S. Hrg. 112-219

INFORMATION SHARING IN THE ERA OF WIKILEAKS: BALANCING SECURITY AND COLLABORATION

=======================================================================

HEARING
before the
COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
of the
ONE HUNDRED TWELFTH CONGRESS
FIRST SESSION

MARCH 10, 2011

Available via the World Wide Web: http://www.fdsys.gov/

Printed for the use of the Committee on Homeland Security and Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE
66-677 WASHINGTON : 2012

For sale by the Superintendent of Documents, U.S. Government Printing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202-512-1800, or 866-512-1800 (toll-free). E-mail, gpo@custhelp.com.

COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii
TOM COBURN, Oklahoma
THOMAS R. CARPER, Delaware
SCOTT P. BROWN, Massachusetts
MARK L. PRYOR, Arkansas
JOHN McCAIN, Arizona
MARY L. LANDRIEU, Louisiana
RON JOHNSON, Wisconsin
CLAIRE McCASKILL, Missouri
JOHN ENSIGN, Nevada
JON TESTER, Montana
ROB PORTMAN, Ohio
MARK BEGICH, Alaska
RAND PAUL, Kentucky

Michael L. Alexander, Staff Director
Christian J. Beckner, Associate Staff Director for Homeland Security Prevention and Protection
Jeffrey E. Greene, Senior Counsel
Nicholas A. Rossi, Minority Staff Director
Brendan P. Shields, Minority Director of Homeland Security Policy
Luke P. Bellocchi, Minority Counsel
Trina Driessnack Tyrer, Chief Clerk
Patricia R. Hogan, Publications Clerk and GPO Detailee
Laura W. Kilbride, Hearing Clerk

C O N T E N T S

Opening statements:
    Senator Lieberman
    Senator Collins
    Senator Brown

Prepared statements:
    Senator Lieberman
    Senator Collins

WITNESSES

Thursday, March 10, 2011

Hon. Patrick F. Kennedy, Under Secretary for Management, U.S. Department of State
Teresa M. Takai, Chief Information Officer and Acting Assistant Secretary for Networks and Information Integration, U.S. Department of Defense, and Thomas A. Ferguson, Principal Deputy Under Secretary for Intelligence, U.S. Department of Defense
Corin R. Stone, Intelligence Community Information Sharing Executive, Office of the Director of National Intelligence
Kshemendra Paul, Program Manager, Information Sharing Environment, Office of the Director of National Intelligence

Alphabetical List of Witnesses

Ferguson, Thomas A.:
    Testimony
    Joint prepared statement with Teresa Takai
Kennedy, Hon. Patrick F.:
    Testimony
    Prepared statement
Paul, Kshemendra:
    Testimony
    Prepared statement
Stone, Corin R.:
    Testimony
    Prepared statement
Takai, Teresa M.:
    Testimony
    Joint prepared statement with Thomas Ferguson

APPENDIX

Thomas E. McNamara, Former Program Manager of the Information Sharing Environment at the Office of the Director of National Intelligence, prepared statement
Markle Task Force on National Security in the Information Age, prepared statement
Responses to post-hearing questions for the Record from:
    Mr. Kennedy
    Ms. Takai and Mr. Ferguson
    Ms. Stone
    Mr. Paul

INFORMATION SHARING IN THE ERA OF WIKILEAKS: BALANCING SECURITY AND COLLABORATION

----------

THURSDAY, MARCH 10, 2011

U.S. Senate, Committee on Homeland Security and Governmental Affairs, Washington, DC.

The Committee met, pursuant to notice, at 3:06 p.m., in room SD-342, Dirksen Senate Office Building, Hon. Joseph I. Lieberman, Chairman of the Committee, presiding.

Present: Senators Lieberman, Collins, and Brown.

OPENING STATEMENT OF CHAIRMAN LIEBERMAN

Chairman Lieberman. The hearing will come to order. Good afternoon and thanks for your patience. We just were able to, Senator Collins and I, vote early. And I want to apologize in advance. I am going to have to step out for about 15 minutes in about a half-hour, but I shall return.

In just 6 months and a day, we will mark the 10th anniversary of the attacks of September 11, 2001, and we will honor the memory of the nearly 3,000 people who were murdered that day in America. Our mourning over their deaths has always been compounded by the knowledge that those attacks might have been prevented--certainly that was the implication of the 9/11 Commission Report--had our intelligence and law enforcement agencies shared the disparate facts they had gathered, enabling us to connect the dots.

To prevent this from happening again, Congress passed several laws intended to strengthen information sharing among critical Federal agencies. Those acts included the Homeland Security Act, the Intelligence Reform and Terrorism Prevention Act (IRTPA), and the USA PATRIOT Act.
Since then, the Executive Branch, I think, has made significant improvements in its information-sharing systems, and there is no question that far more information is now available to partners in other agencies who have a legitimate need for it. All this intelligence is further brought together at key nodes, such as the National Counterterrorism Center (NCTC), where it can be examined by intelligence specialists from a variety of agencies working together under one roof. And as a result, we have seen a number of successes in recent domestic and military counterterrorism operations that I think were thanks to that kind of information sharing, and I am going to cite some examples in a moment. But this Committee's recent report on the Fort Hood attack shows that information sharing within and across agencies is nonetheless still not all it should be, and that allowed in that case a ``ticking time bomb,'' namely Major Nidal Hasan, now accused of killing 13 and wounding 32 others at Fort Hood, to radicalize right under the noses of the Department of Defense (DOD) and the Federal Bureau of Investigation (FBI). So we need to continue improving our information-sharing strategies. Now I fear the WikiLeaks case has become a rallying cry for an overreaction for those who would take us back to the days before September 11, 2001, when information was considered the property of the agency that developed it and was not to be shared. The bulk of the information illegally taken and given to WikiLeaks would not have been available had that information not been on a shared system, so the critics of information sharing argue. But to me this is putting an axe to a problem that requires a scalpel and misunderstands what happened in the WikiLeaks case and I think misstates the solution to the problem. 
We can and must prevent another WikiLeaks without also enabling Federal agencies, in fact, perhaps compelling Federal agencies to reverse course and return to the pre-September 11, 2001, culture of hoarding information. We need to be smarter about how information is shared and appropriately balance security concerns with the legitimate needs of the users of different types of information. Methods and technologies for doing so already exist. Some of them I gather have been put into place since the WikiLeaks case, and we need to make sure that we utilize them as fully as possible across our government. The bottom line is we cannot walk away from the progress we have made that has saved lives. I will give you a couple of quick examples. U.S. Special Forces and elements of the intelligence community have shared information and worked exceptionally well together in war zones to combat and disrupt terrorist groups such as al-Qaeda in Iraq and the Taliban in Afghanistan. And that would not happen without information sharing. Here at home, we have used information sharing to enhance the role of State, local, tribal, and private sector entities in our fight against terrorists. And those efforts have paid off--most recently in the case of a chemical supply company in North Carolina that alerted the FBI to suspicious purchases by a Saudi Arabian student in Texas who turned out to be building improvised explosive devices. So we need to fix what is broken without going backwards. Today I look forward to hearing from each of our witnesses about what they are planning to do to improve the security of classified networks and information, while still ensuring that information is shared effectively in the interest of our Nation's security. I would also like to hear how Congress can work with you on these efforts either with legislation or through more targeted funding. 
Efficiently sharing classified information while effectively securing that information is critical to our Nation's security and our national values. We can and must have both. Senator Collins.

OPENING STATEMENT OF SENATOR COLLINS

Senator Collins. Thank you, Mr. Chairman.

Effective information sharing among Federal law enforcement and civilian and military intelligence agencies is critical to our security. The 9/11 Commission found that the failure to share information across the government crippled efforts to detect and potentially prevent the attacks on September 11, 2001. Improving this communication was a critical part of the Intelligence Reform and Terrorism Prevention Act that Senator Lieberman and I authored in 2004.

The WikiLeaks breach should not prompt a knee-jerk reaction on the sharing of vital information and its use by those analysts who need it to do their jobs. We must not let the astonishing lack of management and technical controls that allowed a private in the army to allegedly steal some 260,000 classified State Department cables and some 90,000 intelligence reports to send us back to the days before September 11, 2001.

Unfortunately, we continue to see agency cultures that resist sharing information and coordination with their law enforcement and the intelligence counterparts. Almost 10 years after September 11, 2001, we still witness mistakes and intelligence oversights reminiscent of criticisms predating our reforms of the intelligence community. Among those cases where the dots were not connected and information was not effectively shared are Abdulmutallab, the so-called Christmas Day bomber, and Nidal Hasan, the Fort Hood shooter.

At the same time, as the Chairman has pointed out, there have been several cases that underscore the incredible value and benefit of information sharing, and an example is, as the Chairman has noted, the case of Mr. Zazi, whose plans to bomb the New York City subway system were thwarted.
As such successes remind us, we must not allow the WikiLeaks damage to be magnified twofold. Already the content of the cables may have compromised our national security. There have been news reports describing the disclosure of these communications as having a chilling effect on our relationships with some of our closest allies. More important, however, they likely have put at risk some of the lives of citizens, soldiers, and partners. Longer lasting damage could occur if we allow a culture to re-emerge in which each intelligence entity views itself as a separate enterprise within the U.S. counterterrorism structure, with each attempting to protect what it considers to be its own intellectual property by not sharing it with other counterterrorism agencies. If those stovepipes reappear or worsen, we will certainly be in more danger. Such a step backward would run counter to the policy goals embodied in the 2004 Intelligence Reform Act, articulated by law enforcement and the intelligence community leadership, and underscored in multiple hearings before this Committee; and, that is, to effectively detect and thwart terrorists, the ``need to share'' must replace the ``need to know.'' I would also like to hear today about the possible technological solutions to the problems that allowed for the disclosures to WikiLeaks. For example, my credit card company can detect out-of-the-ordinary charges on my account almost instantaneously. Yet the military and intelligence communities were apparently unable to detect more than a quarter million document downloads in less than 2 months. Surely, the government can make better use of the technology currently employed by the financial services industry. It is also notable that the intelligence community was already required to install some audit capabilities in its systems by the 2007 homeland security law, which we authored, that could well have included alerts to supervisors of suspicious download activity. 
Had this kind of security measure been in place, security officers might have detected these massive downloads before they were passed on to WikiLeaks. Technology and innovation ultimately should help protect information from unauthorized disclosure, while facilitating the appropriate sharing of vital data.

I would also like to explore today the implementation of role-based access to secure classified information. Instead of making all information available to anyone who has access to a classified system, under this model, information is made available in a targeted manner based on individuals' positions and the topics for which they are responsible. Access to information not directly relevant to an individual's position or responsibilities would require the approval of a supervisor.

We must craft security solutions for the 21st Century and beyond. We live in a world of Twitter and instantly viral videos on YouTube. We must strive to strike the appropriate balance that protects classified and sensitive information while ensuring the effective sharing of vital data. We can use the most cutting edge technology to protect the traditional tools of statecraft and intelligence--those tools of relationships and information.

Thank you, Mr. Chairman.

Chairman Lieberman. Thank you, Senator Collins, for that thoughtful opening statement.

I want to thank the witnesses who are before us for coming, also for the thoughtful written testimony you have submitted to the Committee, which will, without objection, be included as part of the record.

Now we will begin with Patrick Kennedy, who is Under Secretary for Management at the Department of State. Welcome, Mr. Kennedy.

TESTIMONY OF HON. PATRICK F. KENNEDY,\1\ UNDER SECRETARY FOR MANAGEMENT, U.S. DEPARTMENT OF STATE

Mr. Kennedy. Thank you very much.
Chairman Lieberman, Ranking Member Collins, and Senator Brown, thank you for this opportunity to address information sharing after WikiLeaks and to discuss Executive Branch efforts to ensure that information is shared effectively yet securely and in a manner that continues to advance our national security. The State Department and our interagency partners have long been working to obtain both appropriate information sharing and protection, and after WikiLeaks, we have focused renewed attention on achieving these dual objectives.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Kennedy appears in the Appendix on page 33.
---------------------------------------------------------------------------

From my perspective, serving over 30 years with the State Department, both overseas and in Washington, and also serving as the first Deputy Director of National Intelligence for Management, I especially appreciate your efforts to address with us the challenges of information sharing and security. I can assure you that we at the State Department remain committed to fully sharing our diplomatic reporting within the interagency with safeguards that are reasonable, pragmatic, and responsible.

For diplomatic reporting, the State Department has historically communicated between Washington and overseas posts through messages which convey internal deliberations relating to our foreign relations and candid assessments of overseas conditions. This reporting provides the State Department and other U.S. Government agencies crucial information essential to advancing our national interests, and we continue to this day to share this reporting through automatic dissemination to over 65 U.S. Government agencies.
In late November 2010, when the press and WikiLeaks announced the release of purported State Department cables, we immediately established a 24/7 WikiLeaks Working Group of senior State Department employees; we did suspend the Secret Internet Protocol Router Network (SIPRNet) to Net Centric Diplomacy, the database of State Department cables, while retaining all of our other distribution systems to other agencies. We also created a mitigation team to address policy, legal, and counterintelligence issues. For continued mitigation efforts, both within the State Department and interagency, we continue to deploy an automated tool that monitors State's classified network to detect anomalies not otherwise apparent, backed up by a staff who analyze these anomalies. Cable distribution has been limited to the Joint Worldwide Intelligence Communications System and our traditional system that reaches out, as I said, to 65 agencies. We are now evaluating other systems for distribution, such as a searchable database that relies on metadata. The State Department has continued to work with information management issues interagency through the Interagency Policy Committee (IPC), chaired by the White House's Special Adviser for Information Access and Security, as well as through existing IPCs. The challenges of grappling with the complexities are threefold. The first is ensuring information-sharing policies are consistently directing the use of technology to solve problems, not the other way around. Post-September 11, 2001, the focus was on providing technical solutions to information sharing. As a result, technical experts were asked to develop solutions to the barriers. The post-WikiLeaks environment reminds us that technology is a tool to execute solutions but it is not in itself the answer. Simply put, we must more consistently sort out what we need to share before determining how to share it. 
Connecting systems and networks may provide the means to share information, but we must still manage and share this content in an effective and efficient way, as both of you mentioned in your opening statements. The national security community must do a better job of articulating what information is appropriate to share with the widest appropriate distribution and what is more appropriately confined to a narrower audience across the community in order to ensure adequate safeguards. The State Department believes that the way in which we share messages through our traditional means of dissemination and the steps we have taken since November are leading us firmly in that direction. The second main challenge involves each agency's rigorous adherence to existing and improved information security policies, as both of you have noted. This includes improved training in the use of labels to indicate appropriate breadth of dissemination. The Executive Order on classified information establishes the basic levels of classification. From that foundation, individual agencies may still have their own captions that denote how information should be disseminated because obviously not every person with a security clearance needs every piece of worldwide information. Agencies that receive information need to understand how to handle that captioned information so that it is not inappropriately made available to too wide an audience. The Office of Management and Budget (OMB) has directed agencies to address security, counterintelligence, and information issues through special teams. We believe that our Mitigation Team serves as a model for broad, cross-discipline coordination, or governance because it brings together the various subject matter experts. Many information-sharing and security issues can be resolved at the agency level as long as there are standards in place for agencies to execute. 
For the most part, standards have been created by existing interagency bodies, but there are some areas where further coordination is needed. The third main challenge involves the coordination, or governance, of information management. Numerous interagency groups are wrestling with the issues related to technological aspects of information sharing, such as those dealing with standards, data standards, systems, and networks. Others are wrestling with the policy decisions of who should have access to what information. New interagency governance structures to coordinate information sharing have been developed, including those focused, as you rightly note, on sharing with State, local, and tribal governments, as well as with foreign partners. In keeping with the first challenge, these new structures should maintain or increase focus on defining the content to be shared and protected as well as on the technology which is to be shared and used. Each agency must be confident that security processes and procedures are applied in a uniform and consistent manner in other organizations. And, in addition, it must be understood that material originating in one agency will be treated by other agencies in accordance with mutually understood handling instructions. The State Department shares information with the intent of providing the right people with the right information at the right time. We will continue to share our diplomatic reporting in order to advance our national security information. We recognize the imperative to make diplomatic reporting and analysis available throughout the entire interagency community. The State Department will continue to do this in order to fulfill our mission. We remain committed to both appropriately sharing and protecting critical national security information, but this commitment requires, as you have noted, addressing multiple, complex issues. 
We must find the right policies; we must find the right technologies; and we must continue to share.

Thank you for this opportunity to appear before you today. I look forward to working with you on the challenges and would be pleased at the right time to respond to any questions you might have. Thank you.

Chairman Lieberman. Thanks very much, Secretary Kennedy.

Now we are going to hear from Teresa Takai, Acting Assistant Secretary for Networks and Information Integration, Chief Information Officer, U.S. Department of Defense. Welcome.

TESTIMONY OF TERESA M. TAKAI,\1\ CHIEF INFORMATION OFFICER AND ACTING ASSISTANT SECRETARY FOR NETWORKS AND INFORMATION INTEGRATION, U.S. DEPARTMENT OF DEFENSE, AND THOMAS A. FERGUSON, PRINCIPAL DEPUTY UNDER SECRETARY FOR INTELLIGENCE, U.S. DEPARTMENT OF DEFENSE

Ms. Takai. Thank you, sir. Thank you for that introduction. Chairman Lieberman, Ranking Member Collins, and Senator Brown, thank you for the invitation to provide testimony on what the Department of Defense is doing to improve the security of its classified networks while ensuring that information is shared effectively.

---------------------------------------------------------------------------
\1\ The joint prepared statement of Ms. Takai and Mr. Ferguson appears in the Appendix on page 44.
---------------------------------------------------------------------------

As noted, I am Teri Takai, and I serve as the principal adviser to the Secretary of Defense for Information Management, Information Technology, and Information Assurance, and as such am responsible for the security of the Department's networks and then coordinating the Department's mitigation efforts in response to the WikiLeaks incident.

With me is Tom Ferguson, Principal Deputy Under Secretary for Intelligence.
He serves as the principal staff adviser to the Under Secretary of Defense for Intelligence and is responsible for policy and strategic oversight of all DOD intelligence, counterintelligence, and security policy, plans, and programs, as delegated by the Under Secretary for Intelligence. In this capacity, Mr. Ferguson oversees the development and implementation of the Department's information-sharing policies.

Mr. Ferguson and I have submitted a detailed statement for the record, but I would like to briefly highlight a few of the Department's efforts to better protect its sensitive and classified networks and information while ensuring its ability to share critical information with other partners and agencies is continued.

Immediately following the first release of documents on the WikiLeaks Web site, the Secretary of Defense commissioned two internal DOD studies. The first study directed a review of DOD information security policy. The second study focused on procedures for handling classified information in forward-deployed areas. Results of the two studies revealed a number of findings, notably that: Forward-deployed units maintained an overreliance on removable electronic storage media; second, roles and responsibilities for detecting and dealing with an insider threat needed to be better defined; and, finally, limited capability existed to detect and monitor anomalous behavior on classified computer networks.

The Department immediately began working to address the findings and improve its overall security posture to mitigate the possibility of another similar type of disclosure. The most expedient remedy for the vulnerability that led to WikiLeaks was to prevent the ability to remove large amounts of data from the Department's secret classified network using removable media, such as discs, while allowing a small number of computers to retain, under strict controls, the ability to write removable media for operational reasons.
The Department has completed disabling the write capability on all of its SIPRNet machines except for approximately 12 percent that maintain that capability for operational reasons, largely in deployed areas of operation. The machines that maintain write capability are enabled under strict controls, such as using designated kiosks with two-person controls.

We are also working actively with National Counterintelligence Executive on its efforts to establish an information technology insider detection capability and an Insider Threat program. Mr. Ferguson's organization is leading that effort for the Department of Defense, and they have been developing comprehensive policy for a DOD Counterintelligence Insider Threat Program.

In addition, DOD is developing Web-enabled information security training that will complement DOD's mandatory annual information assurance training, and the Joint Staff is establishing an oversight program that will include inspection of forward-deployed areas.

As DOD continues efforts to improve our information-sharing capabilities, we will strive to implement the mechanisms necessary to protect the intelligence information without reverting back to pre-September 11, 2001, stovepipes. DOD is working closely with its interagency partners, several of whom join me here today, to improve intelligence information sharing across the government while ensuring the appropriate protection and safeguards are in place.

I would like to conclude by emphasizing that the Department continues to work towards a resilient information-sharing environment that is secure through both technological solutions and comprehensive policies. Mr. Ferguson and I thank the Committee for the opportunity to appear before you today, and we look forward to answering your questions.

Senator Collins [presiding]. Thank you. Mr. Ferguson, I am told that you do not have a prepared statement. Is that correct?

Mr. Ferguson. That is correct. Ms. Takai has a nicer voice than I do and has given our joint statement.

Senator Collins. Thank you.

Before I turn to our next witness, we have been joined by Senator Brown, and I just wanted to give him an opportunity for an opening statement if you would like to have one.

Senator Brown. Thank you. I am actually eager to hear from the witnesses and ask questions, but thank you for the offer.

Senator Collins. Thank you. Then we will proceed.

Our next witness is Corin Stone, who is the Intelligence Community Information Sharing Executive from the Office of the Director of National Intelligence (ODNI). We welcome you. Please proceed with your testimony.

TESTIMONY OF CORIN R. STONE,\1\ INTELLIGENCE COMMUNITY INFORMATION SHARING EXECUTIVE, OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE

Ms. Stone. Thank you, ma'am. Chairman Lieberman, Ranking Member Collins, and Senator Brown, thank you for inviting me to appear before you today to discuss the intelligence community's progress and challenges in information sharing. I want to first recognize the Committee's leadership on these important issues and thank you for your continued support as we address the many questions associated with the need to share information and the need to protect it. Your leadership and oversight of information sharing, especially as we come up to the 10-year anniversary of September 11, 2001, has been invaluable. I look forward to our continued participation and partnership on this complex and vitally important issue.

---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Stone appears in the Appendix on page 52.
---------------------------------------------------------------------------

As the Intelligence Community Information Sharing Executive, I am the Director's focal point for all intelligence community information-sharing matters, providing guidance, oversight, and direction on information-sharing priorities and initiatives across the community. In that capacity, I work in coordination with my colleagues at the table and across the community on comprehensive and strategic management information sharing, both internally and with all of our mission partners.

My main focus today concerns information that is derived from intelligence sources and methods or information that is reflected in the analytic judgments and assessments that the intelligence community produces. I want to be clear, though, that our concern for the protection of information is not only narrowly focused on sources and methods. As we have seen recently through WikiLeaks, the unauthorized disclosure of classified information has serious implications for the policy and operational aspects of national security.

We all have networks that must be secured, and as technology continues to advance, my colleagues and I remain deeply committed to keeping up with the ongoing challenges we face. I am acutely aware that our major task is to find what the Director of National Intelligence (DNI) has termed ``the sweet spot'' between the two critical imperatives of sharing and protecting information.

Every day our officers work tirelessly to tackle challenges of increasing complexity in a world that is interconnected, fast-paced, and ever changing, sharing vital information with each other, customers and partners, leading to better prepared senior policymakers across the Executive Branch and Congress.

It is important to note that the community's work on these complicated questions predates the recent unauthorized disclosures by WikiLeaks.
As you know, the challenges associated with both sharing and protecting intelligence are not new and have been the subject of major effort in the intelligence community for years. However, these latest unauthorized disclosures underscore the importance of our ongoing and comprehensive efforts to address these evolving challenges.

Working with the whole of government to address these issues, the intelligence community's strategy involves three interlocking elements. The first is access, ensuring that the right people can discover and have access to the networks and information they need to perform their duties, but not to information that they do not need. The second element is technical protection, technically limiting the ability to misappropriate, manipulate, or transfer data, especially in large quantities. And the third area is auditing and monitoring, taking actions to give the intelligence community day-to-day confidence that the information access granted to our personnel is being properly used.

As we work to both share and protect networks and information, we must never lose sight of the sweet spot. As we continue to increase how much information is shared, we must also increase the protections in place to ensure information is being properly used and safeguarded. This is the only way to create the necessary trust and confidence in our systems that will foster appropriate information sharing. It is a matter of managing risk, and people, policies, processes, and technology all play important interconnected roles in managing that risk.

However, it is also important to note that while all of our capabilities can reduce the likelihood and impact of unauthorized disclosures, in the final analysis our system is based on trust--trust in the individuals who have access to classified information and trust that they will be responsible stewards of this Nation's most sensitive information.
Whether classified information is acquired by a computer system, a classified document, or simply heard in a briefing or a meeting, we have had bad apples who have misused this information before, and we will, unfortunately, have them again. This reality does not mean we should err on the side of not sharing; rather, we must put all proper safeguards in place, continue to be forward leaning to find a threat before disclosures occur, be mindful of the risks, and manage those risks with the utmost diligence.

Thank you for the Committee's time, and I welcome your questions.

Senator Collins. Thank you. Our final witness on the panel this afternoon is Kshemendra Paul, who is the Program Manager for Information Sharing Environment of the Office of the Director of National Intelligence. Welcome, Mr. Paul.

TESTIMONY OF KSHEMENDRA PAUL,\1\ PROGRAM MANAGER, INFORMATION SHARING ENVIRONMENT, OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE

Mr. Paul. Thank you, Chairman Lieberman, Ranking Member Collins, and Senator Brown. Thank you for the opportunity to speak about our efforts to effectively share and protect information at every level of government. Thank you for your attention to information-sharing reform efforts and your support of my office's mission. I also want to recognize my fellow panelists, key partners in government-wide efforts to further strengthen information sharing and protection.

---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Paul appears in the Appendix on page 59.
---------------------------------------------------------------------------

As the WikiLeaks story emerged, concerns were voiced that the information-sharing efforts would suffer a setback. This Administration is committed to strengthening both information sharing and information protection. While complex and challenging, we do not see these goals as conflicting. Guidance throughout the Executive Branch has been consistent.
We need to accelerate information sharing in a responsible and secure way.

The WikiLeaks breach is not principally about information-sharing challenges. A bad actor allegedly violated the trust placed in him. While we cannot always stop bad actors, we can and must take this opportunity to reassess our posture, our progress, and our focus related to improving and strengthening information sharing and protection.

The challenges highlighted by the WikiLeaks breach are complex and go to deeply rooted issues: First, the perpetuation of agency-based, bilateral, and fragmented solutions versus common and comprehensive approaches to information sharing and protection; second, the need to improve our counterintelligence posture and some of the other technical considerations that my fellow panelists have talked to; and, finally, while the breach involves classified information, we need to be mindful that the root cause issues and the sensitivities extend to sensitive but unclassified information also. It is a whole-of-government problem, not just a classified national security problem.

I would like to clarify the information-sharing environment and my role. The purpose of the information-sharing environment is to improve the sharing of terrorism-, homeland security-, and weapons of mass destruction-related information across Federal, State, local, and tribal agencies and with our partners in the private sector and internationally. The information-sharing environment spans five communities: Defense, intelligence, homeland security, law enforcement, and foreign affairs. It is defined as a cross-cutting, horizontal, data-centric, trusted information-sharing and protection capability.

My role is to plan for and oversee the agency-based buildout, and manage the information-sharing environment. But my office is not operational.
Agencies own the mission, agencies set policies and procedures, and agencies make the investments that interconnect our networks, databases, applications, and business processes. These agency-based contributions together form the information-sharing environment.

The law grants the program manager's role governmentwide authority. This authority is exercised primarily two ways: First, I am the co-chair of the White House's Information Sharing and Access Interagency Policy Committee; through that role, we work through policy and oversight issues; and, second, through my partnership with the Office of Management and Budget.

We are being deliberate and collaborative in our approach to further strengthening information sharing and protection. We have put an emphasis on governance and outreach. My office, together with my mission partners, is leading the refresh of the 2007 National Strategy for Information Sharing. We are using this opportunity to leverage common mission equities to drive common policies and capabilities. And we are orchestrating specific agency-led sharing and protection initiatives with our partners.

We believe this work provides a framework for strengthening efforts to address the root cause issues associated with the WikiLeaks breach. These capabilities will result in further assuring the proper sharing and protection of information. Our work across mission partners is profiled in our annual report to the Congress delivered every summer. I also encourage those interested in following or influencing our efforts to visit our Web site and to participate in upcoming online dialogues aimed at shaping our future direction.

In closing, our efforts have been and continue to be focused on accelerating information sharing in a secure and responsible way. Effective information sharing and collaboration are absolutely essential to keeping the American people safe. Thank you for the opportunity to participate in this hearing.
I also would appreciate any comments, directions, support, or feedback that you can provide to me in my office. My fellow panelists and I look forward to your questions.

Senator Collins. Thank you very much for your testimony, and I thank all of the witnesses.

I want to express my personal frustration with this issue. Our Committee has held hearings on the lack of information sharing in the case of Abdulmutallab, where credible information was given to our embassy in Africa but did not make its way in a timely fashion to the National Counterterrorism Center and, thus, Abdulmutallab was not listed on the No Fly List. So there is an example of credible information that should have been shared across government but was not.

Similarly, in our investigation into the Fort Hood attacks, we found that credible information about Major Hasan's communications with a known terrorist suspect was not shared by the Joint Terrorism Task Force with the Army--another terrible failure in information sharing.

Now, there have been successes as well. But I mention those two failures to contrast and raise such questions with how an Army private allegedly was able to download hundreds of thousands of classified documents, cables, and intelligence reports without being detected, and that baffles me.

It also frustrates me because in 2007, Senator Lieberman and I authored homeland security legislation that included a requirement that military and intelligence agencies install audit capabilities with robust access controls on classified systems. And those technologies that would enable us to audit information transmission and authenticate identities for access control are not new. They are widely used. And the serious cyber risks associated with the use of removable media devices, such as thumb drives, have been known for many years.

How did this happen? How could it be that a low-level member of the military could download such a volume of documents without it being detected for so long?
That truly baffles me. I do not know who to start with. Mr. Ferguson, do you want to take a crack at that?

Mr. Ferguson. I will be the first in the pond. Let me take it in a couple steps. Your question has a lot of parts to it.

The rank of Private Bradley Manning is really not so much the issue. It was what his responsibilities were. He was there to provide intelligence support for military operations. So we do not base it necessarily on a rank structure. We base it on what is his mission responsibilities to support the military.

To get to your question about how was he able to access so much data, and then I will get to the part about what have we done and why didn't we do what we could have done. The situation in the theater is such that--or was. It has changed now. But we took a risk, essentially is what it is. We took a risk that by putting the information out there, share information, provide agility, flexibility of the military forces, they would be able to reach into any of the databases on SIPRNet. They would be able to download that information, and they would be able to move the information using removable media across various domains, whether it is across security domains or from U.S. systems to coalition systems. And we did that so they could do this very rapidly.

Here in the Continental United States (CONUS) many of the things you have talked about, about closing off open media ports and so forth, actually have been in place for a decade or more. If you go to many of the agencies, they actually are not able to access those open ports. But the focus in the theater was speed and agility, so we took that risk to allow not just Private Manning but many people who are serving there to move at that pace.

You asked about why we did not put in place capabilities that were in your bill. In fact, as early as 2008, we started to deploy what is called the Host Based Security System (HBSS), as early as 2008.
And at the time of Private Manning's alleged activities, about 40 percent of the systems in CONUS actually had that system in place. The systems were not--that was not available in the theater.

Senator Collins. And why wasn't it?

Mr. Ferguson. Mainly because of a lot of the systems there are, for lack of a technical term, cobbled together, and placing those kinds of systems--they are not all equal. It is sort of a family of systems there, and it is not just like working for Bank of America where they have one homogeneous system and they can insert things and take things out as it works. You have multiple systems and putting in new intrusion software or monitoring tools and so forth, you have to approach each system differently. And that is part of the problem.

So basically to get away from that and not hold up the ability to move information, they took on the risk by saying, look, these people are cleared. They go through background investigations, and, frankly, most of our focus was right about outside intruder threat, not inside threat.

So in the end, to answer your questions--we had ourselves a situation where we had information sharing at this level, and we took the risk of having monitoring tools and guards and passwords and so forth, as well as people did not fully implement policies, they did not follow security rules down at this level. So the problem is that is where we made our mistake. We allowed this to occur when we were sharing information at this level.

So what we are trying to fix today is not take this level of information sharing and moving it down here, which you have referred to in your opening statement, but take this and move it up here. And that is what we are trying to do as rapidly as we can.

Senator Collins. Thank you. Mr. Kennedy, Mr.
Ferguson basically explained that DOD, in the interest of making sure that the information was out there in theater, took a risk, but that does not explain to me how the private would have access to State Department classified cables that had nothing to do with the country for which the private was involved in intelligence activities. So how did it happen that he had access to classified State Department cables, involving countries that had nothing to do with his intelligence responsibilities?

Mr. Kennedy. That is a very good question, Senator. Several years ago, the Department of Defense and the intelligence community came to the State Department and said, we need the State Department--and actually they paid for it--to push out reporting to SIPRNet, which is the Department of Defense worldwide system, and to load a number of our cables onto a Defense Department database that would be accessible to Defense Department people. So in response to their request, we took a selected element of our cables and pushed those out to the Department of Defense's database.

To be blunt, we believe in the interest of information sharing that it would be a grave mistake and a danger to the national security for the State Department to try to define in each and every one of the 65 agencies that we share our diplomatic reporting analysis with to say that Private Smith should get this cable, Lieutenant Jones should get that cable, Commander X should get that cable.

The policies that have been in place between the State Department and other agencies is we provide this information to the other agency. The other agency then takes on the responsibility of controlling access by their people to the material that we provide to them.

Senator Collins. I will come back to that issue, but I want to first give an opportunity for my colleague, Senator Brown, to ask his questions.

OPENING STATEMENT OF SENATOR BROWN

Senator Brown. Thank you. You are on a roll, though.
I have served in the National Guard for 31 years. I am a Lieutenant Colonel. I am on the computers regularly, all that good stuff, and I have to tell you, sometimes it is like brain surgery getting on the computer, even for somebody like me who is part of the senior staff, and had been a trial defense attorney, just to log on, get access, go where I need to go, and I still have not really gotten a satisfactory answer as to how this private had complete and total access to the documents he had. In my wildest dreams, I could not do what he did. And then I see, he works 14 hours a day, no one cares. Well, the average workload in that region is that and more for many people.

My understanding, in doing my own due diligence, is that there was a complete breakdown of command authority when it came to instructing that soldier and people within that command as to the do's and do not's with regard to information and information sharing. There was no check or balance, and that the amount of people that have access to that information has grown by tens of thousands. Hundreds of thousands of people have access to that information on any given day.

Is that accurate, that that many people have access to that information? Whoever feels qualified to answer it, probably the DOD folks.

Mr. Ferguson. Let me put it this way: The SIPRNet is a command and control network, just like the Internet.

Senator Brown. I know what that is, I am in the military. Can you explain to the listeners what that is?

Mr. Ferguson. What is the SIPRNet?

Senator Brown. Yes.

Mr. Ferguson. The SIPRNet is a command and control network that maintains Department of Defense classified secret level information that covers a whole portfolio of issues. It is not just intelligence information, for one. It is operations data. It is financial programmatic data, personnel data. It covers a very large----

Senator Brown. It is everything.

Mr. Ferguson. It is everything.
All that information is not available to everyone who is on SIPRNet. A lot of that information, in fact, is password protected. But there are sites, just like going on the Internet, that if you click on there, if you put in the search for that information and it is not password protected, it is available to whoever is on the SIPRNet.

Senator Brown. All right. So let me just take what you are saying here--and that was not the case with this young soldier. We are not just talking about that stuff where you just get online and take that stuff. We are talking about that the young person who had the ability to not only get that but all the classified documentation as well. Correct?

Mr. Ferguson. He was able to get the classified information that was not password protected. That is correct.

Senator Brown. Right. And is it true that there are hundreds of thousands of people that have access to that information still?

Mr. Ferguson. That is true.

Senator Brown. Once again, I am not a brain surgeon, but I am an officer in the U.S. military, and I have difficulty getting that stuff. Why haven't we locked down and basically weeded through the people that have access, to make sure they are all our friends? Where is the command and control in these types of things?

Mr. Ferguson. The command and control, since the SIPRNet is really a family of networks, the site owners decide, just like on the Internet, who gets access to their particular site.

Senator Brown. Right. That is for the open stuff, but I am not talking about that.

Mr. Ferguson. No. That is for secured information as well.

Senator Brown. All right.

Mr. Ferguson. So in the case, of course, of the State Department information, that has now been removed from SIPRNet, so that is not available for everybody to take a look at.

Senator Brown. I was kind of surprised they were even on there.

Mr. Ferguson.
Well, that was a request of the Department of Defense and the DNI to put that information on or to make it more accessible to people in the intelligence community.

Senator Brown. Is the reason why because--listen, I understand the moving nature of the battlefield. I believe that a lot of the command and control went away because of the changing nature of the battlefield. They needed the information very quickly. Is that a fair assessment?

Mr. Ferguson. That is a fair assessment.

Senator Brown. So knowing that, what checks and balances have been put in place, notwithstanding that fact, what are we doing?

Mr. Ferguson. What they have done--and Ms. Takai can talk about the technology behind this. They have closed down all the ports. They cannot remove the data. But they also are starting to chart and narrow the data access based on mission responsibility, for one. It is not going to be as simple as just going in, turning off stuff, and just doing a big survey of the SIPRNet, although that will probably occur. And then, of course, the moving of the data, which was the big concern, is now a two-man rule. As Ms. Takai pointed out, 12 percent of the systems now have the ability to remove data and shift it to another domain. The other 88 percent are shut down.

Senator Brown. Well, he used a thumb drive, right?

Mr. Ferguson. He used a compact disc (CD), actually. Oddly enough, the thumb drives have been shut off for some time.

Senator Brown. That is what I thought. So it was a CD, right?

Mr. Ferguson. It was CDs, that is right. He was downloading the CDs. So we have a two-man rule.

Another key piece of this is--I do not know the word to use--a failure on the part to monitor and follow security regulations. It is as simple as that.

Senator Brown. Listen, I agree with you. I know there is a protocol in place. I am still flabbergasted.
I mean, here we are, we have one of the biggest leaks in my lifetime or my memory, at least, in the military, and we have a private who is in trouble. I am a little curious. There seems to have been a breakdown completely on that chain of command.

Mr. Ferguson. It did not work as well as we had hoped.

Senator Brown. And that being said, it has not worked as well as you had hoped, is there anything like a red team or an unannounced inspection? Or have you changed the protocol?

Mr. Ferguson. Actually there have been investigations looking at the entire process for the entire theater. And a lot of the changes have occurred in terms of the two-man rule, shutting down of the ports, and other security training and so forth has all occurred in the last 3 or 4 months. So, yes, they have taken some pretty significant actions already.

If I may, I would like to pass it to Ms. Takai because she can speak to some of the technology that is in place.

Senator Brown. And with that, I will take that testimony in a second. But that being said, I know all the agencies are actually awash with new guidelines and directives. Is there a coordinated effort of some kind being made so that policy and oversight are staying consistent, that agencies are not left to guess who to listen to? Is there someone in charge that basically is dictating what we are doing, why we are doing it, how we are doing it, and then following up to say, yes, we are, in fact, doing it? Is there anything like that going on?

Mr. Ferguson. Yes, I will give you a good example. Their policies for security and use of material was spread across a number of policy documents, so if you were sitting in a field or you are in the United States and you wanted to find where that policy was, you had to go search for it. In hindsight, that was not a good way of approaching it. It worked that way for years, decades.
One of the things we have done is we have updated those policies, and we combined and consolidated them into a single product. So there is only one place--it is a one-stop shop to go get that. That came out of the Under Secretary of Defense for Intelligence's office. So he sets the guidelines for that information protection assurance and security parts.

In terms of setting rules for information sharing itself, that is being done as a community-wide activity, not just with the Department of Defense but with the DNI--this is an approach with all the other agencies. So there is one initiative right now underway, and, of course, each department is also looking at it individually.

Mr. Paul. Can I amplify that?

Senator Brown. Yes, please, and then I just have one final question, but sure, yes, absolutely.

Mr. Paul. So there is an ongoing White House-led process right now looking at the WikiLeaks incident and potential structural reforms. That has three main tracks that are going on, and my panelists and I and others are involved in that process. The first part of it is looking at how to better balance things like identity management and tagging of information more consistently so you can do better kinds of access controls like what were talked about in the opening statements. The second is looking at the insider threat passbacks and some of the technical considerations that we have talked about. And the third is looking at how we strengthen governance across the spectrum--so the hope is that in the coming weeks and months we can come back and talk about the results of that process.

Ms. Takai. Before I speak to the technology, just to follow on to the governance issue, there is participation by all of the organizations in a White House working group that reports to the deputy's committee around the various activities to make sure that we are well coordinated and that we are working together.
Inside the Department of Defense, this is an item that is high on the Secretary's list, and we provide ongoing reports to him from the standpoint of the technology mitigation efforts both to him and the Chairman of the Joint Chiefs of Staff regarding our progress. So there is significant oversight. There is significant guidance in terms of making sure that we are taking care of this and we are following on to the commitments that we have made both from a technology perspective and working with Mr. Ferguson's area in terms of making sure that the policies are updated. So I wanted to make sure that I added that in response to the question.

Moving on to the technology, I think we have talked about the Host Based Security System and the progress that we have made thus far in terms of having that installed and making sure that we can detect anomalous behavior in terms of individuals who might get on to the network and download information, and we are doing that in three ways.

One is from a device perspective. The Host Based Security System detects if, in fact, a computer does have a device where information can be downloaded so that we can validate that and ensure that it is a part of the 12 percent of those computers that we believe need that information in the field.

The second thing that we are doing is to look at what we call an audit extraction module to follow on to Senator Collins' question around how do we have the information and the analytics to see anomalous behavior and we can catch it at the time that it occurs. We are currently in testing. That software is integrated with HBSS, and we will then be moving ahead to roll that out across DOD.

The third thing that we are moving forward on, as you mentioned, Senator Collins, is around really a role-based process.
We are going to be implementing a public key infrastructure (PKI) identification similar to our current Common Access Cards (CACs) that we have on our non-classified network to all of the DOD users, and what that will do is give us an opportunity over time to refine what information individuals have access to. So sheer access to SIPRNet, for instance, in this case, we will be able to, by looking at each individual database, take it down to what information that individual needed as opposed to having the network completely open.

Senator Brown. I appreciate that, and just in closing, it was not only dangerous, it is embarrassing what happened. You know, it is embarrassing for our country some of the things that were actually out there. And so there are a lot of lessons there, but I appreciate the opportunity. Thank you for having this hearing and participating and allowing me to participate in it.

Senator Collins. Thank you.

Chairman Lieberman [presiding]. Senator Collins, thanks very much for assuming the Chair. I apologize to the witnesses. I appreciate the testimony. Let me ask a few questions, if I might.

In a speech that DNI General Clapper gave last fall, he predicted that WikiLeaks was going to have a ``very chilling effect on the need to share.'' After WikiLeaks began to release State Department cables in late November, news headlines forecasted a clampdown on information sharing, and this is what we have been dealing with and you deal with in your testimony as submitted.

I wanted to ask you if there are specific areas--and I guess I would start with Ms. Stone and then any others. Are there specific areas where you think the WikiLeaks case has had a direct impact on information sharing other than the examples cited in the prepared testimony by Mr. Kennedy of the State Department removing its diplomatic cables from SIPRNet?

Ms. Stone. Thank you for that question, sir.
My reaction is that the most direct impact has been in the area of culture and those people who are concerned about sharing information, rightly so, and our ability to protect it. And, therefore, our reaction to WikiLeaks must be to increase protection as well as sharing. As we increase the protection, we also increase the trust and confidence that people have that when they share their information appropriately, it will be protected; we will know where the information is; we will be able to pull that information if it is inappropriately accessed; and we will be able to follow up with appropriate repercussions if and when it is misused.

So I think the most direct impact I have seen is not in a specific tangible action, but more so that it has resulted in a very clear need for us to increase the protections, to increase trust and confidence to share more broadly; because--while Director Clapper was very concerned--as we all were, that this would have a chilling effect, we have all worked very hard, both within the ODNI, within the intelligence community, and across the government, to ensure that it does not have a chilling effect; but that, in fact, as Mr. Ferguson said, as we increase sharing, we also increase protection to develop that trust and confidence.

Chairman Lieberman. That is good. Mr. Kennedy.

Mr. Kennedy. If I could, Mr. Chairman. I think there have been two kinds of chilling effects. One, I think there has been a chilling effect on the part of some foreign governments being willing to share information with us, and that is obviously of great concern to the State Department. We build our diplomatic reporting analysis on the basis of trust; that when individuals tell us things in confidence, we will share them in confidence within the U.S. Government, that it will not go broader than that. So that has been one chilling effect.

I think the State Department, though, has avoided the chilling effect that you were directly addressing.
For example, if I might, during the period of time, we have posted, as you all mentioned, some 250,000 cables to this database posted to the DOD SIPRNet. During that same period of time, we disseminated 2.4 million cables, 10 times as many, through other systems to the 65 other U.S. Government agencies. And so, therefore, while we stopped disseminating on SIPRNet for the reasons that my DOD colleagues have outlined, we have continued to disseminate to the intelligence community system, the Joint Worldwide Intelligence Communications System (JWICS), and we have continued to disseminate the same volume of material to the same other agencies based upon their need for that information.

We do not hold anything back. This unfortunate event has not caused us to hold anything back. We continue to share at the same rate as we were sharing before because we know that our information is essentially the gold standard. There are more reporting and analysis officers and sources and information from 265 State Department diplomatic and consular posts around the world than any other agency, so it is our intent to uphold our piece of national security and obviously to be responsive to the very forceful and correct legislation that you saw passed, which is to share. We are continuing to share using two other means.

Chairman Lieberman. Do any of the other three witnesses want to comment, either in terms of specific areas of the effect of WikiLeaks on information sharing or perhaps some more indirect impact with people becoming more hesitant to work across agency boundaries or even marking intelligence products more restrictively? Mr. Paul.

Mr. Paul. Yes, in my role I have the opportunity to work closely with our State, local, and tribal partners, and I just want to report that the concerns about a chilling effect, they share that. They share the concern, and we remain vigilant and work with them to try to identify any challenges of that sort.
But so far with our partners, primarily FBI and DHS, there is a lot of good sharing. Our different sharing initiatives continue to move forward, things like the Nationwide Suspicious Activity Reporting Initiative, the Nationwide Network of Fusion Centers, and different initiatives of those ilk.

Chairman Lieberman. Good. Thanks for your answers to that. Incidentally, one of the things I have found that I am sure other Members of Congress have found in foreign travel that we have done since the WikiLeaks leaks is that, somewhat in jest but not really, often leaders of foreign countries that we are meeting with will say, ``I hope this is not going to appear on WikiLeaks.'' So they are hoping that there is a certain confidence and trust in the exchange of information. And, of course, we say, ``Oh, no.'' And then the person from the embassy usually says, ``No, we have taken care of that problem.'' But it did affect the trust of allies around the world. One of the things that Congress called for in the Intelligence Reform and Terrorism Prevention Act was the use of technologies that would allow ``role-based access'' to information in government systems--in other words, that people would have access to information necessary for their work, but would not have overly broad access to information that they did not need. One of the key lessons, obviously, from WikiLeaks is that we have not yet made enough progress toward that goal as we need to, and if such capabilities had been in place on SIPRNet, I presume Private Manning would never have had access to that much information, if any at all. Ms. Takai, maybe we will start with you. What are the key challenges associated with implementing role-based access as I have defined it across our classified and sensitive information systems?

Ms. Takai. Thank you, Mr. Chairman. I would like to start first by just giving you an update on where we stand at DOD in terms of rolling out a PKI-based CAC card for SIPRNet.

Chairman Lieberman.
Good.

Ms. Takai. We are in the process and, in fact, they are in production, if you will, through our trusted foundry on those cards. We are anticipating the completion of the rollout by the end of 2012 so that all the individuals who today need SIPRNet and use SIPRNet will have PKI identification.

Chairman Lieberman. Have you defined those terms while I was away? Or would you want to do so now, PKI and the CAC card, for the record?

Ms. Takai. Effectively the common access card is a card that you actually utilize with your computer that actually identifies you when you log on to the computer. So it is a much more sophisticated password, if you will. It gives you a user name and password, but it more clearly identifies you, and then from that more clearly can identify the role that you play in the organization and then through that the information to which you should have access.

Chairman Lieberman. So that would all limit access based on what the position of the card holder was and the presumed needs to know of the card holder.

Ms. Takai. That is correct, sir. But to the second part of your question in terms of our rollout plan and the steps that we need to go through, the cards are actually rolled out to each individual who has a computer, so our deployment plan is to actually get the physical cards and the physical readers installed on all of the computers for those individuals that require access to SIPRNet. The second thing is that through the trusted foundry we have a manufacturing process for those cards, and they have a capacity for a certain number of cards, so that also is a factor. So, again, in order for us to really complete 100 percent, we have to take into account those two factors, and also the fact that many of the computers where this is needed are, as you could well imagine, in many locations around the globe. And that is not only, of course, certainly on the ground, but on ships and so on.
So it will take us a while, by the end of 2012, to have that deployment complete. But I think it is important to note, in addition to just the physical deployment of the cards and on the various computers, that it will then take us additional time to make sure that we get the roles associated with the information connected. So the cards give us the capability to do that, and then we will continue the deployment to link the information to that.

Chairman Lieberman. That is encouraging. Thanks. Senator Collins.

Senator Collins. Thank you, Mr. Chairman. Just a couple more questions. Mr. Ferguson, when I think about the WikiLeaks incident, I think not only of the failures of technology but also a failure to focus on certain red flag behavior that was exhibited by the suspect. And it reminds me very much of what our investigation found when we looked into Major Hasan's behavior prior to the massacre at Fort Hood. If the media reports are correct, Private Manning exhibited problems such as mental health issues, an assault on colleagues, and the fact that supervisors had recommended that he not be sent to the front lines. These are all pretty big red flags, and I am wondering why they did not lead to a restriction in his access to classified information. I do not know whether you are the right person for me to ask that question to, but my point is there is more than just technology at stake here. If we have a high-ranking official and we use the user role approach but that individual becomes unstable or embraces Islamist radicalism or there is some other reason that would cause the individual to pose an insider threat, do we have the systems in place to catch that individual?

Mr. Ferguson. Senator, I probably cannot really speak to the specifics of Private Manning. It is an ongoing investigation.
However, your point, though, about a process to identify behaviors that we should be concerned about, we have taken a look at that, and the training that we had in place--whether it was Hasan or this case--was not sufficient to give his supervisors the pieces of data they would need to put together and say this person is a problem, or in some cases to take action when they did suspect something was wrong. So what we have done in the Department is begin to shape with new policy and direction how to better train supervisors in how to best identify behaviors that would be of concern. That is one piece, but they also have to be willing to take action, and that is part of the other problem. It is not that somebody might say that this behavior is irregular. It is also in some cases a fear to take action, or it may reflect on them as a failure or it may reflect on them in some other way. And so there are two hurdles here. It is teaching people how to identify the characteristics, but it is also teaching people that the right thing to do is to take action.

Senator Collins. I am concerned because we have seen two recent cases where tremendous damage was done, despite the fact that there was ample evidence, it appears--I am less familiar with the case we are discussing today--that something was dramatically wrong. That is an issue that I am eager to pursue, and I think your point about training is a very good one. Mr. Paul, just for my last question, you mentioned in your testimony that there is a fragmented approach to computer security across the Federal Government, and I think I can speak for the Chairman when I say that we could not agree with you more, and that is one reason we have introduced our cybersecurity bill which will apply to the civilian agencies and also try to work with the private sector to develop best practices. But our bill does not deal with the intelligence community or the military computer systems.
You also in your testimony pointed out that you are not an operational office at DNI and that you are heading a task force on this issue. What are you telling us? Are you telling us that the DNI needs more authority to prevent this fragmented approach where one intelligence agency may have a totally different approach to security, classification, and access than the Department of Defense?

Mr. Paul. So when I was using the description of ``fragmentation,'' what I was referring to was that agencies put in place specific agency-based solutions. Those solutions serve for specific needs. But then when you look at more broad information sharing and protection with other agencies, the solutions tend to not work as well. An example of this is, as we look at things like identity management frameworks--some of my panelists have talked about identity management. That is foundational to being able to do information sharing and information protection. We have several different identity management frameworks across the scope of the Federal Government, our State and local partners, and so forth. Those frameworks are mostly aligned, but we need to make sure that as they get implemented, they are implemented in a way that is consistent across all the different partners. If that does not happen, then you run into challenges when information moves across organizational boundaries. The second part of your question was about my role in co-chairing the Information Sharing and Access Interagency Policy Committee. A key thing that we are trying to do in that group is to harmonize policy frameworks across the different agencies to make sure that on one hand, we have the consistent framework, but on the other hand, we are not slowing down operational considerations in those agencies so that the variations that occur are truly because of mission requirements and not because we are not effectively working together.

Senator Collins. Ms. Stone.

Ms. Stone. Thank you.
If I could just add to that, across the intelligence community we are working very hard to have comprehensive guidelines and processes that are consistent and interoperable. We are working on leveraging public key infrastructure and attribute-based access control to have a more comprehensive identity and access management. We are standardizing data protection models to have several levels of security, and we are working on an enterprise audit framework. So within the intelligence community, while we may have different systems, we are working very hard from the Office of the Director of National Intelligence to more standardize and ensure consistency across those networks. The way we then plug in with the rest of the government--and, indeed, we must be interoperable with the rest of the government, of course--is through this interagency group that we are working on together with everyone at the table and others to ensure that we can, in fact, be coordinating and consistent with the other offices. And we are still working through exactly what that looks like, but that is certainly a concern that we are all very well aware of.

Senator Collins. Thank you. Just two final concluding comments. I would note that the Government Accountability Office (GAO) continues to list information sharing, particularly with regard to terrorism-related information, as a high-risk activity, and it is on the high-risk list again this year. And, finally, as we look at the user role approach, which I brought up in my opening statement and which we have commented on today, we do have to be careful that does not translate back to the bad old days where no one shared anything and where we had stovepipes because we are defining who has access so narrowly that we deny access to analysts who really need that information.
So it is a very difficult task that you are all embarking on, but in this day and age, that an individual could be able, undetected for so long, to download and illegally distribute hundreds of thousands of important cables, reports, and documents is just inconceivable to me. So, clearly, we have a long way to go to strike the right balance. Thank you, Mr. Chairman.

Chairman Lieberman. Thank you, Senator Collins, very much. Thanks again for taking the chair while I had to leave. Just a few more questions, and I want to follow up first with one to you, Mr. Paul, following up on the question I asked Ms. Takai before about role-based access. In your testimony, you note the fact that there are at least five distinct identity credential and access management frameworks in use by Federal agencies, and, of course, that makes me wonder whether that limits the ability to implement the kind of role-based access capabilities that the IRTPA required in systems in a cost-effective way. I wonder if you could talk about what you are doing, hopefully in cooperation, perhaps, with the other witnesses here today, to harmonize those different access frameworks.

Mr. Paul. Sure. Thank you for the question. There are these five different frameworks, but they are really not that different. They are different enough, though, that it requires the attention of my office and other bodies--the Federal Chief Information Officer Council, for example, and my colleagues here--to make sure that as the frameworks get implemented in the different agencies and with our State, local, and tribal partners, that we do not allow for variations or that variations are controlled and reflect mission requirements and the like. So a focus of my office is to work with the interagency, bringing together groups to make sure that as these frameworks get implemented, they are implemented in a consistent way.
Building on top of that, it is critical, as we look at role- and attribute-based access controls that you both have highlighted, that the framework for doing those, how we define roles, how we, to use a colloquialism, tag data, how we tag people, and that tagging occurs in different places. A person may be tagged in one agency, data may be tagged in another, and we want to be able to have that data move in an appropriate way with policy enforcement. That means there needs to be a consistent framework for how that happens, and coordination, and this goes to some of what you have heard from me and others about the importance of governance of the standards and architecture approach. So those are contributions that are catalyzed through the efforts of my office in close cooperation with my mission partners.

Chairman Lieberman. Good. I urge you on in that. Mr. Ferguson, I mentioned in my opening statement the great successes that we have had in the past few years in Iraq and Afghanistan in disrupting terrorist networks in those countries with our military and intelligence agencies working very closely together and doing so in a remarkably rapid way, sometimes exploiting information from one raid or one source and using it within an hour elsewhere, or quicker. As you make changes to improve the security of classified networks at DOD and in the intelligence community, are you taking steps to ensure that those efforts will not diminish or slow down our ability to carry out the kinds of operations I have just described?

Mr. Ferguson. Yes, sir, absolutely. Even though the process was to allow personnel working in a secured facility to access the SIPRNet and pull down data and copy it through open media.

Chairman Lieberman. Right.

Mr. Ferguson. For example, so we could have more agility and flexibility.
We have gone back and taken a look at how that process worked, and we have found that by creating just a kiosk process and a two-man rule, we can still move at the same speed and have the same agility without giving everybody the same availability to the information and being able to pull the data down and copy it. So it is very much in mind to make sure that we do not hinder our ability to carry out the operations.

Chairman Lieberman. Good. Do you want to add anything, Ms. Takai?

Ms. Takai. Yes, I would. I think one of the things that is very important is that we continue to see the dramatic need for information and information sharing by the warfighter and so, if anything, the demand for that information continues to grow. And so as we are looking at the technology, just to relate back to what Mr. Paul said, part of our efforts are to ensure within DOD we are eliminating our fragmented environment, which has grown up over time, through our legacy base of the way that our networks and our databases have grown up. And so I wanted to make sure that I added that there was a relationship between the work that Mr. Paul is doing and the work that we are doing internal to DOD, and I am sure my partners here are all undergoing the same thing. I think that is really what Ms. Stone was talking about. And those things in combination with being able to apply cybersecurity enhancements are really going to give us an opportunity to get that information out there as quickly as today and in some cases even faster than today, but to do it in a secure way.

Chairman Lieberman. That is excellent. Let me ask a final question. Based on the testimony you have provided, really in what you are doing to respond to the challenges that were illuminated by the WikiLeaks case, but also to protect the information-sharing environment, one, have you seen any areas where you think you would benefit from statutory changes?
And, two--and this is a question that I ask in a limited way in this fiscal environment--are there any funds we should be targeting to particular uses that we are not now doing to assist you in responding to this crisis? Maybe we will start with Mr. Kennedy and go down the table, if anybody has anything to say.

Mr. Kennedy. Thank you very much, Mr. Chairman. I cannot think of any additional legislative authority. I think you have done two things. You have given us the intent, and then you have given us the command. And I think we know from what you have said and what we know internally which way we should go. On the funding, I can always say that an institution as small as the State Department can always use additional funding given the range of demands upon us. But I believe that we have a role-based access system in place that we use to distribute material within the State Department. If you are on the French desk, you get one set of materials. If you are on the Japan desk, you get another. As I mentioned earlier, we will continue to push State Department reporting to the other agencies, but it does, I will admit, put a burden on them to then take our material which we have provided to Secretary of Defense, so to speak, to DOD, and then to distribute that to their people according to the roles that only they are capable of defining, because I think it would be wrong for me to say which individuals within an entity as large as the Defense Department or as large as the DNI or the intelligence community which analyst needs what. So we send it to them, and I think they may be the ones who have to answer that second question about how they are going to distribute it efficiently and effectively as both you and Senator Collins have talked about.

Chairman Lieberman. Thanks. Ms. Takai, any legislative recommendations or budget targeting?

Ms. Takai. In terms of the legislative question, I agree with Mr. Kennedy.
At this time we do not see any additional legislation that we need. We are going through a review to answer exactly that same question for the Secretary in terms of is there any need for any change, not only additional funding but a change in the cadence of the funding. And so once we have that pulled together, we would be happy to share it with you.

Chairman Lieberman. I appreciate it. Mr. Ferguson.

Mr. Ferguson. I would have to agree on the legislative side, and certainly as Ms. Takai has pointed out, as we go through this process of putting in these capabilities, what kind of funding needs I guess we have to identify what those real costs are and come back.

Chairman Lieberman. Ms. Stone.

Ms. Stone. Similarly, on the legislative question, I think we have what we need for now, although I would reserve the right to come back if we discover we need something else. And on the funding piece, again, we do have an interagency process ongoing looking at exactly what we might do with different options, so we would have to see where that comes out. But I do believe there is at least something in the fiscal year 2012 proposal submitted by the President to work on some of these issues.

Chairman Lieberman. Good. Mr. Paul.

Mr. Paul. Just to echo Ambassador Kennedy, the laws and the statutes that this Committee has championed provide an adequate basis, a fine basis. I know in the context of the information-sharing environment that it is my responsibility, there is enough authority. It is an issue for me now of execution and leadership.

Chairman Lieberman. Good. Thank you all. Senator Collins.

Senator Collins. Thank you.

Chairman Lieberman.
Well, thanks very much, again, for your prepared testimony and the oral testimony, and I emerge encouraged that you are certainly dealing with the specific series of vulnerabilities that the WikiLeaks/Manning case revealed, and I presume in the nature of the modern world with technology, innovation, and exploitation what it is, you will also be thinking about the next way in which somebody might try to take advantage of our information-sharing environment. But I think that we have raised our guard in a sensible way and also continue to share information, which we need to do, is what I take away from this hearing, and I appreciate that very much. The record will remain open for 15 days for any additional questions or statements. With that, the hearing is adjourned.

[Whereupon, at 4:36 p.m., the Committee was adjourned.]

A P P E N D I X

----------