, and that set the template where we could
begin our regular scanning. And after that point, when we
deployed the system, the fact that the individuals at each of
the embassies and consulates and headquarters organizations
could understand exactly what they needed to fix, it was of
substantial benefit to them to get some of the positive
reductions in risk points that the chart and our experience
indicates.
Senator Carper. Now, talk to us about other agencies being
able to replicate the success that you enjoyed at the State
Department. Other than cloning you, moving the agency heads
from State over to--cloning them and moving them into the other
agencies, how transferable is this to other agencies? What do
you think might transfer and what might not?
Mr. Streufert. One item that we always mention in
discussion with other cabinet departments is that we used
information that was already being collected in our
organization for other purposes, including producing the
certification and accreditation reports. Eighty percent of the
information, as an example, was an outgrowth of what we needed
to manage our servers and personal computers already. So it was
simply a question of lifting that data up and out of where it
was at the local level and then putting it in the security
warehouse. Once there, our dashboard calculates grades and
shows the most serious problems that need to be worked on.
Since many of the other parts of the Federal Government
have this software, the primary things to work on are assuring
that all of the networks are connected and that they have the
support structures in place in order to put the security
information out to the managers who want to make the changes.
And I should hasten to add, the progress at the State
Department came from thousands of individuals that were working
every day on their most serious problems, and that is where the
progress indeed came from.
Senator Carper. Let me ask, first, Mr. Kundra, and then Mr.
Wilshusen about replicating this kind of success. How do we go
about doing that? In fact, it may be something you have already
begun. I don't know.
Mr. Kundra. Yes. We started talking about this back in
April, and within the Federal CIO Council, Susan Swart, who is
the CIO at the State Department, has been sharing this approach
with our colleagues. But if you look at what we are doing
across the Federal Government, CyberScope is the first step in
that direction in terms of if you looked at the previous
approach, it was manual, it was based on a lot of paperwork and
didn't really produce meaningful insight where we could slice
and dice information across the Federal Government so we could
compare what was happening at Health and Human Services versus
State versus DOD versus Department of Energy. The first step is
to make sure that we are getting data and information so we
could get meaningful insight.
The second part of that is the task force on which we are
spending a lot of energy, and we would love to share the
metrics with you and get feedback from the Congress at the end
of November. These metrics are essentially going to be
focused on game changing ways where we can address real
security. So not necessarily asking the question, do you have a
patch management program, but getting to the point which is how
long does it take you to actually patch those systems.
And thinking about the Red Teams, it is not enough to just
say we have this file room that you pointed to. I talk about
how the files you see in that room are actually far more secure
than the very systems they are supposed to protect. So how do
we get Red Teams to validate that the information that is out
there, we are testing it against what we know in terms of
agencies and it makes it really difficult right now across the
Federal Government to spot patterns. So if we see a threat
vector that may start at the State Department, how do we know
we don't have the same threat vector at Health and Human
Services?
So we are in the early phases in terms of deploying a
Federal Government-wide approach. But the key here, as
Congressman Davis said, is to move away from this culture of
compliance and really move towards execution. How do we get
these things done and how do we apply some of these
methodologies? And I know that DHS and the National Institute
of Standards and Technology (NIST) are actually working with
the State Department to think through how this can be scaled
across other Federal agencies.
Senator Carper. Mr. Wilshusen, same question in terms of
replicability. What do you think we ought to be able to
replicate and why not?
Mr. Wilshusen. Well, I had the privilege of Mr. Streufert
giving me a presentation of his system last week, and so I
can't really attest to the accuracy of the data that he
presents, but a couple of things----
Senator Carper. Would you say that the accuracy is probably
pretty skeptical?
Mr. Wilshusen. Well, I just don't have data or evidence to
show that it is accurate. I can't say one way or the other. We
just haven't done the tests on that.
But what his system shows is a lot of promise. With regard
to replicability, one of the key aspects that it relies upon is
the ability to have automated tools in place that have the
capability to reach, touch, and then scan each of the devices
that are covered under this particular system. Now, the
Department of State has, according to their system, about
30,000 devices that are covered by this particular system.
It does at the present, as I understand it, cover Windows
workstations and servers. And so presumably, it might be able
to be replicated at other agencies to address those particular
servers if those other agencies allow a central point to be
able to go out and reach all those devices throughout the
entire organization, and that may or may not be the case. I
just don't know.
Senator Carper. Erik Hopkins, sitting right behind me, just
handed me a note that says, "Agencies are making the decision
right now to spend another $1.3 billion to produce the
paperwork we see here. Is there anything we can do about
that?" It is a pretty good question.
Mr. Wilshusen. It is, indeed. Certainly, as you know, FISMA
requires that agencies implement cost-effective solutions to
mitigate their risks, and one has to make the assessment, is
spending this amount of money on preparing presumably the
certification and accreditation documents appropriate?
If it is just to prepare paperwork, that is not really
cost-effective--the agency would not be receiving the true
value of the execution of the underlying processes that are
represented by that paperwork. Primarily, are they assessing
the risks? Are they developing and documenting controls that
mitigate those risks? And then are they providing the training
to staff, to implement those controls, testing and evaluating
those controls to make sure that they are operating as intended
and are effective? And then remediating deficiencies as those
become known?
Those are all activities that are required under FISMA with
regard to agencies' information security programs and some of
the activities that are required in order to go through the
certification and accreditation process. So if the process is
just to check off boxes on paperwork, then that is not very
useful. The important part is that the agencies are effectively
performing these processes in order to implement controls that
effectively protect their systems.
Senator Carper. Mr. Kundra.
Mr. Kundra. If I can add to that, I want to make sure as we
look at the paperwork that we are seeing here in systems that
the State Department is talking about and other agencies, I
agree in terms of the fact that the pendulum has definitely
swung too much towards a paperwork exercise. But I also want to
caution that some of these systems have very sensitive
information regarding the personal information of the American
people, Social Security numbers, and the processes conducted on
these systems are also very sensitive.
So although I recognize that there is a lot of paperwork
here, it is very important to make sure that this is also a
process that ensures accountability for the business owners in
terms of making sure that before a system goes online, have
they done a risk assessment? Have they thought about all the
risks? Do they have the right controls in place in terms of
running the system? Have they made sure that they have back-ups
and thought through the processes required to connect this to
other systems?
But what has happened, unfortunately, is a lot of agencies
are also treating this as a paperwork exercise rather than
saying, look, just like if an airplane were to take off, the
first flight, you would go through a number of checks, but
after it takes off, you need to make sure that you are
monitoring all the dials and the gauges to understand where you
are in the air. What has happened is, unfortunately, a lot of
agencies are substituting and are looking at these processes as
a 3-year exercise rather than saying, what do we do on an
ongoing basis after the system goes live? What do we do to make
sure that we are monitoring risk on a real-time basis?
Senator Carper. Alright. Mr. Wilshusen, did you want to add
anything else?
Mr. Wilshusen. Yes, I did. I would just echo what Mr.
Kundra mentioned, which is the fact that it is critical that
agencies provide a monitoring capability and test and evaluate
the effectiveness of their controls on a regular, current basis,
because the threats change, the vulnerabilities change daily.
Waiting every 3 years at specific points in time is not
adequately addressing those risks and threats. That is one of
the benefits of what Mr. Streufert has done at the Department
of State. As he mentioned, he is scanning his systems every 2
weeks to look for certain weaknesses and configuration changes
and that is an important control.
Senator Carper. When there is a penetration, sometimes
whoever the penetrator is leaves a back door to allow somebody
to come back in later on and create mischief. In a case where
that has happened, they have left a back door open. How would
your continuous monitoring and updating at the State Department
solve that problem, Mr. Streufert?
Mr. Streufert. This is a very critical question in
Congressman Davis's testimony as well as your own. The problem
is that there are back doors and then the action step of
deploying the Red Teams that do penetration tests trying to
break into the systems. The reason we believe this concern and
the practice of penetration tests is so good and worth
continuing all across the government and expanding it, as your
bill indicates, is that when we did this at the State
Department, we
found that 80 percent of the successful attacks which were
modeled in the penetration test were ethical hacking, as it is
called. We invite people to break in, though a surprise to us,
but with our understanding that it would be done. Eighty
percent of the successful attacks were based on known
vulnerabilities.
Senator Carper. Known to whom?
Mr. Streufert. Known to the National Institute of Standards
in this National Vulnerability Database that we use for
scoring. And so we know those problems are there. I would liken
it unto a burglar that can kick through a screen door to get
into a system and cause mischief, and once inside, what the
penetration tests show is that known vulnerabilities and weak
configurations, both referenced by Mr. Wilshusen in his
remarks, can allow lateral movement inside the networks.
So it is not that we will be able to prevent every attack.
It is that the higher the risk score is by these methods that
the National Institute of Standards and DHS have provided to
us, the more likely it is that we will be exposed to a very
easy attack. If it is within our control to change, and, in
fact, we proved that it is possible at the Department of State
over a period of just 12 months to have a significant effect, we
should do it as part of our responsibilities of protecting the
systems of the government.
Senator Carper. Alright. Thank you.
Mr. Wilshusen. This is consistent with the results of our
audits that we conduct at various different Federal agencies in
that we often find deficiencies that are related to unpatched
systems and other known vulnerabilities that have not been
corrected by the agencies. There have been a number of other
reports by private organizations that have consistently
reported that many successful attacks are based upon known
vulnerabilities for which patches have been available, some for
6 months or more. And so it is imperative that agencies take
appropriate steps to immediately address those vulnerabilities
and mitigate them before they can be exploited.
Senator Carper. Alright. Thank you.
I should have asked this question sooner, but I didn't. I
will go back to it now. Something that you said, Mr. Streufert,
kind of triggered this for me. When you look back to
Congressman Davis's presentation, some of the comments that he
made, is there anything there that you would want to go back
and kind of underline as especially important and noteworthy,
or something maybe you disagreed with?
Mr. Kundra. I think the approach of Red Teams, essentially
making sure that the government is focused on constantly trying
to find and penetrate our national infrastructure so that we
can get ahead of some of these threats, recognizing that if we
take an offense when it comes to our defense, we will be in a
much better situation than just having a strategy that focuses
on defense.
Senator Carper. OK. Mr. Wilshusen.
Mr. Wilshusen. I would agree with Mr. Kundra's remarks. I
would also agree with Mr. Davis's remarks related to having an
independent evaluation of agencies' information security
programs and that it is essential to have IGs be able to
examine and review the controls in the programs at their
particular agency. Having an independent evaluation is
critical, and in my mind, there are opportunities to improve
the effectiveness of those evaluations by assuring that they
are being performed in accordance with Generally Accepted
Government Auditing Standards and that they do, in fact,
include testing of the systems on a regular, frequent basis.
Senator Carper. OK. In other discussions we have had on the
issue of cyber security attacks and being ready for them and
being able to deter them or turn them back, some of the experts
we talk with have suggested that we simply need to do a better
job in contracting to make sure that the systems that we are
buying as a government, whether it is by agency or Federal
Government-wide, that they are better technology, just better
able by virtue of the way they are made and provided to the
agency to turn back attacks. I wonder to what extent did that
play a role in the State Department in terms of replicating, if
there are any lessons that we can take from that for the rest
of our government.
Mr. Streufert. I think that there are many ways that the
acquisition process could support this effort, and as we are
just in the beginning of the continuous monitoring phase of our
security programs in the government, we would want to take note
and try to get it right the first time.
One thing that the Department of State has already begun
implementing is the idea of associate contractor agreements
when we go out and compete our technical services work. This
idea was first employed in the Department of Defense with the
B-1B bomber, and the idea was that it was functionally
necessary for that airplane to hire many different contractors
that did the different parts of the airplane. But the question
was, would they be invited to work together, and so a clause
with associate contractor agreements was placed in the overall
contract and all of the subcontracts so that they would work
together. We believe that this is one of the factors at the
State Department that, over time, we will be able to improve by
making awards and asking the contractors to work together.
The second element under acquisition, the 20 most important
controls or consensus audit guidelines, is the view of many key
government and industry professionals in the security field
that we need tools around each of the 15 of the 20 categories
that are susceptible to automated verification at the State
Department. Our programs currently only implement
about four or five of the 15 areas that are under the
continuous evaluation and grading program. So if we awarded a
contract that had multiple providers for those 15 tools, then
the most compelling and innovative ways that industry would
give to the government would be regularly refreshed. So I think
a multiple-award contract would be very helpful.
Senator Carper. Mr. Kundra.
Mr. Kundra. The other area I would like to add is as we
think about the public-private partnership, it is very
important to recognize that we need to approach cyber security
from an ecosystem perspective, thinking about what technologies
are we buying, how are we buying them, and what are the default
settings in a lot of the software and hardware that we procure.
An example would be what we are doing with Microsoft in
terms of an operating system strategy, which is that if you
look at a Federal desktop core configuration, by fundamentally
changing the default settings, because most software companies
are going to design software and operating systems and have the
default settings so they are extremely easy to use, yet from a
public sector perspective, there are a lot of things that we
need to change to make sure that we are leaning towards greater
security to protect the privacy and security of the American
people.
So through this strategy, we have partnered with Microsoft
and we actually create a model configuration that prevents a
majority of the attack vectors that are out there. And
especially as we move towards a new platform with Windows 7, we
are working closely with Microsoft through NIST and DOD to make
sure that their core configuration is a secure one before we
even deploy it across the Federal Government.
Senator Carper. Alright. Thank you. Mr. Wilshusen.
Mr. Wilshusen. I would just like to add that the U.S.
Government spends about $70 billion a year on IT products and
services. I think that is the correct number. So there is a
certain leverage that the Federal Government has when it
procures these products and services to require certain minimum
security requirements. Certainly that will help potentially
enhance the security features on products that it buys and that
could also apply to other marketplaces, as well.
Having standard settings and standard requirements can also
potentially lead to cost savings, as well. One of the benefits
that we looked at when we had our review on Federal encryption
efforts was the Smart Buy program over at GSA in which agencies
were able to buy cost-effective encryption technologies at
almost pennies on the dollar, not quite, but at a huge cost
savings because they were able to take advantage of volume
discounts. So there are advantages to leveraging the Federal
procurement dollar and its acquisition policies.
Senator Carper. In a day and age when we have seen in the
first 8 years of this decade, we literally doubled our Nation's
debt, we ran it up by another $1.4 trillion last year, and
likely even more this year, every time we can save some pennies
on the dollar, that is good. It sounds like in this case it is
quarters on the dollar, which is even better.
A couple more questions and then we will wrap it up. This
would be a question really for the entire panel. In the current
FISMA legislation that we have drafted, Inspectors General must
evaluate whether agencies are securing their systems like they
say that they are securing them. That means that agencies are
spending $1.3 billion to produce the paperwork that the IGs use
to evaluate agency effectiveness. IGs then must spend even more
time and more money, perhaps another $1 billion or so, to see
whether the paperwork was accurate. So the government ends up
spending maybe over $2 billion, maybe it is $2.3 billion or so,
on a process that is basically flawed. It doesn't make a lot of
sense to me, and I don't think to others, as well.
Could each of you just take a couple of moments and tell us
what you think the role of the IG should be in cyber security?
And maybe better yet, how do we make the partnership between an
agency and that agency's IG more proactive, more collaborative,
so that we aren't wasting or they aren't wasting so much money?
Do you want to go first, Mr. Streufert?
Mr. Streufert. Yes, Senator Carper. This is a key question.
The first thing we might say is that these products in the
three-ring binders here, a systems security plan, a contingency
plan, testing plans, test results, these are all important
things to do. The finding of the State Department is that
with the modern tools that are increasingly available since
FISMA was put into law, we can do that 72 times more frequently
than the 3-year standard of producing these binders.
So the first thing to say is that as we look at the
possibility for continuous monitoring, the discussions between
the departments and the OIGs could be on data that was as fresh
as 15 days old, as opposed to what I will have to do unless
there is an adjustment. It will take me a full 8 months to
produce these 2,000 pages for the third time when I know that
many elements of that data I am already collecting every 2 to
15 days.
I would say that our conversations with the OIG would be
stronger if we had common measuring sticks for security, not
just in the vulnerability area, which we have already done very
well, but many other parts of our security program. And if we
had an agreement between the parties that managed the security
program of what were the criteria for evaluation in advance,
not just within an individual cabinet department but across the
entire government, we would be able to compare the relative
security between one cabinet department or agency and another.
I think the worst mistake of all we could make, even given
the dramatic nature of some of our expenditures on C&As, is to
make the mistake of doing less than we are currently doing. So
notwithstanding, I would be the first person to say that we
should try to use automated means rather than paper. We want to
make sure before we set aside the paper methods that we would
do our very best to make sure we have a stronger system than
the one that we just left behind.
Senator Carper. Mr. Wilshusen.
Mr. Wilshusen. And I would also agree to a large extent
with what Mr. Streufert said, in that many of these documents
that are being prepared are not being prepared just for the
benefit of the auditor, but, in fact, are being prepared in
order to adequately protect the systems that are being covered
by those documents.
Now, having said that, certainly auditors have a
responsibility to review the effectiveness of security
controls, and that includes testing a subset of systems. In our
examinations, while we do look at certain documents that are
the products or byproducts and artifacts of agency processes,
we are also looking at how systems are actually configured and
testing the effectiveness of those controls. So it is more than
just reviewing documents. It is actually doing a more in-depth
review, and that is what IGs are doing and should be doing, as
well, in addition to reviewing some of the artifacts that are
generated from agency security processes.
Senator Carper. Alright. Mr. Kundra, you get the last word
on this question, and then I have one more separate question
for you and we will call it a day.
Mr. Kundra. I think it is impossible to confront a real-
time threat, such as cyber warfare or adversaries and State
actors and organized crime that are actively trying to hack
into our systems, with a process that is built around annual
reporting, quarterly reporting, or whether you do it on a
monthly basis. What needs to happen in terms of the
relationship between the IGs and the CIOs is that they need to
have greater transparency into the same data and to move toward
a real-time platform so they could both see what is happening
on a real-time basis and constructively move the security
posture of the U.S. Government rather than relying on reports
that are created.
By the time that report is printed and handed over to the
IG, there is already a new threat factor that is created on a
real-time basis. The velocity at which these threats come and
the frequency cannot be addressed with a filing cabinet like
this.
Senator Carper. Good point. Thank you.
And the last question, I think I will direct it just to Mr.
Kundra unless other panelists think he mis-answers the
question, then you can correct him. In your current position,
how do you like what you are doing? Are you enjoying it? Is it
challenging? Do you ever get to go home at night?
Mr. Kundra. It is great. Very little sleep, but it is an
enormous opportunity to serve the country and to advance the
President's technology agenda.
Senator Carper. Alright. Good. In your current position, I
think you are maybe the person responsible for overseeing the
effectiveness of our Federal Government's cyber defense, and
that is a government, as we know, that is composed of hundreds,
maybe thousands of different systems. I am told that you have
relatively few, if any, cyber security experts that work for
you and I find that of concern, maybe even troubling.
But I find it even more troubling that OMB, which is known
for their budget prowess, has never asked for a detailed
accounting of what an agency spends on cyber security. I don't
know if that is true, but if it is true, why do you think it
has been the case? Why hasn't OMB, as far as I know, ever said,
well, what are you all spending for cyber security? And to
follow up, if that is true, are you going to do anything to
correct that situation?
Mr. Kundra. Sure. So that was actually one of the most
shocking things when we tried to do analysis as far as cyber
security was concerned. One was that the information that was
being submitted to OMB was being submitted in these
spreadsheets, hundreds of spreadsheets that were being mailed
in.
Two was, from a cost perspective, what was being collected
was aggregate security information. So what we did immediately
is for the 2009 report, we are getting to the detailed cost
allocation when it comes to information security, so we know
where is the government spending when it comes to products,
human capital, and specifically computer network attacks
(CNAs). And unfortunately, with a lack of that information,
what we aren't able to do is effective comparative analysis
between one agency and another, and more importantly, a deeper
understanding of how do our investments line up with our
vulnerabilities and where do we need to make those appropriate
investments.
But we are working very closely with DHS and the U.S.
Computer Emergency Readiness Team (US-CERT) specifically, and
as part of the FISMA reporting requirements in CyberScope, we
are going to be collecting all that data.
Senator Carper. If you will all just bear with me for one
moment, please.
[Pause.]
Senator Carper. I know I said the last question was the
last question. I am going to try to squeeze one more in here
before we let you go. Again, this is for Mr. Kundra, and if
others want to chime in, go ahead.
I think OMB has the ability to ask agencies if they would
follow a model similar to that of the Department of State. Do
you think that conducting a pilot, or maybe having a number of
agencies basically say, we want you to follow something
similar, do you think that is a good idea? Maybe it is
something you have given some thought to, or maybe you are
planning on doing it, or maybe you don't think it is a good
idea, but would you just think out loud for us on that?
Mr. Kundra. Sure. I actually think it is a great idea. That
is one of the reasons the State Department is actually talking
to the Veterans Administration. It is making the tool, the
software actually available to NIST and DHS, also, to figure
out how can that be scaled, recognizing that across Federal
agencies, HHS is going to have a very different environment.
But what is going to be common is they all have desktops,
certain network infrastructure, from routers to switches, and
figuring out how can we make sure that we are not duplicatively
spending money and creating new tools if we can leverage best
practices across a Federal Government.
From an OMB perspective, it is very important for us to get
the threat matrix across the entire Federal Government. So how
do we roll up this information at a DHS level so we get a real-
time posture from a security perspective?
Senator Carper. OK. Do you all want to comment at all on
what Mr. Kundra said? You don't have to, but if you would like
to, you are welcome to do so. Did he do OK?
Mr. Streufert. Yes. We very much appreciate the leadership
of Mr. Kundra and OMB on the issues of CyberScope to make our
reporting more efficient, and his very early willingness to
look at issues like dashboards. I think that our collective
commitment should be to one of continuous improvement. The
State Department has some ideas on this and we have worked on
it some. We want to share that with others. But I believe what
will happen is that as Vivek invites conversations more widely
in government, and he already has done so, good ideas will
come from all of the cabinet departments that we will be well
served to fold in and come up with the strongest possible
product as a government together.
Senator Carper. OK. I think we will wrap it up at this
point. I have another hearing that started at 9:30 this morning
that is still going on on climate change legislation. It will
be a full day.
A couple of thank yous. One to Mr. Streufert, to you and
your colleagues. I know you said it is not just you, there are
a lot of people involved at the State Department that are
responsible for the progress that is being made there and for
the example that you are able to provide for other Federal
agencies. But thank you for your leadership, and our
commendation is to you and to your colleagues. As we used to
say in the Navy, Bravo Zulu.
I want to thank Mr. Wilshusen for the report that we
received from you and your colleagues on cyber security
metrics. It is one I requested, I believe last year, but thanks
for that report.
And Mr. Kundra, thank you for taking on this responsibility
and giving it 110 percent, maybe more than that.
We are going to stay on this. We are going to push forward
on the legislation and get it enacted if we can. I know the
Chairman and Ranking Member of the full Committee on Homeland
Security and Governmental Affairs are interested in passing
even more comprehensive legislation on cyber security, and
there is some discussion of folding our piece into that, or
maybe moving what we are doing on its own if we want to try to
get it out there and moving along.
But thank you for helping inform our legislative path just
a little bit better today. I would encourage, Mr. Kundra, for
you and our friends at OMB to use this model that works and
other models that work and to replicate that success.
But maybe one or two points that I will make, and maybe I
am being redundant, but I will go ahead and make them anyway. I
think repetition can be helpful.
But the first point is we are spending way too much money
on a process that is flawed from the beginning. That is not to
take anything away from Congressman Davis and others who were
involved in the FISMA legislation from 2002, but it is a
process that is flawed. Writing a report about security is not
the same as investing in security, and with so much at stake,
we should be doing a much better job.
The irony of it is, we had a luncheon speaker at our weekly
caucus luncheon today who runs a big Federal agency and he
shared with us just some up-to-date information about the kind
of attacks that are underway every day, every hour, every
minute. It really puts this in real time and with a real sense
of urgency.
My next point is the fact that OMB is, I think, the only
one who really can make this happen absent Congress passing a
bill. I would again say, Mr. Kundra, actually take a hard look
at what you can do, and I sense that you are already doing
that, to make sure that we don't waste another year, another $1
billion, if not more, to do something that doesn't work very
well.
My last point is the fact that, obviously, we all need
to work together. I am pleased to see with the three of you
here before us, it is a pretty good model of how we can
cooperate and I hope that we are part of that, as well. But
technology changes so fast that without a partnership between--
not just among agencies, but also between the Legislative
Branch and the Executive Branch, Americans, unfortunately, are
going to end up on the losing end, and we don't want that to
happen.
I am going to ask, I think, for you all to come back to me,
I will put this in writing, but to come back to us in maybe 2
weeks with opportunities that you believe will lead to
efficiencies in defending our networks. If you do that, I would
be grateful. If you get any other questions from my colleagues,
then if you would respond to those within 2 weeks, that would
be terrific.
Thank you all very much for coming today, for your
testimony, and for the work that you are doing. I would
encourage you to continue on and we will do our best to have
you back. Thank you.
And with that having been said, this hearing is adjourned.
[Whereupon, at 4:07 p.m., the Subcommittee was adjourned.]
A P P E N D I X
----------
[Appendix material was reproduced only as graphics in the printed record and is omitted from this text.]