Statement of Eugene E. Habiger, General, USAF (Retired)
Director, Office of Security And Emergency
I would like to thank the Chairman and Members of the Committee for the opportunity to speak with you today regarding the current status of security at the Department of Energy.
As most of you are aware, Secretary Richardson asked me to become the Department's Security director in June. Since my arrival at the Department, I have visited all of the Department's major sites; reviewed virtually all of our site security plans; observed and participated in segments of our protective force training at our training facility in Albuquerque, New Mexico; examined our newly implemented cyber security procedures at our national laboratories; talked to hundreds of scientists and technicians; and taken a DOE-administered polygraph.
What I have found so far is this:
First, it is clearly obvious that the Department reacted appropriately to the "wake up call" received this past year with the uncovering of internal security problems and the publication of both the Cox and Rudman reports.
Second, security throughout the Department is being administered responsibly and conscientiously by dedicated, hard-working professionals who are firmly committed to protecting the critical national security assets which are entrusted to them. The responsibilities of these individuals are demanding; yet, despite the obvious challenges, they continue to perform in an outstanding manner.
Finally, although we do have security issues which we must, and will, address, I found all sites that I have visited have the foundation to perform their security functions capably given adequate resources.
But I also discovered several troubling issues.
First and foremost, it was apparent to me early on that the Department was extremely close to losing the confidence and trust of both the American people and the Congress with respect to our ability to perform our security responsibilities. The enormous media coverage surrounding recent security-related events coupled with DOE's historical track record of security deficiencies added to this erosion of public trust.
Secondly and equally as important, I discovered that over the years the Department had lost its focus on security. The Secretary on several occasions has referred to the Department as being a group of fiefdoms within fiefdoms - and almost every fiefdom had its own security responsibility and security budget. There was no office within the Department that had ultimate accountability for the critical security requirements for which DOE is responsible, nor was there any emphasis on individual accountability. By-products of this organizational dysfunction and lack of focus included: a deterioration of security awareness and education, resulting in a failure to remind and educate our employees and contractors as to their personal security responsibilities and accountabilities; a lack of attention to our cyber security practices in a world of increased computer hacking and cyber terrorism; and a gradual erosion of resources required to improve our capabilities to combat ever-changing terrorist and cyber-terrorist threats.
And finally, Congress has, up to this point, failed to fund the Department's FY2000 full budget amendment in order to make near and long-term fixes. We have valid requirements in the area of cyber-security to buy hardware, encryption equipment and to train our system administrators. We need to equip our protective forces to combat weapons of mass destruction, to fully arm the headquarters protective forces, and complete our headquarters security upgrades. And we need program direction funds to stand up a robust foreign visitor access program as well as an acceptable plutonium, uranium and special nuclear materials control and accountability program and bring about our new organization. Simply stated, we have been given a mandate but not the additional resources to accomplish that mandate.
Through a series of comprehensive and sweeping initiatives by Secretary Richardson, however, the Department has turned the corner and has aggressively and dynamically changed the way it does its security business.
In May of this year Secretary Richardson announced his Security Reform Package - the most sweeping reform of security programs in the Department's history. This comprehensive plan involved the creation of my office - the Office of Security and Emergency Operations, and the elevation and revitalization of Mr. Glenn Podonsky's Office of Independent Oversight and Performance Assurance. In the words of Secretary Richardson, "this plan gives DOE the tools and authority we need to detect security infractions, correct institutional problems and protect America's nuclear secrets." Glenn and I are working closely together to ensure an integrated approach to policy development and oversight.
The foundation of the Secretary's security reform plan is his policy statement regarding security incidents and violations. In his statement, the Secretary established an expectation of personal accountability by DOE employees and contractors for protecting DOE's national security assets. The Secretary further established a policy of zero tolerance for violations of security requirements that could place nuclear or other sensitive information at risk.
Another important step was to change the way the Department managed its security responsibilities. In this regard, the Secretary worked diligently to remove the organizational barriers that had historically impeded the Department's ability to effectively and efficiently implement a comprehensive security program within the Department.
Soon after coming on board I put in motion an aggressive, Four-Phased Security Campaign. In Phase I, which was completed in August, I initiated visits to each of the DOE sites in the field, and established a baseline from which to move forward. Areas requiring immediate fixes were identified. During this period, a complex-wide security stand-down was conducted to promote security awareness as an individual responsibility. New policy was issued for foreign visitors who visit our facilities to ensure that the tightest possible security procedures are followed.
In Phase II, currently underway, I completed visits to the sites and issued, or am in the process of issuing, policy addressing key issues, such as: Standardized Weapons for Protective Forces, and the requirement for protective forces to keep a round in the chamber of weapons carried while on duty. We now have policies which mandate the timely reporting of security incidents, the use of warning banners on computer systems, and badge validation procedures. We are developing an integrated security awareness training curriculum. Two very similar personal security assurance programs will be combined into a single departmental Human Reliability Program to eliminate redundancy and streamline the administration process. In the area of cyber-security, the National Laboratories have implemented numerous corrective actions. Key among these is a program to achieve physical incompatibility between removable media formats within common laboratory work areas. We are taking this sweeping action in an effort to prevent the intentional or inadvertent transfer of classified information from classified to unclassified systems or to a media format easily concealed and removed. In related efforts, the laboratories will continue to search unclassified archives and to monitor outgoing e-mail messages for classified content. We are also developing a comprehensive set of metrics to make sure we are making continuous improvements.
Phase III will occur in January to March of 2000, at which time most new policies to fix security will have been implemented. I will revisit the field to evaluate the effectiveness of the policies and to define metrics to be used for future assessments. At this stage, most of the major security concerns will be fixed and the focus turned to improvements and enhancements.
When we reach Phase IV in April to September of 2000, proposed fixes will be in place and our efforts turned toward adjustments, as we maintain our security program. A critical activity here will be continuous feedback from the field, scheduled visits to the field, and regularly held meetings with representatives from all sites to exchange lessons learned and best practices.
Successful implementation of our security responsibilities will also depend on a focused and well-defined mission and management structure that addresses policy and decision making, personnel and budget resources, planning and program execution. Therefore, we are reconstituting available resources into a robust, responsive, and unified safeguards and security organization. This was the Secretary's intent when he announced his security reform initiative; and we are making real progress.
Our workforce--both Federal and contractor--is the most critical link in the chain of protection of security interests. Consequently, we are instilling a sense of urgency and corporate ownership among all Department of Energy employees and contractors, not just those that have security as part of their job descriptions. This is being accomplished through renewed emphasis on a meaningful enforcement program that holds individuals accountable should they violate their security responsibilities.
We are enhancing our efforts to ensure that employees are fully aware of their own individual protection responsibilities. The granting of a security clearance carries with it a very serious obligation to protect the sensitive and critical assets entrusted to one's care. We have mounted an aggressive and comprehensive security education and awareness campaign to remind each and every individual of their obligations.
For those individuals whose primary duties relate to the protection of national security assets (that is, our security professionals), we are instituting a comprehensive career development initiative that establishes a centrally managed competency based promotion and assignments program designed to institute staffing uniformity and enhanced operability throughout the complex. This program is an adaptation of existing programs in place with other government agencies, the military and private industry. It represents what I believe to be a "best practice" in the area of career development.
Finally, recognizing our critical role in the national security community, we are institutionalizing my office as the principal security coordinator for the Department in developing inter- and intra-agency partnerships. In so doing we actively contribute to the protection of the Nation's energy infrastructure and leverage technology and, as applicable, expertise into the international security community dealing with nuclear safeguards and security.
Today, the Department of Energy functions in a security environment decidedly different from the one we faced a decade earlier. There is growing concern about a new breed of threats that confront the Department and the Nation's security structures. Terrorism, Weapons of Mass Destruction and cyber attacks on information systems have become ingrained in the global psyche and in our nation's security consciousness. These non-traditional, multi-directional threats are testing security resolve and capabilities as never before.
We cannot control or alter the threats to the security interests entrusted to our care. What can be controlled, however, is our ability to plan and respond to threats should they ever materialize. The changing security environment and other threats over the past decade have fundamentally altered the Department's security perspective and posture. This is a significant challenge, but one that the Department of Energy is prepared to meet.