We are here today to continue this Committee's review of computer security -- or lack thereof as the case may be -- at Federal agencies under our jurisdiction. Since 1998, this Committee has reviewed computer security policies and practices at the Environmental Protection Agency, the Department of Energy, the Health Care Financing Administration, and today we will be focusing our attention on the Department of Commerce. Without exception, we have found significant security problems at each of these agencies, all of which either took -- or are taking -- prompt action to correct the deficiencies identified as a result of our oversight. Unfortunately, it appears that information security rarely becomes a priority within an agency until the white-hot lights of public and congressional attention focus on that agency's specific flaws.
Today we will hear from information security experts at the General Accounting Office who, at this Committee's request, conducted an in-depth evaluation of the Department's management and implementation of computer security at seven of its operating divisions, including the Bureau of Export Administration, the International Trade Administration, the Economics and Statistics Administration, and the Office of the Secretary.
GAO's team of ethical hackers identified and exploited vulnerabilities in the computer systems of these divisions to gain virtually unlimited access to them internally, from within the Department's network, and externally, from the Internet. Not only could these systems be accessed without authorization, but the information contained in them could be read, modified, or deleted at will -- even with respect to the most sensitive systems and data files within these seven divisions. And with such access also comes the power to completely disrupt critical Department operations.
It is no secret that, of the systems reviewed and found to be vulnerable by GAO, many contain highly sensitive personal, financial, commercial, and national security-related data, and are critical to the Department's overall mission. Included in this list are the export control licensing systems and the networks that are used by the International Trade Administration for communications with our foreign Commerce outposts around the world.
The state of the Department's security was truly deplorable. GAO found instances in which systems did not require passwords, even for system administrator accounts. Other systems had easily guessed passwords, such as "password." Certain passwords and password files were either unencrypted or not otherwise protected, permitting anyone on the network -- authorized or unauthorized -- to read and obtain even the most powerful account passwords. And six of the seven bureaus did not even limit the number of times an individual could try to log on to the system, allowing would-be hackers excessive opportunities to crack these poor password controls.
GAO also found that poor network security and configurations permitted GAO's experts to circumvent the limited security controls that were in place, and thus to travel between and among the seven connected bureaus -- essentially finding that the lowest common denominator among these bureaus set the security standard for the rest of them. Some of the bureaus did not even have firewalls in place to protect all of their sensitive internal systems from the Internet -- or, if they did, they were either so poorly implemented as to be largely ineffective, or could be easily bypassed via alternative access routes. These failures place all of the connected bureaus at significant risk of intrusions.
Equally troubling, and despite advance notice of the GAO hacking attempts, the Department's monitoring of cyber intrusions failed to detect the overwhelming majority of GAO's intrusion and scanning efforts, including the successful ones. In fact, GAO reports that its hackers gained access to one system, only to find that a Russian hacker had been there before them, without the Department's apparent knowledge. And only two of the bureaus reviewed by GAO had formal intrusion detection systems in place. In short, the Department simply has no idea of whether its sensitive systems are being or have been compromised -- a totally unacceptable situation.
The reason for these failures, according to GAO, is the lack of an effective security management program at the Department. Basic and longstanding Federal security requirements have essentially been ignored for years. Only three of the 94 sensitive systems reviewed by GAO had documented risk assessments, and only seven had current security plans, none of which had been approved yet by management. The Department's computer security policies have not been updated since 1995, despite the tremendous growth of the Internet and the increased inter-connectivity between Commerce bureaus and the outside world. And there are virtually no minimum security requirements for all Commerce computer systems -- even, for example, on basic issues such as password lengths or characteristics.
In addition to GAO, we will hear today from the Department's Inspector General, which also has done work in this area. A recent IG report essentially confirmed that the lack of effective security management found by GAO, with respect to seven of the Department's operating divisions, was not unusual. Across the Department, adequate risk assessments and security plans are the exception rather than the norm, with roughly 92% of the Department's systems failing to comply with at least one of these Federal security requirements.
The IG's financial control audits, which, beginning this year, contained a limited penetration test of computer security controls, also confirm that access control problems similar to those identified at the seven bureaus reviewed by GAO exist at many other Commerce bureaus as well, including the Census Bureau, NOAA, NIST, and others, posing threats from both internal and external sources.
How could this situation exist, and for so long? The short answer is that, until this Committee started asking questions early last year, no one at the Department was even seriously looking at these issues. Despite Federal requirements for independent reviews of security controls on major systems on a routine basis, GAO found that neither the Department's chief information officer, nor six of the seven bureaus reviewed, had conducted any such audits or oversight.
Unfortunately, this situation is not at all unusual. Our cyber security reviews have consistently shown that this lack of real-world testing of the effectiveness of security controls is one of the major problems facing not just the Commerce Department, but the Federal government as a whole.
This lack of attention to cyber security is reflected by the lack of resources devoted to this purpose. At Commerce, for example, the Department's Office of Information Technology Security -- which is responsible for setting the Department's computer security policies and conducting oversight to ensure compliance by the various bureaus -- was a one-person operation up until March 2000, when the director of this office was given two interns to assist with these important functions. I am pleased to hear that Secretary Evans recently approved a re-direction of additional personnel and funding for this office, which in addition to computer security is also responsible for the Department's overall critical infrastructure protection efforts.
It certainly is time -- indeed, it is well past time -- for the Commerce Department to start taking the security of its data systems seriously, much more so than it was under the previous Administration. In the 21st century, effective computer security is as much a part and cost of doing business as having locks on the front door was during previous centuries. And we will continue our oversight in this area until Commerce and the other Federal agencies under our jurisdiction get this message loud and clear.
I want to welcome and thank our witnesses for testifying today on this important topic, and will now recognize the Ranking Member for an opening statement.
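An added illustration, not part of the hearing statement and not code from GAO or the Commerce Department: a small Python account store that implements the basic controls the statement reports as absent at the bureaus reviewed (administrator accounts with no password, guessable passwords such as "password", password files readable in the clear, no limit on logon attempts, and no record from which a failed guessing campaign could be detected). The policy thresholds, the deny list, and every account name and password below are constructed assumptions; the statement itself quotes no such values.

```python
"""Added illustration (not from the hearing statement): minimum password
policy, salted password storage, logon lockout, and a failed-attempt
record that an intrusion monitor could read. All policy numbers and
account data are constructed assumptions."""
import hashlib
import hmac
import os
import time
from collections import Counter
from dataclasses import dataclass, field

# Assumed policy values; the statement quotes no specific figures.
MIN_LENGTH = 12
MAX_FAILURES = 5          # failed attempts before the account is locked
LOCKOUT_SECONDS = 900     # how long a lockout lasts
PBKDF2_ROUNDS = 100_000
DENY_LIST = {"password", "123456", "letmein", "admin"}   # constructed sample list


def password_violations(password: str) -> list:
    """Return the policy rules a candidate password breaks; [] means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = (any(c.islower() for c in password),
               any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() for c in password))
    if sum(classes) < 3:
        problems.append("fewer than three character classes")
    if password.lower() in DENY_LIST:
        problems.append("on the common-password deny list")
    return problems


def _derive(password: str, salt: bytes) -> bytes:
    """Salted, iterated hash: the stored record never contains the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0


@dataclass
class AuthStore:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)   # entries: (timestamp, user, event)

    def create(self, user: str, password: str) -> None:
        """Refuse any account, administrator or not, whose password fails policy."""
        problems = password_violations(password)
        if problems:
            raise ValueError("%s: %s" % (user, "; ".join(problems)))
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, digest=_derive(password, salt))

    def login(self, user: str, password: str, now=None) -> bool:
        """Verify a logon, enforce the attempt limit, and record every outcome."""
        now = time.time() if now is None else now
        acct = self.accounts.get(user)
        if acct is None:
            self.audit_log.append((now, user, "unknown-user"))
            return False
        if now < acct.locked_until:
            self.audit_log.append((now, user, "locked"))
            return False
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            self.audit_log.append((now, user, "success"))
            return True
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.failures = 0
            acct.locked_until = now + LOCKOUT_SECONDS
            self.audit_log.append((now, user, "lockout"))
        else:
            self.audit_log.append((now, user, "failure"))
        return False


def failed_attempt_counts(audit_log) -> dict:
    """Per-user count of unsuccessful logon attempts: the minimal signal a
    monitor needs in order to notice password guessing at all."""
    counts = Counter(user for _, user, event in audit_log
                     if event in ("failure", "lockout", "locked", "unknown-user"))
    return dict(counts)
```

The `now` parameter exists so the lockout window can be exercised deterministically; in production it would be left at the default clock. The audit log here is an in-memory list; a real deployment would write the same three fields to a log the intrusion-detection system reads, since a lockout nobody looks at addresses the first finding but not the detection failure the statement describes.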