
tv   Key Capitol Hill Hearings  CSPAN  June 17, 2015 3:00am-5:01am EDT

3:00 am
hearing and all of our panelists for your public service. as one who represents the city that was attacked by 911, we lost thousands on that day and thousands more are still dying from health-related causes from that fateful day, but i consider this attack, i call it an attack on our country, a far more serious one to the national security of our country. and i would like to ask mr. ozment from homeland security, would you characterize this as a large scale cyber spying effort? that's what it sounds like to me. what is it? dr. ozment: i think to speak to who were the this is a spying effort, we would have to talk to any understanding of who the adversaries were and what their intent was. >> you do believe it was a
3:01 am
coordinated effort? they appear to be attacking health records, employment records, friendship, family, whole background. this seems to be a large fear of information not only from the government but private contractors, individuals and sometimes it appears targeted towards americans who may be serving overseas in sensitive positions. would you consider this a coordinated effort? can you answer that or is it classified? dr. ozment: i would refer that to classified. >> i will be at the 1:00 briefing. thank you. i would like to refer to this article. i would like to place it in the record. i think it is an important one. it came from abc news. it reports that they seem to be looking at and gathering information on an sf-18 form, a
3:02 am
standard form 18 which is required for any employee seeking classified security clearances. so that would be people in important positions in our government. and won't ask a question on that. i'll just wait until later. it is classified, but i am extremely disturbed. this article also points out it is not only individuals that they are going after. they are going after contractors and those that serve the government and it mentions in other reports lockheed martin where they went after their secure i.d. program. is that true, mr. ozment? dr. ozment: i can't speak to whether any adversaries have gone after private sector -- >> others say they were hit by
3:03 am
cyber attacks and other government contractors. now one that probably hit congress is one in 2013 where the f.b.i. warned that a group called anonymous hacked into the u.s. army department of energy, department of health and human services and many agencies by exploiting a weakness in the adobe system. i have that in my office. they could have hacked into my office and probably every other congressional office. then they talk about going into healthcare. they go into the blue cross, blue shield system of all the federal employees. it seems like they want a comprehensive package on certain millions of americans, many whom are serving our country, i would say at negotiating tables, commerce, state department, probably defense and every other aspect
3:04 am
of american life in the world economy. but mr. scott, you have been before this committee before, and you announced you were going to review the agency's cyber security programs to identify risks and implement gaps. i wonder if you could report on what you learned from this review and any specific changes in cyber security policies, procedures or guidance, if you can report on that or that may be classified too. anything you can share with us on what you have been doing to act to build some firewalls. mr. scott: sure. thank you for the question. we're conducting regular cyber stat reviews with each of the agencies. it is along the key lines with many of the topics we have talked about here.
3:05 am
two factor, patching, minimizing the number of system administrators, all are called hygiene factors that we think lead to good cyber security. >> my time is expired but anything you want to give to the committee in writing we would appreciate it. rep. chaffetz: i recognize the gentleman from north carolina. >> thank you mr. chairman. ms. archuleta, you have been in your current position since 2013? is that correct? ms. archuleta: i was sworn in in november of 2013. >> so in 2013, you, according to your testimony, made cyber the highest priority. i think that is how you opened up your testimony that the security of federal employees was your highest priority. is that correct?
3:06 am
ms. archuleta: yes, sir. >> so help me reconcile then, if it is your highest priority, how when the most recent report that came out that took security from being a material weakness is how it was characterized before you got there, to significant deficiency, how would you reconcile highest priority and significant deficiency as being one and the same? ms. archuleta: thank you for your question. as i mentioned earlier one of the first things that we did or i did for o.p.m. was to develop within 100 days an i.t. strategic plan. the issues that the i.g. just mentioned in terms of i.t. governance and leadership as well as i.t. architecture
3:07 am
agility, data and cyber security, were all strong components of this i.t. plan and the i.g. regular parts of the plan and the i.g. recognized that. >> i only have five minutes and i can't let you just ramble on with all of these things. let me ask you how if he recognized that, would he still characterize it as significant deficiencies? ms. archuleta: as we were instituting the improvements we were making, he was at the same time conducting his audit. his audit was conducted in the summer of 2014 when we were beginning to implement our strategic plan. the i.g. has continued to work with us and we have taken his recommendations very seriously. >> you have taken them seriously. have you implemented all of them? yes or no? just yes or no. ms. archuleta: we have many of them. >> have you implemented all of
3:08 am
those? ms. archuleta: as i said sir, i have implemented many of them and continue to work -- >> so you will implement all of them. ms. archuleta: we're looking at each of those recommendations. >> not looking. can you assure the federal workers that you are going to implement all of what the i.g. recommended to you? ms. archuleta: we are working very closely with i.g. >> i will take that as a no. let me go on further. i'm very concerned. we have not notified most of the federal employees that have -- we have known about it. they continue to not be notified. and yet here you are saying that you have different priorities. when chairman chaffetz asked you about why did you not shut it down, you said well o.p.m. has a number of other responsibilities. is that correct? that was your answer to chairman chaffetz. ms. archuleta: we house a variety of data. not just data on employee
3:09 am
personnel files. we also house healthcare data and employee other records. >> you're saying it was better that you supply that and put federal workers at risk versus making it according to your words the highest priority to make sure that the information was not compromised? if it is your highest priority, why didn't you shut it down like mr. chaffetz asked and like what was recommended? why didn't you shut it down? ms. archuleta: in our opinion we were not able to shut it down in view of all of the responsibilities we hold at o.p.m. >> so in your opinion protecting federal workers then could not have been your highest priority because they were competing i guess priority, you said it was better that you continued on with the others versus protecting the federal workforce. ms. archuleta: the recommendations that the i.g. gave to us are ones that we take very seriously.
3:10 am
i don't want to characterize that we didn't. that in fact we did take -- >> there is a quote -- ok. there is a quote that says what we occasionally have to look at you know, no matter how beautiful the strategy, we have to occasionally look at the results and the results here are pretty profound that we have got security risks all over and i would encourage you to take it a little bit more serious and indeed make it your highest priority. i yield back. thank you, mr. chairman. rep. chaffetz: i recognize the gentleman from massachusetts for five minutes. >> i want to thank the panel for your help. i want to associate myself with the remarks of the ranking member which doesn't always happen. >> duly noted. >> i would like to ask --
3:11 am
excuse me, the national treasury employees union and also a letter from the president of the american federation of government employees, aflcio. i want to also -- i want to read the first three paragraphs. this is a letter from the president of the aflcio to the honorable archuleta. it says i'm writing in reference to the data breach by the office of personnel management. this was dated last week. in the days since the breach was announced, very little substance or information has been shared with us despite the fact that we represent more than 670,000 federal employees and agencies throughout executive branch. o.p.m. has attempted to justify the withholding on the breach with the claim that it
3:12 am
restricts your ability to inform us of what happened. what vulnerabilities were exploited, who was responsible for the breach and how they might be compensated. we believe that the data file was the targeted database and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree. we believe the hackers have affected every person's social security number, military record, address, birthday, job, pay history, life insurance, email, pension information, age, gender, race, union status and more. we believe the social security numbers were not encrypted. this is absolutely indefensible and outrageous. were the social security
3:13 am
numbers, were they encrypted? ms. archuleta: o.p.m. is in the process -- >> is that an i don't know? ms. archuleta: i don't believe that -- >> could we just stick to a yes or no? this is one of those hearings where i think i'm going to know less coming out of this hearing than i knew walking in because of the dancing around that we're all doing here. as a matter of fact, i wish that you were as strenuous and hard working at keeping information out of the hands of hackers as you are keeping information out of the hands of congress and federal employees. it is ironic. you're doing a great job stonewalling us but hackers not so much. so were the social security numbers, were they encrypted?
3:14 am
yes or no? ms. archuleta: no, they were not. >> there you go. there you go. now we're getting somewhere. that is pretty basic though. that is pretty basic. encrypting social security numbers. all of this happy talk about these complex systems we're going to come up with, you're not even encrypting people's social security numbers. that is a shame. let me ask you about this standard form 86. for those of you obviously you know standard form 86 is what we require employees to fill out if they are going to receive security clearance. these are people who have sensitive information. we drill down on these folks. this is a copy of the application. it is online if you want to look at it. it is 127 pages online. we ask them everything. what kind of underwear they wear. what kind of toothpaste. it is a deep dive. we want to know when people get security clearance that they are trustworthy. there is information have you
3:15 am
ever been arrested? you have financial information in here. there is a lot of information on this form. they hacked this. they hacked this. they got this information. on standard form 86. so they know all of these employee who is -- and everything about them that we asked them in the standard form 86. is that right, ms. seymour? ms. seymour: i believe that is a discussion that would best be held until this afternoon, sir. >> i think you have got to be honest with your employees. i think that we need -- in order to protect them, we need to let them know what's going on because they have the email addresses in here as well. several, you know, your first, your second, your third email address and all of that information is out there. so we need to be a little bit more -- not a little bit more, we need to be more forthcoming
3:16 am
with our own employees. these are people who work for us. a lot of them deserve a lot more protection than they are getting from the united states government and the office of o.p.m. i see that my time is expired. i yield back. rep. chaffetz: i recognize the gentleman from south carolina for five minutes. >> thank you mr. chairman. many of us are uncomfortable asking questions in this type of setting. we don't want to ask questions the answers to which should be kept confidential. i encourage you in advance if i ask you something we should talk in another setting, that that be the answer. let me start with this. the follow up question that mr. meadows asked of ms. archuleta. he asked if you were going to implement all of the i.g.'s recommendations. whether or not that was a yes or no answer, i agree that it was probably closer to no.
3:17 am
can you name for me some of the i.g. recommendations that you are pushing back against or that you're not interested in implementing? ms. archuleta: i don't have the specific recommendations in front of me. i would be very glad to come back and talk about that. what i would like to say sir, as we look at the recommendations by the i.g. we work with him and so that he can fully understand that, where we have moved in our security efforts and also to understand his observations and that is normal audit process and we continue to go through that on a regular basis. >> that makes perfect sense. what bugs me mrs. archuleta is back in the end of 2014, they recommended, in fact, it was their third recommendation that all active systems at o.p.m. have current authorization and your response was we agree that
3:18 am
it is important to maintain all systems but we don't believe this rises to the level of material weakness. you believe that your opinion on that has changed since november of 2014? ms. archuleta: i appreciate all of the information. and the recommendations that the i.g. has given us and we will continue to -- >> you believe knowing what you know now that did not rise to the level of material weakness? ms. archuleta: we are working with a legacy system. it has the recommendations he has made to us, we are working those with the best of our ability. >> that's what frightens me, ms. archuleta, that this is the best of your ability. let me see if i can get some information here as i go back and try to explain to folks back home. i heard it is just people in the executive branch. are we still saying that the only people whose data was
3:19 am
exposed were those who worked within the executive branch of government? ms. archuleta: sir, this was an ongoing investigation and as we uncover new information, we are happy to share it with you. we have -- we are not necessarily restricted to the executive branch because there are people who worked in the executive branch today who worked in -- >> i got the notice and it says if you worked in the executive branch or ever have worked in the executive branch then there is a chance they got your data. if you never have, then you don't have to worry. are you still comfortable with that statement? ms. seymour: no, sir, this is an ongoing investigation and we are learning new facts every day. >> the original number we heard was 4 million. is it still 4 million? i heard 14 million. what is the current number of previous employees who have been affected?
3:20 am
ms. seymour: approximately 4 million is the number we are making notifications of today. we continue to investigate so that we can understand that data and begin to make notifications there as well. >> i have a question. i don't think it has been asked yet. i think it is for mr. ozment or whoever else understands the i.t. systems. we used to differentiate between someone who hacked into our system and someone who stole something from us. there is two levels of involvement there. have you been able to make that distinction where things were exposed and where possibly they actually downloaded data? dr. ozment: that is an important distinction and one that we spent a lot of our investigative time examining. for the personnel records approximately 4.2 million records, the incident response team led by d.h.s. has
3:21 am
concluded with the high probability that that data was exfiltrated, meaning that it was removed from the network by the adversary who took it and we continue to investigate the information. >> i appreciate that. i don't mean to cut you off. let me ask one more question. i heard about the data. i heard mr. lynch ask about the social security numbers. health data. why -- do we collect health data on our employees? if i come to work for you, for the government, do i give you my health records? ms. archuleta: not your health records but the information regarding your healthcare carrier is the information we receive. not your health. >> it is not specific medication or specific conditions. it is just who my health insurance company is? ms. archuleta: exactly. rep. chaffetz: i recognize the gentleman from virginia. >> thank you, mr. chairman.
3:22 am
in bloodless and bureaucratic language, we're talking about the compromise of information for federal americans. the most catastrophic compromise of personal information in history of this country. social security records. ms. archuleta, you mentioned not health information but healthcare. that is a road map to other information that hackers can get. security clearances. security clearances are deeply personal and often involve do they not, ms. seymour unconfirmed negative information. even rumors. i think so and so has a drinking problem. that gets in that report even if it is not confirmed. is that not correct? ms. seymour: sir, i'm not a federal investigator and i'm not familiar with all of the data.
3:23 am
>> let me confirm for you. it is correct. it is -- how do we protect our employees? dr. ozment, when i heard your testimony, it almost sounded like you were saying that the good news here was we detected the hack. but the object here is not effective detection although that is part of the process. it is to protect our citizens including federal employees. you talked about einstein and you championed his merits. was einstein in place at o.p.m. when this hack occurred? dr. ozment: sir, i share your deep concern about the loss of this information and agree that that is a terrible outcome. >> a terrible outcome? dr. ozment: absolutely.
3:24 am
as a federal employee whose information itself is a part of this database. >> it might even be personally devastating, dr. ozment. not just a terrible outcome. dr. ozment: that is correct, sir. what i would tell you on this is that einstein was critical in this incident as o.p.m. implemented their new security measures and detected the breach -- >> was einstein in place at the time of this breach? dr. ozment: one and two. three was not yet available. >> i have only got two minutes. i want to understand your answer. you didn't successfully detect that a breach had occurred? dr. ozment: it did not detect the breach that o.p.m. caught on their own networks. we are focused on -- you first have to have the threat information. once we had the threat information, we used einstein
3:25 am
one and two to detect a separate breach that we were able to work. >> i'm sure every federal employee who has had their information compromised is comforted by your answer. ms. archuleta what is the time gap between discovering the breach and the actual breach itself? ms. archuleta: we discovered the breach in april of -- >> this year. and when did this breach occur? ms. archuleta: we expected it happened earlier in 2014. >> sometime late last year? ms. archuleta: yes, sir. >> ok. so they -- whoever were the hackers, presumably an agency of the chinese government, according to published reports confirmed by u.s. officials, it is not a classified piece of
3:26 am
information, but the details of it may be. our government i believe has confirmed without attribution in public records that it was a systematic effort by the people's liberation army which is notorious for hacking. they had four months in which to do something with this data. is that correct? maybe five? ms. archuleta: i can't make a comment on the -- on attributions. >> i didn't ask you to. i just asked whether they had four or five months to do something with this data. ms. archuleta: the period of discovery from the time we believe the breach occurred and our discovery, yes. >> i'm going to real quickly if the chairman allows mr. scott one last question. the director said if agencies implemented three steps we
3:27 am
could -- 85% of breaches. new inventions and technology, ms. seymour talks about new legacy systems. i had always hoped that the chinese didn't know how to log into it. minimize privileges and continue to add software and this did not go on. what is your take on those three recommendations? >> i think those recommendations are great and there is a number of other things as well some of which i talked about today. i think the one point i would make is there is no one measure that you could say that's going to prevent all attack or even prevent an attack. it is really defense in depth is your best measure and that's what we're really looking at emphasizing. >> thank you mr. chairman.
3:28 am
i recognize the gentleman from north carolina mr. walker for five minutes. >> i agree with my colleague from virginia in his description, this is a catastrophic compromise. ms. archuleta it appears that o.p.m. did not follow the very basic cyber security best practices specifically network segmentation and encryption of sensitive data. should the data have been encrypted? can you address that? ms. archuleta: that the data was not encrypted and as dr. ozment has indicated encryption may not have been a valuable tool in this particular breach. as i said earlier, we are working closely to determine what sorts of additional tools we can put into our system. >> you said may not have been. but it doesn't answer the
3:29 am
question, should it have been encrypted and could it have been another line of defense? ms. archuleta: i would turn to my colleagues from d.h.s. to determine the use of encryption but i would say it was not encrypted at the time of the breach. >> an adversary that is credentials to the users on the network, they can access data even if it is encrypted. that did occur in this case. encryption in this case would not have protected this data. >> let me ask this. what consequences should c.i.o.'s face for failing to meet such a baseline of cyber security standard on their networks? >> i believe the cio is responsible for the implementation of a solid plan and we have been doing that. we are working with a legacy system that is decades old. we are using our financial and
3:30 am
human resources to improve that system. we are -- cyber security is a government wide effort. we must work together to improve the systems we have. >> i am not sure the american people are content with how we are working together. i want to speak to einstein. i have had -- heard several components. even if it is part of defending the system the private sector is moving on. is that a fair question? dr. ozment: is a necessary but not sufficient tool. we need a defense in depth strategy. we are supplementing it with litigations. we are looking at taking what is
3:31 am
a signature focus system and adding capabilities to detect previously unknown intrusion. as you do that, you receive more false positives. you receive more notifications that an intrusion occurred even if it did not. mr. walker: it seems to be that you are more excited or confident in the einstein three a version? is that going to be more solid? dr. ozment: it will help us detect and block adversaries. mr. walker: i heard you say something about how that system needs to be supplemented with others. dr. ozment: that is correct. no single system will solve the
3:32 am
problem. mr. walker: it says it prevents malicious traffic. should we be understanding that before the hearing? why are we just now getting the information? dr. ozment: i cannot speak to the webpage but i believe we need a defense in depth strategy. mr. walker: who is responsible for the information? dr. ozment: i will look into that and get back to you. mr. cartwright: thank you and i thank the chairman and ranking member. i know there have been bigger
3:33 am
data breaches than this. i share the sentiment of mr. connolly from virginia. this is extremely troubling. we are talking about 4 million plus federal workers people dedicating their lives to our country. another information has been compromised through no fault of their own. if i understand your testimony the personal information of about 4 million current and former employees was potentially compromised. do you believe the number is going to be bigger than 4 million? >> thank you for your question. i described two incidents. mr. cartwright: it is a yes, no or i don't know.
3:34 am
>> the first incident is 4.2 million. an ongoing -- mr. cartwright: you know what it means when i say yes or no? do you think it could be more? >> yes, sir. mr. cartwright: your professors discovered it in april. they believe the hack may have begun in december, am i correct? >> yes, it began in 2014. mr. cartwright: the contract revealed they were targeted in an earlier cyber attack. contractor that does the majority of the background check investigations. am i correct? >> they do a number.
3:35 am
mr. cartwright: the attack was successful. personal information was compromised, correct? >> yes, sir. mr. cartwright: the article says, hackers who recently launched a massive cyber attack on the u.s. government, exposing sensitive information, may have used information stolen from a private government contractor to break into federal systems. the article goes on. the particle -- hackers entered the office of personnel management system after first gaining access to key point government solutions. it continues. authorities believe hackers were able to extract electronic
3:36 am
credentials or other information from within key point systems and somehow use them to unlock opm systems. they rummaged through separate segments potentially compromising personal information of not only the 4 million current and former employees. ms. seymour, i know we are having the classified briefing later. but can you comment on the reports? did they get what they wanted? so they could then go after opm itself? ms. seymour: i believe that is a discussion we should have in a classified setting. mr. cartwright: we know their other contractor was briefed and their information was also compromised. can you tell us if those hackers
3:37 am
got information that they were then able to use in the attack against opm? ms. seymour: again, that is a discussion we should have later. mr. cartwright: i understand. i want to close by asking a final question. federal agencies and private companies are only as strong as their weakest link. we start breaches of two contractors. now we have reports that they are getting into opm information because of what they learned in those attacks. agencies have leverage over their contractors. i want to ask each of you, how can agencies use that leverage to improve cyber security practices of contractors so they do a better job of safeguarding the information they are entrusted with?
3:38 am
go ahead, right down the line. starting with you. ms. archuleta: what we can do with the contractors that we engage is make sure they have the security systems that match the federal government. they are using the same systems. in addition, i want to make sure i understand your question three and the contractors we employ as individuals or companies? mr. cartwright: as companies. ms. archuleta: with the companies, we are working to make sure they are adhering to the same standards that we have in federal government as outlined in our rules. dr. ozment: one example, they have been building additional cyber security requirements. i would also point you to the fedramp effort to establish a baseline of requirements for
3:39 am
cloud contractors to the government. >> i think as my colleague and i testified, we also are strengthening the federal contract procurement language and creating language any agency can use as part of their -- >> i think it is about beefing up security clauses so they cover the extent of what we need and then doing the monitoring and follow-up to ensure the contractors are adhering. ms. seymour: i would agree but i would also add site inspections are important. as well as continuous monitoring. looking at a system every third year is not ample. that is not a best practice and
3:40 am
we need to move towards more security controls. the other option we do use is ig. >> i agree with what the other witnesses stated. like she said, we go out and do audits of contractors, health insurance companies. we can be used and see ourselves in that role. mr. cartwright: i want to note they were invited. >> we have classified we have to go to. thank you. >> i now recognize mr. russell for five minutes. mr. russell: i am baffled by all of this.
3:41 am
upon receipt, upon your appointment of the directorship of opm director archuleta stated she was committed to building an inclusive workforce. who would have thought that included enemies? in the testimony, we heard statements we did not encrypt because we thought we might be able to decrypt or decipher. that is baffling. there was another statement i heard earlier that said, had we not established the systems, we would have never known about the breach. that is tantamount to saying, if we had not watered flowerbeds, we would have never seen muddy footprints. that is absolute negligence that puts the lives of americans and also foreign nationals at risk. of particular concern are the
3:42 am
forms of which i am familiar with. we had sean gallagher who summed it up best. he said this was the result of another shot, a lack of internal expertise, and a decade of neglect. director archuleta, why did you not shut down 11 of the 21 systems that had no security assessment and authorization? ms. archuleta: as i mentioned before there are numerous priorities that go into safety and security including making sure our retirees receive benefits. our employees get paid. there are numerous considerations.
3:43 am
mr. russell: israel have those diaries encrypting social security numbers did your strategic plan included leaving half of the systems without protection when you formulated it? ms. archuleta: no, sir. mr. russell: why was it not made a priority? ms. archuleta: the systems that were referred to, those systems he recommended we shut down, he recommended we shut them down because they were without authorization. all our systems are authorized and are operating. we are looking at systems that are very old. we can take a look at encryption and other steps that can be taken. we are doing that.
3:44 am
as we look at the system, we are having to deal with decades -- mr. russell: there is an old saying we had in the military. poor is the workman who blames his tools. missions can be accomplished even with what you have and measures could have done had this been made a priority. what i see now is, why did opm have no multi-factor authentication? if they get into the system, they have free rein. ms. archuleta: we have implemented multifactor authentication with remote users. mr. russell: when was that put in, before or after the breach? ms. archuleta: this was begun
3:45 am
in 2015. prior to the time of two factor authentication it takes time to implement these tools. i am as distressed as you are about how long the systems have gone neglected. when they have needed much resources. in my administration, we put those resources to it. we have to act quickly, which we are doing. we are working with our partners across government. as i said before, cyber security is an issue all of us address. mr. russell: was a priority made that these systems would allow -- ms. archuleta: would you repeat the question? mr. russell: was a priority made that once they get in, they would have a free run. ms. archuleta: it was a priority
3:46 am
but legacy systems, it takes time. mr. russell: it did not take our enemies time. >> i recognize the gentleman from california. >> under your watch, database containing the crown jewels of american intelligence was breached. this year, another database was breached. the ig says your technology systems are either weak or deficient. my question to you is, do you accept responsibility for what happened? ms. archuleta: i accept responsibility for the administration of opm and the important role of our i.t. systems delivering services. i take very seriously my responsibilities in overseeing the improvements to a decades
3:47 am
old legacy system. mr. lieu: i don't know what that means, i asked for a yes or no but that is fine. i will reserve the balance of my time to make a statement. having been a member of this committee, and as a computer science major, it is clear to me there is a high level of technological incompetence across many agencies. we have held hearings where federal agencies could not procure or deploy i.t. systems without massive bugs or cost overruns. we have had hearings where at least one agency, in this case fbi, had a misunderstanding of technology and continued to believe they can put in backdoors to encryption systems just for the good guys and not for hackers, which you cannot do. we had over 10 federal data system breaches last year.
3:48 am
there is a culture problem and a problem of civilian leadership not understanding we are in a cyber war. every day, we are getting attacked. the u.s. military understands. that is why they stood up an entire u.s. cyber command. until the civilian leadership understands, we will continue having more data breaches. you have heard their unencrypted social security numbers. that is unacceptable. look at the reports. and then look at last year's report last year which says, as of november of last year, opm had not done a risk assessment. that is ridiculous. you knew in march your system was breached. that is a failure of leadership. this goes beyond opm. you have only been here a few months. i want to know, why was it not
3:49 am
until last friday that agencies were ordered to put in basic cyber security measures? why was this not done last year? there is a failure of leadership. when there is a culture problem, what have we done in the past? in the area of national security, you can't have the view that, this is a legacy system. national security has to be zero tolerance. that cannot happen. when you have a culture problem as we have had to, in the past, leadership resigns or they are fired. at the dea leadership left. we had this happen at the secret service and veterans administration. we do that for two reasons.
3:50 am
one, send a signal the status quo is not acceptable. we cannot continue to have this attitude where we make excuse after excuse. the one word i have not heard is the word sorry. when is opm going to apologize to 4 million employees? when is opm going to apologize? federal employees who had personally devastating information released. when there is a culture problem we send the signal that the status quo is unacceptable. that is because we want new leadership that is more competent. i am looking here today for a few good people to step forward, accept responsibility, and resign for the good of the nation. i yield back. >> well said. i now recognize the chairman of the i.t. subcommittee.
3:51 am
>> thank you, mr. chairman. my hope is that every agency and cio are listening or watching or will read the testimony after this event to read the first thing they wake up tomorrow. pull out the gao high-risk report that identifies areas they have problem with. take and start working to address the remediations. i have been at this job for 21 weeks, similar to mr. scott. one of the things you hear from people, they are frustrated with their government. intentions are great. ms. archuleta, you said security is paramount. i believe you believe that. but the execution has been horrific.
3:52 am
intentions are not enough. we have to have execution. my question, let's start with you: did the hackers use full ability to get into your network? ms. archuleta: i think that would be better answered in a classified setting. mr. hurd: if it was a zero day vulnerability, i hope everybody is notified. what i heard is einstein detected the breach. my question is, how long did somebody have access to these? why did it take that long to get
3:53 am
it into einstein's system? has that been promoted to every other agency using einstein? dr. ozment: we loaded it into einstein immediately. both to detect and look back through history to see if any other traffic back in time indicated a similar compromise. that is how we found an intrusion into opm related to this incident that led to our discovery of the breach of the personal records. we also put into einstein three so agencies would be protected against a similar activity moving forward. we held a call with all the federal cios and asked them to search their networks. mr. hurd: you talk about legacy
3:54 am
systems. the difficulty of protecting those. what are some of those? what programming software is used to develop them? ms. archuleta: these are systems that have been around for going close to 25-30 years. cobol systems. director archuleta and i were brought here to address some of these problems. i started my job in december, 2013. mr. hurd: why did we wait for two factor authentication? ms. seymour: these are two decades in the making.
3:55 am
we are not going to solve them in two years. mr. hurd: how much overtime have you signed off on? ms. seymour: my cio team works 24/7. >> i am very proud of the employees working on this issue. mr. hurd: you have inherited a mess. we are looking to you to ensure things like this do not happen. to make sure agencies are implementing recommendations of the ig, the gao. we will continue to drag people up here and answer these questions. that is our responsibility. i recognize that, you are not
3:56 am
going to stop everybody from penetrating your network. how quickly can you identify them and kick them off? those are metrics we should be using. we are woefully inadequate. i yield back time. >> thank you, mr. chairman. ms. archuleta, you said, we have confirmed that any employee from across branches of service may have been compromised, even if their personnel file was not stored. what do you mean by service history? ms. archuleta: their careers they may have been in a different position earlier than perhaps -- as they move around government. it may be someone whose current
3:57 am
job would not be any system, but because of their service history, it would be dated back. >> potentially broader breach. with the sf 86, i remember filling it out as a young officer in the navy. it is the most intrusive form i have ever filled out. it took me days. i had to do research on myself. it is not just that you are doing personal sensitive data about the individual applicant. the sf 86 asks about family members, friends, spouses, relatives. where you lived. who you knew. it also asks you to come clean about anything in your past life. to me, people have said this is crown jewels material in terms of blackmail. this is a very serious breach.
3:58 am
my question for ms. archuleta: were level officials implicated in this breach? ms. archuleta: this would be better discussed in a classified setting. >> what about people in the military and intelligence communities? ms. archuleta: this is something we should respond to in a classified setting. >> you don't disagree with my classification of the sf 86. theoretically, that is a major breach that will have ramifications for our country. ms. archuleta: we will discuss this with you in the classified setting. mr. desantis: china now has a
3:59 am
list of chinese citizens in close contact with american officials. they will use that for espionage purposes. what are security implications? that could be for anybody. >> that is a question we will discuss. >> some reports say that not only were hackers pursuing information on federal employees, but also password and encryption keys that could be used for trade secret theft and espionage. i guess you will have more to say in a classified setting. for this forum, can you say that that is a significant risk, that is that the type of information we would want the enemy to have? and it can be damaging, correct? dr. ozment: again, we will defer
4:00 am
discussion of that to a classified briefing. rep. desantis: i get that. i will be there, i will listen intently. it concerns me, because this is a treasure trove for our enemies, potentially, in the fact that this was hacked and we didn't know about it for a long time. that is really troubling. i think the american people, if you ask people to want to serve in these sensitive positions and they think like filling out the forms, they will put themselves and family members at risk because the government is not competent enough to maintain that secretly, that is a major problem as well. the information can be used against the country and you will have a chilling effect on people wanting to get involved if they don't get a handle on this. i look forward to hearing from witnesses in a classified setting. i yield back the balance of my time. >> we recognize the gentleman from alabama.
4:01 am
>> thank you, mr. chairman. ms. seymour, does the exposure include others, or just people who filled out form 86? ms. seymour: our investigation is ongoing. >> i have two employees who have never filled out the standard form 86. i have a letter from you informing them of the possibility that their data may have been compromised. i will ask you again, and this is a yes or no, does it extend beyond the people who filled out the sf-86? ms. seymour: yes. we have come here to talk about two incidents. >> why didn't you answer yes? ms. seymour: you were talking about sf-86. >> i made it clear. you said the investigation was ongoing. apparently you have
4:02 am
investigated enough to send a letter to employees who didn't fill out those forms. thank you for your yes answer. is there, in your judgment, miss archuleta, how likely was it that the hackers were able to access these personnel files through employee accounts? ms. archuleta: sir, we will be able to discuss that with you during the classified setting. >> let me be more specific. are you familiar with the wall street journal articles that indicated that it was possible that the breach occurred through personal e-mail accounts because employees were using the federal system, and early in 2011, immigration and customs enforcement agency noticed a significant uptick in infections and privacy spills. they asked for a direct, they put out a directive that federal
4:03 am
employees could not use the federal system to access their personal e-mail. the american federation of government employees filed a grievance with the federal arbitrator claiming that was something that needed to be bargained, needed to be part of the collective bargaining agreement. the arbitrator dismissed the security arguments in 75 boards, claiming exclusive discretion to manage i.t. systems. they were not able to shut that off. do you have any comment? ms. archuleta: those are issues we will be able to discuss in the classified hearing. rep. palmer: is being discussed in the wall street journal.
4:04 am
>> what are the risks associated with not having a valid system authorization? >> the risks are evident, not having a valid authorization essentially could be a system, a symptom of weak controls over operating systems and applications, and lead to things such as a breach. >> with all the things we are talking about here today ms. seymour, you were fully aware of these risks, and opm was aware of the risks. ms. archuleta: i was aware of the reports. >> i hate going back to this. it has come up several times already. i am waiting for an answer. the inspector general put out his report last november expressing great alarm
4:05 am
recommending that opm consider shutting down the systems because of the risks that you knew about. and that ms. archuleta knew about. yet, they were ignored. i will come back to you with this, because quite frankly ms. archuleta has tried to dodge this question. i want to come straight up to you. why were those recommendations not followed? ms. seymour: two reasons. what is an authorization to operate, that is merely the documentation of the security controls of a system. and their effectiveness. that does not mean simply because you do not have an authorization, that those tools don't exist. as they were doing the audit we were taking all of those vulnerabilities into play. we had already developed a security plan and we were in the
4:06 am
process of implementing. the ig admits in their report we were in the process of implementing many of those controls. >> did that plan work? obviously, it didn't. would shutting it down have worked? ms. seymour: the controls we put in place allowed us to stop the remote access to our network and they also allowed us to detect this activity that had occurred prior to the ig report. rep. hice: the vulnerability was still there. your plan failed. ms. seymour: there are vulnerabilities in every system. we do risk management. we look at the vulnerabilities as well as the business that we must conduct. rep. hice: what currently are the consequences of an opm
4:07 am
system, currently? what are the consequences now if they operate without a valid authorization? mr. essen: there are no consequences. will we report that in audits? other than that, there are no official sanctions in place. it is something that gets publicized. rep. hice: it sounds to me like this is not being taken seriously. why are we still operating without authorization? ms. seymour: i have extended the authorizations we have in the systems because we put a number of security controls in place in the environment. we have increased the effectiveness of the security around those systems. mr. hice: there are no consequences for operating on a
4:08 am
system without authorization. how serious are you taking it? ms. seymour: there are consequences. those consequences are, if you are not doing assessments, documenting them, while that is evident that those assessments have been done, the assessments themselves are more important. the scanning of the network -- rep. hice: what are the consequences? ms. seymour: we report to omb on a quarterly basis about the status of our security and our network. rep. hice: that sounds like just reporting you were supposed to do anyway, that's not consequences. again, are there measures that need to be taken to get the
4:09 am
whole thing up to the standard it ought to be? is there anything you would recommend? mr. essen: we recommend the cio, the agency, take the steps that, in a lot of cases, they are beginning to take. the centralization of the i.t. governance is well along the way. what they also need to do is get a full inventory of the assets they are responsible for protecting. the shell project that ms. seymour has alluded to is also something that we support. we also have concerns about the way the project has been started and managed. overall, we support the idea behind the shell project. >> we recognize the gentlewoman
4:10 am
from new mexico. >> thank you, mr. chairman. i want to thank the panel for taking questions so seriously. in new mexico, we sophistication and frequency of cyber attacks continue to be a threat. after my election, one of the key briefings of a national lab in my district is the continuing, growing concern with cyber security issues, and their
4:11 am
aggressive responses, to be proactive as much as they can be, and to appropriately be reactive once you have an identifiable breach. given the data breach, at the opm and at home depot and target, and anthem, it is clear to me that not only does the federal government have a role in protecting federal employees and the information you have, but we have a role in working to protect the public in general from these serious and continuing cyber attacks. i recognize also that this is a challenging effort, and there is not a simple solution. if there was, we could stop this hacking altogether. we could have the magic bullet. as much as i want you to do that, i don't want to minimize the fact that i recognize that is more difficult to do than to it is easy to say, not so easy to do.
4:12 am
my concerns are growing, given that even the best in the country are facing significant cyberattacks including a lab we rely on for innovative and appropriate technologies to implement. so, given that diatribe, and given all the questions you have had about accountability and the serious nature, here's my question. federal government is not known for being, and i mean no disrespect, it is not a proactive or reactive body by the nature of how large it is, how broad our mission is, and how we are dependent on whatever the resources are, and the priorities are, at any given time. given that climate, and the rule to protect the general public and your role to protect federal employees'information, what can you do to make a difference that puts you in a position to be much more proactive particularly given the nature of
4:13 am
cyber attacks? quite frankly they have already hacked in as you are making the next modifications. anyone on the panel. mr. scott, that may be primarily for you. mr. scott: i can think of several things in the short run that actually we already have underway. probably long-term, the biggest thing is to double down on replacing these legacy systems these old systems we have. one of the central problems here we have old stuff that was just not designed or built in an era when we had these kinds of threats. in some cases, it is very hard to duct tape and band-aid things around these systems. doesn't mean there is nothing we can do but it is old
4:14 am
architecture that needs to be replaced and security needs to be designed into the very fabric of the architecture of the hardware, the software, the networks, the applications, and the faster we can do that, the faster we are on a better road. >> given your role to do that in federal government, i am not clear what percentage of old platforms we are still operating under, in which departments are more at risk than others. what is the timeframe for getting that done? what is a reasonable course to take to make sure we have accountability in federal government to move forward exactly in that effort? mr. scott: first thing is, we will be very transparent with you in terms of the omb reports in terms of where we are at on that journey as we go through our work over the course of the year. several of the members of this committee have said they will pay close attention to that.
4:15 am
i encourage that. >> our time is so tight. we would like a full and complete answer. there will be questions for the record and we will continue to follow-up. i hope you understand. we need to give time for the gentleman from wisconsin. >> i am glad we established the federal government is not a proactive-reactive body. we must always remember, no matter what goes around here that is something to remember. first question, this is kind of a significant story here. out of curiosity to see how the government operates, has anybody lost their job over this? are there any incriminations in that regard? >> no sir. >> next question. as i understand, it took months for the state department to root
4:16 am
out the russian hackers and their unclassified systems. apparently, the chinese hackers are known for leaving behind time delayed malware. do we know for sure these people are out of the system by now? or could they still be floating around? >> we have a team led by dhs, with participation from the fbi and nsa. they have fully removed the adversary from these networks. it is difficult to have 100% certainty. >> it could be, but you think. dr. ozment: yes, sir. >> there are rumors that people are now selling some of these files. is this a threat? do we know if it is going on? if so, are we doing anything to counter that?
4:17 am
dr. ozment: the impact, and those questions are better suited for a classified briefing. >> i yield the remainder of my time. >> i think you understand on a bipartisan basis how seriously we take the situation. to the federal employees who are affected, one of the things that should come out is, in the letter, the very end of the letter, if you received one of these, it does note that the office of personnel management will not call you. they will not contact you to provide additional information. there will be some very bad actors that will try to take advantage of this situation, and exploit it for their own personal gain. they have already done that. they will do it again, and there will be others that will try to do that. to federal employees please, do not fall victim to somebody who will send you an e-mail or make
4:18 am
a call and try to prey upon you further. that was noted in the letter. it is worth knowing from the pulpit. we look forward to the 1:00 classified briefing. the committee stands adjourned. thank you. the personal life of every first lady in american history. first ladies presidential historians on iconic american women. inspiring stories and scrutiny
4:19 am
of the white house. a great summertime read. through your favorite bookstore or online bookseller. >> the house voted to extend the trade deadline until july 30 to find more time to advance obama's trade agenda. the house voted to give the chamber more time on the measure to provide relief for workers who lose their jobs as a result of trade deals. here is the debate that was part of the intel bill. debate on a wide variety of issues related to the authorization of funds for 16 intelligence agencies. this rule provides for the consideration of h.r. 2596 the intelligence authorization act for fiscal year 2016. the rules committee met on this
4:20 am
measure yesterday evening and heard testimony from both the chairman of the committee and the ranking member. in addition to receiving amendment testimony from multiple members. it is brought forward a structured rule. there were 29 amendments submitted in total. of those 29, i'm pleased a full house will debate 16 amendments over half, that were submitted. the amendments were bipartisan. in fact, demonstrated in the unity of this body and advancing funds that would go directly to fighting terrorism proliferation and weapons of mass destruction. to provide for the common defense, it's a common phrase to us all, and one that clearly sets forth the most basic responsibility of our government. a responsibility that the members of the rules committee, the intelligence committee and, yes, i believe the entire house do not take lightly. this rule provides for one hour of general debate equally divided and controlled by the chairman and the ranking member of the permanent select committee on intelligence. as most of the intelligence
4:21 am
budget involves highly classified programs, all members -- let me repeat -- all members were given to review the classified annexes to the underlying legislation prior to rules committee consideration. members should also be aware that section 2 of the rule provides that the motion to reconsider the vote on the trade adjustment assistance, or title 2 of the senate amendment to h.r. 1314, may continue to be postponed until thursday, july 30, 2015. this postponement was necessary to allow the house and senate leadership and the white house to consider legislative options related to this action on trade adjustment assistance. i am proud of the work undertaken by the intelligence committee to advance this vitally important legislation whose consideration is provided for by this rule. there are a few key provisions that i want to ensure members are aware of because i believe they speak to the overwhelming awareness the intelligence committee possesses of the responsibility of congress to protect this nation from
4:22 am
terrorism and also from our unwavering fidelity to the united states constitution. first, section 302 of the underlying legislation provides that the authorization of appropriations by this act shall not be deemed to constitute authority for the conduct that is not otherwise authorized by the constitution or the laws of the united states. section 303 and 304 requires specific elements of the executive branch to provide congress a timely notification requirement on key intelligence activities. congressional notification requirements generally remain a vital important mechanism to ensure that congress is able to conduct robust oversight. notification requirements specific to the intelligence community are even more essential given the classified and delicate nature of the situation of our intelligence agencies face every day. the classification of documents and the decisionmaking factors that go into such classification have historically been an area of great interest and are
4:23 am
concerned by members of this body and the citizens we represent. in the interests by members and the public at large the intelligence committee's report on h.r. 2596, they specifically state that the committee seeks to improve its visibility into the classification process and better understand how the intelligence community determines the classification level of especially sensitive reporting and analysis. in the underlying legislation, the committee carries out this goal by directing the director of national intelligence to provide within 60 days of the enactment a report to the congressional intelligence committees outlining each instance in the past five years that office of director of national intelligence or any other entity within the executive branch directed an element of the intelligence community to begin disseminating existing, uncompartmented intelligence reporting through a compartment or subcompartment. this is one of several reporting requirements in the
4:24 am
legislation to serve to enhance congress' role in and understanding of the classification process. again emphasizing congress' oversight role. the committee has done a good job in clarifying that the underlying legislation directs the central intelligence agency to provide the congressional intelligence committees based on the documents collected in the may 1, 2011 raid that killed osama bin laden. we live in a dangerous world and face constant and evolving threats from terrorist groups like al qaeda, boko haram, al-shabaab and isis. these groups successfully use the internet to anonymously build their resources, both human and financial. the united states government must maintain and enhance their ability to counter extremists online by understanding how and where terrorist groups operate, we can more effectively fight for freedom at home and abroad. i am pleased to see strong provisions in the legislation that will further this goal. these provisions that i have just spoke of are just a few examples of the thoughtful and
4:25 am
difficult work that intelligence committee undertook to bring forward this legislation that authorizes critical national security functions while staying within the funding constraints of the budget control act, or b.c.a. i want to thank the intelligence committee and their staff for their hard work on the authorization measure, and with that, mr. speaker i reserve the balance of my time. the speaker pro tempore: the gentleman from georgia reserves the balance of his time. the gentleman from florida is recognized. mr. hastings: thank you very much mr. speaker. i thank the gentleman, my friend from georgia, for yielding the customary 30 minutes for debate, and i yield myself such time as i may consume. the speaker pro tempore: the gentleman from florida is recognized for such time as he may consume. mr. hastings: mr. speaker, this rule provides for consideration of h.r. 2596, the intelligence authorization act for fiscal year 2016 as well as provides that the motion to reconsider the vote on passage of the trade adjustment assistance measure may continue to be postponed until the end of the legislative day on july 30.
4:26 am
first, i commend the efforts of chairman nunes and ranking member schiff for their efforts in crafting a bill with largely bipartisan support that provides our nation's intelligence community with the resources they need to keep us safe. our national security relies on the continued strength of our intelligence community. as we face ongoing security challenges both at home and abroad from threats such as isil, lone wolf attacks, the emergence of cybercrime as well as the unknown challenges that may be awaiting us, a strong intelligence apparatus is of the utmost importance. this legislation will do much to meet those challenges. specifically, this bill supports investments in cutting edge technology like spy
4:27 am
satellites, enhances our nation's human intelligence capabilities, provides resources to safeguard valuable signals intelligence collection and partners with our foreign allies to maximize the reach of our intelligence efforts. this investment in our country's intelligence infrastructure comes at a critically important time. as you know the office of personnel management recently suffered a disastrous breach. hackers were able to target o.p.m. and gain access to personnel data, including employees' names, addresses, social security numbers and numerous other personal details. perhaps most disturbingly o.p.m. suggests houses the applications and files submitted by those applying for security clearances with data
4:28 am
going back until 1985. these files were compromised as well leading some experts to suggest that the compromise of these files could have tremendous negative effects for our human intelligence gathering capabilities. the cyberattacks represent a critical threat to our national security. we all love the convenience that technology provides us but we must also be prepared to invest in technologies that will protect us from those who wish to sabotage our security in the virtual world. it is time for the o.p.m. to implement and abide by best practices so that we never face a data breach like the one we saw last week. to the extent that congress will play a role in securing our virtual infrastructure, we should work as quickly as possible to ensure that our employees and our most
4:29 am
sensitive material are not needlessly exposed to those who wish to do us harm. mr. speaker while i support the strong national security protections this authorization provides, i am extremely disappointed yet again in how my republican colleagues have skirted the fiscal cuts imposed by sequestration in order to fund the things that they care about while ignoring the effects such fool-hearted cuts have on the vital domestic programs that they don't seem to care about. we have people hurting all over this nation because of this irresponsible and senseless policy of sequestration. republicans claim to be using this policy as an important tool to rein in out-of-control
4:30 am
government spending. yet when sequestration affects programs and areas of the budget they care about, they magically get around this dilemma by using accounting gimmicks. that is just what they've done here in this measure. the majority has yet again used the overseas contingency operations account to evade sequestration spending caps. wouldn't it be nice if republicans wanted to evade spending caps for the department of education so that we can get around sequestration and properly educate our children? or if they could use accounting tricks to get around sequestration to fully fund and repair our crumbling infrastructure. or if they were also inclined to use their budgetary magic to get around sequestration caps to properly fund critically important agencies like the
4:31 am
environmental protection agency so that our children and our grandchildren can continue to have access to clean water and clean air, but alas all we get from the majority is more of the same budgetary double standard. using tricks to get around spending caps on things you like to spend money on and then require sequester, sequester on things you don't like to spend money on. let's stop pretending. that isn't a plan to rein in government spending. that's just spending taxpayer money on things you deem worthy of unfettered spending and ignoring programs for political reasons that you don't even like even though such programs remain vital to our country's success. . .
4:32 am
mr. speaker, many on my side of the aisle have taken exception to the facility on guantanamo bay since day one. i certainly have. once again the republicans look to continue operation of this prison when we should be working to bring about its orderly closure. we are better than this prison. as a country dedicated to the rule of law, as a country that inspires people the world over to work for and even die for the establishment of democratic rules, we are better than this prison. this prison is an exercise in kafkaesque justice, which has long worked to undermine our standing with our allies and help terrorist organizations recruit more and more fighters. look, i don't think that anyone is arguing that if we close the prison, then the myriad terrorist groups who use it as a recruiting tool would no longer
4:33 am
have people joining their ranks. but it would be one less arrow in their quiver. and for that reason, we need to work together to close the prison as quickly as possible. in doing so we will not jeopardize the safety of our country, but will act more fully to reflect our commitment to democracy and the rule of law. we know, and i know, having been in the judiciary that our justice system is more than capable of handling the prosecution of terrorists no matter where they are, including those held in guantanamo bay. we have successfully tried richard reid, umar farq, faisal shahzad and dzhokhar tsarnaev, the boston bomber, and we have either sentenced them to death or life imprisonment in our most secure prisons. at last night's rules committee
4:34 am
meeting, my friends on the other side of the aisle decided to make a last-minute change to today's rule. i might add further pollute today's rule. that last minute change allows for the postponement of the motion to reconsider t.a.a. over the course of my tenure in congress, i voted to support thousands of pieces of legislation. in the 20-plus years i have served in this body, i can think of only three votes which i deeply regret making, and one of those was in support of nafta. in the years since, i've seen after nafta a decrease in american jobs, a rollback of critical environmental protections here and in mexico where i was promised that the environmental circumstances
4:35 am
would be cleaned up and they were not. and a stagnation of wages that have prevented the financial upward mobility of working class and middle class americans and has ground poor americans into poverty beyond belief. if we're going to create trade policy that is worthy of future generations then we must ensure that that policy strengthens, not weakens, labor rights. it must strengthen, not weaken, environmental protection. it must ensure other countries' responsibility to adhere to basic human rights. it must expand and strengthen our middle class, not squeeze hardworking americans in favor of corporate interests. the legislation included in this rule today is part of a trade
4:36 am
package that does nothing to bolster these important priorities. finally, as i stated time and again, i take issue with the manner in which these important measures are being considered. legislation as important as the one at hand deserves an open and transparent process where members of both parties and both houses of congress may debate and offer amendments as they please. this process envisioned and designed by our founding fathers to serve as a safeguard to democracy continues to be eroded by the majority's insistence on grouping multiple unrelated bills together under one rule and limiting the number of amendments that can be made in order as well as the time available for debate. there were amendments offered last night, for example on congresswoman -- for example,
4:37 am
congresswoman speier offered whistleblower protection not made in order. my colleague, representative schweikert from arizona, and i offered a very sensible measure under the intelligence provision to allow for, as a sense of congress only, say that we will participate with tunisia's intelligence operation in a more pronounced manner. totally innocuous but at the very same time helping a country that may very well make the bridge to democracy and certainly has been an ally in intelligence and a needed one in light of the number of people that come up from north africa through tunisia and wind up fighting in the middle east.
4:38 am
if we are truly to operate as a democratic body we must do more to make sure that our pieces of legislation are afforded the time and consideration they rightly deserve. thank you mr. speaker, and i reserve the balance of my time. the speaker pro tempore: the gentleman reserves. the gentleman from georgia is recognized. mr. collins: thank you, mr. speaker. mr. speaker, i appreciate the gentleman from florida. if we want -- one of the things that i, coming onto the rules committee have found is the really, the vigorous debates we do have and the gentleman from florida, we have had many of them. that's a good place for them. it's a good place also here on the floor to discuss what really is the focus on very clearly a rule for a bill, then there's a procedural issue that we are extending to t.a.a. reconsideration until july 30. i understand what he's saying but i want to make clear to members that is what is happening. we're working on the majority side for a process that's open. 16 amendments made in order, will be debated here on the
4:39 am
floor of the house and voted. i think that's what the republican majority is focused on. one of the things that came up and i wanted to be clear mr. speaker is the gentleman brings up a point it's about priorities. about priorities and we're dealing with authorizations and spending bills is what we're dealing with in the majority here we have made it very clear i believe from the republican majority standpoint, although i personally and others may have discussions on how we use overseas contingency funds and those have been debated on this floor and should be debated on this floor, however one of the things we are doing is we are putting priorities first. priorities for national defense. securing our national interest. and in light of this bill making sure that our country is safe abroad and here from tax -- from people who don't like us. i don't buy the argument. the debate on guantanamo is a
4:40 am
different shmb but the argument that if we close it up, it takes away one recruiting piece. i'm sorry, boko haram and others do not hate us only because of the prison. they hate us because we're free. they hate us because we have a society that is open. i understand the debate that we want to have but let's make it crystal clear. there was no guantanamo when they ran -- rammed planes into the world trade center. there was no guantanamo at that time. they just don't like us. and let's make that very clear. funding is appropriate. we will debate those entirely and we will continue to. the republicans will still look out for jobs and those working in the middle class and those that are trying to find their families, priorities, and their own economic sphere and looking at it in a country that's in debt and trying to make sure we make good fiscal decisions. our priorities are that we help businesses start.
4:41 am
we encourage the creation of jobs. not a government strangulation of jobs. that's what resources do. with this bill, this is about our intelligence community. this is a rule that supports an authorization coming from a very difficult committee that does a very difficult job. we're supporting a rule that funds those to keep us safe and does the things that keeps america free. that's the argument we'll continue to have. i appreciate, mr. speaker, the other debate that we want to have here but let's be focused this rule is about that, also about policy decision or procedural decision in this rule. with that, mr. speaker, i reserve the balance of my time. the speaker pro tempore: the gentleman reserves. the gentleman from florida is recognized. mr. hastings: at this time, i'm pleased to yield two minutes to the distinguished gentlewoman from connecticut, my friend, ms. delauro. the speaker pro tempore: the gentlewoman from connecticut is recognized for two minutes. ms. delauro: mr. speaker, the
4:42 am
vote on trade adjustment assistance failed in the house of representatives last friday by a 3-1 margin. yet, this rule today would extend the revote on trade adjustment assistance through the end of july. this is one more attempt to play games with the future of hardworking families. american workers demand and they deserve respect, they deserve a living wage, and the right not to have their job shipped overseas. that is what we are united in fighting for. a vote for this rule is a vote for fast track, a vote against jobs and against wages. the united states trade policy has been failing american workers. failing american consumers and
4:43 am
families for 20 years. the u.s.-korea free trade agreement has already cost up to 75,000 jobs. and it was just passed three years ago. up to five million jobs have been destroyed by currency manipulation. and a number of the signatories to this trade agreement, their policy is to manipulate their country, to have their goods sold at a lower price than american goods putting american workers out of jobs and lowering their wages. joseph stiglitz, the nobel laureate in economics has written, inequality is not inevitable. it is a choice we make with the rules we create to structure our economy. trade policy is one of those choices. and if we approve fast track we throw away our ability our
4:44 am
constitutional authority, to represent the people who sent us here in good faith. we throw away that ability to be able to fix the flaws in the trade agreement like the transpacific partnership, to the detriment of millions of american families. i urge a no vote on this rule. >> the house went on to pass the intel debate rules, which includes language allowing the revote on the measure to happen between now and july 30. the transportation security administration found no threat from 73 aviation workers who were cited as possible security risks after they fell through a screening loophole. a tsa official made this announcement at a house homeland security subcommittee hearing that included questions about
4:45 am
tsa security gaps. >> the committee will come to order. the subcommittee is meeting today to hear testimony on vetting by tsa. i now recognize myself for an opening statement. i would like to welcome everyone to today's hearing. since the start of the congress, my subcommittee has actively engaged a number of aspects related to tsa operations, policies, and procedures. through hearings, inquiries, and legislation, we've been working to get to the bottom of these issues and raise awareness of the need to fix them. recent revelations that the tsa cleared for employment individuals with potential ties to terrorism demonstrate the
4:46 am
dire need for improved procedures at tsa. the findings released by the department of homeland security inspector general are alarming. in may, the inspector general released a report that found tsa did not have appropriate controls in place to ensure that screening has necessary maintenance work performed. a few weeks ago, news outlets reported test results showing they failed to detect threat items 96% of the time. just last week, we learned that 73 airport employees with potential ties to terrorism were issued credentials which allow them access to secure areas of airports. these recent findings come out on the heels of revelations of security breaches by employees at major u.s. airports involving a nationwide gun smuggling ring. more recently, we learned of a
4:47 am
drug trafficking ring operating out of the airport in oakland california. all these findings are concerning. in the aggregate, they shake the public's confidence and further demonstrate the need for steady leadership at tsa. this committee will continue to lead efforts to close the security loopholes and ensure the continuing safety and security of our nation's aviation system. the purpose of today's hearing is to examine the identified security gaps highlighted in the most recent ig report about aviation worker vetting and find ways to improve the vetting process to ensure that these vulnerabilities are addressed and the american people can feel safe while traveling. aviation workers are supposed to be thoroughly vetted. due to their access to sensitive areas and their position of
4:48 am
trust within the transportation system. however, as the ig report has found, there are significant shortfalls in the vetting policies. for example, the ig found the tsa does not have access to all the data it may need to thoroughly check a worker's potential ties to terrorism. what is even more alarming is that a memo was sent to the tsa administrator last year noting the need for additional information and tsa has yet to resolve this gap a year later. the report found that airports do not match the expiration date of an employee's credentials to the expiration of their legal work authorization in the united states. while tsa stated they are working to resolve these issues, it raises serious concerns that this gap exists in the first place. therefore, i sponsored hr 2750, improved vetting for aviation workers, which i introduced last
4:49 am
week along with chairman mccaul and ranking member rice and congressman payne, to close the security gaps. the reality is, in this post-9/11 world, that the terrorist threat is metastasizing, we as a nation must remain responsive to any holes in the security of our transportation systems and ensure the protocols keep pace with the landscape improving the vetting of aviation workers who have access to the sensitive areas of airports can help close another backdoor of vulnerability at our nation's airports. we have representatives from the t.s.a., d.h.s. inspector general himself, and g.a.o. to address how the recommendations highlighted in the report can be implemented and what tools are needed to improve the security at our nation's airports. i look forward to hearing their testimony and having a meaningful dialogue and how we can better protect this vital transportation mode and keep aviation safe and secure for the
4:50 am
american people. the chair now recognizes the ranking minority member of the subcommittee, the gentlelady from new york, miss rice, for any statement she may have. miss rice: thank you, mr. chairman. thank you for convening this hearing. we have an important question to answer today. how can we do a better job vetting aviation workers? how can we do a better job ensuring that criminals and terrorists can not get a job in one of our airports and gain access to secure areas? clearly if the terrorists were to penetrate an airport in that way, the results could be catastrophic. we have to assume that right now someone is trying to do just that. we have to assume that we can prevent it. we have to keep working together aggressively and proactively to strengthen our security, and stay one step ahead. t.s.a. is responsible for vetting diverse groups of people from the credential program to prechecks to aviation worker programs. aviation workers themselves are a diverse group of people who play many different and important roles within the
4:51 am
commercial airport environment. from the person who works the news stand beyond the security checkpoints to the mechanic who has to access the plane itself to perform his or her duties. what these two people have in common is they both go to work every day beyond the checkpoints in the secure area of the airport, and we must do everything within our power to make sure people who work in these areas are exhaustively vetted before employment and on a recurring basis and prove themselves to be trustworthy. lastly, the department of homeland security office issued a report the details of 73 individuals with links to terrorism were able to get jobs and able to access secure areas. first, we should be grateful to the inspector general for bringing this to our attention and to know that this threat was out there, think about what could have
4:52 am
happened should be all the motivation you need to work together. that is why we're here today, not to create a spectacle r figure out how this happened, we need to learn from it is due to close the gap. i also want to point out that the inspector general noted the tsa vetting process was generally effective. as far as i understand this seems to be two main factors. because of the current interagency watchlisting policy tsa does not have access to databases. that is simply unacceptable and must change. the tsa should have an access to all information, should have access to any and all information that will make the vetting process as exhaustive as possible. the report made it clear that tsa databases are a mess.
4:53 am
87,000 employee filed about social security numbers, many would not -- passport number of proof of citizenship. there is no excuse. it strikes me as i'm sure everyone is sloppy and there is no place for sloppiness. we strive for a system that is airtight and precise and in order to achieve that our information must be airtight, everything we do must be precise. the inspector general's office has issued six recommendations, all of which will help to address these issues, and i appreciate the fact that tsa has concurred with these recommendations. i look forward to hearing more about these issues and corrective action. after this hearing i look forward to taking up legislation authored by myself and the chairman that will codify recommendations from this report and from another oig report that details the need for tsa to properly manage its airport screening equipment maintenance program. i want to thank each of our
4:54 am
witnesses for being here today and i am eager to hear your testimony and have a productive conversation about how we can do a better job vetting aviation workers, do a better job keeping airports secure and primarily keeping passengers safe. i yield back the balance of my time. >> thank you, ms. rice. at least the chairman of the homeland security full committee plans on coming here and making a statement. he is held up in another hearing. i extend the same courtesy to mr. thompson if he shows up. i must remind you that opening statements may be submitted for the record. we are pleased to have several distinguished witnesses before us today. the witnesses' entire written statement will appear in the record. as someone who is well familiar with this committee welcome back and thank you for your continuing good work.
4:55 am
thank you for being here. i would like to hear from mr. roth. >> chairman, ranking member, members of the subcommittee, thank you for inviting me here today. federal regulations require individuals who work in secure areas undergo background checks. required to perform these checks before granting individuals badges that allow them unescorted access to secure areas. each check includes a security threat assessment including a terrorist check, a fingerprint-based criminal history record check, and evidence of the applicant's authorization to work in the us. the airports themselves collect this information and submit it to tsa.
4:56 am
once tsa receives biographic data, it electronically matches it against an extract of the terrorist screening database to identify individuals with potential links to terrorism. tsa vets airport workers every time it receives a watchlist update. based upon this review they may direct the airport to grant, deny, or revoke credentials. we found tsa was generally effective in identifying individuals with links to terrorism. however, we did identify a significant weakness. the national counterterrorism center performed the data match of over 900,000 airport workers who have access to secure areas against the national counterterrorism database. as a result, they identified 73 individuals. current interagency policy
4:57 am
prevents tsa from receiving all terrorism related codes and this lack of access resulted in on discovery's. officials recognize that not receiving these codes represents a weakness in the program and informed us that tsa cannot guarantee that it can consistently identify all questionable individuals. in 2014 the tsa administrator authorized after request missing category codes. however according to an official they have yet to formalize the request in order to receive additional categories. the airport from detains the ultimate authority.
4:58 am
however, tsa did not have adequate monitoring processes in place to ensure airport operators properly adjudicated criminal history tsa officials informed us airport officials rarely or almost never documented the results of the personal, or history reviews. individuals with access to secure areas are free of disqualifying criminal conviction. moreover tsa is not legally authorized to conduct vetting of criminal history. we found a weakness in the verification process. as with criminal history the airport operators were required to ensure aviation
4:59 am
workers are authorized to work before sending the information to tsa for review. tsa verifies that aviation workers have lawful status. however, our review showed that tsa has had to deny credentials for over 4800 applicants because tsa determined that they did not prove their lawful status despite the fact these individuals have previously been through the work. tsa relied to submit complete and accurate aviation worker data. we identified thousands of aviation worker records that appeared to have incomplete or inaccurate biographic information. we made six recommendations in the report. we will follow up on the implementation.
5:00 am
thank you for inviting me to testify today. i look forward to any questions you or other members may have. >> thank you for your continuing professionalism. we appreciate you being here. our 2nd witness deputy assistant administrator for the tsa office of intelligence analysis. division director for checkpoint solution and integrity division within the tsa office of security capability. tsa efforts to identify, acquire, and manage state-of-the-art technologies and capabilities that screen passengers at us airports. prior to beginning of federal career she held management positions at airlines reporting corporation, us airways and trans states airlines. >> good morning

