[House Hearing, 114 Congress]
[From the U.S. Government Publishing Office]
COUNTERINTELLIGENCE AND INSIDER THREATS: HOW PREPARED IS THE DEPARTMENT
OF HOMELAND SECURITY?
=======================================================================
HEARING
BEFORE THE
SUBCOMMITTEE ON
COUNTERTERRORISM
AND INTELLIGENCE
OF THE
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
JULY 13, 2016
__________
Serial No. 114-82
__________
Printed for the use of the Committee on Homeland Security
Available via the World Wide Web: http://www.gpo.gov/fdsys/
__________
U.S. GOVERNMENT PUBLISHING OFFICE
24-382 PDF WASHINGTON : 2017
_________________________________________________________________________________________
For sale by the Superintendent of Documents, U.S. Government Publishing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center,
U.S. Government Publishing Office. Phone 202-512-1800, or 866-512-1800 (toll-free).
COMMITTEE ON HOMELAND SECURITY
Michael T. McCaul, Texas, Chairman
Lamar Smith, Texas                          Bennie G. Thompson, Mississippi
Peter T. King, New York                     Loretta Sanchez, California
Mike Rogers, Alabama                        Sheila Jackson Lee, Texas
Candice S. Miller, Michigan, Vice Chair     James R. Langevin, Rhode Island
Jeff Duncan, South Carolina                 Brian Higgins, New York
Tom Marino, Pennsylvania                    Cedric L. Richmond, Louisiana
Lou Barletta, Pennsylvania                  William R. Keating, Massachusetts
Scott Perry, Pennsylvania                   Donald M. Payne, Jr., New Jersey
Curt Clawson, Florida                       Filemon Vela, Texas
John Katko, New York                        Bonnie Watson Coleman, New Jersey
Will Hurd, Texas                            Kathleen M. Rice, New York
Earl L. ``Buddy'' Carter, Georgia           Norma J. Torres, California
Mark Walker, North Carolina
Barry Loudermilk, Georgia
Martha McSally, Arizona
John Ratcliffe, Texas
Daniel M. Donovan, Jr., New York
Brendan P. Shields, Staff Director
Joan V. O'Hara, General Counsel
Michael S. Twinchek, Chief Clerk
I. Lanier Avant, Minority Staff Director
------
SUBCOMMITTEE ON COUNTERTERRORISM AND INTELLIGENCE
Peter T. King, New York, Chairman
Candice S. Miller, Michigan                 Brian Higgins, New York
Lou Barletta, Pennsylvania                  William R. Keating, Massachusetts
John Katko, New York                        Filemon Vela, Texas
Will Hurd, Texas                            Bennie G. Thompson, Mississippi (ex officio)
Michael T. McCaul, Texas (ex officio)
Mandy Bowers, Subcommittee Staff Director
John L. Dickhaus, Subcommittee Clerk
Hope Goins, Minority Subcommittee Staff Director
C O N T E N T S
----------
Statements
The Honorable Peter T. King, a Representative in Congress From
the State of New York, and Chairman, Subcommittee on
Counterterrorism and Intelligence:
Oral Statement
Prepared Statement
The Honorable Brian Higgins, a Representative in Congress From
the State of New York, and Ranking Member, Subcommittee on
Counterterrorism and Intelligence:
Oral Statement
Prepared Statement
The Honorable Bennie G. Thompson, a Representative in Congress
From the State of Mississippi, and Ranking Member, Committee on
Homeland Security:
Prepared Statement
Witnesses
Hon. Francis X. Taylor, Under Secretary, Office of Intelligence
and Analysis, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
Col. Richard D. McComb, Chief Security Officer, U.S. Department
of Homeland Security:
Oral Statement
Joint Prepared Statement
Rdml. Robert P. Hayes, Assistant Commandant for Intelligence,
U.S. Coast Guard, U.S. Department of Homeland Security:
Oral Statement
Joint Prepared Statement
For the Record
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas:
Article, NBC4 Washington
Article, Bloomberg News
COUNTERINTELLIGENCE AND INSIDER THREATS: HOW PREPARED IS THE DEPARTMENT
OF HOMELAND SECURITY?
----------
Wednesday, July 13, 2016
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Counterterrorism and Intelligence,
Washington, DC.
The subcommittee met, pursuant to notice, at 10:03 a.m., in
Room 311, Cannon House Office Building, Hon. Peter T. King
(Chairman of the subcommittee) presiding.
Present: Representatives King, Katko, Hurd, Higgins, and
Vela.
Also present: Representative Jackson Lee.
Mr. King. Good morning. The Committee on Homeland Security
Subcommittee on Counterterrorism and Intelligence will come to
order. The subcommittee is meeting today to hear testimony from
the Department of Homeland Security regarding
counterintelligence and insider threat programs.
I would like to welcome my good friend, Mr. Higgins,
Ranking Member of the subcommittee, and express my appreciation
to the witnesses who are here today on this vital topic. I also
want to express my appreciation for your flexibility. As you
know, we had to postpone this meeting from its previously
scheduled date, and I really appreciate you accommodating our
schedule. So thank you very much.
At the outset of today's hearing, I want to stress that the
subject matter is sensitive, and after consultation with the
Ranking Member and the Department, I will move to close the
hearing at some point after the public statements and some
initial questions. We will reconvene in a Classified setting to
continue the hearing. To that end, if other Members arrive
before we move the hearing, I would ask them to consider their
questions and reserve any that are sensitive for the closed
portion.
Today we find our Nation confronting a complex external
threat picture that ranges from ISIS, al-Qaeda and its
affiliates, to traditional foes, such as Russia, Iran, and
China. Earlier this year, General Clapper, the Director of
National Intelligence, said, ``Unpredictable instability has
become the new normal and this trend will continue for the
foreseeable future.''
Compounding this danger, there have been a series of
appalling events over recent years involving trusted
individuals working inside our Government who damaged National
security or committed tragic acts of violence.
Foreign intelligence services and transnational criminal
organizations dedicate years of time and financial resources to
develop an asset with the access that an insider like Bradley
Manning, Edward Snowden, Aldrich Ames, and Robert Hanssen
possessed.
Information illegally released by WikiLeaks and Snowden's
treacherous acts highlight the link between counterintelligence
and the need to spot insider threats before they cause grave
risk to National security and put lives at risk.
The Department of Homeland Security has recently
experienced a number of troubling cases where trusted insiders
have carried out violent acts or have been arrested for having
unauthorized weapons at work. A DHS employee was arrested in
early June when he was found carrying a gun inside DHS
headquarters. I know the case is on-going and the individual's
intent is not known, but the case does raise serious questions.
The public court documents definitely raise concerns that he
may have intended to, ``commit an act of workplace violence.''
Yesterday, there was another case at DHS headquarters where
a contractor was discovered with a gun. If reports are
accurate, this is the second case in a little over a month of
employees discovered through random checks with weapons. I know
the witnesses will agree, this requires immediate attention by
the Department to protect its work force.
In May, an officer with the Federal Protective Service
system murdered his wife and several other people.
The subcommittee is holding this hearing to review DHS's
counterintel and insider threat programs. With over 100,000
employees holding security clearances and significant
responsibilities for the country's border, cyber, and maritime
security, DHS represents a prime target for the intelligence
collection efforts of our enemies.
Unauthorized disclosures of Classified information, whether
deliberate or unwitting, represent a significant threat to
National security. The very nature of modern communications and
the reliance on electronic data storage and transfer, as well
as DHS's information-sharing leadership role with State, local,
and Tribal partners, adds complexity to the challenge and
requires thoughtful programs to educate employees to mitigate
the threat.
The subcommittee wants to hear how the Department is
developing robust and holistic counterintelligence and insider
threat programs to defend against threats both virtual and
physical. We also seek to examine the partnership DHS has
developed within the agency and across the Government to
leverage best practices. We must determine what actions the
Department can take to prevent these threats by proactively
identifying and intervening when necessary, to protect DHS, its
work force, and the country.
I want to thank our distinguished panel for being here
today. Your input is very valuable in showing the benefits of
strong counterintel and insider threat programs extend beyond
DHS, but to the work force as well, by preserving security and
safety and allowing DHS to fulfill its vital homeland security
mission.
[The statement of Chairman King follows:]
Statement of Chairman Peter T. King
July 13, 2016
Today we find our Nation confronting a complex external threat
picture that ranges from ISIS, al-Qaeda and its affiliates, to
traditional foes such as Russia, Iran, and China. Earlier this year,
the Director of National Intelligence said, ``unpredictable instability
has become the new normal and this trend will continue for the
foreseeable future.''\1\
---------------------------------------------------------------------------
\1\ Director of National Intelligence (DNI) James Clapper,
testifying before the Senate Armed Services Committee, 2016 Worldwide
Threats Hearing, February 9, 2016, official DNI Twitter account,
available at: https://twitter.com/odnigov/status/697145988406972420.
---------------------------------------------------------------------------
Compounding this danger, there have been a series of appalling
events over recent years involving trusted individuals working inside
our Government who damaged National security or committed tragic acts
of violence.
Foreign intelligence services and transnational criminal
organizations dedicate years of time and financial resources to develop
an asset with the access that an insider like Bradley Manning, Edward
Snowden, Aldrich Ames, and Robert Hanssen possessed.
Information illegally released by Wikileaks and Snowden's
treacherous acts highlight the link between counterintelligence and the
need to spot insider threats before they cause grave damage to National
security and put lives at risk.
The Department of Homeland Security has recently experienced a
number of troubling cases where trusted insiders have carried out
violent acts or have been arrested for having unauthorized weapons at
work.
A DHS employee was arrested in early June when he was found
carrying a gun inside DHS Headquarters. I understand that the
case is on-going and the individual's intent is not yet known
but the case does raise serious concerns. The public court
documents definitely raise concerns that he may have intended
``to commit an act of workplace violence.''\2\
---------------------------------------------------------------------------
\2\ Scott McFarlane, ``Feds Investigating Whether Employee was
Plotting Attack on Homeland Security Officials'', NBC News Washington,
June 21, 2016, available at:
http://www.nbcwashington.com/investigations/Feds-Investigating-Whether-Employee-Was-Plotting-Attack-on-Homeland-Security-Officals-383852591.html.
---------------------------------------------------------------------------
Yesterday there was another alarming case at DHS
headquarters where a contractor was discovered with a gun. If
reports are accurate, this is the second case in a little over
a month of employees discovered through random checks with
weapons. I know that the witnesses will agree that this
requires immediate attention by the Department to protect its
workforce.
In May, Eulalio Tordil, an officer with the Federal
Protective Service (FPS), murdered his wife and several other
people.
The subcommittee is holding this hearing to review DHS's
counterintelligence and insider threat programs. With over 100,000
employees holding security clearances and significant responsibilities
for the country's border, cyber, and maritime security, DHS represents
a prime target for the intelligence collection efforts of our enemies.
Unauthorized disclosures of Classified information, whether
deliberate or unwitting, represent a significant threat to National
security. The very nature of modern communications and the reliance on
electronic data storage and transfer, as well as DHS's information-
sharing leadership role with State, local, and Tribal partners, adds
complexity to the challenge and requires thoughtful programs to educate
employees to mitigate the threat.
The subcommittee wants to hear how the Department is developing
robust and holistic counterintelligence and insider threat programs to
defend against threats both virtual and physical. We also seek to
examine the partnerships DHS has developed within the agency and across
the Government to leverage best practices. We must determine what
actions the Department can take to prevent these threats by proactively
identifying and intervening when necessary to protect the DHS, its
workforce, and the country.
I would like to welcome our distinguished panel. Your input today
is very valuable in showing that the benefits of strong
counterintelligence and insider threat programs extend beyond the DHS
enterprise, but to the workforce as well, by preserving safety and
security, and allowing DHS to fulfill its critically important homeland
security mission.
Mr. King. With that, I recognize the Ranking Member of the
subcommittee, the gentleman from New York, Mr. Higgins.
Mr. Higgins. Thank you, Mr. Chairman.
I would like to thank Chairman King for holding this
hearing. I would also like to thank the witnesses for
participating in today's hearing.
Many of the issues that come before this committee are and
have been mainstays in the public discourse since the terrorist
attacks of September 11. However, the security clearance
process and protection of our Classified networks and
information arguably did not become permanently affixed to our
National and international security conversations until May
2013. That is when we learned that former NSA contractor Edward
Snowden leaked the details of Classified programs to the
British newspaper The Guardian.
The sheer volume of the information shared by Snowden
brought many issues to the forefront of our National security
conversations. Since the leak, Congress and the public have
questioned if an outside contractor should have vetted his
security clearance or it was a duty that should have rested
squarely with the hands of the Federal employees. We have
questioned if Snowden should have had access to such sensitive
information in massive volumes.
Then, later that same year, we learned that the same firm
that vetted Edward Snowden also vetted the Navy Yard shooter
Aaron Alexis. On September 16, 2013, Alexis, a civilian
contractor, opened fire at the Navy Yard here in Washington,
DC--literally, within walking distance of where we sit today.
In the subsequent investigation, we learned that Alexis failed
to disclose information about felony charges and a Federal
personnel report had no information about his previous arrests.
In May of this year, a Federal Protection Services
employee, Officer Tordil, who had held a TS and SCI clearance
since November 2015, shot and killed his estranged wife outside
a high school in Maryland, then later killed two more people
outside a mall and grocery store in Maryland.
All of these incidences have raised concerns that we will
discuss today. Had a strong insider threat program been in
place, NSA authorities would have been alerted to massive
amounts of information being transferred by Snowden for public
distribution. Continuous evaluations of Aaron Alexis may have
flagged his arrest and felony charges.
While I understand the limitations of insider threat and
counterintelligence programs, I also see the value in having
such programs today. I also look forward to expanding the
conversation to consider the role right to privacy plays in
these programs in securing the country. Finding this balance is
difficult, but today I hope to learn what the Department of
Homeland Security is doing to advance their insider threat and
counterintelligence programs. I look forward to the robust
discussion with our witnesses today.
I yield back.
[The statement of Ranking Member Higgins follows:]
Statement of Ranking Member Brian Higgins
July 13, 2016
Many of the issues that come before this committee are and have
been mainstays in the public discourse since the terrorist attacks of
September 11. However, the security clearance process and protection of
our Classified networks and information, arguably, did not become
permanently affixed to our National and international security
conversations until May 2013.
That is when we learned that former NSA contractor Edward Snowden
leaked the details of Classified programs to the British newspaper The
Guardian. The sheer volume of information shared by Snowden brought
many issues to the forefront of our security conversations.
Since the leak, Congress and the public have questioned if an
outside contractor should have vetted his security clearance or if it
was a duty that should have rested squarely in the hands of Federal
employees. We have questioned if Snowden should have had access to such
sensitive information in massive volumes.
Then, later that same year, we learned the same firm that vetted
Edward Snowden also vetted the Navy Yard shooter, Aaron Alexis. On
September 16, 2013, Alexis, a civilian contractor, opened fire at Navy
Yard here in Washington, DC, literally within walking distance of where
we sit today. In the subsequent investigation we learned that Alexis
failed to disclose information about felony charges and a Federal
personnel report had no information about his previous arrests.
In May of this year, Federal Protective Services employee Officer
Tordil, who had held a TS/SCI clearance since November 2015, shot and
killed his estranged wife outside of a high school in Maryland. Then,
later killed two more people outside a mall and grocery store in
Maryland. All of these instances have raised concerns that we will
discuss today.
Had a strong Insider Threat program been in place, NSA authorities
would have been alerted to massive amounts of information being
transferred by Snowden for public distribution. Continuous evaluations
of Aaron Alexis may have flagged his arrests and felony charges.
While I understand the limitations of Insider Threat and
Counterintelligence programs, I also see the value in having such
programs. Today, I also look forward to expanding the conversation to
consider the role ``the right to privacy'' plays in these programs and
securing the country.
Finding this balance is difficult, but today I hope to learn what
the Department of Homeland Security is doing to advance their Insider
Threat and Counterintelligence programs.
Mr. King. I thank the Ranking Member. Any other Members of
the subcommittee, whether here or not, may submit statements
for the record.
[The statement of Ranking Member Thompson follows:]
Statement of Ranking Member Bennie G. Thompson
July 13, 2016
In a time where threats and issues regarding domestic and foreign
terrorists, emergency preparedness, immigration, and aviation seem to
be at the forefront of our thoughts and concerns, the issues
surrounding how we secure the information that informs all of those
policies is often forgotten.
In the nearly decade and a half since the 9/11 attacks, both the
committee and security officials have worked together to increase the
security workforce and information needed to better secure our
homeland.
One of the primary recommendations from the 9/11 Commissioners
encouraged the United States to improve its intelligence gathering and
information-sharing activities.
This resulted in more employment positions that allow access to
Classified information, which requires security clearances.
While it is clear that the sharing of Classified and Unclassified
information between our domestic and international partners is
imperative to keep us all safe, it also presents a number of issues.
Of those issues, the one we will discuss at length today is the
increase in opportunities for bad actors to exploit our workforce and
information through sabotage, theft, espionage, and fraud. Bad actors
commit these acts in order to gain competitive advantages for economic
and political reasons all over the world.
Another issue is the massive proliferation of original and
duplicative Classified material and the exponential growth in the
number of individuals with security clearances.
Both present significant homeland and international security
challenges.
An estimated 4.5 million people held security clearances in fiscal
year 2014.
The costs of security clearance investigations vary significantly,
depending on clearance levels.
However, in fiscal year 2014 the minimum cost for a Top-secret
clearance investigation was almost $4,000, while the minimum cost of a
Secret clearance was $3,000.
Additionally, the cost of maintaining the security classification
system across the Federal Government was estimated at more than $11
billion for fiscal year 2013.
Within that amount, the estimate for the cost of protecting and
maintaining Federal Classified information was more than $4 billion.
To say we have made a significant financial investment in our
Classified security systems is an understatement.
However, none of those financial resources matter as much as the
continued investment that needs to be made to monitor those systems.
In order to address the continuing increase of Classified
information, positions, and systems needed to protect Classified data,
I will reintroduce legislation titled the ``Clearance and Over-
Classification Reform and Reduction Act'' or ``CORRECT Act.''
While the CORRECT Act addresses Government-wide security clearance
processes, in order to advance more focused legislation, I also
introduced H.R. 3505, ``Department of Homeland Security Clearance
Management and Administration Act.''
This act makes specific classification reforms within the
Department of Homeland Security.
Subsequently, that bill has passed our committee and the House with
bipartisan support.
If enacted, H.R. 3505 would make DHS a leader among Federal
agencies with respect to security clearance and position designations
practices.
I believe that access to National security information is a
privilege that should be regarded with the highest integrity and it is
important for the Department to be good stewards of this information by
managing and monitoring its workforce and data.
I look forward to hearing from our witnesses today regarding the
best practices and considerations undertaken to further the programs
directed at counterintelligence and insider threats to the Department
of Homeland Security and its personnel.
Mr. King. We are pleased to have a very distinguished panel
of witnesses before us today on this vital topic. All the
witnesses are reminded, their written testimony will be
submitted for the record.
We will hear first from Under Secretary Frank Taylor. The
Honorable Frank Taylor has served as the under secretary for
intelligence and analysis and as the chief intelligence officer
for the Department since April 2014.
Prior to joining DHS, Secretary Taylor served with great
distinction in the U.S. military for 31 years, rising to the
rank of brigadier general. He has also served in numerous
senior positions in the State Department, focused on
counterterrorism and security of U.S. personnel, and he has
also worked in the private sector.
Most importantly, of course, he holds a bachelor's and
master's degree from the University of Notre Dame. Go Irish.
I now recognize General Taylor.
STATEMENT OF HONORABLE FRANCIS X. TAYLOR, UNDER SECRETARY,
OFFICE OF INTELLIGENCE AND ANALYSIS, U.S. DEPARTMENT OF
HOMELAND SECURITY
General Taylor. Thank you, Chairman King, Ranking Member
Higgins. I would start with ``Go Irish'' given our shared
lineage with the University of Notre Dame. I want to thank you
and the Members of the committee for the opportunity to appear
with my colleagues here today.
The Department faces a range of threats from foreign
intelligence services, non-state entities like terrorist groups
and transnational criminal organizations, and insider threats.
Based on overt intent, capabilities, and broad operational
scope, Russia and China continue to be the leading state
intelligence threats to the United States and our interests,
including the Department of Homeland Security.
Similar to foreign intelligence threats, terrorist groups
and TCOs continue to enhance their human, technical, and cyber
intelligence capabilities recruiting human sources and
conducting physical and technical surveillance of DHS
operations. Additionally, we are very concerned that the threat
from insiders disclosing sensitive U.S. Government information
will also continue.
As the Department's counterintelligence executive, I am
leading the implementation of the new National
Counterintelligence Strategy and building out a unified
Department counterintelligence program. I am also the
Department's senior information-sharing and safeguarding
executive responsible for overseeing all Classified
information-safeguarding efforts in our Department.
We recently completed a Classified assessment of foreign
intelligence threats to the Department and the broader homeland
security enterprise. This will serve as our baseline
assessment, and we will re-evaluate this assessment every year
to track trends and update it with significant changes in the
CI threat environment.
Thanks to Congress, Congressional support, we have
significantly enhanced our counterintelligence and threat
programs. I&A's Counterintelligence Division has Department-
wide responsibilities. Our objectives are to deepen our
understanding of the external and internal threats; deter,
detect, and disrupt these threats; safeguard sensitive
information from exploitation; and to protect our Nation's
networks from foreign intelligence threats, such as the
disruption, exploitation, or theft of sensitive information,
including personally identifiable information.
We are embedding counterintelligence officers in each of
the Department's operational components and within the
Department's most at-risk headquarters components. We are also
leveraging the existing resources, like the U.S. Coast Guard
Counterintelligence Service, and are partnering with CI
personnel from across the Federal Government to enhance the
Department's CI program.
These are just a few of the steps we are taking to meet
these threats so the Department can continue its work securing
the country and fulfilling our border security, immigration,
travel security, and other homeland security missions.
Our Insider Threat Program has made great progress
implementing Executive Order 13587. For this fiscal year, our
technical monitoring solution audited 33 million actions on our
enterprise Classified networks. Of these, 215,000 required
manual review by our analysts, of which 72 required further
investigation. During the previous 2 fiscal years, the Insider
Threat Program also identified 162 violations and provided
support to 15 counterintelligence and internal security
investigations.
Chairman King, Ranking Member Higgins, Members of the
committee, thank you again for the opportunity to appear before
you to have this very important discussion. I look forward to
your questions.
[The joint prepared statement of General Taylor, Colonel
McComb, and Rdml. Andersen* follows:]
---------------------------------------------------------------------------
* Rdml. Robert P. Hayes, Assistant Commandant for Intelligence,
U.S. Coast Guard, U.S. Department of Homeland Security testified on
behalf of Rdml. Andersen.
---------------------------------------------------------------------------
Joint Prepared Statement of Francis X. Taylor, Richard McComb, and
Steven Andersen
June 23, 2016
Chairman King, Ranking Member Higgins, and distinguished Members of
the committee, thank you for the opportunity to appear before you today
to discuss the Department of Homeland Security's (DHS) efforts to
address Counterintelligence and Insider Threat. We look forward to
providing our joint perspective on the full range of
counterintelligence and insider threats we face as a Department.
Counterintelligence Threat
DHS continues to face a complex foreign intelligence threat
environment. In recent decades, the U.S. Government has made
extraordinary strides in adapting to the changing fiscal,
technological, and threat environment. However, the challenges of
keeping up with the threat have provided opportunities for foreign
intelligence entities to expand their scope of collection and
operations against the U.S. Government, including at DHS. There also
continues to be significant damage done by insiders who engage in
unauthorized disclosures.
In the 2016 National Counterintelligence Strategy, President Obama
characterized the counterintelligence threat as ``daunting'' and one
that ``seeks to undermine our economic strength, steal our most
sensitive information, and weaken our defenses.'' On a daily basis,
foreign intelligence entities, including non-traditional actors such as
terrorist groups and transnational criminal organizations, use human
and technical means, both openly and clandestinely, to steal U.S.
National security information that is of vital importance to our
security. The interconnectedness of systems and emerging technologies
provide our adversaries with novel ways to steal valuable information
from the U.S. Government, academic institutions, and businesses--
oftentimes from the safety of a computer thousands of miles away. As
the cyber intrusions against the Office of Personnel Management (OPM)
illustrated to millions of Government employees, Federal agencies
continue to remain at significant risk of being targeted by foreign
adversaries.
Director of National Intelligence (DNI) James Clapper assessed \1\
that the leading threat of intelligence collection on U.S. interests is
and will continue to be Russia and China, based on their overt intent,
capabilities, and broad operational scope. Other state actors in Asia
and Latin America pose local and regional counterintelligence threats
to U.S. interests. In addition, Iranian and Cuban intelligence and
security services continue to view the United States as their top
priority for intelligence collection. The DNI further assessed that
penetrating and influencing the U.S. National decision-making apparatus
and the intelligence community (IC) will remain primary objectives for
foreign intelligence entities.
---------------------------------------------------------------------------
\1\ James Clapper, Statement for the Record, ``Worldwide Threat
Assessment of the US Intelligence Community,'' February 9, 2016,
http://www.intelligence.senate.gov/sites/default/files/wwt2016.pdf.
---------------------------------------------------------------------------
International terrorist groups and transnational organized crime
organizations continue to operate and strengthen their intelligence
capabilities utilizing human, technical, and cyber means. Similar to
state actors, these non-state entities successfully recruit human
sources and conduct physical and technical surveillance of their
targets, with increasing sophistication, in order to evade detection
and capture.
Finally, we continue to believe that unauthorized disclosures of
sensitive U.S. Government information are and will remain a threat for
the foreseeable future. The interconnectedness of information
technology systems exacerbates this threat.
counterintelligence strategy and implementation
DHS is implementing the National Counterintelligence Strategy of
the United States of America 2016. As a result of the broader
intelligence transformation that the Office of Intelligence and
Analysis has undertaken in the last year, I have made integrating
counterintelligence into the broader DHS mission and our components'
world-wide operations one of my top priorities. To emphasize the
growing importance of counterintelligence activities, we realigned I&A
Counterintelligence Division to directly report to the I&A front office
to reflect its Department-wide responsibilities.
We continue to develop a holistic Counterintelligence Program
across the Department, leveraging the Homeland Security Intelligence
Council to drive integration of counterintelligence activities across
the DHS Intelligence Enterprise. Our objectives are to:
    Deepen our understanding of the threats posed by foreign
      intelligence entities and insider threats to DHS;
    Detect, deter, and disrupt these threats through proactive
      training and awareness campaigns and effective investigative
      efforts;
    Safeguard sensitive information from exploitation by
      identifying the Department's most critical assets and
      implementing enhanced protective measures; and
    Support Departmental efforts to protect our Nation's
      networks from foreign intelligence efforts to disrupt, exploit,
      or steal sensitive information, including personally
      identifiable information.
To help coordinate this effort, we created a Counterintelligence
and Security Board, co-chaired by the DHS counterintelligence director
and the DHS chief security officer to better integrate and align
component counterintelligence and security programs. This board helps
synchronize the Department's counterintelligence efforts, insider
threat programs, foreign access and visitor management, and related
counterintelligence and security activities.
As part of the effort to integrate counterintelligence into
component missions and operations, I&A Counterintelligence Division is
embedding experienced Counterintelligence Officers in each of the
operational components and highest risk headquarters offices. These
Counterintelligence Officers perform myriad functions, including:
    Assisting DHS component leadership with their efforts to
      protect DHS personnel, programs, and information from external
      and internal threats;
    Conducting comprehensive foreign intelligence threat and
      awareness briefings, including foreign travel briefings and
      debriefings for DHS personnel traveling to high-threat
      countries;
    Assisting with periodic Counterintelligence Program
      Compliance Reviews; and
    Creating a culture of CI awareness through training.
I&A's Counterintelligence Division recently began Departmental
counterintelligence capability assessments and program reviews to
identify gaps requiring additional resources and prioritize existing
resources. The assessments and reviews examine which DHS operations are
most vulnerable to foreign intelligence entities, and provide the
information necessary to make decisions on defensive
counterintelligence operations to counter the foreign intelligence
entity threat.
The Counterintelligence Division also produces all-source
intelligence analysis of foreign intelligence threats to DHS personnel,
operations, technology, and the broader Homeland Security Enterprise,
including our State, local, Tribal, territorial, and private-sector
partners. I&A recently completed a Classified counterintelligence
threat assessment covering the last 3 years. This assessment, which
serves as our baseline, will be updated annually to track trends and
significant changes in the counterintelligence threat environment.
As a member of the Committee on Foreign Investment in the United
States (CFIUS), DHS conducts analysis to support the ODNI-led National
Security Threat Assessments. If a National Security Agreement or other
risk mitigation agreement is put in place, DHS counterintelligence
analysts assess the threat to support DHS CFIUS Compliance Monitoring--
the process through which the U.S. Government continuously tracks,
evaluates, and enforces CFIUS mitigation measures.
DHS counterintelligence also supports Team Telecom, comprised of
the DHS, Department of Justice (DOJ), and Department of Defense (DoD).
Team Telecom reviews applications to the Federal Communications
Commission (FCC) when there is disclosable foreign ownership and the
potential National security, law enforcement, and public interest
concerns. Our threat assessment informs Team Telecom's recommendations
to the FCC.
We also recognize that much of the DHS workforce and the broader
Homeland Security Enterprise does not handle Classified information and
is not always aware of foreign intelligence entity threats or the
relevance of counterintelligence to their work. We work to educate the
workforce on their counterintelligence responsibilities.
    In July 2013, I&A's Counterintelligence Division published
      an Unclassified finished intelligence product for our Federal,
      State, and local partners who host foreign delegations and
      tours on potential indicators of foreign collection techniques.
      The product highlighted ``Topics of Concern'' and ``Behaviors
      of Concern'' personnel should be aware of that might raise a
      red flag and encouraged them to report suspicious activity.
    We have also conducted significant outreach following the
      breach of personnel information from the compromise of OPM
      databases and the potential threats stemming from that incident
      to educate the workforce and our stakeholders on how they might
      be targeted, and encouraged them to report suspicious activity.
To enhance our counterintelligence program, we are forging
strong partnerships within DHS and are partnering with
counterintelligence elements across the U.S. Government.
u.s. coast guard counterintelligence service
The U.S. Coast Guard's (USCG) Counterintelligence Service serves as
a model for our components. Established in 2004, the USCG
Counterintelligence Service provides defensive counterintelligence
support to USCG personnel and units hosting foreign visitors or
traveling overseas. Given the USCG's unique maritime mission and
frequent international engagements, establishing this capability has
proven crucial to protecting USCG personnel from foreign intelligence
entity collection attempts and serves as the cornerstone for further
development of the Counterintelligence Service's capabilities.
The USCG Counterintelligence Service engages in counterintelligence
operations and investigations with partner agencies, and provides its
personnel with both on-line and in-person threat awareness training.
The USCG also maintains an internal website that hosts insider threat
reference material, as well as a portal employees can use to report
insider threat concerns.
The USCG Counterintelligence Service has increased analytic
production tailored to the current threat environment, specifically
with products related to countering foreign intelligence entities and
transnational organized crime collection efforts targeting the USCG.
Most recently, in support of the USCG's Western Hemisphere Strategy
and the DHS Southern Borders and Approaches Campaign, the USCG
Counterintelligence Service initiated a pilot program to integrate
Counterintelligence Service Agents with DoD Force Protection
Detachments, supporting the increased USCG presence in foreign
countries.
insider threat program
With more than 115,000 Federal employees who have access to
Classified National security information, implementing Executive Order
(EO) 13587 \2\ and the President's National Policy and Minimum
Standards for Executive Branch Insider Threat Programs is the
Department's top information safeguarding priority. Established
pursuant to EO 13587, the DHS Insider Threat Program is a
Department-wide effort to protect Classified National security
information from
unauthorized disclosure. The purpose of the program is to identify,
detect, deter, and mitigate the unauthorized disclosure of Classified
information. The DHS Chief Security Officer serves as the Department's
senior official responsible for the day-to-day management and oversight
of the Insider Threat Program.
---------------------------------------------------------------------------
\2\ EO 13587 ``Structural Reforms to Improve the Security of
Classified Networks and the Responsible Sharing and Safeguarding of
Classified Information.''
---------------------------------------------------------------------------
We have made tremendous strides maturing our program to address
insider threats to Classified information and we expect to meet the
administration's mandate to make our insider threat program fully
operational by the end of the calendar year, including the deployment
of monitoring technology on all of our Classified computer networks.
This includes the Secret-level Homeland Secure Data Network, which
provides Classified connectivity to our 23 Federal agency subscribers
and nearly all State and Local Fusion Centers.
Significantly, the USCG became the first Insider Threat Program in
the Executive branch to achieve ``Full Operating Capability'' status as
assessed by the National Insider Threat Task Force. USCG has been
addressing insider threats since 2008, and, in 2012, installed
technologies designed to assist in addressing insider threats on
Classified computer systems. USCG's technical detection capability--
staffed by engineers and analysts--spans all Classified USCG computers,
fuses information from other organizations, and has constant oversight.
In addition to the deployment of monitoring technology to all of
our Classified networks, we have implemented the capability to collect,
fuse, correlate, and analyze information from various data sources in
order to identify suspected insider threats. This capability has
constant oversight by our General Counsel, Privacy Officer, and Officer
for Civil Rights and Civil Liberties in order to ensure the protection
of privacy, civil rights, and civil liberties of all of our personnel.
We strongly believe that in order to prevent insider threats from
materializing through early intervention, we must educate and train our
workforce to ``See Something, Say Something.'' We are in the process of
providing our workforce with comprehensive awareness training to better
sensitize our workforce to identify and report anomalous behavior
indicative of an insider threat. This training, which will serve as a
force multiplier for our program, enables the detection of potential
threats that cannot be discovered through any technological solution
available today. Earlier detection will allow for earlier mitigation of
potential threats and we believe this is a key component of our
program.
The Insider Threat Program complements the Department's
counterintelligence and security missions. In recognition of this, the
Department is currently considering expanding the scope of our program
to include preventing, deterring, detecting, and mitigating other
threats posed by insiders such as workplace violence, criminal
activity, and misconduct.
conclusion
Chairman King, Ranking Member Higgins, and Members of the
committee, we thank you again for the opportunity to appear before you
today to discuss these important matters. We look forward to answering
your questions.
Mr. King. Thank you, General. Thank you really for the
outstanding job you have done and the dedication you have shown
to this job. It is very much appreciated.
Colonel McComb was appointed to the position of chief
security officer for the U.S. Department of Homeland Security
just over 3 months ago, on April 3, 2016. Most recently, he
served as the director of the Leased Facilities Protection
Directorate at the Pentagon Force Protection Agency. Colonel
McComb served over 27 years in the United States Air Force as a
security forces officer, from which he retired as a colonel.
We are privileged to have you here today, and you are
recognized for your testimony.
STATEMENT OF RICHARD D. McCOMB, CHIEF SECURITY OFFICER, U.S.
DEPARTMENT OF HOMELAND SECURITY
Colonel McComb. Chairman King, Ranking Member Higgins, good
morning, and thank you for the opportunity to provide
Department of Homeland Security's Insider Threat Program.
I have the opportunity to lead the dedicated men and women
who make up the Office of Chief Security Officer. My office is
an element under the Department's Management Directorate and I
report to the under secretary for management, Mr. Russ Deyo.
However, in my capacity as a senior insider threat official
for the Department of Homeland Security, under the provisions
of Executive Order 13587, I execute the Insider Threat Program
on behalf of and under the guidance and direction of Under
Secretary Frank Taylor, as the under secretary for intelligence
and analysis.
As a chief security officer, I am responsible for DHS-wide
related programs affecting more than the 235,000 employees that
make up the Department, including the areas of personal
security, physical security, investigations, administrative
security, identity management, special access programs,
security training awareness, and the Department's Insider
Threat Program.
Finally, I serve as the chairman for the Department's Chief
Security Officer Council and have an opportunity to lead, with
my other counterparts in the DHS components, a highly
collaborative security program that is designed to safeguard
the Department's people, property, and information.
The DHS Insider Threat Program seeks to deter, detect, and
mitigate threats posed by trusted insiders. The program uses
technology that is generally called user activity monitoring.
This technology puts effective capability behind the warning
banners which for years have told users they were being subject
to such monitoring. The detection thresholds are tailorable to
specific types of users and to specific types of behaviors.
This is important, that for the first time the activity of
tens of thousands of users on IT systems can actually be
monitored via automation and, when combined with information
from other data sources, present a total threat picture. When
automated analysis is added in, the software can alert analysts
to events that have a high threat potential and minimize
wasteful false positives.
While this technology is a critical facet of our program,
it also relies on aggressive training and awareness for the
work force to enable and empower them to recognize aberrant
behavior and to include the tools to responsibly report it when
they see something.
I want to emphasize that the Insider Threat Program is part
of the security continuum, one of the elements in a series of
steps and programs to mitigate the full spectrum of risks posed
by employees, contractors, and other officials affiliated with
the DHS, as well as external actors who may threaten the
Department from outside.
As presently structured, our Insider Threat Program focuses
on the protection of Classified information as it was
originally driven by the Manning and Snowden cases. However,
DHS, as well as DOD and the intelligence community, are taking
a more expansive view of the threat to include workplace
violence, fraud, waste and abuse, and other potential work
force corruption.
The Office of the Chief Security Officer and the
authorities exercised by it uniquely situate the organization
to execute this program, connect the necessary dots, and detect
and prevent such threats.
DHS is currently monitoring 2 or 3 IT systems. We are in
the process of ensuring that our insider threat training
awareness program meets 508 compliance to ensure accessibility
by those with disabilities. Once completed, this training will
be posted on our Performance and Learning Management System to
enable the work force to meet the initial and annual training
requirements.
As was indicated earlier, resources are key to the
maturation of this program. Currently, we are learning what we
can expect to discover on Classified systems, but Unclassified
systems will present much broader risk, with far more users,
and will require greater analysis and follow-on investigative
capabilities. We have programmed for funding and support of
this expansion consistent with the current proposed insider
threat legislation.
In conclusion, access control to Federal facilities,
information by Federal employees and contractors, and a safe,
secure workplace are Departmental priorities and one in which
the Office of the Chief Security Officer has made significant
progress. However, there is more work to be done, and the
Office of the Chief Security Officer, in coordination with the
under secretary for intelligence and analysis and the DHS
components, has charted a clear course to further mitigate the
concern of the insider threat.
Thank you again for the opportunity to testify today, and I
look forward to your questions, sir.
Mr. King. Colonel, thank you.
Our next witness is Rear Admiral Robert Hayes, who just
recently took on the mantle for Coast Guard intelligence
activities, assuming the post of assistant commandant for
intelligence just earlier this month. Prior to this command,
Admiral Hayes served as chief of plans and policy for the
assistant commandant for intelligence and criminal
investigations. Prior to that, served as deputy director of the
Coast Guard's Counterintelligence Service.
He graduated from the Coast Guard Academy in 1988 and
earned a master's in strategic intelligence with the National
Intelligence University in 1993.
Admiral Hayes, good to have you here today. I look forward
to your testimony. Thank you.
STATEMENT OF ROBERT P. HAYES, ASSISTANT COMMANDANT FOR
INTELLIGENCE, U.S. COAST GUARD, U.S. DEPARTMENT OF HOMELAND
SECURITY
Admiral Hayes. Thank you, Chairman King. Good morning, sir.
Good morning, Ranking Member Higgins and other distinguished
Members of the committee.
I am honored to be here today to discuss the Coast Guard's
counterintelligence and insider threat programs. It is a
pleasure to be alongside my Department of Homeland Security
colleagues, Under Secretary Taylor and Chief Security Officer
McComb. I echo Under Secretary Taylor's assessment of the range
of intelligence collection threats that face the Department and
the Coast Guard.
As the world's premier multimission maritime service
responsible for the safety, security, and stewardship of the
Nation's waters, the Coast Guard offers a unique and enduring
value proposition to the Department of Homeland Security and
the American public. At all times a military service and branch
of the Armed Forces, a Federal law enforcement agency, a
regulatory body, a first responder, and a member of the U.S.
intelligence community, the Coast Guard is under high demand as
a global instrument of National security.
One of the key elements of the Coast Guard's intelligence
enterprise is our counterintelligence program. In 2004, the
Coast Guard began the initial development of its
counterintelligence capability. In the early stages of
development, counterintelligence activities were primarily
defensive in nature, providing support to Coast Guard personnel
in units either hosting foreign visitors or traveling overseas.
Given the Coast Guard's extensive international engagement
with maritime stakeholders, establishing counterintelligence
capability was crucial to protecting Coast Guard personnel from
foreign intelligence collection attempts and served as the
cornerstone for further development of other
counterintelligence activities.
Today, the Coast Guard's Counterintelligence Service
protects our work force through detection, deterrence, and
neutralization of foreign intelligence threats by leveraging
authorities and capabilities to provide the full spectrum of
counterintelligence support. We do this through many
activities, including counterintelligence investigations,
operations, collections, and analysis. These activities shield
Coast Guard operations, personnel, systems, facilities, and
information from the intelligence activities of not only
foreign powers, but terrorist groups and criminal
organizations, as Under Secretary Taylor mentioned.
In addition to the counterintelligence mission, the
Counterintelligence Service manages and executes the Coast
Guard's Insider Threat Program, which began formally addressing
insider threats in 2008. In 2012, the Coast Guard officially
chartered an Insider Threat Working Group. The
Counterintelligence Service staffed a small team to address
insider threat requirements and began installation of
activity-monitoring technologies designed to detect insider threats on
Classified computer systems.
Additionally, the director of the Coast Guard
Counterintelligence Service was appointed as the senior
official for the Coast Guard Insider Threat Program. A National
Insider Threat Task Force assessment of the Coast Guard's
Insider Threat Program resulted in the Coast Guard becoming the
first insider threat program in the Executive branch to achieve
full operating capability earlier this year. The National
Insider Threat Task Force also refers to the Coast Guard's
Insider Threat Program as the gold standard for small
organizations.
The Coast Guard's Insider Threat Program has transitioned
from seeking help from partner agencies to providing it. We
have advised the Department of Defense on the conduct of
technical insider threat detection on Classified computer
systems at sea; we have compared and contrasted best practices
with other departments; and we have provided best practices to
Executive branch agencies, as well as some combatant commands.
Our technical detection capability, which is staffed by
engineers and analysts, spans all Classified Coast Guard
computer systems in its continuous oversight from Coast Guard
leadership and legal counsel. Since inception, we have
identified or supported the detection of multiple threats. The
overwhelming majority of these detections have been
non-malicious types of unauthorized disclosures, password sharing,
and system administrator privilege abuse. Despite the absence
of harmful attacks, we must remain vigilant by continuing to
mature the insider threat and counterintelligence program.
Thank you for inviting me to discuss the Coast Guard's
counterintelligence and insider threat programs, and I look
forward to your questions, sir.
Mr. King. Thank you, Admiral.
I will keep my questions brief prior to the closed session.
Colonel McComb, there have been two very public cases of
employees arrested with guns at work in the last month that I
mentioned in my opening statement. What is your overall
assessment of security at the DHS facilities and your ability
to identify insider threats that could pose a physical threat?
Colonel McComb. Thank you, sir.
As you may or may not know, the DHS headquarters is a level
5 facility; that is, we meet the standards of the Interagency
Security Committee, which is the highest level with regard to
Federal facilities. We meet those standards at the DHS
headquarters in the Nebraska Avenue complex, and we are
implementing enhanced security measures which are above and
beyond the basic measures required by those standards.
As you alluded to, during those enhanced security measures,
which includes random screening of employees, we did detect
individuals that were attempting to bring unauthorized items
into the DHS headquarters. They are currently under
investigation, but in both instances we have not detected
anything that would lead us to believe that these individuals
were planning any sort of workplace violence or conspiring with
others to commit workplace violence.
We take security very seriously. I think we do a great job,
and I believe our enhanced security measures worked in these
cases.
In addition to the enhanced security measures that are
being employed at this location, we have taken on a large
employee education effort, which includes townhall meetings,
communications to the employees to understand that if they see
something unusual to report it, and including training to
include insider threat training and also emergency management
training for how to respond in certain cases.
So the Department is very committed to ensuring that folks
are protected within our headquarters, and the DHS complex at
Nebraska Avenue complex is no exception to that rule, sir.
Mr. King. Thank you.
I guess I will ask this across the board. Is there a
renewed sense of urgency in the Department and the
administration to expedite the implementation of continuous
evaluation programs in the wake of the OPM breach?
Colonel McComb. Sir, the DNI, the Director of National
Intelligence, has the lead for the continuous evaluation. As
you may or may not know, that program will be automated. It is
yet to happen, but when it does, there will be 7 authoritative
databases that individuals that have National security
determinations or possess Secret or above clearances will be
vetted against those either on a daily basis or monthly basis,
dependent upon the particular database.
If an individual indicates a hit from one of those
databases, then the Department of Homeland Security, along with
all of the other departments that participate in this program,
will be required to follow that lead, vet that individual, and
determine whether it has implication on their ability to
perform their job and/or have access to National security
information.
There is a time line that 5 percent of the tier 5, that is,
those with TS/SCI clearances, must be in a continuous
evaluation program by September 2017. We in DHS have already
initiated the work to ensure that our IT systems allow us to
receive those alerts from the DNI automated program. We will do
a pilot program this year to start doing some of those
continuous evaluations on our, once again, most sensitive
population, those with TS/SCI clearances.
Mr. King. OK. Anybody else want to comment on that? OK,
thank you.
Ranking Member Mr. Higgins.
Mr. Higgins. Thank you, Mr. Chairman.
Mr. Taylor, I just want to continue this line of
questioning on the issue of Homeland Security headquarters. For
the second time in a month, an employee has been arrested for
taking a handgun onto the secured grounds of the Department of
Homeland Security at their headquarters here in Washington, DC.
According to police records, the accused had a 9-millimeter
handgun in a leather handbag while inside the complex. The
accused is a contractor who works in the information technology
for the agency. The weapon appeared to be fully functional,
capable of being fired by a single hand, and designed to expel
a projectile by the action of an explosive.
This arrest comes about a month after the arrest of another
individual, another Homeland Security employee accused of
carrying a firearm inside agency headquarters. Court filings
from the investigators indicated that the accused, the second
individual, was found with a loaded .22-caliber handgun
carrying 5 hollow-point bullets in June.
In that same court filing, it said that the agent was,
``probable cause to believe that the accused was conspiring
with another to commit work force violence, and more
particularly, may have been conspiring or planning to commit
violence against a senior DHS official in the building.''
What can you tell us?
General Taylor. Sir, I will ask CSO McComb to comment
further, but I believe it probably most appropriate to do this
in the closed session as opposed to this open session to
respond to that question.
Mr. Higgins. OK.
Colonel McComb. Sir, what I would indicate is that, as you
stated, you are correct in that there were two individuals that
were discovered during our random screening processes as part
of our enhanced security measures at the Nebraska Avenue
complex, were discovered with weapons. The investigation is
on-going, but as I indicated earlier, at this point there is no
indication that either of these individuals were planning or
conspiring to commit workplace violence. Both of these
individuals recently had been previously cleared. As Under
Secretary Taylor indicated, we certainly would be happy to
provide more details of both of those events in the closed
session.
Mr. Higgins. I have no further questions.
Mr. King. Mr. Katko, the gentleman from New York.
Mr. Katko. Thank you, Mr. Chairman.
General, it is good to see you again, Colonel McComb, and
Rear Admiral Hayes.
Quick question for you. As you may know, I think you know,
I have direct oversight over the Transportation Security
Administration through my subcommittee. Is it fair to say that
in your capacities, General and Colonel, that you consult TSA
on a regular basis regarding intelligence matters and security
matters?
General Taylor. Yes, sir, that is correct. Every day.
Mr. Katko. OK, great. So just a couple of quick questions
with respect to the insider threat at TSA facilities and
airports.
I know you are well aware of the incident about a
year-and-a-half ago where a fellow got off a plane in LaGuardia Airport
with a backpack full of guns, and it turned out that an
employee at the airport in Atlanta had carried those backpacks
through the secure area using a SIDA badge and gave the
backpack to the fellow and he brought it up to New York. It
turns out that is about his tenth trip. The backpack in
question had 16 guns, 9 millimeters and assault rifles, most of
which were loaded. Obviously, that is a major concern about the
insider threat from employees at airports.
Also, more recently, the insider threat at airports
manifested with the Dallas-Fort Worth incident in a major drug
trafficking case, which in the public record included
invitations by one of the employees at the airport to bring
anything through the access control areas, including bombs, if
people wanted to.
With the threat from ISIS being what it is, and their
desire to take down planes and taking credit for two planes
that have been bombed in the last 8 months and perhaps even a
third with EgyptAir, we don't know yet, it is a very real
concern for me and it is something that I can't get over and I
will continue to pursue.
The concerns are manifested for this hearing in two ways.
One is the safety and security of the airports in the United
States and the safety and security at last point of departure
at airports worldwide.
With respect to the safety and security of the airports in
the United States, are you aware of any changes in procedures
that have been undertaken by TSA and/or Homeland Security with
respect to the vetting of employees at airports; not just TSA
employees, but vetting the employees at airports to ensuring
that the insider threat is minimized?
No. 2, what do you think about beefing up the access
controls for those employees?
General Taylor. Thank you for your question, Congressman.
Some of this we would probably want to discuss in the closed
hearing because of the sensitive nature of it.
But since the event in Atlanta, TSA has been working with
the airport authorities and the Federal security directors to
tighten up significantly the security in the sterile area,
particularly for employees that have access under SIDA badges.
We can speak to you about how those changes have occurred over
time.
We are very much concerned about security in the open area,
before the secure and sterile area, and we have communicated
with airport operators and our Federal security directors
continuously since Istanbul about that concern. We issued a
joint NCTC, FBI, DHS joint intelligence bulletin around
tactics, techniques, and procedures that we noted from Istanbul
that we think will be valuable in planning security in the
public areas of the airport.
It is a huge problem, we recognize that, and we will be
consulting in the next month across the industry in terms of
best practices for keeping the area open and welcoming, but
also providing the layers of security that are necessary to
protect the public that is there.
Mr. Katko. Thank you.
Colonel, do you want to add anything or does that
adequately cover it?
Colonel McComb. The only thing I would add, sir, is that
TSA does have a robust insider threat program. As we will talk
in more detail in the closed session, they are very concerned
about the areas that you discussed, and that will be a very
prominent part of what they monitor as we continue to roll out
and mature the Insider Threat Program within the Department of
Homeland Security.
Mr. Katko. If the Chairman will just indulge me one more
moment.
Mr. King. Sure.
Mr. Katko. Thank you.
Just switching gears briefly, I am vitally concerned about
developing facts with respect to opening the airports in Cuba.
My concern is, quite frankly, that we are sprinting to the
starting line, but we do not know where the finish line is, and
I think it is a recipe for disaster. One of the biggest
concerns I have is the insider threat at the airports in Cuba
and the lack of appropriate facilities for those airports.
The Homeland Security Committee--Homeland Security I know
is well aware of my concerns, but I just want to state them
again on the record, Colonel and General. It is incredibly
important that we do a thorough job evaluating those airports
before we open up those routes. I know everyone is licking
their chops from a financial standpoint and I know there may be
some pressure from the administration because the President
wants this done before he leaves office, but I urge you in the
strongest words possible, based on everything I know, and we
can talk more about that in a secure setting, that it is a very
serious security issue.
One thing I can say on the public record is, when you don't
even know how the Cuban officials screen their employees and
they won't tell you how they do it and you don't know such
basic things as that, I would strongly urge you that if you
really are serious about the insider threat and you are very
serious about keeping the skies safe, that you look at with a
very focused eye on what is going on in Cuba before you open up
those airports, with 20 direct flights a day to New York and
possibly direct flights to Washington, which are the two main
targets for terrorists.
General Taylor. Yes, sir. I think we can have a further
discussion in the closed session about those challenges with
those airports.
But for the record, DHS takes aviation security very
seriously, particularly any aviation operating directly into
the United States. We recognize the risk and want to make sure
we have done a thorough job of assessing both the security at
the airport and the security of the aircraft before they arrive
here.
Mr. Katko. Thank you very much. I yield back.
Mr. King. The gentleman yields.
The gentlelady from Texas is recognized for 5 minutes.
Ms. Jackson Lee. I thank the Chairman and the Ranking
Member for this combined committee, and thank the witnesses, as
well, for your presence here today.
Let me say that in the backdrop of the memorial yesterday
that I attended in my home State for the fallen officers, let
me again offer my deepest sympathy to the Dallas Police
Department and to the families who have lost loved ones through
actions of terror and certainly through our recent incidences
in our Nation that have befallen many families from many
different States and jurisdictions.
That the climate that we are in calls for greater
attention. Maybe as we speak we are not poignantly talking
about the immediacy of loss of life, but cybersecurity
incidences and intrusion to places where individuals should not
go can certainly bring about an enormous amount of danger and
possible injury and death.
I would like to put into the record--I am not sure if this
is in the record--``Another Employee With A Gun Arrested At
Homeland Security Headquarters, A Man Caught During Random
Employee Screening.'' I would ask unanimous consent to put this
into the record.
Mr. King. We have already discussed that, but no objection.
[The information referred to follows:]
Article Submitted by Hon. Sheila Jackson Lee
Another Employee With a Gun Arrested at Homeland Security Headquarters
Man caught during random employee screening
By Scott MacFarlane
http://www.nbcwashington.com/investigations/Another-Employee-With-A-Gun-Arrested-At-Homeland-Security-Headquarters-386519051.html
For the second time in a month, an employee has been arrested for
taking a handgun on to the secured grounds of U.S. Department of
Homeland Security headquarters in Washington, D.C.
According to police and court records obtained by the News4 I-Team,
security officers arrested Thomas Pressley of Woodbridge, Virginia,
Monday, accusing him of carrying a 9-millimeter handgun in a leather
handbag while inside the complex.
Pressley, a contractor who works in IT for the agency, has been
ordered jailed in D.C. until his next scheduled court appearance
Friday. He is charged with carrying a pistol without a license. Court
filings did not detail what, if any, plea has been entered in the case
by Pressley. His attorney did not immediately return requests for
comment from the I-Team.
Federal government records specify the U.S. Department of Homeland
Security headquarters complex on Nebraska Avenue in northwest
Washington is among the most secured government facilities in the
United States, rivaling the security apparatus of the White House and
the Pentagon.
``The weapon appeared to be fully functional, capable of being
fired by a single hand, and designed to expel a projectile by the
action of an explosive,'' according to a police report.
The report also said, ``The weapon also had a barrel length of less
than 12 inches.''
Agency security located the handgun during a random employee
screening, the report said.
``As a result of enhanced security and screening measures at the
NAC, security officers detained a contract employee yesterday after
they discovered a concealed firearm during screening,'' a DHS spokesman
said. ``The contract employee was subsequently arrested.
``While we currently have no information to suggest that this
individual sought to cause harm, as discussed at a recent employee town
hall, the safety of employees and visitors to DHS facilities is a top
priority. The enhanced security procedures discussed at that meeting
remain in effect, including increased levels of screening of employees
entering the NAC. And because we won't hesitate to take every
appropriate measure to protect our employees, our security
professionals are evaluating what additional security enhancements may
be necessary.''
Pressley's arrest comes about a month after the arrest of Jonathan
Wienke, another Homeland Security employee accused of carrying a
firearm inside agency headquarters. Court filings from investigators
said Wienke was found with a loaded .22-caliber handgun, carrying five
hollow point bullets in June.
Wienke pleaded not guilty to a gun charge and is awaiting further
court proceedings in the case.
But Wienke had more than a gun when he was searched on June 9,
according to a request for court permission to raid Wienke's home. A
federal agent and security officers also found Wienke had a knife,
pepper spray, thermal imaging equipment and radio devices.
And the feds said in the court filing that Wienke was found in his
workspace, which is in close proximity to a meeting of senior agency
officials the day of his arrest--and that Wienke was aware of the
meeting.
In the same court filing, the agent said there was ``probable cause
to believe Jonathan Wienke was conspiring with another to commit
workplace violence and, more particularly, may have been conspiring or
planning to commit violence against the senior DHS officials in the
building.''
Ms. Jackson Lee. All right. Put the story at least into the
record. The reason I say that is because there are a number of
intrusions that I am concerned about and I want to discuss some
legislation that I have introduced as well.
But let me pointedly go to two entities, nations that are
known as our chief threats to intelligence assets of the United
States, and this would be to you, Mr. Secretary, Secretary
Taylor. How can Russia or China use the OPM breach data with
the Ashley Madison breach of information to compromise
security?
General Taylor. Ma'am, I would prefer we respond to that
question in the closed session. I think we can be more full in
our answer.
The threat from cybersecurity is a significant threat and
the information and data that is collected through cyber
intrusion means present a significant threat to our country.
But the specifics, I would prefer if we could answer that in
the closed session.
Ms. Jackson Lee. OK. Well, let me just get a general
assessment then, because I am not sure when we will designate a
closed session.
Mr. King. Right after this, as soon as you are finished, we
are going downstairs.
Ms. Jackson Lee. OK. Then let me just make my own comments
and say the great concern that I have of that data being out is
what I hope that we will have a focused perspective on--and I
assume that you can answer--we will have a focused effort on
that.
General Taylor. We have 110 percent focused effort on that
activity and the potential implications of that activity for
the National security.
Ms. Jackson Lee. Very good.
Let me then go to some legislation that I think had to do
or reflects the shooter that was at the Navy Yard and Snowden.
As I understand, they were vetted for security by the same
contractor.
Are you able to comment on any firewalls that are being put
on outside contractors, any extensive review on contractors who
have responsibilities for vetting and where the Government
relies upon them? Are these contracts periodic? Do people get
10-year contracts? Are these people wedded in their positions,
can't be taken out? Are they lax? What is happening?
I think that Snowden has to be one of the most severe and
outrageous responses or actions that we had in security and he
was vetted and he was engaged in, I think, at too high a level
of the Nation's security data, intelligence data.
Colonel McComb. Ma'am, kind of bottom-line up-front is that
the vetting of contractors and the companies that have
contractors are done in accordance with the Federal
Investigative Standards. At the interagency level, the
Performance Accountability Council for suitability, security
clearances, and credentialing is looking at that issue very
hard.
All of the companies who are on Classified contracts must
meet the National Industrial Security Program standards, which
requires that they have a facility security officer, they run
through the background investigations of the individuals who
will be working those contracts, whether they be for
investigative purposes or if they are doing some other level of
work, whether it be on the IT systems, et cetera.
We in DHS look at those contractors from a fitness
perspective, once again applying the OPM standards. So we look
at that very hard. Contracts are held to the standards that are
in the performance work statement. Where there are issues or
breaches of those, then contracting action can be taken against
those individuals, those companies, to include termination on
behalf of the Government based on those breaches.
We continue to monitor that along with the contracting
folks. The other thing I would add is, with the cyber hygiene
initiative in the Department of Homeland Security we are
ensuring that all information that is handled through contracts
is kept at the high security level, which is above the standard
required for the Federal Government, to ensure that it is
protected at the appropriate levels and that it is not
potentially endangered for unauthorized access.
Ms. Jackson Lee. Can I get just a quick follow-up, Mr.
Chairman, just very quickly?
Mr. Snowden was lodged somewhere in the back corners of a
Hawaii office building. Do you have the responsibility--and you
are one of the intelligence components, I understand that--but
the monitoring? You may have the company and then you have
these individual actors under the company, maybe many. Is there
a mode of monitoring those individuals?
Last, if our cyber system is attacked, meaning what we
utilize here in the Government, are we prepared? That may be an
answer for a back-up system somewhere.
General Taylor. Ma'am, I will try to answer your question.
First, our insider threat monitoring will monitor everyone
that has access to our Classified systems--contractor,
Government employee, regardless--and ultimately individuals
that are operating on our Unclassified system that may or may
not have a security clearance.
Cyber hygiene has been a real focus of Secretary Johnson
with regard to applying the National programs division
cybersecurity initiatives across our Government and ensuring
that they are robustly applied and effectively implemented.
So it has been a major focus for us. I can't speak to the
issue of back-up. I am not technically qualified to understand
that system. But would certainly find the answer to that
question for you and get back to you, ma'am.
Ms. Jackson Lee. I would appreciate it. Thank you.
Did you want to answer?
Colonel McComb. No, ma'am.
Ms. Jackson Lee. All right.
Thank you all for your testimony.
Mr. Chairman, may I ask, I won't pursue the back-up system.
Maybe I will get that at another time.
Mr. King. OK. We have to start going downstairs soon.
Ms. Jackson Lee. Yes. Let me ask unanimous consent to put
in the record, Bloomberg News, ``Edward Snowden and the NSA: A
Lesson About Insider Threats.'' I ask unanimous consent.
Mr. King. Without objection.
[The information referred to follows:]
Article Submitted by Hon. Sheila Jackson Lee
Edward Snowden and the NSA: A Lesson About Insider Threats
Vijay Basani, Bloomberg News, July 3, 2013
https://www.bloomberg.com/news/articles/2013-07-03/edward-snowden-and-the-nsa-a-lesson-about-insider-threats
In all the mysteries surrounding the Edward Snowden affair, there's
one that hasn't received much attention: Why didn't the NSA, one of the
most technologically sophisticated organizations on the planet, have a
way to detect that Snowden was downloading thousands of documents?
The corollary question every chief executive should ask of his or
her top security officer: ``Does our organization have a way to detect
unauthorized access to our data?'' According to the recent SANS 2013
Critical Security Controls survey, less than 10 percent of companies
actually have proactive monitoring of security controls, the area that
governs unauthorized access.
Employees and contractors with boundless privilege to access
sensitive data present greater risk of intentionally, accidentally, or
indirectly misusing that privilege and potentially stealing, deleting,
or modifying data. Human nature is the weakest link when it comes to
the intersection of people, process, and technology--the three tenets
of security--and the Edward Snowden blunder is a perfect example.
According to Michael Hayden, former director of the NSA and the
CIA, no more than 22 personnel at NSA were to have access to the highly
Classified data, which included about 1 billion-plus records per day.
One can assume that these individuals should be internal analysts who
have gone through extensive background checks, who are very experienced
in dealing with highly confidential data, and who are employees of NSA.
We can also assume that these individuals have special privileges to
access these data in a highly secure manner.
I have no special knowledge of the NSA's internal workings, but it
appears that somehow this protocol was not followed, and Snowden, a
contractor, was given access to this information with no mandatory
monitoring, a clear violation of controls and a breakdown of process.
While technologies do exist to enforce access rights, privileges,
and policies, the technology is only as good as the people and
processes that are put into place. If people who manage these
technologies decide to circumvent the technology's ability to enforce
policies, or make an exception, or ignore violations, or do not instill
sufficient supervisory mechanisms, then the technology will fail.
Another issue to be looked at from a technological perspective is
the complete lack of continuous monitoring and auditing of the users,
process, and security controls in a unified fashion by the NSA.
If someone at the NSA were monitoring, analyzing, and auditing all
network, user, and system activity, policy enforcements, etc., to
identify abnormal behavior and usage patterns, most likely Snowden's
access to sensitive data, the connection of removable media and copying
of these data would have drawn red flags. It is possible that the data
and signals from individual products, such as a USB monitoring solution
or a database activity monitoring system, would have captured these
data, but the individual administrators who were looking at each data
point in isolation were not able to connect the dots. If the NSA had
adopted technology that pulled all information into a single database
and automatically correlated the data in a unified fashion, it would
have detected a potential breach or policy violation.
Unfortunately the Snowden situation of privileged access to
sensitive data with lack of sufficient checks and balances is an all-
too-familiar story in the private sector. Executive management tends to
have a checkbox mentality when it comes to security (i.e. do what is
absolutely necessary to pass a government or industry mandate) or lack
the knowledge to realize that their intellectual property and business
is at risk for lack of sufficient security controls.
With traditional network perimeters becoming increasingly porous
with the introduction of BYOD, mobile devices, and cloud
infrastructure, organizations need to implement security best
practices, such as SANS 20 Critical Security Controls, to protect
against cyber attacks and espionage. This requires resources and budget
commitment from C-level management.
The Snowden debacle should be a wake-up call in both the public and
private sectors to adopt an approach that provides complete awareness
and continuous, automated monitoring of critical security controls to
reduce real risk and real threats to their business.
Ms. Jackson Lee. I yield back.
Mr. King. I ask unanimous consent that the remainder of the
hearing be closed to the public under House Rule XI, clause
2(g)(2), because disclosure of testimony, evidence, or other
matters would endanger National security or compromise
sensitive law enforcement information.
Is there any objection to the motion to close the hearing?
Hearing none, the motion is agreed to, and the subcommittee
will recess briefly to move to a more secure location to
continue its business. The hearing will reconvene in that
location in 15 minutes.
[Whereupon, at 10:50 a.m., the subcommittee proceeded to
closed session and subsequently adjourned at 11:27 p.m.]