
                                                        S. Hrg. 112-219
                           AND COLLABORATION



                               before the

                              COMMITTEE ON
                          UNITED STATES SENATE

                                 of the

                      ONE HUNDRED TWELFTH CONGRESS

                             FIRST SESSION


                             MARCH 10, 2011


        Available via the World Wide Web: http://www.fdsys.gov/

                       Printed for the use of the
        Committee on Homeland Security and Governmental Affairs

66-677                    WASHINGTON : 2012
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.


               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware           SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas              JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana          RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri           JOHN ENSIGN, Nevada
JON TESTER, Montana                  ROB PORTMAN, Ohio
MARK BEGICH, Alaska                  RAND PAUL, Kentucky

                  Michael L. Alexander, Staff Director
  Christian J. Beckner, Associate Staff Director for Homeland Security
                       Prevention and Protection
                   Jeffrey E. Greene, Senior Counsel
               Nicholas A. Rossi, Minority Staff Director
   Brendan P. Shields, Minority Director of Homeland Security Policy
                  Luke P. Bellocchi, Minority Counsel
                  Trina Driessnack Tyrer, Chief Clerk
         Patricia R. Hogan, Publications Clerk and GPO Detailee
                    Laura W. Kilbride, Hearing Clerk

                            C O N T E N T S

Opening statements:
    Senator Lieberman
    Senator Collins
    Senator Brown
Prepared statements:
    Senator Lieberman
    Senator Collins

                        Thursday, March 10, 2011

Hon. Patrick F. Kennedy, Under Secretary for Management, U.S. 
  Department of State
Teresa M. Takai, Chief Information Officer and Acting Assistant 
  Secretary for Networks and Information Integration, U.S. 
  Department of Defense, and Thomas A. Ferguson, Principal Deputy 
  Under Secretary for Intelligence, U.S. Department of Defense
Corin R. Stone, Intelligence Community Information Sharing 
  Executive, Office of the Director of National Intelligence
Kshemendra Paul, Program Manager, Information Sharing 
  Environment, Office of the Director of National Intelligence

                     Alphabetical List of Witnesses

Ferguson, Thomas A.:
    Testimony
    Joint prepared statement with Teresa Takai
Kennedy, Hon. Patrick F.:
    Testimony
    Prepared statement
Paul, Kshemendra:
    Testimony
    Prepared statement
Stone, Corin R.:
    Testimony
    Prepared statement
Takai, Teresa M.:
    Testimony
    Joint prepared statement with Thomas Ferguson


Thomas E. McNamara, Former Program Manager of the Information 
  Sharing Environment at the Office of the Director of National 
  Intelligence, prepared statement
Markle Task Force on National Security in the Information Age, 
  prepared statement
Responses to post-hearing questions for the Record from:
    Mr. Kennedy
    Ms. Takai and Mr. Ferguson
    Ms. Stone
    Mr. Paul

                           AND COLLABORATION


                        THURSDAY, MARCH 10, 2011

                                     U.S. Senate,  
                       Committee on Homeland Security and  
                                      Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 3:06 p.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Collins, and Brown.


    Chairman Lieberman. The hearing will come to order. Good 
afternoon and thanks for your patience. We just were able to, 
Senator Collins and I, vote early. And I want to apologize in 
advance. I am going to have to step out for about 15 minutes in 
about a half-hour, but I shall return.
    In just 6 months and a day, we will mark the 10th 
anniversary of the attacks of September 11, 2001, and we will 
honor the memory of the nearly 3,000 people who were murdered 
that day in America.
    Our mourning over their deaths has always been compounded 
by the knowledge that those attacks might have been prevented--
certainly that was the implication of the 9/11 Commission 
Report--had our intelligence and law enforcement agencies 
shared the disparate facts they had gathered, enabling us to 
connect the dots.
    To prevent this from happening again, Congress passed 
several laws intended to strengthen information sharing among 
critical Federal agencies. Those acts included the Homeland 
Security Act, the Intelligence Reform and Terrorism Prevention 
Act (IRTPA), and the USA PATRIOT Act.
    Since then, the Executive Branch, I think, has made 
significant improvements in its information-sharing systems, 
and there is no question that far more information is now 
available to partners in other agencies who have a legitimate 
need for it.
    All this intelligence is further brought together at key 
nodes, such as the National Counterterrorism Center (NCTC), 
where it can be examined by intelligence specialists from a 
variety of agencies working together under one roof. And as a 
result, we have seen a number of successes in recent domestic 
and military counterterrorism operations that I think were 
thanks to that kind of information sharing, and I am going to 
cite some examples in a moment.
    But this Committee's recent report on the Fort Hood attack 
shows that information sharing within and across agencies is 
nonetheless still not all it should be, and that allowed in 
that case a ``ticking time bomb,'' namely Major Nidal Hasan, 
now accused of killing 13 and wounding 32 others at Fort Hood, 
to radicalize right under the noses of the Department of 
Defense (DOD) and the Federal Bureau of Investigation (FBI). So 
we need to continue improving our information-sharing 
    Now I fear the WikiLeaks case has become a rallying cry for 
an overreaction for those who would take us back to the days 
before September 11, 2001, when information was considered the 
property of the agency that developed it and was not to be 
    The bulk of the information illegally taken and given to 
WikiLeaks would not have been available had that information 
not been on a shared system, so the critics of information 
sharing argue.
    But to me this is putting an axe to a problem that requires 
a scalpel and misunderstands what happened in the WikiLeaks 
case and I think misstates the solution to the problem. We can 
and must prevent another WikiLeaks without also enabling 
Federal agencies, in fact, perhaps compelling Federal agencies 
to reverse course and return to the pre-September 11, 2001, 
culture of hoarding information.
    We need to be smarter about how information is shared and 
appropriately balance security concerns with the legitimate 
needs of the users of different types of information. Methods 
and technologies for doing so already exist. Some of them I 
gather have been put into place since the WikiLeaks case, and 
we need to make sure that we utilize them as fully as possible 
across our government.
    The bottom line is we cannot walk away from the progress we 
have made that has saved lives. I will give you a couple of 
quick examples.
    U.S. Special Forces and elements of the intelligence 
community have shared information and worked exceptionally well 
together in war zones to combat and disrupt terrorist groups 
such as al-Qaeda in Iraq and the Taliban in Afghanistan. And 
that would not happen without information sharing.
    Here at home, we have used information sharing to enhance 
the role of State, local, tribal, and private sector entities 
in our fight against terrorists. And those efforts have paid 
off--most recently in the case of a chemical supply company in 
North Carolina that alerted the FBI to suspicious purchases by 
a Saudi Arabian student in Texas who turned out to be building 
improvised explosive devices.
    So we need to fix what is broken without going backwards. 
Today I look forward to hearing from each of our witnesses 
about what they are planning to do to improve the security of 
classified networks and information, while still ensuring that 
information is shared effectively in the interest of our 
Nation's security.
    I would also like to hear how Congress can work with you on 
these efforts either with legislation or through more targeted 
funding. Efficiently sharing classified information while 
effectively securing that information is critical to our 
Nation's security and our national values. We can and must have 
    Senator Collins.


    Senator Collins. Thank you, Mr. Chairman.
    Effective information sharing among Federal law enforcement 
and civilian and military intelligence agencies is critical to 
our security. The 9/11 Commission found that the failure to 
share information across the government crippled efforts to 
detect and potentially prevent the attacks on September 11, 
2001. Improving this communication was a critical part of the 
Intelligence Reform and Terrorism Prevention Act that Senator 
Lieberman and I authored in 2004.
    The WikiLeaks breach should not prompt a knee-jerk reaction 
on the sharing of vital information and its use by those 
analysts who need it to do their jobs. We must not let the 
astonishing lack of management and technical controls that 
allowed a private in the army to allegedly steal some 260,000 
classified State Department cables and some 90,000 intelligence 
reports to send us back to the days before September 11, 2001.
    Unfortunately, we continue to see agency cultures that 
resist sharing information and coordination with their law 
enforcement and the intelligence counterparts. Almost 10 years 
after September 11, 2001, we still witness mistakes and 
intelligence oversights reminiscent of criticisms predating our 
reforms of the intelligence community. Among those cases where 
the dots were not connected and information was not effectively 
shared are Abdulmutallab, the so-called Christmas Day bomber, 
and Nidal Hasan, the Fort Hood shooter.
    At the same time, as the Chairman has pointed out, there 
have been several cases that underscore the incredible value 
and benefit of information sharing, and an example is, as the 
Chairman has noted, the case of Mr. Zazi, whose plans to bomb 
the New York City subway system were thwarted.
    As such successes remind us, we must not allow the 
WikiLeaks damage to be magnified twofold. Already the content 
of the cables may have compromised our national security. There 
have been news reports describing the disclosure of these 
communications as having a chilling effect on our relationships 
with some of our closest allies. More important, however, they 
likely have put at risk some of the lives of citizens, 
soldiers, and partners.
    Longer lasting damage could occur if we allow a culture to 
re-emerge in which each intelligence entity views itself as a 
separate enterprise within the U.S. counterterrorism structure, 
with each attempting to protect what it considers to be its own 
intellectual property by not sharing it with other 
counterterrorism agencies. If those stovepipes reappear or 
worsen, we will certainly be in more danger.
    Such a step backward would run counter to the policy goals 
embodied in the 2004 Intelligence Reform Act, articulated by 
law enforcement and the intelligence community leadership, and 
underscored in multiple hearings before this Committee; and, 
that is, to effectively detect and thwart terrorists, the 
``need to share'' must replace the ``need to know.''
    I would also like to hear today about the possible 
technological solutions to the problems that allowed for the 
disclosures to WikiLeaks. For example, my credit card company 
can detect out-of-the-ordinary charges on my account almost 
instantaneously. Yet the military and intelligence communities 
were apparently unable to detect more than a quarter million 
document downloads in less than 2 months. Surely, the 
government can make better use of the technology currently 
employed by the financial services industry.
    It is also notable that the intelligence community was 
already required to install some audit capabilities in its 
systems by the 2007 homeland security law, which we authored, 
that could well have included alerts to supervisors of 
suspicious download activity. Had this kind of security measure 
been in place, security officers might have detected these 
massive downloads before they were passed on to WikiLeaks.
    Technology and innovation ultimately should help protect 
information from unauthorized disclosure, while facilitating 
the appropriate sharing of vital data.
    I would also like to explore today the implementation of 
role-based access to secure classified information. Instead of 
making all information available to anyone who has access to a 
classified system, under this model, information is made 
available in a targeted manner based on individuals' positions 
and the topics for which they are responsible. Access to 
information not directly relevant to an individual's position 
or responsibilities would require the approval of a supervisor.
    We must craft security solutions for the 21st Century and 
beyond. We live in a world of Twitter and instantly viral 
videos on YouTube. We must strive to strike the appropriate 
balance that protects classified and sensitive information 
while ensuring the effective sharing of vital data. We can use 
the most cutting edge technology to protect the traditional 
tools of statecraft and intelligence--those tools of 
relationships and information.
    Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Collins, for that 
thoughtful opening statement.
    I want to thank the witnesses who are before us for coming, 
also for the thoughtful written testimony you have submitted to 
the Committee, which will, without objection, be included as 
part of the record.
    Now we will begin with Patrick Kennedy, who is Under 
Secretary for Management at the Department of State. Welcome, 
Mr. Kennedy.


    Mr. Kennedy. Thank you very much. Chairman Lieberman, 
Ranking Member Collins, and Senator Brown, thank you for this 
opportunity to address information sharing after WikiLeaks and 
to discuss Executive Branch efforts to ensure that information 
is shared effectively yet securely and in a manner that 
continues to advance our national security. The State 
Department and our interagency partners have long been working 
to obtain both appropriate information sharing and protection, 
and after WikiLeaks, we have focused renewed attention on 
achieving these dual objectives.
    \1\ The prepared statement of Mr. Kennedy appears in the Appendix 
on page 33.
    From my perspective, serving over 30 years with the State 
Department, both overseas and in Washington, and also serving 
as the first Deputy Director of National Intelligence for 
Management, I especially appreciate your efforts to address 
with us the challenges of information sharing and security. I 
can assure you that we at the State Department remain committed 
to fully sharing our diplomatic reporting within the 
interagency with safeguards that are reasonable, pragmatic, and
    For diplomatic reporting, the State Department has 
historically communicated between Washington and overseas posts 
through messages which convey internal deliberations relating 
to our foreign relations and candid assessments of overseas 
conditions. This reporting provides the State Department and 
other U.S. Government agencies crucial information essential to 
advancing our national interests, and we continue to this day 
to share this reporting through automatic dissemination to over 
65 U.S. Government agencies.
    In late November 2010, when the press and WikiLeaks 
announced the release of purported State Department cables, we 
immediately established a 24/7 WikiLeaks Working Group of 
senior State Department employees; we did suspend the Secret 
Internet Protocol Router Network (SIPRNet) to Net Centric 
Diplomacy, the database of State Department cables, while 
retaining all of our other distribution systems to other 
agencies. We also created a mitigation team to address policy, 
legal, and counterintelligence issues.
    For continued mitigation efforts, both within the State 
Department and interagency, we continue to deploy an automated 
tool that monitors State's classified network to detect 
anomalies not otherwise apparent, backed up by a staff who 
analyze these anomalies. Cable distribution has been limited to 
the Joint Worldwide Intelligence Communications System and our 
traditional system that reaches out, as I said, to 65 agencies. 
We are now evaluating other systems for distribution, such as a 
searchable database that relies on metadata.
    The State Department has continued to work with information 
management issues interagency through the Interagency Policy 
Committee (IPC), chaired by the White House's Special Adviser 
for Information Access and Security, as well as through 
existing IPCs.
    The challenges of grappling with the complexities are 
    The first is ensuring information-sharing policies are 
consistently directing the use of technology to solve problems, 
not the other way around. Post-September 11, 2001, the focus 
was on providing technical solutions to information sharing. As 
a result, technical experts were asked to develop solutions to 
the barriers. The post-WikiLeaks environment reminds us that 
technology is a tool to execute solutions but it is not in 
itself the answer. Simply put, we must more consistently sort 
out what we need to share before determining how to share it. 
Connecting systems and networks may provide the means to share 
information, but we must still manage and share this content in 
an effective and efficient way, as both of you mentioned in 
your opening statements.
    The national security community must do a better job of 
articulating what information is appropriate to share with the 
widest appropriate distribution and what is more appropriately 
confined to a narrower audience across the community in order 
to ensure adequate safeguards. The State Department believes 
that the way in which we share messages through our traditional 
means of dissemination and the steps we have taken since 
November are leading us firmly in that direction.
    The second main challenge involves each agency's rigorous 
adherence to existing and improved information security 
policies, as both of you have noted. This includes improved 
training in the use of labels to indicate appropriate breadth 
of dissemination. The Executive Order on classified information 
establishes the basic levels of classification. From that 
foundation, individual agencies may still have their own 
captions that denote how information should be disseminated 
because obviously not every person with a security clearance 
needs every piece of worldwide information. Agencies that 
receive information need to understand how to handle that 
captioned information so that it is not inappropriately made 
available to too wide an audience.
    The Office of Management and Budget (OMB) has directed 
agencies to address security, counterintelligence, and 
information issues through special teams. We believe that our 
Mitigation Team serves as a model for broad, cross-discipline 
coordination, or governance because it brings together the 
various subject matter experts. Many information-sharing and 
security issues can be resolved at the agency level as long as 
there are standards in place for agencies to execute. For the 
most part, standards have been created by existing interagency 
bodies, but there are some areas where further coordination is 
    The third main challenge involves the coordination, or 
governance, of information management. Numerous interagency 
groups are wrestling with the issues related to technological 
aspects of information sharing, such as those dealing with 
standards, data standards, systems, and networks. Others are 
wrestling with the policy decisions of who should have access 
to what information. New interagency governance structures to 
coordinate information sharing have been developed, including 
those focused, as you rightly note, on sharing with State, 
local, and tribal governments, as well as with foreign 
partners. In keeping with the first challenge, these new 
structures should maintain or increase focus on defining the 
content to be shared and protected as well as on the technology 
which is to be shared and used. Each agency must be confident 
that security processes and procedures are applied in a uniform 
and consistent manner in other organizations. And, in addition, 
it must be understood that material originating in one agency 
will be treated by other agencies in accordance with mutually 
understood handling instructions.
    The State Department shares information with the intent of 
providing the right people with the right information at the 
right time. We will continue to share our diplomatic reporting 
in order to advance our national security information. We 
recognize the imperative to make diplomatic reporting and 
analysis available throughout the entire interagency community. 
The State Department will continue to do this in order to 
fulfill our mission.
    We remain committed to both appropriately sharing and 
protecting critical national security information, but this 
commitment requires, as you have noted, addressing multiple, 
complex issues. We must find the right policies; we must find 
the right technologies; and we must continue to share.
    Thank you for this opportunity to appear before you today. 
I look forward to working with you on the challenges and would 
be pleased at the right time to respond to any questions you 
might have. Thank you.
    Chairman Lieberman. Thanks very much, Secretary Kennedy.
    Now we are going to hear from Teresa Takai, Acting 
Assistant Secretary for Networks and Information Integration, 
Chief Information Officer, U.S. Department of Defense. Welcome.

                   U.S. DEPARTMENT OF DEFENSE

    Ms. Takai. Thank you, sir. Thank you for that introduction. 
Chairman Lieberman, Ranking Member Collins, and Senator Brown, 
thank you for the invitation to provide testimony on what the 
Department of Defense is doing to improve the security of its 
classified networks while ensuring that information is shared 
    \1\ The joint prepared statement of Ms. Takai and Mr. Ferguson 
appears in the Appendix on page 44.
    As noted, I am Teri Takai, and I serve as the principal 
adviser to the Secretary of Defense for Information Management, 
Information Technology, and Information Assurance, and as such 
am responsible for the security of the Department's networks 
and then coordinating the Department's mitigation efforts in 
response to the WikiLeaks incident.
    With me is Tom Ferguson, Principal Deputy Under Secretary 
for Intelligence. He serves as the principal staff adviser to 
the Under Secretary of Defense for Intelligence and is 
responsible for policy and strategic oversight of all DOD 
intelligence, counterintelligence, and security policy, plans, 
and programs, as delegated by the Under Secretary for 
Intelligence. In this capacity, Mr. Ferguson oversees the 
development and implementation of the Department's information-
sharing policies.
    Mr. Ferguson and I have submitted a detailed statement for 
the record, but I would like to briefly highlight a few of the 
Department's efforts to better protect its sensitive and 
classified networks and information while ensuring its ability 
to share critical information with other partners and agencies 
is continued.
    Immediately following the first release of documents on the 
WikiLeaks Web site, the Secretary of Defense commissioned two 
internal DOD studies. The first study directed a review of DOD 
information security policy. The second study focused on 
procedures for handling classified information in forward-
deployed areas. Results of the two studies revealed a number of 
findings, notably that: Forward-deployed units maintained an 
overreliance on removable electronic storage media; second, 
roles and responsibilities for detecting and dealing with an 
insider threat needed to be better defined; and, finally, 
limited capability existed to detect and monitor anomalous 
behavior on classified computer networks.
    The Department immediately began working to address the 
findings and improve its overall security posture to mitigate 
the possibility of another similar type of disclosure. The most 
expedient remedy for the vulnerability that led to WikiLeaks 
was to prevent the ability to remove large amounts of data from 
the Department's secret classified network using removable 
media, such as discs, while allowing a small number of 
computers to retain, under strict controls, the ability to 
write removable media for operational reasons. The Department 
has completed disabling the write capability on all of its 
SIPRNet machines except for approximately 12 percent that 
maintain that capability for operational reasons, largely in 
deployed areas of operation. The machines that maintain write 
capability are enabled under strict controls, such as using 
designated kiosks with two-person controls.
    We are also working actively with National 
Counterintelligence Executive on its efforts to establish an 
information technology insider detection capability and an 
Insider Threat program. Mr. Ferguson's organization is leading 
that effort for the Department of Defense, and they have been 
developing comprehensive policy for a DOD Counterintelligence 
Insider Threat Program.
    In addition, DOD is developing Web-enabled information 
security training that will complement DOD's mandatory annual 
information assurance training, and the Joint Staff is 
establishing an oversight program that will include inspection 
of forward-deployed areas.
    As DOD continues efforts to improve our information-sharing 
capabilities, we will strive to implement the mechanisms 
necessary to protect the intelligence information without 
reverting back to pre-September 11, 2001, stovepipes. DOD is 
working closely with its interagency partners, several of whom 
join me here today, to improve intelligence information sharing 
across the government while ensuring the appropriate protection 
and safeguards are in place.
    I would like to conclude by emphasizing that the Department 
continues to work towards a resilient information-sharing 
environment that is secure through both technological solutions 
and comprehensive policies. Mr. Ferguson and I thank the 
Committee for the opportunity to appear before you today, and 
we look forward to answering your questions.
    Senator Collins [presiding]. Thank you.
    Mr. Ferguson, I am told that you do not have a prepared 
statement. Is that correct?
    Mr. Ferguson. That is correct. Ms. Takai has a nicer voice 
than I do and has given our joint statement.
    Senator Collins. Thank you.
    Before I turn to our next witness, we have been joined by 
Senator Brown, and I just wanted to give him an opportunity for 
an opening statement if you would like to have one.
    Senator Brown. Thank you. I am actually eager to hear from 
the witnesses and ask questions, but thank you for the offer.
    Senator Collins. Thank you. Then we will proceed.
    Our next witness is Corin Stone, who is the Intelligence 
Community Information Sharing Executive from the Office of the 
Director of National Intelligence (ODNI). We welcome you. 
Please proceed with your testimony.

                     NATIONAL INTELLIGENCE

    Ms. Stone. Thank you, ma'am. Chairman Lieberman, Ranking 
Member Collins, and Senator Brown, thank you for inviting me to 
appear before you today to discuss the intelligence community's 
progress and challenges in information sharing. I want to first 
recognize the Committee's leadership on these important issues 
and thank you for your continued support as we address the many 
questions associated with the need to share information and the 
need to protect it. Your leadership and oversight of 
information sharing, especially as we come up to the 10-year 
anniversary of September 11, 2001, has been invaluable. I look 
forward to our continued participation and partnership on this 
complex and vitally important issue.
    \1\ The prepared statement of Ms. Stone appears in the Appendix on 
page 52.
    As the Intelligence Community Information Sharing 
Executive, I am the Director's focal point for all intelligence 
community information-sharing matters, providing guidance, 
oversight, and direction on information-sharing priorities and 
initiatives across the community. In that capacity, I work in 
coordination with my colleagues at the table and across the 
community on comprehensive and strategic management information 
sharing, both internally and with all of our mission partners.
    My main focus today concerns information that is derived 
from intelligence sources and methods or information that is 
reflected in the analytic judgments and assessments that the 
intelligence community produces. I want to be clear, though, 
that our concern for the protection of information is not only 
narrowly focused on sources and methods.
    As we have seen recently through WikiLeaks, the 
unauthorized disclosure of classified information has serious 
implications for the policy and operational aspects of national 
security. We all have networks that must be secured, and as 
technology continues to advance, my colleagues and I remain 
deeply committed to keeping up with the ongoing challenges we 
    I am acutely aware that our major task is to find what the 
Director of National Intelligence (DNI) has termed ``the sweet 
spot'' between the two critical imperatives of sharing and 
protecting information. Every day our officers work tirelessly 
to tackle challenges of increasing complexity in a world that 
is interconnected, fast-paced, and ever changing, sharing vital 
information with each other, customers and partners, leading to 
better prepared senior policymakers across the Executive Branch 
and Congress.
    It is important to note that the community's work on these 
complicated questions predates the recent unauthorized 
disclosures by WikiLeaks. As you know, the challenges 
associated with both sharing and protecting intelligence are 
not new and have been the subject of major effort in the 
intelligence community for years. However, these latest 
unauthorized disclosures underscore the importance of our 
ongoing and comprehensive efforts to address these evolving 
    Working with the whole of government to address these 
issues, the intelligence community's strategy involves three 
interlocking elements.
    The first is access, ensuring that the right people can 
discover and have access to the networks and information they 
need to perform their duties, but not to information that they 
do not need.
    The second element is technical protection, technically 
limiting the ability to misappropriate, manipulate, or transfer 
data, especially in large quantities.
    And the third area is auditing and monitoring, taking 
actions to give the intelligence community day-to-day 
confidence that the information access granted to our personnel 
is being properly used.
    As we work to both share and protect networks and 
information, we must never lose sight of the sweet spot. As we 
continue to increase how much information is shared, we must 
also increase the protections in place to ensure information is 
being properly used and safeguarded. This is the only way to 
create the necessary trust and confidence in our systems that 
will foster appropriate information sharing. It is a matter of 
managing risk, and people, policies, processes, and technology 
all play important interconnected roles in managing that risk.
    However, it is also important to note that while all of our 
capabilities can reduce the likelihood and impact of 
unauthorized disclosures, in the final analysis our system is 
based on trust--trust in the individuals who have access to 
classified information and trust that they will be responsible 
stewards of this Nation's most sensitive information.
    Whether classified information is acquired by a computer 
system, a classified document, or simply heard in a briefing or 
a meeting, we have had bad apples who have misused this 
information before, and we will, unfortunately, have them 
again. This reality does not mean we should err on the side of 
not sharing; rather, we must put all proper safeguards in 
place, continue to be forward leaning to find a threat before 
disclosures occur, be mindful of the risks, and manage those 
risks with the utmost diligence.
    Thank you for the Committee's time, and I welcome your 
    Senator Collins. Thank you.
    Our final witness on the panel this afternoon is Kshemendra 
Paul, who is the Program Manager for Information Sharing 
Environment of the Office of the Director of National 
Intelligence. Welcome, Mr. Paul.


    Mr. Paul. Thank you, Chairman Lieberman, Ranking Member 
Collins, and Senator Brown. Thank you for the opportunity to 
speak about our efforts to effectively share and protect 
information at every level of government. Thank you for your 
attention to information-sharing reform efforts and your 
support of my office's mission. I also want to recognize my 
fellow panelists, key partners in government-wide efforts to 
further strengthen information sharing and protection.
    \1\ The prepared statement of Mr. Paul appears in the Appendix on 
page 59.
    As the WikiLeaks story emerged, concerns were voiced that 
the information-sharing efforts would suffer a setback. This 
Administration is committed to strengthening both information 
sharing and information protection. While complex and 
challenging, we do not see these goals as conflicting. Guidance 
throughout the Executive Branch has been consistent. We need to 
accelerate information sharing in a responsible and secure way.
    The WikiLeaks breach is not principally about information-
sharing challenges. A bad actor allegedly violated the trust 
placed in him. While we cannot always stop bad actors, we can 
and must take this opportunity to reassess our posture, our 
progress, and our focus related to improving and strengthening 
information sharing and protection.
    The challenges highlighted by the WikiLeaks breach are 
complex and go to deeply rooted issues: First, the perpetuation 
of agency-based, bilateral, and fragmented solutions versus 
common and comprehensive approaches to information sharing and 
protection; second, the need to improve our counterintelligence 
posture and some of the other technical considerations that my 
fellow panelists have talked to; and, finally, while the breach 
involves classified information, we need to be mindful that the 
root cause issues and the sensitivities extend to sensitive but 
unclassified information also. It is a whole-of-government 
problem, not just a classified national security problem.
    I would like to clarify the information-sharing environment 
and my role. The purpose of the information-sharing environment 
is to improve the sharing of terrorism-, homeland security-, 
and weapons of mass destruction-related information across 
Federal, State, local, and tribal agencies and with our 
partners in the private sector and internationally.
    The information-sharing environment spans five communities: 
Defense, intelligence, homeland security, law enforcement, and 
foreign affairs. It is defined as a cross-cutting, horizontal, 
data-centric, trusted information-sharing and protection 
capability. My role is to plan for and oversee the agency-based 
buildout, and manage the information-sharing environment. But 
my office is not operational. Agencies own the mission, 
agencies set policies and procedures, and agencies make the 
investments that interconnect our networks, databases, 
applications, and business processes. These agency-based 
contributions together form the information-sharing 
    The law grants the program manager's role governmentwide 
authority. This authority is exercised primarily two ways: 
First, I am the co-chair of the White House's Information 
Sharing and Access Interagency Policy Committee; through that 
role, we work through policy and oversight issues; and, second, 
through my partnership with the Office of Management and 
    We are being deliberate and collaborative in our approach 
to further strengthening information sharing and protection. We 
have put an emphasis on governance and outreach. My office, 
together with my mission partners, is leading the refresh of 
the 2007 National Strategy for Information Sharing. We are 
using this opportunity to leverage common mission equities to 
drive common policies and capabilities. And we are 
orchestrating specific agency-led sharing and protection 
initiatives with our partners.
    We believe this work provides a framework for strengthening 
efforts to address the root cause issues associated with the 
WikiLeaks breach. These capabilities will result in further 
assuring the proper sharing and protection of information.
    Our work across mission partners is profiled in our annual 
report to the Congress delivered every summer. I also encourage 
those interested in following or influencing our efforts to 
visit our Web site and to participate in upcoming online 
dialogues aimed at shaping our future direction.
    In closing, our efforts have been and continue to be 
focused on accelerating information sharing in a secure and 
responsible way. Effective information sharing and 
collaboration are absolutely essential to keeping the American 
people safe.
    Thank you for the opportunity to participate in this 
hearing. I also would appreciate any comments, directions, 
support, or feedback that you can provide to me in my office. 
My fellow panelists and I look forward to your questions.
    Senator Collins. Thank you very much for your testimony, 
and I thank all of the witnesses.
    I want to express my personal frustration with this issue. 
Our Committee has held hearings on the lack of information 
sharing in the case of Abdulmutallab, where credible 
information was given to our embassy in Africa but did not make 
its way in a timely fashion to the National Counterterrorism 
Center and, thus, Abdulmutallab was not listed on the No Fly 
List. So there is an example of credible information that 
should have been shared across government but was not.
    Similarly, in our investigation into the Fort Hood attacks, 
we found that credible information about Major Hasan's 
communications with a known terrorist suspect was not shared by 
the Joint Terrorism Task Force with the Army--another terrible 
failure in information sharing.
    Now, there have been successes as well. But I mention those 
two failures to contrast and raise such questions with how an 
Army private allegedly was able to download hundreds of 
thousands of classified documents, cables, and intelligence 
reports without being detected, and that baffles me. It also 
frustrates me because in 2007, Senator Lieberman and I authored 
homeland security legislation that included a requirement that 
military and intelligence agencies install audit capabilities 
with robust access controls on classified systems. And those 
technologies that would enable us to audit information 
transmission and authenticate identities for access control are 
not new. They are widely used. And the serious cyber risks 
associated with the use of removable media devices, such as 
thumb drives, have been known for many years.
    How did this happen? How could it be that a low-level 
member of the military could download such a volume of 
documents without it being detected for so long? That truly 
baffles me. I do not know who to start with. Mr. Ferguson, do 
you want to take a crack at that?
    Mr. Ferguson. I will be the first in the pond. Let me take 
it in a couple steps. Your question has a lot of parts to it.
    The rank of Private Bradley Manning is really not so much 
the issue. It was what his responsibilities were. He was there 
to provide intelligence support for military operations. So we 
do not base it necessarily on a rank structure. We base it on 
what is his mission responsibilities to support the military.
    To get to your question about how was he able to access so 
much data, and then I will get to the part about what have we 
done and why didn't we do what we could have done. The 
situation in the theater is such that--or was. It has changed 
now. But we took a risk, essentially is what it is. We took a 
risk that by putting the information out there, share 
information, provide agility, flexibility of the military 
forces, they would be able to reach into any of the databases 
on SIPRNet. They would be able to download that information, 
and they would be able to move the information using removable 
media across various domains, whether it is across security 
domains or from U.S. systems to coalition systems. And we did 
that so they could do this very rapidly.
    Here in the Continental United States (CONUS) many of the 
things you have talked about, about closing off open media 
ports and so forth, actually have been in place for a decade or 
more. If you go to many of the agencies, they actually are not 
able to access those open ports. But the focus in the theater 
was speed and agility, so we took that risk to allow not just 
Private Manning but many people who are serving there to move 
at that pace.
    You asked about why we did not put in place capabilities 
that were in your bill. In fact, as early as 2008, we started 
to deploy what is called the Host Based Security System (HBSS), 
as early as 2008. And at the time of Private Manning's alleged 
activities, about 40 percent of the systems in CONUS actually 
had that system in place. The systems were not--that was not 
available in the theater.
    Senator Collins. And why wasn't it?
    Mr. Ferguson. Mainly because of a lot of the systems there 
are, for lack of a technical term, cobbled together, and 
placing those kinds of systems--they are not all equal. It is 
sort of a family of systems there, and it is not just like 
working for Bank of America where they have one homogeneous 
system and they can insert things and take things out as it 
works. You have multiple systems and putting in new intrusion 
software or monitoring tools and so forth, you have to approach 
each system differently. And that is part of the problem.
    So basically to get away from that and not hold up the 
ability to move information, they took on the risk by saying, 
look, these people are cleared. They go through background 
investigations, and, frankly, most of our focus was right about 
outside intruder threat, not inside threat.
    So in the end, to answer your questions--we had ourselves a 
situation where we had information sharing at this level, and 
we took the risk of having monitoring tools and guards and 
passwords and so forth, as well as people did not fully 
implement policies, they did not follow security rules down at 
this level. So the problem is that is where we made our 
mistake. We allowed this to occur when we were sharing 
information at this level. So what we are trying to fix today 
is not take this level of information sharing and moving it 
down here, which you have referred to in your opening 
statement, but take this and move it up here. And that is what 
we are trying to do as rapidly as we can.
    Senator Collins. Thank you.
    Mr. Kennedy, Mr. Ferguson basically explained that DOD, in 
the interest of making sure that the information was out there 
in theater, took a risk, but that does not explain to me how 
the private would have access to State Department classified 
cables that had nothing to do with the country for which the 
private was involved in intelligence activities. So how did it 
happen that he had access to classified State Department 
cables, involving countries that had nothing to do with his 
intelligence responsibilities?
    Mr. Kennedy. That is a very good question, Senator. Several 
years ago, the Department of Defense and the intelligence 
community came to the State Department and said, we need the 
State Department--and actually they paid for it--to push out 
reporting to SIPRNet, which is the Department of Defense 
worldwide system, and to load a number of our cables onto a 
Defense Department database that would be accessible to Defense 
Department people. So in response to their request, we took a 
selected element of our cables and pushed those out to the 
Department of Defense's database.
    To be blunt, we believe in the interest of information 
sharing that it would be a grave mistake and a danger to the 
national security for the State Department to try to define in 
each and every one of the 65 agencies that we share our 
diplomatic reporting analysis with to say that Private Smith 
should get this cable, Lieutenant Jones should get that cable, 
Commander X should get that cable. The policies that have been 
in place between the State Department and other agencies is we 
provide this information to the other agency. The other agency 
then takes on the responsibility of controlling access by their 
people to the material that we provide to them.
    Senator Collins. I will come back to that issue, but I want 
to first give an opportunity for my colleague, Senator Brown, 
to ask his questions.


    Senator Brown. Thank you. You are on a roll, though.
    I have served in the National Guard for 31 years. I am a 
Lieutenant Colonel. I am on the computers regularly, all that 
good stuff, and I have to tell you, sometimes it is like brain 
surgery getting on the computer, even for somebody like me who 
is part of the senior staff, and had been a trial defense 
attorney, just to log on, get access, go where I need to go, 
and I still have not really gotten a satisfactory answer as to 
how this private had complete and total access to the documents 
he had. In my wildest dreams, I could not do what he did.
    And then I see, he works 14 hours a day, no one cares. 
Well, the average workload in that region is that and more for 
many people.
    My understanding, in doing my own due diligence, is that 
there was a complete breakdown of command authority when it 
came to instructing that soldier and people within that command 
as to the do's and do not's with regard to information and 
information sharing. There was no check or balance, and that 
the amount of people that have access to that information has 
grown by tens of thousands. Hundreds of thousands of people 
have access to that information on any given day.
    Is that accurate, that that many people have access to that 
information? Whoever feels qualified to answer it, probably the 
DOD folks.
    Mr. Ferguson. Let me put it this way: The SIPRNet is a 
command and control network, just like the Internet.
    Senator Brown. I know what that is, I am in the military. 
Can you explain to the listeners what that is?
    Mr. Ferguson. What is the SIPRNet?
    Senator Brown. Yes.
    Mr. Ferguson. The SIPRNet is a command and control network 
that maintains Department of Defense classified secret level 
information that covers a whole portfolio of issues. It is not 
just intelligence information, for one. It is operations data. 
It is financial programmatic data, personnel data. It covers a 
very large----
    Senator Brown. It is everything.
    Mr. Ferguson. It is everything. All that information is not 
available to everyone who is on SIPRNet. A lot of that 
information, in fact, is password protected. But there are 
sites, just like going on the Internet, that if you click on 
there, if you put in the search for that information and it is 
not password protected, it is available to whoever is on the 
    Senator Brown. All right. So let me just take what you are 
saying here--and that was not the case with this young soldier. 
We are not just talking about that stuff where you just get 
online and take that stuff. We are talking about that the young 
person who had the ability to not only get that but all the 
classified documentation as well. Correct?
    Mr. Ferguson. He was able to get the classified information 
that was not password protected. That is correct.
    Senator Brown. Right. And is it true that there are 
hundreds of thousands of people that have access to that 
information still?
    Mr. Ferguson. That is true.
    Senator Brown. Once again, I am not a brain surgeon, but I 
am an officer in the U.S. military, and I have difficulty 
getting that stuff. Why haven't we locked down and basically 
weeded through the people that have access, to make sure they 
are all our friends? Where is the command and control in these 
types of things?
    Mr. Ferguson. The command and control, since the SIPRNet is 
really a family of networks, the site owners decide, just like 
on the Internet, who gets access to their particular site.
    Senator Brown. Right. That is for the open stuff, but I am 
not talking about that.
    Mr. Ferguson. No. That is for secured information as well.
    Senator Brown. All right.
    Mr. Ferguson. So in the case, of course, of the State 
Department information, that has now been removed from SIPRNet, 
so that is not available for everybody to take a look at.
    Senator Brown. I was kind of surprised they were even on 
    Mr. Ferguson. Well, that was a request of the Department of 
Defense and the DNI to put that information on or to make it 
more accessible to people in the intelligence community.
    Senator Brown. Is the reason why because--listen, I 
understand the moving nature of the battlefield. I believe that 
a lot of the command and control went away because of the 
changing nature of the battlefield. They needed the information 
very quickly. Is that a fair assessment?
    Mr. Ferguson. That is a fair assessment.
    Senator Brown. So knowing that, what checks and balances 
have been put in place, notwithstanding that fact, what are we 
    Mr. Ferguson. What they have done--and Ms. Takai can talk 
about the technology behind this. They have closed down all the 
ports. They cannot remove the data. But they also are starting 
to chart and narrow the data access based on mission 
responsibility, for one. It is not going to be as simple as 
just going in, turning off stuff, and just doing a big survey 
of the SIPRNet, although that will probably occur. And then, of 
course, the moving of the data, which was the big concern, is 
now a two-man rule. As Ms. Takai pointed out, 12 percent of the 
systems now have the ability to remove data and shift it to 
another domain. The other 88 percent are shut down.
    Senator Brown. Well, he used a thumb drive, right?
    Mr. Ferguson. He used a compact disc (CD), actually. Oddly 
enough, the thumb drives have been shut off for some time.
    Senator Brown. That is what I thought. So it was a CD, 
    Mr. Ferguson. It was CDs, that is right. He was downloading 
the CDs. So we have a two-man rule.
    Another key piece of this is--I do not know the word to 
use--a failure on the part to monitor and follow security 
regulations. It is as simple as that.
    Senator Brown. Listen, I agree with you. I know there is a 
protocol in place. I am still flabbergasted. I mean, here we 
are, we have one of the biggest leaks in my lifetime or my 
memory, at least, in the military, and we have a private who is 
in trouble. I am a little curious. There seems to have been a 
breakdown completely on that chain of command.
    Mr. Ferguson. It did not work as well as we had hoped.
    Senator Brown. And that being said, it has not worked as 
well as you had hoped, is there anything like a red team or an 
unannounced inspection? Or have you changed the protocol?
    Mr. Ferguson. Actually there have been investigations 
looking at the entire process for the entire theater. And a lot 
of the changes have occurred in terms of the two-man rule, 
shutting down of the ports, and other security training and so 
forth has all occurred in the last 3 or 4 months. So, yes, they 
have taken some pretty significant actions already.
    If I may, I would like to pass it to Ms. Takai because she 
can speak to some of the technology that is in place.
    Senator Brown. And with that, I will take that testimony in 
a second. But that being said, I know all the agencies are 
actually awash with new guidelines and directives. Is there a 
coordinated effort of some kind being made so that policy and 
oversight are staying consistent, that agencies are not left to 
guess who to listen to? Is there someone in charge that 
basically is dictating what we are doing, why we are doing it, 
how we are doing it, and then following up to say, yes, we are, 
in fact, doing it? Is there anything like that going on?
    Mr. Ferguson. Yes, I will give you a good example. Their 
policies for security and use of material was spread across a 
number of policy documents, so if you were sitting in a field 
or you are in the United States and you wanted to find where 
that policy was, you had to go search for it. In hindsight, 
that was not a good way of approaching it. It worked that way 
for years, decades.
    One of the things we have done is we have updated those 
policies, and we combined and consolidated them into a single 
product. So there is only one place--it is a one-stop shop to 
go get that. That came out of the Under Secretary of Defense 
for Intelligence's office. So he sets the guidelines for that 
information protection assurance and security parts.
    In terms of setting rules for information sharing itself, 
that is being done as a community-wide activity, not just with 
the Department of Defense but with the DNI--this is an approach 
with all the other agencies. So there is one initiative right 
now underway, and, of course, each department is also looking 
at it individually.
    Mr. Paul. Can I amplify that?
    Senator Brown. Yes, please, and then I just have one final 
question, but sure, yes, absolutely.
    Mr. Paul. So there is an ongoing White House-led process 
right now looking at the WikiLeaks incident and potential 
structural reforms. That has three main tracks that are going 
on, and my panelists and I and others are involved in that 
    The first part of it is looking at how to better balance 
things like identity management and tagging of information more 
consistently so you can do better kinds of access controls like 
what were talked about in the opening statements.
    The second is looking at the insider threat passbacks and 
some of the technical considerations that we have talked about.
    And the third is looking at how we strengthen governance 
across the spectrum--so the hope is that in the coming weeks 
and months we can come back and talk about the results of that 
    Ms. Takai. Before I speak to the technology, just to follow 
on to the governance issue, there is participation by all of 
the organizations in a White House working group that reports 
to the deputy's committee around the various activities to make 
sure that we are well coordinated and that we are working 
    Inside the Department of Defense, this is an item that is 
high on the Secretary's list, and we provide ongoing reports to 
him from the standpoint of the technology mitigation efforts 
both to him and the Chairman of the Joint Chiefs of Staff 
regarding our progress. So there is significant oversight. 
There is significant guidance in terms of making sure that we 
are taking care of this and we are following on to the 
commitments that we have made both from a technology 
perspective and working with Mr. Ferguson's area in terms of 
making sure that the policies are updated. So I wanted to make 
sure that I added that in response to the question.
    Moving on to the technology, I think we have talked about 
the Host Based Security System and the progress that we have 
made thus far in terms of having that installed and making sure 
that we can detect anomalous behavior in terms of individuals 
who might get on to the network and download information, and 
we are doing that in three ways. One is from a device 
perspective. The Host Based Security System detects if, in 
fact, a computer does have a device where information can be 
downloaded so that we can validate that and ensure that it is a 
part of the 12 percent of those computers that we believe need 
that information in the field.
    The second thing that we are doing is to look at what we 
call an audit extraction module to follow on to Senator 
Collins' question around how do we have the information and the 
analytics to see anomalous behavior and we can catch it at the 
time that it occurs. We are currently in testing. That software 
is integrated with HBSS, and we will then be moving ahead to 
roll that out across DOD.
    The third thing that we are moving forward on, as you 
mentioned, Senator Collins, is around really a role-based 
process. We are going to be implementing a public key 
infrastructure (PKI) identification similar to our current 
Common Access Cards (CACs) that we have on our non-classified 
network to all of the DOD users, and what that will do is give 
us an opportunity over time to refine what information 
individuals have access to. So sheer access to SIPRNet, for 
instance, in this case, we will be able to, by looking at each 
individual database, take it down to what information that 
individual needed as opposed to having the network completely 
    Senator Brown. I appreciate that, and just in closing, it 
was not only dangerous, it is embarrassing what happened. You 
know, it is embarrassing for our country some of the things 
that were actually out there. And so there are a lot of lessons 
there, but I appreciate the opportunity.
    Thank you for having this hearing and participating and 
allowing me to participate in it.
    Senator Collins. Thank you.
    Chairman Lieberman [presiding]. Senator Collins, thanks 
very much for assuming the Chair. I apologize to the witnesses.
    I appreciate the testimony. Let me ask a few questions, if 
I might. In a speech that DNI General Clapper gave last fall, 
he predicted that WikiLeaks was going to have a ``very chilling 
effect on the need to share.'' After WikiLeaks began to release 
State Department cables in late November, news headlines 
forecasted a clampdown on information sharing, and this is what 
we have been dealing with and you deal with in your testimony 
as submitted.
    I wanted to ask you if there are specific areas--and I 
guess I would start with Ms. Stone and then any others. Are 
there specific areas where you think the WikiLeaks case has had 
a direct impact on information sharing other than the examples 
cited in the prepared testimony by Mr. Kennedy of the State 
Department removing its diplomatic cables from SIPRNet?
    Ms. Stone. Thank you for that question, sir. My reaction is 
that the most direct impact has been in the area of culture and 
those people who are concerned about sharing information, 
rightly so, and our ability to protect it. And, therefore, our 
reaction to WikiLeaks must be to increase protection as well as 
sharing. As we increase the protection, we also increase the 
trust and confidence that people have that when they share 
their information appropriately, it will be protected; we will 
know where the information is; we will be able to pull that 
information if it is inappropriately accessed; and we will be 
able to follow up with appropriate repercussions if and when it 
is misused.
    So I think the most direct impact I have seen is not in a 
specific tangible action, but more so that it has resulted in a 
very clear need for us to increase the protections, to increase 
trust and confidence to share more broadly; because--while 
Director Clapper was very concerned--as we all were, that this 
would have a chilling effect, we have all worked very hard, 
both within the ODNI, within the intelligence community, and 
across the government, to ensure that it does not have a 
chilling effect; but that, in fact, as Mr. Ferguson said, as we 
increase sharing, we also increase protection to develop that 
trust and confidence.
    Chairman Lieberman. That is good. Mr. Kennedy.
    Mr. Kennedy. If I could, Mr. Chairman. I think there have 
been two kinds of chilling effects. One, I think there has been 
a chilling effect on the part of some foreign governments being 
willing to share information with us, and that is obviously of 
great concern to the State Department. We build our diplomatic 
reporting analysis on the basis of trust; that when individuals 
tell us things in confidence, we will share them in confidence 
within the U.S. Government, that it will not go broader than 
that. So that has been one chilling effect.
    I think the State Department, though, has avoided the 
chilling effect that you were directly addressing. For example, 
if I might, during the period of time, we have posted, as you 
all mentioned, some 250,000 cables to this database posted to 
the DOD SIPRNet. During that same period of time, we 
disseminated 2.4 million cables, 10 times as many, through 
other systems to the 65 other U.S. Government agencies. And so, 
therefore, while we stopped disseminating on SIPRNet for the 
reasons that my DOD colleagues have outlined, we have continued 
to disseminate to the intelligence community system, the Joint 
Worldwide Intelligence Communications System (JWICS), and we 
have continued to disseminate the same volume of material to 
the same other agencies based upon their need for that 
information. We do not hold anything back. This unfortunate 
event has not caused us to hold anything back. We continue to 
share at the same rate as we were sharing before because we 
know that our information is essentially the gold standard.
    There are more reporting and analysis officers and sources 
and information from 265 State Department diplomatic and 
consular posts around the world than any other agency, so it is 
our intent to uphold our piece of national security and 
obviously to be responsive to the very forceful and correct 
legislation that you saw passed, which is to share. We are 
continuing to share using two other means.
    Chairman Lieberman. Do any of the other three witnesses 
want to comment, either in terms of specific areas of the 
effect of WikiLeaks on information sharing or perhaps some more 
indirect impact with people becoming more hesitant to work 
across agency boundaries or even marking intelligence products 
more restrictively? Mr. Paul.
    Mr. Paul. Yes, in my role I have the opportunity to work 
closely with our State, local, and tribal partners, and I just 
want to report that the concerns about a chilling effect, they 
share that. They share the concern, and we remain vigilant and 
work with them to try to identify any challenges of that sort. 
But so far with our partners, primarily FBI and DHS, there is a 
lot of good sharing. Our different sharing initiatives continue 
to move forward, things like the Nationwide Suspicious Activity 
Reporting Initiative, the Nationwide Network of Fusion Centers, 
and different initiatives of that ilk.
    Chairman Lieberman. Good. Thanks for your answers to that.
    Incidentally, one of the things I have found that I am sure 
other Members of Congress have found in foreign travel that we 
have done since the WikiLeaks leaks is that, somewhat in jest 
but not really, often leaders of foreign countries that we are 
meeting with will say, ``I hope this is not going to appear on 
WikiLeaks.'' So they are hoping that there is a certain 
confidence and trust in the exchange of information. And, of 
course, we say, ``Oh, no.'' And then the person from the 
embassy usually says, ``No, we have taken care of that 
problem.'' But it did affect the trust of allies around the 
    One of the things that Congress called for in the 
Intelligence Reform and Terrorism Prevention Act was the use of 
technologies that would allow ``role-based access'' to 
information in government systems--in other words, that people 
would have access to information necessary for their work, but 
would not have overly broad access to information that they did 
not need.
    One of the key lessons, obviously, from WikiLeaks is that 
we have not yet made enough progress toward that goal as we 
need to, and if such capabilities had been in place on SIPRNet, 
I presume Private Manning would never have had access to that 
much information, if any at all.
    Ms. Takai, maybe we will start with you. What are the key 
challenges associated with implementing role-based access as I 
have defined it across our classified and sensitive information 
    Ms. Takai. Thank you, Mr. Chairman. I would like to start 
first by just giving you an update on where we stand at DOD in 
terms of rolling out a PKI-based CAC card for SIPRNet.
    Chairman Lieberman. Good.
    Ms. Takai. We are in the process and, in fact, they are in 
production, if you will, through our trusted foundry on those 
cards. We are anticipating the completion of the rollout by the 
end of 2012 so that all the individuals who today need SIPRNet 
and use SIPRNet will have PKI identification.
    Chairman Lieberman. Have you defined those terms while I 
was away? Or would you want to do so now, PKI and the CAC card, 
for the record?
    Ms. Takai. Effectively the common access card is a card 
that you actually utilize with your computer that actually 
identifies you when you log on to the computer. So it is a much 
more sophisticated password, if you will. It gives you a user 
name and password, but it more clearly identifies you, and then 
from that more clearly can identify the role that you play in 
the organization and then through that the information to which 
you should have access.
    Chairman Lieberman. So that would all limit access based on 
what the position of the card holder was and the presumed needs 
to know of the card holder.
    Ms. Takai. That is correct, sir. But to the second part of 
your question in terms of our rollout plan and the steps that 
we need to go through, the cards are actually rolled out to 
each individual who has a computer, so our deployment plan is 
to actually get the physical cards and the physical readers 
installed on all of the computers for those individuals that 
require access to SIPRNet.
    The second thing is that through the trusted foundry we 
have a manufacturing process for those cards, and they have a 
capacity for a certain number of cards, so that also is a 
    So, again, in order for us to really complete 100 percent, 
we have to take into account those two factors, and also the 
fact that many of the computers where this is needed are, as 
you could well imagine, in many locations around the globe. And 
that is not only, of course, certainly on the ground, but on 
ships and so on. So it will take us a while, by the end of 
2012, to have that deployment complete.
    But I think it is important to note, in addition to just 
the physical deployment of the cards and on the various 
computers, that it will then take us additional time to make 
sure that we get the roles associated with the information 
connected. So the cards give us the capability to do that, and 
then we will continue the deployment to link the information to 
    Chairman Lieberman. That is encouraging. Thanks. Senator 
    Senator Collins. Thank you, Mr. Chairman. Just a couple 
more questions.
    Mr. Ferguson, when I think about the WikiLeaks incident, I 
think not only of the failures of technology but also a failure 
to focus on certain red flag behavior that was exhibited by the 
suspect. And it reminds me very much of what our investigation 
found when we looked into Major Hasan's behavior prior to the 
massacre at Fort Hood.
    If the media reports are correct, Private Manning exhibited 
problems such as mental health issues, an assault on 
colleagues, and the fact that supervisors had recommended that 
he not be sent to the front lines.
    These are all pretty big red flags, and I am wondering why 
they did not lead to a restriction in his access to classified 
information. I do not know whether you are the right person for 
me to ask that question to, but my point is there is more than 
just technology at stake here. If we have a high-ranking 
official and we use the user role approach but that individual 
becomes unstable or embraces Islamist radicalism or there is 
some other reason that would cause the individual to pose an 
insider threat, do we have the systems in place to catch that 
    Mr. Ferguson. Senator, I probably cannot really speak to 
the specifics of Private Manning. It is an ongoing 
investigation. However, your point, though, about a process to 
identify behaviors that we should be concerned about, we have 
taken a look at that, and the training that we had in place--
whether it was Hasan or this case--was not sufficient to give 
his supervisors the pieces of data they would need to put 
together and say this person is a problem, or in some cases to 
take action when they did suspect something was wrong.
    So what we have done in the Department is begin to shape 
with new policy and direction how to better train supervisors 
in how to best identify behaviors that would be of concern. 
That is one piece, but they also have to be willing to take 
action, and that is part of the other problem. It is not that 
somebody might say that this behavior is irregular. It is also 
in some cases a fear to take action, or it may reflect on them 
as a failure or it may reflect on them in some other way. And 
so there are two hurdles here. It is teaching people how to 
identify the characteristics, but it is also teaching people 
that the right thing to do is to take action.
    Senator Collins. I am concerned because we have seen two 
recent cases where tremendous damage was done, despite the fact 
that there was ample evidence, it appears--I am less familiar 
with the case we are discussing today--that something was 
dramatically wrong. That is an issue that I am eager to pursue, 
and I think your point about training is a very good one.
    Mr. Paul, just for my last question, you mentioned in your 
testimony that there is a fragmented approach to computer 
security across the Federal Government, and I think I can speak 
for the Chairman when I say that we could not agree with you 
more, and that is one reason we have introduced our 
cybersecurity bill which will apply to the civilian agencies 
and also try to work with the private sector to develop best 
practices. But our bill does not deal with the intelligence 
community or the military computer systems.
    You also in your testimony pointed out that you are not an 
operational office at DNI and that you are heading a task force 
on this issue. What are you telling us? Are you telling us that 
the DNI needs more authority to prevent this fragmented 
approach where one intelligence agency may have a totally 
different approach to security, classification, and access than 
the Department of Defense?
    Mr. Paul. So when I was using the description of 
``fragmentation,'' what I was referring to was that agencies 
put in place specific agency-based solutions. Those solutions 
serve for specific needs. But then when you look at more broad 
information sharing and protection with other agencies, the 
solutions tend to not work as well. An example of this is, as 
we look at things like identity management frameworks--some of 
my panelists have talked about identity management. That is 
foundational to being able to do information sharing and 
information protection. We have several different identity 
management frameworks across the scope of the Federal 
Government, our State and local partners, and so forth. Those 
frameworks are mostly aligned, but we need to make sure that as 
they get implemented, they are implemented in a way that is 
consistent across all the different partners. If that does not 
happen, then you run into challenges when information moves 
across organizational boundaries.
    The second part of your question was about my role in co-
chairing the Information Sharing and Access Interagency Policy 
Committee. A key thing that we are trying to do in that group 
is to harmonize policy frameworks across the different agencies 
to make sure that on one hand, we have the consistent 
framework, but on the other hand, we are not slowing down 
operational considerations in those agencies so that the 
variations that occur are truly because of mission requirements 
and not because we are not effectively working together.
    Senator Collins. Ms. Stone.
    Ms. Stone. Thank you. If I could just add to that, across 
the intelligence community we are working very hard to have 
comprehensive guidelines and processes that are consistent and 
interoperable. We are working on leveraging public key 
infrastructure and attribute-based access control to have a 
more comprehensive identity and access management. We are 
standardizing data protection models to have several levels of 
security, and we are working on an enterprise audit framework.
    So within the intelligence community, while we may have 
different systems, we are working very hard from the Office of 
the Director of National Intelligence to more standardize and 
ensure consistency across those networks. The way we then plug 
in with the rest of the government--and, indeed, we must be 
interoperable with the rest of the government, of course--is 
through this interagency group that we are working on together 
with everyone at the table and others to ensure that we can, in 
fact, be coordinating and consistent with the other offices. 
And we are still working through exactly what that looks like, 
but that is certainly a concern that we are all very well aware 
    Senator Collins. Thank you. Just two final concluding 
comments. I would note that the Government Accountability 
Office (GAO) continues to list information sharing, 
particularly with regard to terrorism-related information, as a 
high-risk activity, and it is on the high-risk list again this 
    And, finally, as we look at the user role approach, which I 
brought up in my opening statement and which we have commented 
on today, we do have to be careful that does not translate back 
to the bad old days where no one shared anything and where we 
had stovepipes because we are defining who has access so 
narrowly that we deny access to analysts who really need that 
    So it is a very difficult task that you are all embarking 
on, but in this day and age, that an individual could be able, 
undetected for so long, to download and illegally distribute 
hundreds of thousands of important cables, reports, and 
documents is just inconceivable to me. So, clearly, we have a 
long way to go to strike the right balance.
    Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Collins, very much. 
Thanks again for taking the chair while I had to leave.
    Just a few more questions, and I want to follow up first 
with one to you, Mr. Paul, following up on the question I asked 
Ms. Takai before about role-based access. In your testimony, 
you note the fact that there are at least five distinct 
identity credential and access management frameworks in use by 
Federal agencies, and, of course, that makes me wonder whether 
that limits the ability to implement the kind of role-based 
access capabilities that the IRTPA required in systems in 
a cost-effective way. I wonder if you could talk about what you 
are doing, hopefully in cooperation, perhaps, with the other 
witnesses here today, to harmonize those different access 
    Mr. Paul. Sure. Thank you for the question. There are these 
five different frameworks, but they are really not that 
different. They are different enough, though, that it requires 
the attention of my office and other bodies--the Federal Chief 
Information Officer Council, for example, and my colleagues 
here--to make sure that as the frameworks get implemented in 
the different agencies and with our State, local, and tribal 
partners, that we do not allow for variations or that 
variations are controlled and reflect mission requirements and 
the like. So a focus of my office is to work with the 
interagency, bringing together groups to make sure that as 
these frameworks get implemented, they are implemented in a 
consistent way.
    Building on top of that, it is critical, as we look at 
role- and attribute-based access controls that you both have 
highlighted, that the framework for doing those, how we define 
roles, how we, to use a colloquialism, tag data, how we tag 
people, and that tagging occurs in different places. A person 
may be tagged in one agency, data may be tagged in another, and 
we want to be able to have that data move in an appropriate way 
with policy enforcement. That means there needs to be a 
consistent framework for how that happens, and coordination, 
and this goes to some of what you have heard from me and others 
about the importance of governance of the standards and 
architecture approach. So those are contributions that are 
catalyzed through the efforts of my office in close cooperation 
with my mission partners.
    Chairman Lieberman. Good. I urge you on in that.
    Mr. Ferguson, I mentioned in my opening statement the great 
successes that we have had in the past few years in Iraq and 
Afghanistan in disrupting terrorist networks in those countries 
with our military and intelligence agencies working very 
closely together and doing so in a remarkably rapid way, 
sometimes exploiting information from one raid or one source 
and using it within an hour elsewhere, or quicker.
    As you make changes to improve the security of classified 
networks at DOD and in the intelligence community, are you 
taking steps to ensure that those efforts will not diminish or 
slow down our ability to carry out the kinds of operations I 
have just described?
    Mr. Ferguson. Yes, sir, absolutely. Even though the process 
was to allow personnel working in a secured facility to access 
the SIPRNet and pull down data and copy it through open media.
    Chairman Lieberman. Right.
    Mr. Ferguson. For example, so we could have more agility 
and flexibility. We have gone back and taken a look at how that 
process worked, and we have found that by creating just a kiosk 
process and a two-man rule, we can still move at the same speed 
and have the same agility without giving everybody the same 
availability to the information and being able to pull the data 
down and copy it. So it is very much in mind to make sure that 
we do not hinder our ability to carry out the operations.
    Chairman Lieberman. Good. Do you want to add anything, Ms. 
    Ms. Takai. Yes, I would. I think one of the things that is 
very important is that we continue to see the dramatic need for 
information and information sharing by the warfighter and so, 
if anything, the demand for that information continues to grow. 
And so as we are looking at the technology, just to relate back 
to what Mr. Paul said, part of our efforts are to ensure within 
DOD we are eliminating our fragmented environment, which has 
grown up over time, through our legacy base of the way that our 
networks and our databases have grown up. And so I wanted to 
make sure that I added that there was a relationship between 
the work that Mr. Paul is doing and the work that we are doing 
internal to DOD, and I am sure my partners here are all 
undergoing the same thing. I think that is really what Ms. 
Stone was talking about. And those things in combination with 
being able to apply cybersecurity enhancements are really going 
to give us an opportunity to get that information out there as 
quickly as today and in some cases even faster than today, but 
to do it in a secure way.
    Chairman Lieberman. That is excellent. Let me ask a final 
question. Based on the testimony you have provided, really in 
what you are doing to respond to the challenges that were 
illuminated by the WikiLeaks case, but also to protect the 
information-sharing environment, one, have you seen any areas 
where you think you would benefit from statutory changes? And, 
two--and this is a question that I ask in a limited way in this 
fiscal environment--are there any funds we should be targeting 
to particular uses that we are not now doing to assist you in 
responding to this crisis? Maybe we will start with Mr. Kennedy 
and go down the table, if anybody has anything to say.
    Mr. Kennedy. Thank you very much, Mr. Chairman. I cannot 
think of any additional legislative authority. I think you have 
done two things. You have given us the intent, and then you 
have given us the command. And I think we know from what you 
have said and what we know internally which way we should go.
    On the funding, I can always say that an institution as 
small as the State Department can always use additional funding 
given the range of demands upon us. But I believe that we have 
a role-based access system in place that we use to distribute 
material within the State Department. If you are on the French 
desk, you get one set of materials. If you are on the Japan 
desk, you get another. As I mentioned earlier, we will continue 
to push State Department reporting to the other agencies, but 
it does, I will admit, put a burden on them to then take our 
material which we have provided to Secretary of Defense, so to 
speak, to DOD, and then to distribute that to their people 
according to the roles that only they are capable of defining, 
because I think it would be wrong for me to say which 
individuals within an entity as large as the Defense Department 
or as large as the DNI or the intelligence community which 
analyst needs what. So we send it to them, and I think they may 
be the ones who have to answer that second question about how 
they are going to distribute it efficiently and effectively as 
both you and Senator Collins have talked about.
    Chairman Lieberman. Thanks. Ms. Takai, any legislative 
recommendations or budget targeting?
    Ms. Takai. In terms of the legislative question, I agree 
with Mr. Kennedy. At this time we do not see any additional 
legislation that we need. We are going through a review to 
answer exactly that same question for the Secretary in terms of 
is there any need for any change, not only additional funding 
but a change in the cadence of the funding. And so once we have 
that pulled together, we would be happy to share it with you.
    Chairman Lieberman. I appreciate it. Mr. Ferguson.
    Mr. Ferguson. I would have to agree on the legislative 
side, and certainly as Ms. Takai has pointed out, as we go 
through this process of putting in these capabilities, what 
kind of funding needs I guess we have to identify what those 
real costs are and come back.
    Chairman Lieberman. Ms. Stone.
    Ms. Stone. Similarly, on the legislative question, I think 
we have what we need for now, although I would reserve the 
right to come back if we discover we need something else.
    And on the funding piece, again, we do have an interagency 
process ongoing looking at exactly what we might do with 
different options, so we would have to see where that comes 
out. But I do believe there is at least something in the fiscal 
year 2012 proposal submitted by the President to work on some 
of these issues.
    Chairman Lieberman. Good. Mr. Paul.
    Mr. Paul. Just to echo Ambassador Kennedy, the laws and the 
statutes that this Committee has championed provide an adequate 
basis, a fine basis. I know in the context of the information-
sharing environment that it is my responsibility, there is 
enough authority. It is an issue for me now of execution and 
    Chairman Lieberman. Good. Thank you all. Senator Collins.
    Senator Collins. Thank you.
    Chairman Lieberman. Well, thanks very much, again, for your 
prepared testimony and the oral testimony, and I emerge 
encouraged that you are certainly dealing with the specific 
series of vulnerabilities that the WikiLeaks/Manning case 
revealed, and I presume in the nature of the modern world with 
technology, innovation, and exploitation what it is, you will 
also be thinking about the next way in which somebody might try 
to take advantage of our information-sharing environment. But I 
think that we have raised our guard in a sensible way and also 
continue to share information, which we need to do, is what I 
take away from this hearing, and I appreciate that very much.
    The record will remain open for 15 days for any additional 
questions or statements. With that, the hearing is adjourned.
    [Whereupon, at 4:36 p.m., the Committee was adjourned.]

                            A P P E N D I X