J. STAPLETON ROY
ASSISTANT SECRETARY OF STATE FOR
INTELLIGENCE AND RESEARCH
MAY 11, 2000
HOUSE INTERNATIONAL RELATIONS COMMITTEE
Good Morning. I am glad to have the opportunity to appear before you today with my colleague, Assistant Secretary for Diplomatic Security David Carpenter, whom the Secretary of State has named as her senior adviser on security issues. We will be happy to discuss with you the Department’s response to the disappearance of an INR laptop computer and other important security matters.
Let me begin by briefly reviewing the basic facts surrounding disappearance of the laptop computer. On January 31 a laptop computer containing highly classified information was discovered to be missing from a secure area controlled by the Bureau of Intelligence and Research at the Department of State, or INR, which I head. This matter is under active criminal investigation by the FBI and the Department’s Bureau of Diplomatic Security, or DS. I have asked all personnel of INR to cooperate fully with the investigation. That is our sole role. We are not privy to the investigation’s focus, time line and preliminary findings, so I cannot speak to those subjects.
In my testimony today, therefore, I will focus on four subjects: (1) INR’s actions in response to the disappearance of the laptop computer; (2) the Secretary’s decision to transfer formal responsibility for protection of Sensitive Compartmented Information (SCI) from INR to DS; (3) the resulting enhancement of the security regime within INR; and (4) the implications for INR’s statutory role as a member of the Intelligence Community.
Disappearance of the Laptop
The laptop had been purchased in 1996 for the exclusive use of officers from other bureaus engaged in counterproliferation work who did not have access to classified work stations within INR. It was used and stored in an INR secure area because it contained highly classified information bearing on the proliferation of weapons and technologies of mass destruction and related delivery systems. Because of the sensitive information on it, the computer was not permitted to leave the INR secure area, where open storage was authorized under applicable regulations.
On January 31, INR staff could not locate the laptop in response to a request by a would-be user from outside the Bureau. When a careful search of the office suite failed to locate the laptop, the office in question took immediate steps to interview all personnel in the office, as well as officers from outside the Bureau who had been authorized to use the laptop. Some of those approximately 40 officers were out of country on official business. They were queried by phone or cable. When these efforts failed to locate the laptop, INR’s security branch chief launched a formal investigation and requested the office director to respond to a detailed list of questions. He also interviewed key individuals and developed a summary of relevant circumstances. When this internal investigative phase failed to locate the laptop, the INR security branch chief reported the circumstances to me along with his recommendation that because of the potential compromise of classified information, the matter be turned over to DS. I immediately approved this recommendation. On February 10, INR requested DS to commence an investigation and notified the CIA Center for Security that a computer presumed to contain sensitive classified material could not be located.
All matters relating to the investigation are under the purview of DS and the FBI, and I am not privy to the details. We do not yet know how the laptop disappeared from the INR secure area, whether it was removed by an employee authorized to work in the office, whether it was stolen for its material value, or whether it was taken for the information on its hard drive.
Regardless of the circumstances, the loss of the laptop is inexcusable. It should not have happened. As the Assistant Secretary for Intelligence and Research, I am also the Senior Officer of the Intelligence Community in INR, and in the Department of State. All personnel in INR, from top to bottom, have been indoctrinated and trained to be aware of their responsibility to safeguard the nation's most sensitive secrets. Whatever the results of the investigation, it is clear that we failed to exercise our responsibility to safeguard the computer and the classified information on it.
I particularly regret that Members of Congress first learned of the incident from the pages of the Washington Post. This was never our intention. That it happened is most unfortunate and is being looked into as part of our effort to draw lessons from this unfortunate experience.
The Secretary’s Decisions in Response to the Loss
As a result of the circumstances I have just outlined, the Secretary took a number of steps affecting the Bureau that I head:
First, after consulting Director of Central Intelligence Tenet, the Secretary decided that DS should take over from INR the responsibility for protection of Sensitive Compartmented Information. I support this decision and am confident that DS will do the job well. We are working hand-in-glove with DS and with CIA to effect this transfer. In addition to improving security, I believe this will strengthen INR’s ability to concentrate on what we do best, which is analysis and intelligence policy coordination.
In my view, this transfer of the SCI security function can be handled in a manner that will not conflict in any way with INR’s responsibilities as a statutory member of the Intelligence Community. Indeed, since before the discovery that the laptop was missing, we had been working closely with DS to identify and formalize areas for enhanced cooperation.
Aside from the transfer of the SCI security function to DS, the Secretary also asked that in the investigation of the disappearance of the laptop, questions of accountability be examined carefully, and appropriate recommendations be made for decision. Meanwhile, to enhance confidence in the review process, two INR office directors have been temporarily transferred to other duties. This is not a finding of fault. It is to ensure that as the investigation is conducted and remedial steps are taken, there is full confidence in the process.
In addition, the Secretary directed that a number of other steps be taken to tighten security in the Department. Assistant Secretary Carpenter will be addressing these in his testimony.
The Security Environment within INR
The Secretary held a Town Meeting at the Department on May 4 to stress once more that all Department employees must attach the highest priority to their security responsibilities. I had already reinforced this message in a meeting with the entire INR staff on April 26, and I am confident that everyone in the Bureau is conscious of the need to maintain a high level of security awareness at all times and that security is an inextricable and indispensable part of all of our jobs.
Mr. Chairman, you inquired in your invitation letter to me about the day to day procedures for monitoring classified information within INR. In accordance with Director of Central Intelligence Directive (DCID) 1/19, Section 6.9, SCI security or control officers responsible for Sensitive Compartmented Information Facilities (SCIFs) maintain records, manual or electronic (bar codes), of external receipt and dispatch sufficient to investigate loss or compromises of SCI documents during transmittal.
Given the volume of classified and SCI material received daily in INR, we and DS have recognized the need to strengthen procedures for assuring document accountability. Earlier this year, we sought and gained approval to hire additional documents control specialists. Upon their entry on duty, they will work to ensure that both the theory and practice of document accountability within INR are fully in accord with intelligence community standards and requirements.
Following release of the OIG report last September, the DCI’s Community Management Staff offered to make available to INR a professional document control specialist to evaluate our existing staffing and document control procedures, and to make appropriate recommendations. I understand the individual selected to assist us – expected in INR very soon -- will come from the Defense Intelligence Agency, whose operational milieu is in important respects similar to that at State.
As regards the management of and security procedures for construction or renovation projects at Main State, in INR this relates primarily to projects that involve Sensitive Compartmented Information Facilities or SCIFs. Here "DCID 1/21 – Physical Security Standards for Sensitive Compartmented Information Facilities" is the governing directive. The DCID requires that whenever a project is contemplated, a construction plan, balancing threats and vulnerabilities, must be reviewed and approved by the cognizant security authority. In my view, these requirements are time tested and appropriate provided they are, as they should be, rigorously observed.
The INR Assistant Secretary’s Role as Senior Official of the Intelligence Community (SOIC)
Mr. Chairman, you also asked in your letter of invitation that I focus on the security role of the Assistant Secretary for INR as the senior official of the intelligence community (SOIC), as distinct from the responsibilities now placed in DS. First, let me affirm that I see no statutory, regulatory or procedural barriers that need interfere with the ability of the Bureau of Diplomatic Security to carry out security responsibilities within INR. There are some fine points now being addressed, but these have not impeded in any way the transfer of day to day security responsibilities within INR to the Bureau of Diplomatic Security. Nor should this impede INR’s ability to perform its functions as a member of the Intelligence Community.
As members of this Committee may be aware, the Department of State is not a member of the Intelligence Community; rather, it is INR within the Department, that is a statutory member. As Assistant Secretary of INR, I am the senior adviser to the Secretary of State on all intelligence matters and responsive to her direction. At the same time, I have certain responsibilities to the Director of Central Intelligence that derive from my status as the Senior Official of the Intelligence Community within INR. The authorities and responsibilities vested in SOICs are detailed in "DCID 1/19 – Security Policy for Sensitive Compartmented Information and Security Policy Manual." This directive states that intelligence organizations, as defined in E.O. 12333, have the authority and are responsible for all aspects of security program management with respect to the protection of intelligence sources and methods and for implementation of the DCIDs for activities under their purview. Hence, INR had previously maintained its own security program for intelligence sources and methods, while DS has developed and implemented security procedures, both domestically and abroad, for protection of the larger, more traditional universe of collateral classified information, physical and technical security countermeasures, VIP protection, etc. Pursuant to the Secretary’s decision to transfer SCI security protection to DS, we are working with DS and CIA to develop the necessary procedures within the framework of this DCID.
In conclusion, let me stress once again that the Department of State is undertaking a top-to-bottom review of security procedures. INR is a part of that process and, working closely with DS, we are moving simultaneously on many fronts to ensure better security throughout the bureau. As the Secretary said, a 99% grade on security is not a passing mark.