[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]

COUNTERINTELLIGENCE AND INSIDER THREATS: HOW PREPARED IS THE DEPARTMENT OF HOMELAND SECURITY?

HEARING BEFORE THE SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE OF THE COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION

JULY 13, 2016

Serial No. 114-82

Printed for the use of the Committee on Homeland Security

Available via the World Wide Web: http://www.gpo.gov/fdsys/

U.S. GOVERNMENT PUBLISHING OFFICE
24-382 PDF WASHINGTON : 2017

For sale by the Superintendent of Documents, U.S. Government Publishing Office, http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).

COMMITTEE ON HOMELAND SECURITY

Michael T. McCaul, Texas, Chairman

Lamar Smith, Texas
Peter T. King, New York
Mike Rogers, Alabama
Candice S. Miller, Michigan, Vice Chair
Jeff Duncan, South Carolina
Tom Marino, Pennsylvania
Lou Barletta, Pennsylvania
Scott Perry, Pennsylvania
Curt Clawson, Florida
John Katko, New York
Will Hurd, Texas
Earl L. ``Buddy'' Carter, Georgia
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York

Bennie G. Thompson, Mississippi
Loretta Sanchez, California
Sheila Jackson Lee, Texas
James R. Langevin, Rhode Island
Brian Higgins, New York
Cedric L. Richmond, Louisiana
William R. Keating, Massachusetts
Donald M. Payne, Jr., New Jersey
Filemon Vela, Texas
Bonnie Watson Coleman, New Jersey
Kathleen M. Rice, New York
Norma J. Torres, California

Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director

SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE

Peter T. King, New York, Chairman

Candice S. Miller, Michigan
Lou Barletta, Pennsylvania
John Katko, New York
Will Hurd, Texas
Michael T. McCaul, Texas (ex officio)

Brian Higgins, New York
William R. Keating, Massachusetts
Filemon Vela, Texas
Bennie G. Thompson, Mississippi (ex officio)

Mandy Bowers, Subcommittee Staff Director
John L. Dickhaus, Subcommittee Clerk
Hope Goins, Minority Subcommittee Staff Director

CONTENTS

Statements

The Honorable Peter T. King, a Representative in Congress From the State of New York, and Chairman, Subcommittee on Counterterrorism and Intelligence:
  Oral Statement
  Prepared Statement
The Honorable Brian Higgins, a Representative in Congress From the State of New York, and Ranking Member, Subcommittee on Counterterrorism and Intelligence:
  Oral Statement
  Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress From the State of Mississippi, and Ranking Member, Committee on Homeland Security:
  Prepared Statement

Witnesses

Hon. Francis X. Taylor, Under Secretary, Office of Intelligence and Analysis, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Col. Richard D. McComb, Chief Security Officer, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement
Rdml. Robert P. Hayes, Assistant Commandant for Intelligence, U.S. Coast Guard, U.S. Department of Homeland Security:
  Oral Statement
  Joint Prepared Statement

For the Record

The Honorable Sheila Jackson Lee, a Representative in Congress From the State of Texas:
  Article, NBC4 Washington
  Article, Bloomberg News

COUNTERINTELLIGENCE AND INSIDER THREATS: HOW PREPARED IS THE DEPARTMENT OF HOMELAND SECURITY?

Wednesday, July 13, 2016

U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence,
Washington, DC.

The subcommittee met, pursuant to notice, at 10:03 a.m., in Room 311, Cannon House Office Building, Hon. Peter T. King (Chairman of the subcommittee) presiding.

Present: Representatives King, Katko, Hurd, Higgins, and Vela.

Also present: Representative Jackson Lee.

Mr. King. Good morning. The Committee on Homeland Security Subcommittee on Counterterrorism and Intelligence will come to order. The subcommittee is meeting today to hear testimony from the Department of Homeland Security regarding counterintelligence and insider threat programs.

I would like to welcome my good friend, Mr. Higgins, Ranking Member of the subcommittee, and express my appreciation to the witnesses who are here today on this vital topic. I also want to express my appreciation for your flexibility. As you know, we had to postpone this meeting from its previously scheduled date, and I really appreciate you accommodating our schedule. So thank you very much.

At the outset of today's hearing, I want to stress that the subject matter is sensitive, and after consultation with the Ranking Member and the Department, I will move to close the hearing at some point after the public statements and some initial questions. We will reconvene in a Classified setting to continue the hearing.
To that end, if other Members arrive before we move the hearing, I would ask them to consider their questions and reserve any that are sensitive for the closed portion. Today we find our Nation confronting a complex external threat picture that ranges from ISIS, al-Qaeda and its affiliates, to traditional foes, such as Russia, Iran, and China. Earlier this year, General Clapper, the Director of National Intelligence, said, ``Unpredictable instability has become the new normal and this trend will continue for the foreseeable future.'' Compounding this danger, there have been a series of appalling events over recent years involving trusted individuals working inside our Government who damaged National security or committed tragic acts of violence. Foreign intelligence services and transnational criminal organizations dedicate years of time and financial resources to develop an asset with the access that an insider like Bradley Manning, Edward Snowden, Aldrich Ames, and Robert Hanssen possessed. Information illegally released by WikiLeaks and Snowden's treacherous acts highlight the link between counterintelligence and the need to spot insider threats before they cause grave risk to National security and put lives at risk. The Department of Homeland Security has recently experienced a number of troubling cases where trusted insiders have carried out violent acts or have been arrested for having unauthorized weapons at work. A DHS employee was arrested in early June when he was found carrying a gun inside DHS headquarters. I know the case is on-going and the individual's intent is not known, but the case does raise serious questions. The public court documents definitely raise concerns that he may have intended to, ``commit an act of workplace violence.'' Yesterday, there was another case at DHS headquarters where a contractor was discovered with a gun. 
If reports are accurate, this is the second case in a little over a month of employees discovered through random checks with weapons. I know the witnesses will agree, this requires immediate attention by the Department to protect its work force. In May, an officer with the Federal Protective Service system murdered his wife and several other people.

The subcommittee is holding this hearing to review DHS's counterintel and insider threat programs. With over 100,000 employees holding security clearances and significant responsibilities for the country's border, cyber, and maritime security, DHS represents a prime target for the intelligence collection efforts of our enemies.

Unauthorized disclosures of Classified information, whether deliberate or unwitting, represent a significant threat to National security. The very nature of modern communications and the reliance on electronic data storage and transfer, as well as DHS's information-sharing leadership role with State, local, and Tribal partners, adds complexity to the challenge and requires thoughtful programs to educate employees to mitigate the threat.

The subcommittee wants to hear how the Department is developing robust and holistic counterintelligence and insider threat programs to defend against threats both virtual and physical. We also seek to examine the partnership DHS has developed within the agency and across the Government to leverage best practices. We must determine what actions the Department can take to prevent these threats by proactively identifying and intervening when necessary, to protect DHS, its work force, and the country.

I want to thank our distinguished panel for being here today. Your input is very valuable in showing the benefits of strong counterintel and insider threat programs extend beyond DHS, but to the work force as well, by preserving security and safety and allowing DHS to fulfill its vital homeland security mission.
[The statement of Chairman King follows:]

Statement of Chairman Peter T. King

July 13, 2016

Today we find our Nation confronting a complex external threat picture that ranges from ISIS, al-Qaeda and its affiliates, to traditional foes such as Russia, Iran, and China. Earlier this year, the Director of National Intelligence said, ``unpredictable instability has become the new normal and this trend will continue for the foreseeable future.''\1\
---------------------------------------------------------------------------
\1\ Director of National Intelligence (DNI) James Clapper, testifying before the Senate Armed Services Committee, 2016 Worldwide Threats Hearing, February 9, 2016, official DNI Twitter account, available at: https://twitter.com/odnigov/status/697145988406972420.
---------------------------------------------------------------------------

Compounding this danger, there have been a series of appalling events over recent years involving trusted individuals working inside our Government who damaged National security or committed tragic acts of violence.

Foreign intelligence services and transnational criminal organizations dedicate years of time and financial resources to develop an asset with the access that an insider like Bradley Manning, Edward Snowden, Aldrich Ames, and Robert Hanssen possessed. Information illegally released by WikiLeaks and Snowden's treacherous acts highlight the link between counterintelligence and the need to spot insider threats before they cause grave damage to National security and put lives at risk.

The Department of Homeland Security has recently experienced a number of troubling cases where trusted insiders have carried out violent acts or have been arrested for having unauthorized weapons at work. A DHS employee was arrested in early June when he was found carrying a gun inside DHS Headquarters. I understand that the case is on-going and the individual's intent is not yet known but the case does raise serious concerns.
The public court documents definitely raise concerns that he may have intended ``to commit an act of workplace violence.''\2\
---------------------------------------------------------------------------
\2\ Scott McFarlane, ``Feds Investigating Whether Employee was Plotting Attack on Homeland Security Officials'', NBC News Washington, June 21, 2016, available at: http://www.nbcwashington.com/investigations/Feds-Investigating-Whether-Employee-Was-Plotting-Attack-on-Homeland-Security-Officals-383852591.html.
---------------------------------------------------------------------------

Yesterday there was another alarming case at DHS headquarters where a contractor was discovered with a gun. If reports are accurate, this is the second case in a little over a month of employees discovered through random checks with weapons. I know that the witnesses will agree that this requires immediate attention by the Department to protect its workforce.

In May, Eulalio Tordil, an officer with the Federal Protective Service (FPS), murdered his wife and several other people.

The subcommittee is holding this hearing to review DHS's counterintelligence and insider threat programs. With over 100,000 employees holding security clearances and significant responsibilities for the country's border, cyber, and maritime security, DHS represents a prime target for the intelligence collection efforts of our enemies.

Unauthorized disclosures of Classified information, whether deliberate or unwitting, represent a significant threat to National security. The very nature of modern communications and the reliance on electronic data storage and transfer, as well as DHS's information-sharing leadership role with State, local, and Tribal partners, adds complexity to the challenge and requires thoughtful programs to educate employees to mitigate the threat.
The subcommittee wants to hear how the Department is developing robust and holistic counterintelligence and insider threat programs to defend against threats both virtual and physical. We also seek to examine the partnerships DHS has developed within the agency and across the Government to leverage best practices. We must determine what actions the Department can take to prevent these threats by proactively identifying and intervening when necessary to protect the DHS, its workforce, and the country.

I would like to welcome our distinguished panel. Your input today is very valuable in showing that the benefits of strong counterintelligence and insider threat programs extend beyond the DHS enterprise, but to the workforce as well, by preserving safety and security, and allowing DHS to fulfill its critically important homeland security mission.

Mr. King. With that, I recognize the Ranking Member of the subcommittee, the gentleman from New York, Mr. Higgins.

Mr. Higgins. Thank you, Mr. Chairman. I would like to thank Chairman King for holding this hearing. I would also like to thank the witnesses for participating in today's hearing.

Many of the issues that come before this committee are and have been mainstays in the public discourse since the terrorist attacks of September 11. However, the security clearance process and protection of our Classified networks and information arguably did not become permanently affixed to our National and international security conversations until May 2013. That is when we learned that former NSA contractor Edward Snowden leaked the details of Classified programs to the British newspaper The Guardian. The sheer volume of the information shared by Snowden brought many issues to the forefront of our National security conversations.
Since the leak, Congress and the public have questioned if an outside contractor should have vetted his security clearance or it was a duty that should have rested squarely with the hands of the Federal employees. We have questioned if Snowden should have had access to such sensitive information in massive volumes. Then, later that same year, we learned that the same firm that vetted Edward Snowden also vetted the Navy Yard shooter Aaron Alexis. On September 16, 2013, Alexis, a civilian contractor, opened fire at the Navy Yard here in Washington, DC--literally, within walking distance of where we sit today. In the subsequent investigation, we learned that Alexis failed to disclose information about felony charges and a Federal personnel report had no information about his previous arrests. In May of this year, a Federal Protection Services employee, Officer Tordil, who had held a TS and SCI clearance since November 2015, shot and killed his estranged wife outside a high school in Maryland, then later killed two more people outside a mall and grocery store in Maryland. All of these incidences have raised concerns that we will discuss today. Had a strong insider threat program been in place, NSA authorities would have been alerted to massive amounts of information being transferred by Snowden for public distribution. Continuous evaluations of Aaron Alexis may have flagged his arrest and felony charges. While I understand the limitations of insider threat and counterintelligence programs, I also see the value in having such programs today. I also look forward to expanding the conversation to consider the role right to privacy plays in these programs in securing the country. Finding this balance is difficult, but today I hope to learn what the Department of Homeland Security is doing to advance their insider threat and counterintelligence programs. I look forward to the robust discussion with our witnesses today. I yield back. 
[The statement of Ranking Member Higgins follows:]

Statement of Ranking Member Brian Higgins

July 13, 2016

Many of the issues that come before this committee are and have been mainstays in the public discourse since the terrorist attacks of September 11. However, the security clearance process and protection of our Classified networks and information, arguably, did not become permanently affixed to our National and international security conversations until May 2013.

That is when we learned that former NSA contractor Edward Snowden leaked the details of Classified programs to the British newspaper The Guardian. The sheer volume of information shared by Snowden brought many issues to the forefront of our security conversations.

Since the leak, Congress and the public have questioned if an outside contractor should have vetted his security clearance or if it was a duty that should have rested squarely in the hands of Federal employees. We have questioned if Snowden should have had access to such sensitive information in massive volumes.

Then, later that same year, we learned the same firm that vetted Edward Snowden also vetted the Navy Yard shooter, Aaron Alexis. On September 16, 2013, Alexis, a civilian contractor, opened fire at Navy Yard here in Washington, DC, literally within walking distance of where we sit today. In the subsequent investigation we learned that Alexis failed to disclose information about felony charges and a Federal personnel report had no information about his previous arrests.

In May of this year, Federal Protective Services employee Officer Tordil, who had held a TS/SCI clearance since November 2015, shot and killed his estranged wife outside of a high school in Maryland. Then, later killed two more people outside a mall and grocery store in Maryland.

All of these instances have raised concerns that we will discuss today.
Had a strong Insider Threat program been in place, NSA authorities would have been alerted to a massive amount of information being transferred by Snowden for public distribution. Continuous evaluations of Aaron Alexis may have flagged his arrests and felony charges.

While I understand the limitations of Insider Threat and Counterintelligence programs, I also see the value in having such programs. Today, I also look forward to expanding the conversation to consider the role ``the right to privacy'' plays in these programs and securing the country. Finding this balance is difficult, but today I hope to learn what the Department of Homeland Security is doing to advance their Insider Threat and Counterintelligence programs.

Mr. King. I thank the Ranking Member. Any other Members of the subcommittee, whether here or not, may submit statements for the record.

[The statement of Ranking Member Thompson follows:]

Statement of Ranking Member Bennie G. Thompson

July 13, 2016

In a time where threats and issues regarding domestic and foreign terrorists, emergency preparedness, immigration, and aviation seem to be at the forefront of our thoughts and concerns, the issues surrounding how we secure the information that informs all of those policies is often forgotten.

In the nearly a decade and a half since the 9/11 attacks, both the committee and security officials have worked together to increase the security workforce and information needed to better secure our homeland. One of the primary recommendations from the 9/11 Commissioners encouraged the United States to improve its intelligence gathering and information-sharing activities. This resulted in more employment positions that allow access to Classified information, which requires security clearances.

While it is clear that the sharing of Classified and Unclassified information between our domestic and international partners is imperative to keep us all safe, it also presents a number of issues.
Of those issues, the one we will discuss at length today is the increase in opportunities for bad actors to exploit our workforce and information through sabotage, theft, espionage, and fraud. Bad actors commit these acts in order to gain competitive advantages for economic and political reasons all over the world.

Another issue is the massive proliferation of original and duplicative Classified material and the exponential growth in the number of individuals with security clearances. Both present significant homeland and international security challenges.

An estimated 4.5 million people held security clearances in fiscal year 2014. The costs of security clearance investigations vary significantly, depending on clearance levels. However, in fiscal year 2014 the minimum cost for a Top-secret clearance investigation was almost $4,000, while the minimum cost of a Secret clearance was $3,000.

Additionally, the cost of maintaining the security classification system across the Federal Government was estimated at more than $11 billion for fiscal year 2013. Within that amount, the estimate for the cost of protecting and maintaining Federal Classified information was more than $4 billion.

To say we have made a significant financial investment in our Classified security systems is an understatement. However, none of those financial resources matter as much as the continued investment that needs to be made to monitor those systems.

In order to address the continuing increase of Classified information, positions, and systems needed to protect Classified data, I will reintroduce legislation titled the ``Clearance and Over-Classification Reform and Reduction Act'' or ``CORRECT Act.''

While the CORRECT Act addresses Government-wide security clearance processes, in order to advance more focused legislation, I also introduced H.R. 3505, ``Department of Homeland Security Clearance Management and Administration Act.'' This act makes specific classification reforms within the Department of Homeland Security. Subsequently, that bill has passed our committee and the House with bipartisan support. If enacted, H.R. 3505 would make DHS a leader among Federal agencies with respect to security clearance and position designations practices.

I believe that access to National security information is a privilege that should be regarded with the highest integrity and it is important for the Department to be good stewards of this information by managing and monitoring its workforce and data.

I look forward to hearing from our witnesses today regarding the best practices and considerations undertaken to further the programs directed at counterintelligence and insider threats to the Department of Homeland Security and its personnel.

Mr. King. We are pleased to have a very distinguished panel of witnesses before us today on this vital topic. All the witnesses are reminded, their written testimony will be submitted for the record.

We will hear first from Under Secretary Frank Taylor. The Honorable Frank Taylor has served as the under secretary for intelligence and analysis and as the chief intelligence officer for the Department since April 2014. Prior to joining DHS, Secretary Taylor served with great distinction in the U.S. military for 31 years, rising to the rank of brigadier general. He has also served in numerous senior positions in the State Department, focused on counterterrorism and security of U.S. personnel, and he has also worked in the private sector. Most importantly, of course, he holds a bachelor's and master's degree from the University of Notre Dame. Go Irish.

I now recognize General Taylor.

STATEMENT OF HONORABLE FRANCIS X. TAYLOR, UNDER SECRETARY, OFFICE OF INTELLIGENCE AND ANALYSIS, U.S. DEPARTMENT OF HOMELAND SECURITY

General Taylor. Thank you, Chairman King, Ranking Member Higgins.
I would start with ``Go Irish'' given our shared lineage with the University of Notre Dame. I want to thank you and the Members of the committee for the opportunity to appear with my colleagues here today.

The Department faces a range of threats from foreign intelligence services, non-state entities like terrorist groups and transnational criminal organizations, and insider threats. Based on overt intent, capabilities, and broad operational scope, Russia and China continue to be the leading state intelligence threats to the United States and our interests, including the Department of Homeland Security. Similar to foreign intelligence threats, terrorist groups and TCOs continue to enhance their human, technical, and cyber intelligence capabilities recruiting human sources and conducting physical and technical surveillance of DHS operations. Additionally, we are very concerned that the threat from insiders disclosing sensitive U.S. Government information will also continue.

As the Department's counterintelligence executive, I am leading the implementation of the new National Counterintelligence Strategy and building out a unified Department counterintelligence program. I am also the Department's senior information-sharing and safeguarding executive responsible for overseeing all Classified information-safeguarding efforts in our Department.

We recently completed a Classified assessment of foreign intelligence threats to the Department and the broader homeland security enterprise. This will serve as our baseline assessment, and we will re-evaluate this assessment every year to track trends and update it with significant changes in the CI threat environment.

Thanks to Congress, Congressional support, we have significantly enhanced our counterintelligence and threat programs. I&A's Counterintelligence Division has Department-wide responsibilities.
Our objectives are to deepen our understanding of the external and internal threats; deter, detect, and disrupt these threats; safeguard sensitive information from exploitation; and to protect our Nation's networks from foreign intelligence threats, such as the disruption, exploitation, or theft of sensitive information, including personally identifiable information.

We are embedding counterintelligence officers in each of the Department's operational components and within the Department's most at-risk headquarters components. We are also leveraging the existing resources, like the U.S. Coast Guard Counterintelligence Service, and are partnering with CI personnel from across the Federal Government to enhance the Department's CI program. These are just a few of the steps we are taking to meet these threats so the Department can continue its work securing the country and fulfilling our border security, immigration, travel security, and other homeland security missions.

Our Insider Threat Program has made great progress implementing Executive Order 13587. For this fiscal year, our technical monitoring solution audited 33 million actions on our enterprise Classified networks. Of these, 215,000 required manual review by our analysts, of which 72 required further investigation. During the previous 2 fiscal years, the Insider Threat Program also identified 162 violations and provided support to 15 counterintelligence and internal security investigations.

Chairman King, Ranking Member Higgins, Members of the committee, thank you again for the opportunity to appear before you to have this very important discussion. I look forward to your questions.

[The joint prepared statement of General Taylor, Colonel McComb, and Rdml. Andersen* follows:]
---------------------------------------------------------------------------
* Rdml. Robert P. Hayes, Assistant Commandant for Intelligence, U.S. Coast Guard, U.S. Department of Homeland Security testified on behalf of Rdml. Andersen.
---------------------------------------------------------------------------

Joint Prepared Statement of Francis X. Taylor, Richard McComb, and Steven Andersen

June 23, 2016

Chairman King, Ranking Member Higgins, and distinguished Members of the committee, thank you for the opportunity to appear before you today to discuss the Department of Homeland Security's (DHS) efforts to address Counterintelligence and Insider Threat. We look forward to providing our joint perspective on the full range of counterintelligence and insider threats we face as a Department.

Counterintelligence Threat

DHS continues to face a complex foreign intelligence threat environment. In recent decades, the U.S. Government has made extraordinary strides in adapting to the changing fiscal, technological, and threat environment. However, the challenges of keeping up with the threat have provided opportunities for foreign intelligence entities to expand their scope of collection and operations against the U.S. Government, including at DHS. There also continues to be significant damage done by insiders who engage in unauthorized disclosures.

In the 2016 National Counterintelligence Strategy, President Obama characterized the counterintelligence threat as ``daunting'' and one that ``seeks to undermine our economic strength, steal our most sensitive information, and weaken our defenses.'' On a daily basis, foreign intelligence entities, including non-traditional actors such as terrorist groups and transnational criminal organizations, use human and technical means, both openly and clandestinely, to steal U.S. National security information that is of vital importance to our security. The interconnectedness of systems and emerging technologies provide our adversaries with novel ways to steal valuable information from the U.S. Government, academic institutions, and businesses--oftentimes from the safety of a computer thousands of miles away.
As the cyber intrusions against the Office of Personnel Management (OPM) illustrated to millions of Government employees, Federal agencies continue to remain at significant risk of being targeted by foreign adversaries.

Director of National Intelligence (DNI) James Clapper assessed \1\ that the leading threat of intelligence collection on U.S. interests is and will continue to be Russia and China, based on their overt intent, capabilities, and broad operational scope. Other state actors in Asia and Latin America pose local and regional counterintelligence threats to U.S. interests. In addition, Iranian and Cuban intelligence and security services continue to view the United States as their top priority for intelligence collection. The DNI further assessed that penetrating and influencing the U.S. National decision-making apparatus and the intelligence community (IC) will remain primary objectives for foreign intelligence entities.
---------------------------------------------------------------------------
\1\ James Clapper, Statement for the Record, ``Worldwide Threat Assessment of the US Intelligence Community,'' February 9, 2016, http://www.intelligence.senate.gov/sites/default/files/wwt2016.pdf.
---------------------------------------------------------------------------

International terrorist groups and transnational organized crime organizations continue to operate and strengthen their intelligence capabilities utilizing human, technical, and cyber means. Similar to state actors, these non-state entities successfully recruit human sources and conduct physical and technical surveillance of their targets, with increasing sophistication, in order to evade detection and capture.

Finally, we continue to believe that unauthorized disclosures of sensitive U.S. Government information are and will remain a threat for the foreseeable future. The interconnectedness of information technology systems exacerbates this threat.
Counterintelligence Strategy and Implementation

DHS is implementing the National Counterintelligence Strategy of the United States of America 2016. As a result of the broader intelligence transformation that the Office of Intelligence and Analysis has undertaken in the last year, I have made integrating counterintelligence into the broader DHS mission and our components' world-wide operations one of my top priorities. To emphasize the growing importance of counterintelligence activities, we realigned I&A Counterintelligence Division to directly report to the I&A front office to reflect its Department-wide responsibilities. We continue to develop a holistic Counterintelligence Program across the Department, leveraging the Homeland Security Intelligence Council to drive integration of counterintelligence activities across the DHS Intelligence Enterprise. Our objectives are to:

    Deepen our understanding of the threats posed by foreign intelligence entities and insider threats to DHS;
    Detect, deter, and disrupt these threats through proactive training and awareness campaigns and effective investigative efforts;
    Safeguard sensitive information from exploitation by identifying the Department's most critical assets and implementing enhanced protective measures; and
    Support Departmental efforts to protect our Nation's networks from foreign intelligence efforts to disrupt, exploit, or steal sensitive information, including personally identifiable information.

To help coordinate this effort, we created a Counterintelligence and Security Board, co-chaired by the DHS counterintelligence director and the DHS chief security officer to better integrate and align component counterintelligence and security programs. This board helps synchronize the Department's counterintelligence efforts, insider threat programs, foreign access and visitor management, and related counterintelligence and security activities.
As part of the effort to integrate counterintelligence into component missions and operations, I&A Counterintelligence Division is embedding experienced Counterintelligence Officers in each of the operational components and highest risk headquarters offices. These Counterintelligence Officers perform myriad functions, including:

    Assisting DHS component leadership with their efforts to protect DHS personnel, programs, and information from external and internal threats;
    Conducting comprehensive foreign intelligence threat and awareness briefings, including foreign travel briefings and debriefings for DHS personnel traveling to high-threat countries;
    Assisting with periodic Counterintelligence Program Compliance Reviews; and
    Creating a culture of CI awareness through training.

I&A's Counterintelligence Division recently began Departmental counterintelligence capability assessments and program reviews to identify gaps requiring additional resources and prioritize existing resources. The assessments and reviews examine which DHS operations are most vulnerable to foreign intelligence entities, and provide the information necessary to make decisions on defensive counterintelligence operations to counter the foreign intelligence entity threat. The Counterintelligence Division also produces all-source intelligence analysis of foreign intelligence threats to DHS personnel, operations, technology, and the broader Homeland Security Enterprise, including our State, local, Tribal, territorial, and private-sector partners. I&A recently completed a Classified counterintelligence threat assessment covering the last 3 years. This assessment, which serves as our baseline, will be updated annually to track trends and significant changes in the counterintelligence threat environment. As a member of the Committee on Foreign Investment in the United States (CFIUS), DHS conducts analysis to support the ODNI-led National Security Threat Assessments.
If a National Security Agreement or other risk mitigation agreement is put in place, DHS counterintelligence analysts assess the threat to support DHS CFIUS Compliance Monitoring--the process through which the U.S. Government continuously tracks, evaluates, and enforces CFIUS mitigation measures. DHS counterintelligence also supports Team Telecom, comprised of the DHS, Department of Justice (DOJ), and Department of Defense (DoD). Team Telecom reviews applications to the Federal Communications Commission (FCC) when there is disclosable foreign ownership and the potential National security, law enforcement, and public interest concerns. Our threat assessment informs Team Telecom's recommendations to the FCC. We also recognize that much of the DHS workforce and the broader Homeland Security Enterprise does not handle Classified information and is not always aware of foreign intelligence entity threats or the relevance of counterintelligence to their work. We work to educate the workforce on their counterintelligence responsibilities. In July 2013, I&A's Counterintelligence Division published an Unclassified finished intelligence product for our Federal, State, and local partners who host foreign delegations and tours on potential indicators of foreign collection techniques. The product highlighted ``Topics of Concern'' and ``Behaviors of Concern'' personnel should be aware of that might raise a red flag and encouraged them to report suspicious activity. We have also conducted significant outreach following the breach of personnel information from the compromise of OPM databases and the potential threats stemming from that incident to educate the workforce and our stakeholders on how they might be targeted, and encouraged them to report suspicious activity. To enhance our counterintelligence program, we are forging strong partnerships within DHS and are partnering with counterintelligence elements across the U.S. Government.

U.S. Coast Guard Counterintelligence Service

The U.S. Coast Guard's (USCG) Counterintelligence Service serves as a model for our components. Established in 2004, the USCG Counterintelligence Service provides defensive counterintelligence support to USCG personnel and units hosting foreign visitors or traveling overseas. Given the USCG's unique maritime mission and frequent international engagements, establishing this capability has proven crucial to protecting USCG personnel from foreign intelligence entity collection attempts and serves as the cornerstone for further development of the Counterintelligence Service's capabilities. The USCG Counterintelligence Service engages in counterintelligence operations and investigations with partner agencies, and provides its personnel with both on-line and in-person threat awareness training. The USCG also maintains an internal website that hosts insider threat reference material, as well as a portal employees can use to report insider threat concerns. The USCG Counterintelligence Service has increased analytic production tailored to the current threat environment, specifically with products related to countering foreign intelligence entities and transnational organized crime collection efforts targeting the USCG. Most recently, in support of the USCG's Western Hemisphere Strategy and the DHS Southern Borders and Approaches Campaign, the USCG Counterintelligence Service initiated a pilot program to integrate Counterintelligence Service Agents with DoD Force Protection Detachments, supporting the increased USCG presence in foreign countries.

Insider Threat Program

With more than 115,000 Federal employees who have access to Classified National security information, implementing Executive Order (EO) 13587 \2\ and the President's National Policy and Minimum Standards for Executive Branch Insider Threat Programs is the Department's top information safeguarding priority.
Established pursuant to EO 13587, the DHS Insider Threat Program is a Department-wide effort to protect Classified National security information from unauthorized disclosure. The purpose of the program is to identify, detect, deter, and mitigate the unauthorized disclosure of Classified information. The DHS Chief Security Officer serves as the Department's senior official responsible for the day-to-day management and oversight of the Insider Threat Program.

---------------------------------------------------------------------------
\2\ EO 13587 ``Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information.''
---------------------------------------------------------------------------

We have made tremendous strides maturing our program to address insider threats to Classified information and we expect to meet the administration's mandate to make our insider threat program fully operational by the end of the calendar year, including the deployment of monitoring technology on all of our Classified computer networks. This includes the Secret-level Homeland Secure Data Network, which provides Classified connectivity to our 23 Federal agency subscribers and nearly all State and Local Fusion Centers. Significantly, the USCG became the first Insider Threat Program in the Executive branch to achieve ``Full Operating Capability'' status as assessed by the National Insider Threat Task Force. USCG has been addressing insider threats since 2008, and, in 2012, installed technologies designed to assist in addressing insider threats on Classified computer systems. USCG's technical detection capability--staffed by engineers and analysts--spans all Classified USCG computers, fuses information from other organizations, and has constant oversight.
In addition to the deployment of monitoring technology to all of our Classified networks, we have implemented the capability to collect, fuse, correlate, and analyze information from various data sources in order to identify suspected insider threats. This capability has constant oversight by our General Counsel, Privacy Officer, and Officer for Civil Rights and Civil Liberties in order to ensure the protection of privacy, civil rights, and civil liberties of all of our personnel. We strongly believe that in order to prevent insider threats from materializing through early intervention, we must educate and train our workforce to ``See Something, Say Something.'' We are in the process of providing our workforce with comprehensive awareness training to better sensitize our workforce to identify and report anomalous behavior indicative of an insider threat. This training, which will serve as a force multiplier for our program, enables the detection of potential threats that cannot be discovered through any technological solution available today. Earlier detection will allow for earlier mitigation of potential threats and we believe this is a key component of our program. The Insider Threat Program complements the Department's counterintelligence and security missions. In recognition of this, the Department is currently considering expanding the scope of our program to include preventing, deterring, detecting, and mitigating other threats posed by insiders such as workplace violence, criminal activity, and misconduct.

Conclusion

Chairman King, Ranking Member Higgins, and Members of the committee, we thank you again for the opportunity to appear before you today to discuss these important matters. We look forward to answering your questions.

Mr. King. Thank you, General. Thank you really for the outstanding job you have done and the dedication you have shown to this job. It is very much appreciated.
Colonel McComb was appointed to the position of chief security officer for the U.S. Department of Homeland Security just over 3 months ago, on April 3, 2016. Most recently, he served as the director of the Leased Facilities Protection Directorate at the Pentagon Force Protection Agency. Colonel McComb served over 27 years in the United States Air Force as a security forces officer, from which he retired as a colonel. We are privileged to have you here today, and you are recognized for your testimony.

STATEMENT OF RICHARD D. McCOMB, CHIEF SECURITY OFFICER, U.S. DEPARTMENT OF HOMELAND SECURITY

Colonel McComb. Chairman King, Ranking Member Higgins, good morning, and thank you for the opportunity to provide Department of Homeland Security's Insider Threat Program. I have the opportunity to lead the dedicated men and women who make up the Office of Chief Security Officer. My office is an element under the Department's Management Directorate and I report to the under secretary for management, Mr. Russ Deyo. However, in my capacity as a senior insider threat official for the Department of Homeland Security, under the provisions of Executive Order 13587, I execute the Insider Threat Program on behalf of and under the guidance and direction of Under Secretary Frank Taylor, as the under secretary for intelligence and analysis. As a chief security officer, I am responsible for DHS-wide related programs affecting more than the 235,000 employees that make up the Department, including the areas of personal security, physical security, investigations, administrative security, identity management, special access programs, security training awareness, and the Department's Insider Threat Program. Finally, I serve as the chairman for the Department's Chief Security Officer Council and have an opportunity to lead, with my other counterparts in the DHS components, a highly collaborative security program that is designed to safeguard the Department's people, property, and information.
The DHS Insider Threat Program seeks to deter, detect, and mitigate threats posed by trusted insiders. The program uses technology that is generally called user activity monitoring. This technology puts effective capability behind the warning banners which for years have told users they were being subject to such monitoring. The detection thresholds are tailorable to specific types of users and to specific types of behaviors. This is important, that for the first time the activity of tens of thousands of users on IT systems can actually be monitored via automation and, when combined with information from other data sources, present a total threat picture. When automated analysis is added in, the software can alert analysts to events that have a high threat potential and minimize wasteful false positives. While this technology is a critical facet of our program, it also relies on aggressive training and awareness for the work force to enable and empower them to recognize aberrant behavior and to include the tools to responsibly report it when they see something. I want to emphasize that the Insider Threat Program is part of the security continuum, one of the elements in a series of steps and programs to mitigate the full spectrum of risks posed by employees, contractors, and other officials affiliated with the DHS, as well as external actors who may threaten the Department from outside. As presently structured, our Insider Threat Program focuses on the protection of Classified information as it was originally driven by the Manning and Snowden cases. However, DHS, as well as DOD and the intelligence community, are taking a more expansive view of the threat to include workplace violence, fraud, waste and abuse, and other potential work force corruption. The Office of the Chief Security Officer and the authorities exercised by it uniquely situate the organization to execute this program, connect the necessary dots, and detect and prevent such threats. 
DHS is currently monitoring 2 or 3 IT systems. We are in the process of ensuring that our insider threat training awareness program meets 508 compliance to ensure accessibility by those with disabilities. Once completed, this training will be posted on our Performance and Learning Management System to enable the work force to meet the initial and annual training requirements. As was indicated earlier, resources are key to the maturation of this program. Currently, we are learning what we can expect to discover on Classified systems, but Unclassified systems will present much broader risk, with far more users, and will require greater analysis and follow-on investigative capabilities. We have programmed for funding and support of this expansion consistent with the current proposed insider threat legislation. In conclusion, access control to Federal facilities, information by Federal employees and contractors, and a safe, secure workplace are Departmental priorities and one in which the Office of the Chief Security Officer has made significant progress. However, there is more work to be done, and the Office of the Chief Security Officer, in coordination with the under secretary for intelligence and analysis and the DHS components, has charted a clear course to further mitigate the concern of the insider threat. Thank you again for the opportunity to testify today, and I look forward to your questions, sir.

Mr. King. Colonel, thank you. Our next witness is Rear Admiral Robert Hayes, who just recently took on the mantle for Coast Guard intelligence activities, assuming the post of assistant commandant for intelligence just earlier this month. Prior to this command, Admiral Hayes served as chief of plans and policy for the assistant commandant for intelligence and criminal investigations. Prior to that, served as deputy director of the Coast Guard's Counterintelligence Service.
He graduated from the Coast Guard Academy in 1988 and earned a master's in strategic intelligence with the National Intelligence University in 1993. Admiral Hayes, good to have you here today. I look forward to your testimony. Thank you.

STATEMENT OF ROBERT P. HAYES, ASSISTANT COMMANDANT FOR INTELLIGENCE, U.S. COAST GUARD, U.S. DEPARTMENT OF HOMELAND SECURITY

Admiral Hayes. Thank you, Chairman King. Good morning, sir. Good morning, Ranking Member Higgins and other distinguished Members of the committee. I am honored to be here today to discuss the Coast Guard's counterintelligence and insider threat programs. It is a pleasure to be alongside my Department of Homeland Security colleagues, Under Secretary Taylor and Chief Security Officer McComb. I echo Under Secretary Taylor's assessment of the range of intelligence collection threats that face the Department and the Coast Guard. As the world's premier multimission maritime service responsible for the safety, security, and stewardship of the Nation's waters, the Coast Guard offers a unique and enduring value proposition to the Department of Homeland Security and the American public. At all times a military service and branch of the Armed Forces, a Federal law enforcement agency, a regulatory body, a first responder, and a member of the U.S. intelligence community, the Coast Guard is under high demand as a global instrument of National security. One of the key elements of the Coast Guard's intelligence enterprise is our counterintelligence program. In 2004, the Coast Guard began the initial development of its counterintelligence capability. In the early stages of development, counterintelligence activities were primarily defensive in nature, providing support to Coast Guard personnel in units either hosting foreign visitors or traveling overseas.
Given the Coast Guard's extensive international engagement with maritime stakeholders, establishing counterintelligence capability was crucial to protecting Coast Guard personnel from foreign intelligence collection attempts and served as the cornerstone for further development of other counterintelligence activities. Today, the Coast Guard's Counterintelligence Service protects our work force through detection, deterrence, and neutralization of foreign intelligence threats by leveraging authorities and capabilities to provide the full spectrum of counterintelligence support. We do this through many activities, including counterintelligence investigations, operations, collections, and analysis. These activities shield Coast Guard operations, personnel, systems, facilities, and information from the intelligence activities of not only foreign powers, but terrorist groups and criminal organizations, as Under Secretary Taylor mentioned. In addition to the counterintelligence mission, the Counterintelligence Service manages and executes the Coast Guard's Insider Threat Program, which began formally addressing insider threats in 2008. In 2012, the Coast Guard officially chartered an Insider Threat Working Group. The Counterintelligence Service staffed a small team to address insider threat requirements and began installation of activity-monitoring technologies designed to detect insider threats on Classified computer systems. Additionally, the director of the Coast Guard Counterintelligence Service was appointed as the senior official for the Coast Guard Insider Threat Program. A National Insider Threat Task Force assessment of the Coast Guard's Insider Threat Program resulted in the Coast Guard becoming the first insider threat program in the Executive branch to achieve full operating capability earlier this year. The National Insider Threat Task Force also refers to the Coast Guard's Insider Threat Program as the gold standard for small organizations.
The Coast Guard's Insider Threat Program has transitioned from seeking help from partner agencies to providing it. We have advised the Department of Defense on the conduct of technical insider threat detection on Classified computer systems at sea; we have compared and contrasted best practices with other departments; and we have provided best practices to Executive branch agencies, as well as some combatant commands. Our technical detection capability, which is staffed by engineers and analysts, spans all Classified Coast Guard computer systems in its continuous oversight from Coast Guard leadership and legal counsel. Since inception, we have identified or supported the detection of multiple threats. The overwhelming majority of these detections have been non-malicious types of unauthorized disclosures, password sharing, and system administrator privilege abuse. Despite the absence of harmful attacks, we must remain vigilant by continuing to mature the insider threat and counterintelligence program. Thank you for inviting me to discuss the Coast Guard's counterintelligence and insider threat programs, and I look forward to your questions, sir.

Mr. King. Thank you, Admiral. I will keep my questions brief prior to the closed session. Colonel McComb, there have been two very public cases of employees arrested with guns at work in the last month that I mentioned in my opening statement. What is your overall assessment of security at the DHS facilities and your ability to identify insider threats that could pose a physical threat?

Colonel McComb. Thank you, sir. As you may or may not know, the DHS headquarters is a level 5 facility; that is, we meet the standards of the Interagency Security Committee, which is the highest level with regard to Federal facilities. We meet those standards at the DHS headquarters in the Nebraska Avenue complex, and we are implementing enhanced security measures which are above and beyond the basic measures required by those standards.
As you alluded to, during those enhanced security measures, which includes random screening of employees, we did detect individuals that were attempting to bring unauthorized items into the DHS headquarters. They are currently under investigation, but in both instances we have not detected anything that would lead us to believe that these individuals were planning any sort of workplace violence or conspiring with others to commit workplace violence. We take security very seriously. I think we do a great job, and I believe our enhanced security measures worked in these cases. In addition to the enhanced security measures that are being employed at this location, we have taken on a large employee education effort, which includes townhall meetings, communications to the employees to understand that if they see something unusual to report it, and including training to include insider threat training and also emergency management training for how to respond in certain cases. So the Department is very committed to ensuring that folks are protected within our headquarters, and the DHS complex at Nebraska Avenue complex is no exception to that rule, sir.

Mr. King. Thank you. I guess I will ask this across the board. Is there a renewed sense of urgency in the Department and the administration to expedite the implementation of continuous evaluation programs in the wake of the OPM breach?

Colonel McComb. Sir, the DNI, the Director of National Intelligence, has the lead for the continuous evaluation. As you may or may not know, that program will be automated. It is yet to happen, but when it does, there will be 7 authoritative databases that individuals that have National security determinations or possess Secret or above clearances will be vetted against those either on a daily basis or monthly basis, dependent upon the particular data base.
If an individual indicates a hit from one of those databases, then the Department of Homeland Security, along with all of the other departments that participate in this program, will be required to follow that lead, vet that individual, and determine whether it has implication on their ability to perform their job and/or have access to National security information. There is a time line that 5 percent of the tier 5, that is, those with TS/SCI clearances, must be in a continuous evaluation program by September 2017. We in DHS have already initiated the work to ensure that our IT systems allow us to receive those alerts from the DNI automated program. We will do a pilot program this year to start doing some of those continuous evaluations on our, once again, most sensitive population, those with TS/SCI clearances.

Mr. King. OK. Anybody else want to comment on that? OK, thank you. Ranking Member Mr. Higgins.

Mr. Higgins. Thank you, Mr. Chairman. Mr. Taylor, I just want to continue this line of questioning on the issue of Homeland Security headquarters. For the second time in a month, an employee has been arrested for taking a handgun onto the secured grounds of the Department of Homeland Security at their headquarters here in Washington, DC. According to police records, the accused had a 9-millimeter handgun in a leather handbag while inside the complex. The accused is a contractor who works in the information technology for the agency. The weapon appeared to be fully functional, capable of being fired by a single hand, and designed to expel a projectile by the action of an explosive. This arrest comes about a month after the arrest of another individual, another Homeland Security employee accused of carrying a firearm inside agency headquarters. Court filings from the investigators indicated that the accused, the second individual, was found with a loaded .22-caliber handgun carrying 5 hollow-point bullets in June.
In that same court filing, it said that the agent was, ``probable cause to believe that the accused was conspiring with another to commit work force violence, and more particularly, may have been conspiring or planning to commit violence against a senior DHS official in the building.'' What can you tell us?

General Taylor. Sir, I will ask CSO McComb to comment further, but I believe it probably most appropriate to do this in the closed session as opposed to this open session to respond to that question.

Mr. Higgins. OK.

Colonel McComb. Sir, what I would indicate is that, as you stated, you are correct in that there were two individuals that were discovered during our random screening processes as part of our enhanced security measures at the Nebraska Avenue complex, were discovered with weapons. The investigation is on-going, but as I indicated earlier, at this point there is no indication that either of these individuals were planning or conspiring to commit workplace violence. Both of these individuals recently had been previously cleared. As Under Secretary Taylor indicated, we certainly would be happy to provide more details of both of those events in the closed session.

Mr. Higgins. I have no further questions.

Mr. King. Mr. Katko, the gentleman from New York.

Mr. Katko. Thank you, Mr. Chairman. General, it is good to see you again, Colonel McComb, and Rear Admiral Hayes. Quick question for you. As you may know, I think you know, I have direct oversight over the Transportation Security Administration through my subcommittee. Is it fair to say that in your capacities, General and Colonel, that you consult TSA on a regular basis regarding intelligence matters and security matters?

General Taylor. Yes, sir, that is correct. Every day.

Mr. Katko. OK, great. So just a couple of quick questions with respect to the insider threat at TSA facilities and airports.
I know you are well aware of the incident about a year-and-a-half ago where a fellow got off a plane in LaGuardia Airport with a backpack full of guns, and it turned out that an employee at the airport in Atlanta had carried those backpacks through the secure area using a SIDA badge and gave the backpack to the fellow and he brought it up to New York. It turns out that is about his tenth trip. The backpack in question had 16 guns, 9 millimeters and assault rifles, most of which were loaded. Obviously, that is a major concern about the insider threat from employees at airports. Also, more recently, the insider threat at airports manifested with the Dallas-Fort Worth incident in a major drug trafficking case, which in the public record included invitations by one of the employees at the airport to bring anything through the access control areas, including bombs, if people wanted to. With the threat from ISIS being what it is, and their desire to take down planes and taking credit for two planes that have been bombed in the last 8 months and perhaps even a third with EgyptAir, we don't know yet, it is a very real concern for me and it is something that I can't get over and I will continue to pursue. The concerns are manifested for this hearing in two ways. One is the safety and security of the airports in the United States and the safety and security at last point of departure at airports worldwide. With respect to the safety and security of the airports in the United States, are you aware of any changes in procedures that have been undertaken by TSA and/or Homeland Security with respect to the vetting of employees at airports; not just TSA employees, but vetting the employees at airports to ensuring that the insider threat is minimized? No. 2, what do you think about beefing up the access controls for those employees?

General Taylor. Thank you for your question, Congressman.
Some of this we would probably want to discuss in the closed hearing because of the sensitive nature of it. But since the event in Atlanta, TSA has been working with the airport authorities and the Federal security directors to tighten up significantly the security in the sterile area, particularly for employees that have access under SIDA badges. We can speak to you about how those changes have occurred over time. We are very much concerned about security in the open area, before the secure and sterile area, and we have communicated with airport operators and our Federal security directors continuously since Istanbul about that concern. We issued a joint NCTC, FBI, DHS joint intelligence bulletin around tactics, techniques, and procedures that we noted from Istanbul that we think will be valuable in planning security in the public areas of the airport. It is a huge problem, we recognize that, and we will be consulting in the next month across the industry in terms of best practices for keeping the area open and welcoming, but also providing the layers of security that are necessary to protect the public that is there.

Mr. Katko. Thank you. Colonel, do you want to add anything or does that adequately cover it?

Colonel McComb. The only thing I would add, sir, is that TSA does have a robust insider threat program. As we will talk in more detail in the closed session, they are very concerned about the areas that you discussed, and that will be a very prominent part of what they monitor as we continue to roll out and mature the Insider Threat Program within the Department of Homeland Security.

Mr. Katko. If the Chairman will just indulge me one more moment.

Mr. King. Sure.

Mr. Katko. Thank you. Just switching gears briefly, I am vitally concerned about developing facts with respect to opening the airports in Cuba.
My concern is, quite frankly, that we are sprinting to the starting line, but we do not know where the finish line is, and I think it is a recipe for disaster. One of the biggest concerns I have is the insider threat at the airports in Cuba and the lack of appropriate facilities for those airports. The Homeland Security Committee--Homeland Security I know is well aware of my concerns, but I just want to state them again on the record, Colonel and General. It is incredibly important that we do a thorough job evaluating those airports before we open up those routes. I know everyone is licking their chops from a financial standpoint and I know there may be some pressure from the administration because the President wants this done before he leaves office, but I urge you in the strongest words possible, based on everything I know, and we can talk more about that in a secure setting, that it is a very serious security issue.

One thing I can say on the public record is, when you don't even know how the Cuban officials screen their employees and they won't tell you how they do it and you don't know such basic things as that, I would strongly urge you that if you really are serious about the insider threat and you are very serious about keeping the skies safe, that you look at with a very focused eye on what is going on in Cuba before you open up those airports, with 20 direct flights a day to New York and possibly direct flights to Washington, which are the two main targets for terrorists.

General Taylor. Yes, sir. I think we can have a further discussion in the closed session about those challenges with those airports. But for the record, DHS takes aviation security very seriously, particularly any aviation operating directly into the United States. We recognize the risk and want to make sure we have done a thorough job of assessing both the security at the airport and the security of the aircraft before they arrive here.

Mr. Katko. Thank you very much. I yield back.
Mr. King. The gentleman yields. The gentlelady from Texas is recognized for 5 minutes.

Ms. Jackson Lee. I thank the Chairman and the Ranking Member for this combined committee, and thank the witnesses, as well, for your presence here today. Let me say that in the backdrop of the memorial yesterday that I attended in my home State for the fallen officers, let me again offer my deepest sympathy to the Dallas Police Department and to the families who have lost loved ones through actions of terror and certainly through our recent incidences in our Nation that have befallen many families from many different States and jurisdictions. That the climate that we are in calls for greater attention. Maybe as we speak we are not poignantly talking about the immediacy of loss of life, but cybersecurity incidences and intrusion to places where individuals should not go can certainly bring about an enormous amount of danger and possible injury and death.

I would like to put into the record--I am not sure if this is in the record--``Another Employee With A Gun Arrested At Homeland Security Headquarters, A Man Caught During Random Employee Screening.'' I would ask unanimous consent to put this into the record.

Mr. King. We have already discussed that, but no objection.

[The information referred to follows:]

Article Submitted by Hon. Sheila Jackson Lee

Another Employee With a Gun Arrested at Homeland Security Headquarters

man caught during random employee screening

By Scott MacFarlane

http://www.nbcwashington.com/investigations/Another-Employee-With-A-Gun-Arrested-At-Homeland-Security-Headquarters-386519051.html

For the second time in a month, an employee has been arrested for taking a handgun on to the secured grounds of U.S. Department of Homeland Security headquarters in Washington, D.C.
According to police and court records obtained by the News4 I-Team, security officers arrested Thomas Pressley of Woodbridge, Virginia, Monday, accusing him of carrying a 9-millimeter handgun in a leather handbag while inside the complex.

Feds Request Stay Away Order for DHS Employee Arrested

Pressley, a contractor who works in IT for the agency, has been ordered jailed in D.C. until his next scheduled court appearance Friday. He is charged with carrying a pistol without a license. Court filings did not detail what, if any, plea has been entered in the case by Pressley. His attorney did not immediately return requests for comment from the I-Team.

Federal government records specify the U.S. Department of Homeland Security headquarters complex on Nebraska Avenue in northwest Washington is among the most secured government facilities in the United States, rivaling the security apparatus of the White House and the Pentagon.

Feds Investigating Whether Employee Was Plotting Attack on DHS Officials

``The weapon appeared to be fully functional, capable of being fired by a single hand, and designed to expel a projectile by the action of an explosive,'' according to a police report. The report also said, ``The weapon also had a barrel length of less than 12 inches.''

DHS Employee Found With Gun at HQ

Agency security located the handgun during a random employee screening, the report said.

``As a result of enhanced security and screening measures at the NAC, security officers detained a contract employee yesterday after they discovered a concealed firearm during screening,'' a DHS spokesman said. ``The contract employee was subsequently arrested.

``While we currently have no information to suggest that this individual sought to cause harm, as discussed at a recent employee town hall, the safety of employees and visitors to DHS facilities is a top priority.
The enhanced security procedures discussed at that meeting remain in effect, including increased levels of screening of employees entering the NAC. And because we won't hesitate to take every appropriate measure to protect our employees, our security professionals are evaluating what additional security enhancements may be necessary.''

Pressley's arrest comes about a month after the arrest of Jonathan Wienke, another Homeland Security employee accused of carrying a firearm inside agency headquarters. Court filings from investigators said Wienke was found with a loaded .22-caliber handgun, carrying five hollow point bullets in June. Wienke pleaded not guilty to a gun charge and is awaiting further court proceedings in the case.

But Wienke had more than a gun when he was searched on June 9, according to a request for court permission to raid Wienke's home. A federal agent and security officers also found Wienke had a knife, pepper spray, thermal imaging equipment and radio devices. And the feds said in the court filing that Wienke was found in his workspace, which is in close proximity to a meeting of senior agency officials the day of his arrest--and that Wienke was aware of the meeting.

In the same court filing, the agent said there was ``probable cause to believe Jonathan Wienke was conspiring with another to commit workplace violence and, more particularly, may have been conspiring or planning to commit violence against the senior DHS officials in the building.''

Ms. Jackson Lee. All right. Put the story at least into the record. The reason I say that is because there are a number of intrusions that I am concerned about and I want to discuss some legislation that I have introduced as well. But let me pointedly go to two entities, nations that are known as our chief threats to intelligence assets of the United States, and this would be to you, Mr. Secretary, Secretary Taylor.
How can Russia or China use the OPM breach data with the Ashley Madison breach of information to compromise security?

General Taylor. Ma'am, I would prefer we respond to that question in the closed session. I think we can be more full in our answer. The threat from cybersecurity is a significant threat and the information and data that is collected through cyber intrusion means present a significant threat to our country. But the specifics, I would prefer if we could answer that in the closed session.

Ms. Jackson Lee. OK. Well, let me just get a general assessment then, because I am not sure when we will designate a closed session.

Mr. King. Right after this, as soon as you are finished, we are going downstairs.

Ms. Jackson Lee. OK. Then let me just make my own comments and say the great concern that I have of that data being out is what I hope that we will have a focused perspective on--and I assume that you can answer--we will have a focused effort on that.

General Taylor. We have 110 percent focused effort on that activity and the potential implications of that activity for the National security.

Ms. Jackson Lee. Very good. Let me then go to some legislation that I think had to do or reflects the shooter that was at the Navy Yard and Snowden. As I understand, they were vetted for security by the same contractor. Are you able to comment on any firewalls that are being put on outside contractors, any extensive review on contractors who have responsibilities for vetting and where the Government relies upon them? Are these contracts periodic? Do people get 10-year contracts? Are these people wedded in their positions, can't be taken out? Are they lax? What is happening? I think that Snowden has to be one of the most severe and outrageous responses or actions that we had in security and he was vetted and he was engaged in, I think, at too high a level of the Nation's security data, intelligence data.

Colonel McComb.
Ma'am, kind of bottom-line up-front is that the vetting of contractors and the companies that have contractors are done in accordance with the Federal Investigative Standards. At the interagency level, the Performance Accountability Council for suitability, security clearances, and credentialing is looking at that issue very hard. All of the companies who are on Classified contracts must meet the National Industrial Security Program standards, which requires that they have a facility security officer, they run through the background investigations of the individuals who will be working those contracts, whether they be for investigative purposes or if they are doing some other level of work, whether it be on the IT systems, et cetera.

We in DHS look at those contractors from a fitness perspective, once again applying the OPM standards. So we look at that very hard. Contracts are held to the standards that are in the performance work statement. Where there are issues or breaches of those, then contracting action can be taken against those individuals, those companies, to include termination on behalf of the Government based on those breaches. We continue to monitor that along with the contracting folks.

The other thing I would add is, with the cyber hygiene initiative in the Department of Homeland Security we are ensuring that all information that is handled through contracts is kept at the high security level, which is above the standard required for the Federal Government, to ensure that it is protected at the appropriate levels and that it is not potentially endangered for unauthorized access.

Ms. Jackson Lee. Can I get just a quick follow-up, Mr. Chairman, just very quickly? Mr. Snowden was lodged somewhere in the back corners of a Hawaii office building. Do you have the responsibility--and you are one of the intelligence components, I understand that--but the monitoring?
You may have the company and then you have these individual actors under the company, maybe many. Is there a mode of monitoring those individuals? Last, if our cyber system is attacked, meaning what we utilize here in the Government, are we prepared? That may be an answer for a back-up system somewhere.

General Taylor. Ma'am, I will try to answer your question. First, our insider threat monitoring will monitor everyone that has access to our Classified systems--contractor, Government employee, regardless--and ultimately individuals that are operating on our Unclassified system that may or may not have a security clearance. Cyber hygiene has been a real focus of Secretary Johnson with regard to applying the National programs division cybersecurity initiatives across our Government and ensuring that they are robustly applied and effectively implemented. So it has been a major focus for us. I can't speak to the issue of back-up. I am not technically qualified to understand that system. But would certainly find the answer to that question for you and get back to you, ma'am.

Ms. Jackson Lee. I would appreciate it. Thank you. Did you want to answer?

Colonel McComb. No, ma'am.

Ms. Jackson Lee. All right. Thank you all for your testimony. Mr. Chairman, may I ask, I won't pursue the back-up system. Maybe I will get that at another time.

Mr. King. OK. We have to start going downstairs soon.

Ms. Jackson Lee. Yes. Let me ask unanimous consent to put in the record, Bloomberg News, ``Edward Snowden and the NSA: A Lesson About Insider Threats.'' I ask unanimous consent.

Mr. King. Without objection.

[The information referred to follows:]

Article Submitted by Hon.
Sheila Jackson Lee

Edward Snowden and the NSA: A Lesson About Insider Threats

Vijay Basani, Bloomberg News, July 3, 2013

https://www.bloomberg.com/news/articles/2013-07-03/edward-snowden-and-the-nsa-a-lesson-about-insider-threats

In all the mysteries surrounding the Edward Snowden affair, there's one that hasn't received much attention: Why didn't the NSA, one of the most technologically sophisticated organizations on the planet, have a way to detect that Snowden was downloading thousands of documents? The corollary question every chief executive should ask of his or her top security officer: ``Does our organization have a way to detect unauthorized access to our data?''

According to the recent SANS 2013 Critical Security Controls survey, less than 10 percent of companies actually have proactive monitoring of security controls, the area that governs unauthorized access. Employees and contractors with boundless privilege to access sensitive data present greater risk of intentionally, accidentally, or indirectly misusing that privilege and potentially stealing, deleting, or modifying data. Human nature is the weakest link when it comes to the intersection of people, process, and technology--the three tenets of security--and the Edward Snowden blunder is a perfect example.

According to Michael Hayden, former director of the NSA and the CIA, no more than 22 personnel at NSA were to have access to the highly Classified data, which included about 1 billion-plus records per day. One can assume that these individuals should be internal analysts who have gone through extensive background checks, who are very experienced in dealing with highly confidential data, and who are employees of NSA. We can also assume that these individuals have special privileges to access these data in a highly secure manner.
I have no special knowledge of the NSA's internal workings, but it appears that somehow this protocol was not followed, and Snowden, a contractor, was given access to this information with no mandatory monitoring, a clear violation of controls and a breakdown of process.

While technologies do exist to enforce access rights, privileges, and policies, the technology is only as good as the people and processes that are put into place. If people who manage these technologies decide to circumvent the technology's ability to enforce policies, or make an exception, or ignore violations, or do not instill sufficient supervisory mechanisms, then the technology will fail.

Another issue to be looked at from a technological perspective is the complete lack of continuous monitoring and auditing of the users, process, and security controls in a unified fashion by the NSA. If someone at the NSA were monitoring, analyzing, and auditing all network, user, and system activity, policy enforcements, etc., to identify abnormal behavior and usage patterns, most likely Snowden's access to sensitive data, the connection of removable media and copying of these data would have drawn red flags.

It is possible that the data and signals from individual products, such as a USB monitoring solution or a database activity monitoring system, would have captured these data, but the individual administrators who were looking at each data point in isolation were not able to connect the dots. If the NSA had adopted technology that pulled all information into a single database and automatically correlated the data in a unified fashion, it would have detected a potential breach or policy violation.

Unfortunately the Snowden situation of privileged access to sensitive data with lack of sufficient checks and balances is an all-too-familiar story in the private sector. Executive management tends to have a checkbox mentality when it comes to security (i.e.
do what is absolutely necessary to pass a government or industry mandate) or lack the knowledge to realize that their intellectual property and business is at risk for lack of sufficient security controls.

With traditional network perimeters becoming increasingly porous with the introduction of BYOD, mobile devices, and cloud infrastructure, organizations need to implement security best practices, such as SANS 20 Critical Security Controls, to protect against cyber attacks and espionage. This requires resources and budget commitment from C-level management.

The Snowden debacle should be a wake-up call in both the public and private sectors to adopt an approach that provides complete awareness and continuous, automated monitoring of critical security controls to reduce real risk and real threats to their business.

Ms. Jackson Lee. I yield back.

Mr. King. I ask unanimous consent that the remainder of the hearing be closed to the public under House Rule XI, clause 2(g)(2), because disclosure of testimony, evidence, or other matters would endanger National security or compromise sensitive law enforcement information.

Is there any objection to the motion to close the hearing?

Hearing none, the motion is agreed to, and the subcommittee will recess briefly to move to a more secure location to continue its business. The hearing will reconvene in that location in 15 minutes.

[Whereupon, at 10:50 a.m., the subcommittee proceeded to closed session and subsequently adjourned at 11:27 p.m.]

[all]