So Long, Linton

Jeffrey Lewis

Secretary of Energy Samuel Bodman has fired NNSA Administrator Linton Brooks. NNSA Deputy Administrator Tom D’Agostino will serve as acting Under Secretary for Nuclear Security and Administrator.

Linton Brooks is a fine public servant getting a raw deal.

Bodman cited security lapses as the reason for firing Brooks:

I repeatedly have told DOE and laboratory employees, and in particular senior managers, we must be accountable to the President and the American people not just for efforts, but for results. Therefore, and after careful consideration, I have decided that it is time for new leadership at the NNSA, and I have asked for the resignation of NNSA Administrator, Linton Brooks. Ambassador Brooks will tender his resignation to the President, and depart later this month.

Of course, Brooks could really tick me off as he did one year at the Carnegie Nonproliferation Conference. And I certainly enjoyed poking fun at him over beers. But I could say that about most people in the Bush Administration.

Despite our deep disagreements over the role of nuclear weapons in US national security, Brooks got a lot of things right as NNSA Administrator, from promoting efforts to secure nuclear materials to fostering dialogue with China. I am sorry to see him go.

It isn’t clear to me, yet, why Brooks got the ax now. Some members of Congress, particularly Joe Barton (R-TX), have been calling for his resignation since he failed to tell Bodman that NNSA’s computers had been hacked. Barton got pretty testy in a hearing:

REP. BARTON: All right. Now, it’s public knowledge, at least in this hearing room, and unfortunately outside the hearing room, that back in September, we know from the testimony of the prior witnesses, that Mr. Podonsky and his group conducted a red team exercise that penetrated some of the security protections at the Department of Energy. And you were made aware of that at that time. Is that not correct?

MR. BROOKS: That’s correct.

REP. BARTON: And we also know that, subsequent to that, there was a real penetration of your administration.

MR. BROOKS: That’s correct.

REP. BARTON: And you were informed of that in September.

MR. BROOKS: That’s correct.

REP. BARTON: And you meet with the secretary or the deputy secretary almost every day, and yet apparently you didn’t tell them about that.

MR. BROOKS: That’s correct.

REP. BARTON: Now, for probably the third or fourth time, why not?

MR. BROOKS: The—I’m choosing my words carefully, and we can expand on this in the closed session. The department has treated these intrusions, once they happen, as counterintelligence issues. The department has a fragmented counterintelligence organization which it has submitted legislation to correct.

It appears that each side of that organization assumed that the other side had made the appropriate notification to the deputy secretary.

REP. BARTON: That’s hogwash.

[snip]

To say that somebody else is responsible begs the intelligence of this committee. I mean, I’m—I don’t know what to say other than it will be my strong recommendation after I have had a consultation with the ranking member, Mr. Dingell, that you be removed from your office as expeditiously as possible. And I mean like 5 o’clock this afternoon if it’s possible.

Barton and Kentucky Republican Ed Whitfield subsequently sent a letter to Bodman demanding Brooks’ resignation.

But that was in June, and I kind of figured that had blown over by now …

Comments

  1. Jeffrey Lewis

    Here is the transcript of the hearing where Barton and Brooks squared off …

    Copyright 2006 The Federal News Service, Inc.

    Federal News Service

    June 9, 2006 Friday

    SECTION: PRESS CONFERENCE OR SPEECH

    LENGTH: 9585 words

    HEADLINE: PANEL II OF A HEARING OF THE OVERSIGHT AND INVESTIGATIONS SUBCOMMITTEE OF THE HOUSE ENERGY AND COMMERCE COMMITTEE

    SUBJECT: CYBERSECURITY CHALLENGES AT THE DEPARTMENT OF ENERGY

    CHAIRED BY: REPRESENTATIVE ED WHITFIELD (R-KY)

    WITNESSES: TOM PYKE, CHIEF INFORMATION OFFICER, U.S. DEPARTMENT OF ENERGY; LINTON BROOKS, ADMINISTRATOR, NATIONAL NUCLEAR SECURITY ADMINISTRATION; AND DAVID K. GARMAN, UNDERSECRETARY OF ENERGY FOR ENERGY, SCIENCE AND ENVIRONMENT

    LOCATION: 2123 RAYBURN HOUSE OFFICE BUILDING, WASHINGTON, D.C.

    BODY:

    REP. WHITFIELD: At this time I’d like to call up the second panel. And on the second panel we have Mr. Tom Pyke, who is the chief information officer at the Department of Energy. We have the Honorable Linton Brooks, administrator for the National Nuclear Security Administration, and we have the Honorable David Garman, undersecretary for Energy, Science and Environment at the Department of Energy.

    I want to welcome all of you. We appreciate your being with us on this important subject matter. And as you know, this is the Oversight and Investigations Subcommittee, and it is our tradition to take testimony under oath. Do any of you object to testifying under oath?

    MR. : No, sir.

    REP. WHITFIELD: Do any of you have any legal counsel that you would like to be with you?

    (No audible response.)

    If you would raise your right hand. (Witnesses are sworn.)

    Thank you very much. You’re now under oath.

    And, Mr. Pyke, I’ll recognize you for your five-minute opening statement.

    MR. PYKE: Good afternoon, Mr. Chairman. My name is Tom Pyke. I am the chief information officer of the Department of Energy. I am pleased to be here today to share with the committee a summary of the actions that the Department of Energy has taken to strengthen our cybersecurity posture.

    The Department of Energy takes cybersecurity very seriously. Our senior management team is working together to ensure that we are taking all appropriate actions to protect our information systems, as well as the information processed on these systems. We are taking a risk-based approach, managing the overall risk and the risk that still remains after all appropriate managerial and technical controls have been applied. This risk is sometimes called residual risk.

    The department’s cybersecurity program is guided by the Federal Information Security Management Act, known as FISMA, including that act’s emphasis on certifying and accrediting every information system before it is placed into operation. We are also guided by the actions and products of the Committee on National Security Systems, and by the National Industrial Security Program Operating Manual for National Security Systems.

    Based on a risk assessment and a systems security plan, each system has controls applied to ensure availability, confidentiality and integrity of each system and the information on that system. These controls are tested to ensure they are working properly. After the controls are applied, a statement of the residual risk is presented to an accrediting official. This official makes the determination for the system to become operational based on the residual risk evaluation, taking into account the role of the system to supporting the agency’s mission.

    I would like to point out to the committee that there is no such thing as “no risk” and no such thing as “perfect” cybersecurity. Well-informed judgments have to be made as to the nature and amount of protection that is to be applied to each system and network, and that is a fundamental part of the certification and accreditation process.

    We are also guided in managing cybersecurity by the Office of Management and Budget with its policy, and by guidance issued by the National Institute of Standards and Technology, NIST.

    Our cybersecurity program responds to risk assessments conducted within the bounds of our assessment of the current threats to our systems. The threat to our systems from outside our perimeter, as well as from insiders, is continually increasing. The hackers and others intent on harming our systems or obtaining information from our systems are becoming smarter in their attacks. The threat is especially challenging given the vulnerability in off-the-shelf operating system and applications software that we must use to support our mission. This software is very complex, and vulnerabilities are continually identified over the lifetime of that software. Although software vendors prepare and distribute software patches after vulnerabilities are identified, there is always a delay in preparing and distributing these software patches, creating a window of opportunity for attacks despite best efforts to maintain secure system configurations and despite best efforts to supply the software patches in a timely way. I should also point out that software patches need to be tested first before they’re applied to our systems, to ensure they do not interfere with the systems’ ability to meet mission requirements.

    Our cybersecurity posture is bolstered by the testing we do during the certification and accreditation process as well as by systematic, continuous vulnerability testing. We also benefit significantly from the testing that the department’s Office of Inspector General conducts as a part of its financial and FISMA reviews, and we are also fortunate to have the Department of—Office of Security and Safety Performance Assurance in the department, which conducts the Red Team attacks that you’ve been hearing about and penetration, including penetration testing on our systems and networks to identify vulnerabilities as well as performing cybersecurity assessments and evaluations that are of great help to us.

    The Department of Energy has extensive expertise in the area of cybersecurity, and we are devoting substantial resources to this important area.

    The challenge in managing cybersecurity is for us to prioritize our efforts using a risk-based approach as we implement all the parts of a balanced cybersecurity program. We need to be smart about how to apply our cybersecurity resources both in what we do and the relative priority we give to each part of our activity.

    When I came on board at Energy, at the end of November 2005, the department had recognized the cybersecurity challenge it faced. I have personally given cybersecurity the highest priority in the management of the department information technology. At that time, we had available a recently prepared cybersecurity project team report, that you heard about earlier from Mr. Podonsky. We had that in hand. It summarized some of the kinds of actions that needed to be taken to improve our cybersecurity posture.

    At the direction of the secretary and the deputy secretary, I led the development of a Department of Energy cybersecurity revitalization plan, which now provides the basis for the department’s cybersecurity program.

    The plan was developed under the oversight of an executive committee, which I chair, and which has as members the undersecretaries, including the administrator of the National Nuclear Security Administration, Ambassador Brooks, and the undersecretary for Energy, Science and Environment, Mr. David Garman, as well as the new undersecretary for Science, Mr. Ray Orbach, Dr. Ray Orbach, director of the Office of Security and Safety Performance Assurance, the administrator of Energy Information Administration and a representative of the department’s Power Marketing Administration. We have a cybersecurity working group that reports to the Steering Committee, that has coordinated the development of the revitalization plan and is actively involved now in coordinating the implementation of the plan.

    In developing the revitalization plan, we went back to basics, guided by FISMA, OMB policy and NIST guidance. We considered the department’s mission and the way the department is structured, and we considered the cybersecurity risks currently faced by the department. We factored into the plan the recommendations from the cybersecurity project team report.

    Under the revitalization plan, my office, the Office of the Chief Information Officer, develops top-level cybersecurity policy to be issued by the deputy secretary. Our office issues guidance on implementing cybersecurity management—REP. WHITFIELD: Mr. Pyke?

    MR. PYKE: Yes, sir.

    REP. WHITFIELD: Excuse me for interrupting, but you’ve gone about two minutes over the five minutes. And if you wouldn’t mind summarizing, we do have your testimony in its entirety and would appreciate it.

    MR. PYKE: I will move right ahead.

    After we have this top-level policy, the undersecretaries establish policies and implementations plans for their parts of the department consistent with that policy and guidance. And the plan provides a basis for long-term strengths in cybersecurity in the department with a significant beginning to be accomplished in the next 12 months. We’ve already issued initial guidance in the critical certification and accreditation area.

    I should say that it’s been very important for us to continue to adjust our priorities in implementing the revitalization plan based on our assessment of risk. For example, during the last three months, we have given special attention to improving our ability to respond to increasingly more sophisticated cyber attacks. The resources required to do so have necessitated changes in our schedule—our initial schedule for completing some other parts of the revitalization effort.

    I would like to assure the committee that we—which we have provided the—to which we have provided our current schedule, that we are working very hard and diligently in this area, and we are attempting to accelerate the completion of as many products as possible as—to the extent that we are able to do so.

    REP. WHITFIELD: Thank you very much, Mr. Pyke.

    Mr. Brooks, you’re recognized for five minutes.

    MR. BROOKS: Thank you, Mr. Chairman.

    As Mr. Pyke’s statement made clear, we have to focus—we have to use a risk-based approach, and the highest risk, of course, would be compromise of classified material. I recognize the hearing is focused primarily on cyber threats to unclassified, but it’s important to note that we have to focus on both.

    I am confident that our classified material is secure, but we need to focus on both unclassified and classified.

    I’d like to highlight several specific actions that we’re taking to strengthen cybersecurity.

    First—and this does apply to classified—is the conversion to diskless workstations. We will be completing that by the end of 2008. About 45 percent of our classified workstations are operating without disks, and that will increase our ability to use the transmission of both classified and other forms of sensitive information around the department.

    Secondly, we are working on continuous asset monitoring systems. That lets us improve real-time security monitoring of both classified and unclassified networks and lets us increase the efficiency and the accuracy of our reporting. Several of the members of the committee have stressed the very large number of computers that we have spread out over a very large number of organizations. If we do not have a solid handle on what we have, no management system will work. And we have spent, with Mr. Pyke’s organization in the last 18 months, testing and evaluating a series of offerings. We’ve selected a customized architecture. And last week, our Pantex Plant became the first DOE site to successfully implement the new system.

    Third, we are giving increasing attention to deployment of encryption for secure communication over unclassified networks. The fragmented nature of the department means that we sometimes act inefficiently, so we’ve worked together with Mr. Pyke’s organization to combine our licenses into a single agreement for various commercial encryption software in order to save about a million dollars.

    In addition, we are implementing encryption on laptops in a similar way that you heard from the inspector general.

    Fourth, we’re working hard on training. Training and awareness is the key to everything else. Mr. Pyke sets the example by conducting training at (pop-up ?) meetings for the senior leadership of the department, and we’re attempting to emulate that in a variety of ways.

    In addition to these, we’ve developed a comprehensive set of policies to standardize configuration. That gives our individual sites a uniform set of risk-acceptance tools. We’re trying to use our metrics not just to feed into the various reports that Mr. Pyke mentioned, but to improve internally.

    We’re developing continuity of operations plans, and we are continuing to focus on inventory.

    Working with Mr. Pyke, we’re making good progress—that’s a statement about the progress, not about where we are—toward both better management of risk and more efficient use of resources. I believe everyone in the department’s leadership is committed to both improving cybersecurity and to the security of our information.

    In that regard—and this is not in my prepared statement—I know we will be talking about this more in classified—in the closed session, but I do want to note that the personnel information to which you refer to is not what we would normally call personnel files. It is a list of names, Social Security numbers and dates of birth. I don’t mean to minimize the seriousness, but—and it might very well have been something else, but that’s what it was. And we can talk about that in more detail in the closed session.

    Thank you, sir.

    REP. WHITFIELD: Thank you.

    Mr. Garman?

    MR. GARMAN: Mr. Chairman, members of the committee, as you have heard from the others, cyber threats are on the rise. And I cannot tell you that we can fully guarantee the protection of all the data that resides on the system or our systems themselves. Moreover, given the evolving and dynamic nature of the threat, I believe it’s unlikely that we will ever be fully satisfied with our cybersecurity posture. However, the fact that we cannot achieve absolute enduring protection against all cyber threats must not deter us from undertaking serious, sustained efforts to improve our cybersecurity posture.

    The secretary and the deputy secretary have made cybersecurity a priority. Shortly after they came to the department, they grasped the challenges that confronted us. They recruited a new chief information officer. They established a Cybersecurity Executive Steering Committee, on which I serve along with the others you see here and more. We’ve established a Cybersecurity Working Group comprised of information technology and cybersecurity specialists to assist us in our responsibilities. During the ensuing months, we have developed and issued a cybersecurity revitalization plan that we are currently implementing.

    To put it bluntly—and you mentioned this earlier, Mr. Chairman—it is my view that we are not yet where we need to be, but I believe we are far better off than we were a year ago, as a consequence of these actions by the secretary, the deputy secretary and the chief information officer.

    In addition to stressing the importance of cybersecurity to the assistant secretaries and office directors that report to me, I have met with the cybersecurity information and technology personnel who report to them, to discuss and understand the particular challenges that they face.

    We’ve also recently detailed a cybersecurity expert to my office to assist me in implementing the plan and identifying best practices for replication.

    In addition to the efforts embodied in the Cybersecurity Revitalization Plan, we’ve engaged in a number of activities that improve the department’s ability to protect our data. For example, in 2005 the Office of Science initiated a cybersecurity site assistance visit program. Cybersecurity specialists from the Office of Science, together with inspectors from the Office of Security and Safety Performance Assurance, are conducting, as we speak, cybersecurity reviews at various sites and national laboratories. These visits are helping sites to identify and remediate potential weaknesses, accept (sic) risks and establish a consistent cybersecurity baseline. To date the Office of Science has conducted 10 such visits and will shortly expand coverage to facilities outside of their purview.

    The Office of Environmental Management, meanwhile, has also made significant progress in reengineering its own cybersecurity management oversight process. That office has developed several cybersecurity management applications, such as an intrusion detection monitoring capability, allowing them to identify foreign-based cyber attacks launched against EM facilities from the Internet, and a risk assessment management system which automates cybersecurity risk assessments in support of their certification and accreditation responsibilities.

    Those are just some examples. All of our programs have active cybersecurity programs, and all are working collaboratively to implement relevant portions of the Cybersecurity Revitalization Plan at headquarters and in the field.

    Now, this is very important. We know that this is not a quest for an end point where we declare success, but rather a continuous process where we strive to get ahead and stay ahead of our adversaries. Just as we welcome the efforts of the inspector general, the Office of Security and Safety Performance Assurance and others to test and evaluate our success in this regard on an ongoing basis, we also welcome the efforts of this subcommittee as we work to manage cybersecurity risk in a cost-effective and responsible manner.

    This concludes my testimony, and I would, of course, be pleased to respond to any questions you have either today or in the future.

    Thank you, Mr. Chairman.

    REP. WHITFIELD: Well, thank you very much. And we appreciate your testimony.

    Of course, it’s not the purpose of this subcommittee to be critical all the time, but we do take our oversight responsibility seriously. And the information that I think all of us could agree to in many ways is that there is a lot still lacking on cybersecurity at DOE. And some people say that they may have one of the worst systems in the government, but we may or may not agree with that.

    But Mr. Pyke, I know you’ve only been there since November of 2005, and you and Mr. Garman refer to the revitalization plan of 2006.

    And I know great emphasis has been placed on that. But in reviewing the plan, we have noticed that six of the corrective actions that were suggested out of many had already passed their dates, and the one on cyber-risk assessment was supposed to have been completed on April 6th. And it is not completed, and no new date has been set. The DOE incident management was scheduled to be completed in May of ’06. It’s not completed, and no new date has been set.

    And I know that it’s easy for us to just pinpoint a few areas where you’ve not met your plan, but what do you have to say about that, Mr. Pyke? I mean, these evidently were not that complicated because they were going to be completed in a couple of months, and now that it’s already over, gone, and you’re not meeting the goal.

    MR. PYKE: Mr. Chairman, as I stated in my—it’s on—Mr. Chairman, as I stated in my formal comments, my opening statement, it’s essential that we continually adjust our priorities based on our current assessment of risks. We have adjusted and will continue to adjust our priorities and our schedule for completing a large number of products. We’ve made a lot of progress in the incident management area that will lead to a strong incident management guidance document.

    And as I said earlier, we have had to deal with increasingly sophisticated attacks and larger numbers of attacks over the last three months, and I can assure you that we have learned from handling those attacks, and we have already adjusted our incident management processes within the department in a positive direction.

    Likewise, on risk assessment, we are learning in the process. The products, when they’re produced, will be strong, and we do intend to continue to adjust our schedule as is indicated. And we believe we are being responsible—REP. WHITFIELD: So you’re just setting priorities in a different way than what it was originally set at then.

    MR. PYKE: Yes, sir.

    REP. WHITFIELD: Now, Mr. Brooks had mentioned in his opening statement that we all view any breach to be a serious issue, particularly when personal information—that’s one—when personal information is obtained by an unauthorized source outside the government. We also understand the national security issues involved.

    But I want to ask you, Mr. Pyke, you’re the chief information officer. When did you first become aware that these personnel—the information of 1,500 people had been obtained by a third party?

    MR. PYKE: Two days ago, sir.

    REP. WHITFIELD: Two days ago.

    MR. PYKE: Although since I arrived at the department and was informed of the kinds of attacks that we were under on a continuing basis, and I should say, we are attacked several hundred thousand times each day by folks from outside the department attempting to break through our perimeter.

    The particular system that was involved here was protected by a firewall, was protected by intrusion detection software. It had other protective software. And despite that, a very sophisticated attack succeeded in getting in. And we’re dealing in a very difficult situation, which we’ll expand on in the executive session.

    REP. WHITFIELD: What is your understanding as to when someone at DOE was first aware of this information being obtained?

    MR. PYKE: I do not know personally when—REP. WHITFIELD: But you found out two days ago?

    MR. PYKE: I found out about two days ago, and that was at the time when a determination was—to my knowledge, when the first determination was placed in black and white on paper that this had happened after an extensive investigation. That’s my understanding.

    REP. WHITFIELD: Mr. Brooks, when did you find out?

    MR. BROOKS: Late September.

    REP. WHITFIELD: Now, this was about—MR. BROOKS: With the recognition—with the recognition that, as Mr. Pyke says, this has been an ongoing event. But late September is when I—REP. WHITFIELD: But that’s when you first found out that the information on 1,500 individuals had been obtained by an outside party?

    MR. BROOKS: Yes, sir.

    REP. WHITFIELD: Well, did you feel like you had an obligation or responsibility to report it to the secretary or the CIO or—MR. BROOKS: The CIO builds the wall. Once something gets over the wall, it’s a counterintelligence issue, or a potential counterintelligence issue. Pretty much whenever I say the words “counterintelligence,” the next thing I say is “closed session.” There is a—there was a problem for which the—of fragmented responsibility. And as far as I can tell now—I was not aware, frankly, that the secretary and the deputy had not been informed. And as far as I can tell, this is one of the consequences of the split counterintelligence organization, which the administration has submitted legislation to correct.

    And I really—it’s a very important question, but I’d like to go into it more in closed session because I’m afraid that the specifics will get me into areas I shouldn’t talk about.

    REP. WHITFIELD: Yeah. Okay.

    And, Mr. Garman, when did you become aware the first time?

    MR. GARMAN: June 7th.

    REP. WHITFIELD: June the 7th?

    MR. GARMAN: Two days ago.

    REP. WHITFIELD: Okay. Okay.

    MR. BROOKS: In fairness to Mr. Garman, I should point out that to the best of my knowledge, all of the people involved are under my responsibility, not his. So—REP. WHITFIELD: Yeah. And it’s my understanding that the secretary did not know about this until a couple of days ago.

    Is that your understanding? Or do you know?

    MR. GARMAN: I think that’s right. I’m sorry, sir.

    REP. WHITFIELD: Okay. Who informed you that—about this breach, Mr. Brooks? Or is that something—MR. BROOKS: The director of the NNSA counterintelligence organization.

    REP. WHITFIELD: Okay, okay.

    Okay, I have no other questions, Mr. Stupak.

    REP. STUPAK: Yes, thank you.

    Mr. Brooks, whose responsibility is it to inform the secretary?

    MR. BROOKS: That sounds like such an obvious, clear question, and I believe that one of the things we’re learning from this is the answer isn’t as clear as it should have been.

    Because we treat these things as a counterintelligence issue under our current structure, which we’ve proposed legislation to fix, you can get two answers to that, and it appears to me that each of the parts assume that the other person was involved. That’s a preliminary assessment because I—just as the secretary just learned about this this week, I just learned this week that the secretary didn’t know. And—REP. STUPAK: So who are the two people that are supposed to inform the secretary?

    MR. BROOKS: Well, we have—we have, under the present system, a(n) Office of Counterintelligence for the department and an Office of Defense Nuclear Counterintelligence for the NNSA.

    And since this problem—sir, I’m—I’m not trying to be unresponsive, but I’m really worried that in trying to answer that question, I’m going to go into areas that I don’t want to go about where the data was and whose data it was and what we think happened. I’d like to save that for the closed session, if I may, sir.

    REP. STUPAK: Sure. Don’t you have any responsibility to tell the secretary?

    MR. BROOKS: Well, I certainly wish I had, now that I know that nobody else did. And that’s—I think that there is—there are a number of us who in hindsight should have done things differently on informing, as far as I can tell. In terms of responding to the issue, that was done well.

    REP. STUPAK: Well, who should have notified this committee?

    MR. BROOKS: I’m not sure, sir, and I’m then—and—part of our problem is I can’t answer that question—REP. STUPAK: Well, will you get the answer to it?

    MR. BROOKS: Yes, sir, I will.

    REP. STUPAK: Why does it take VA, when they have a breach—26.5 million people’s information has been obtained—they let us know in about three weeks; it’s been at least eight months, and DOE doesn’t let us know.

    MR. BROOKS: I’ll find out, sir.

    REP. STUPAK: You going to hold anyone accountable for this?

    MR. BROOKS: When I figure out what was done wrong and by whom, if anything, then I’ll answer that. I—I’m really reluctant to answer it in the absence of fully understanding what happened.

    REP. STUPAK: If—you said to the chairman you’re going to build this wall, right, to protect cybersecurity, right?

    MR. BROOKS: Yes, sir.

    REP. STUPAK: Don’t you think you should have told Mr. Pyke, who is your chief information officer, about this?

    MR. BROOKS: It is—of course Mr. Pyke was not in the department at the time this incident happened.

    REP. STUPAK: But Mr. Pyke’s been there for some time. You’ve known since late September. So when were you going to tell your chief information officer, who’s supposed to know how to build that wall? How does he build the wall if you withhold information from him?

    MR. BROOKS: I—I will let Mr. Pyke speak for himself on what he knows. He’s very familiar with the specifics of the—more familiar than I with the specifics of the incident and how the data was—REP. STUPAK: I thought he just testified it was only two days ago when Mr. Pyke found out.

    MR. BROOKS: What the content of the data was. But you protect the data without regard to its content, and whatever is sitting on a system—REP. STUPAK: But if he doesn’t know what the content is, he doesn’t know where the hole in the wall is.

    MR. BROOKS: I’ll defer to Mr. Pyke. That’s not my—REP. STUPAK: Well, before I go there, did you tell your previous CIO officer, then? If you knew since September. Mr. Pyke’s been here, what, a couple of months. So did you tell the other CIO officer?

    MR. BROOKS: I did not. It was my understanding at the time that the organizations had shared that information. But I’ll have to answer that for the record, Mr. Stupak.

    REP. STUPAK: Okay.

    Mr. Pyke?

    MR. PYKE: Yes, Mr. Stupak, soon after I arrived at the Department of Energy, I was briefed on the current state of cybersecurity, including a number of very sophisticated attacks that were being made, and which will be the subject of discussion in closed session today.

    REP. STUPAK: But were you told about this breach?

    MR. PYKE: As I said a few minutes ago, the so-called breach was in the context of very sophisticated attacks that went through full protective measures that were state of the art at the time, and that for the most part, in the government and private sector are state of the art today.

    We’re fortunate in having still additional protective measures in place without which we would not know about this incident. We can discuss that in closed session. I did not know until June 7th, two days ago, that a particular file had been exfiltrated or sent out during one of those attacks—REP. STUPAK: But how do you protect the information in that file if you don’t know the file has been breached? How do you know if your security system—how do you know if your security patches are working if you don’t know which network or what file has been breached? How do you protect that file then?

    MR. PYKE: We protect all files in part, depending on the nature of the system, the risk associated with the data and the function of a particular system with—REP. STUPAK: Obviously it didn’t work here.

    MR. PYKE: And we don’t necessarily need to know the actual content of a file to provide appropriate protection.

    REP. STUPAK: How do you protect what you don’t know you lost? How do I protect something after it’s lost?

    MR. PYKE: Sir, as a part of a balanced cybersecurity program, we apply a wide range—REP. STUPAK: Sure.

    MR. PYKE:—management and technical means in order to protect the data.

    REP. STUPAK: Right, understand all that. But how do you protect something if you don’t know it’s lost? One part knew you lost it eight months ago. You knew you lost it two days ago. How do you protect it if you don’t know it’s lost? How do you know your system is working properly if you don’t know it’s lost?

    MR. PYKE: Although we’ll discuss the details I believe in closed session, sir, the determination that anything might have been lost was a long, complex process. It deals with the state of the art of cybersecurity protection—REP. STUPAK: It’s not—MR. PYKE: It’s not a simple case here, sir.

    REP. STUPAK: And it’s not a simple case of having to know the information that was lost. It’s a simple case of you’re supposed to have security. It was breached. It’s not necessarily the information, which is, you know—it is the fact that you were breached and no one tells you for eight months. And what the information is and the extent of that security, that’s a different issue. The issue is you have the responsibility for cybersecurity, something was breached, and you don’t even know about it.

    MR. PYKE: Mr. Stupak, it would have been very helpful for in the conduct of my job for me to know that that file had been breached and that it had gone outside. However, one of the things I learned—in fact, one of the reasons I came to the Department of Energy, was to try to strengthen cybersecurity because it was receiving like many organizations increasingly sophisticated attacks which in part resulted in this loss of this file.

    MR. BROOKS: Mr. Stupak, may I—REP. STUPAK: Maybe we should start with information sharing between parts of DOE.

    Yes, sir, Mr. Brooks? Ambassador Brooks?

    MR. BROOKS: I—we can go into this in a little more detail, but I believe that we have given you a misunderstanding. It is Mr. Pyke’s systems that told us about the file. It’s—I need to—we have a better answer than we have given you, although not a perfectly satisfactory answer. I really need to do this in closed session, sir.

    REP. STUPAK: Okay.

    REP. WHITFIELD: Mr. Burgess?

    REP. MICHAEL BURGESS (R-TX): Thank you, Mr. Chairman. I think we’re probably all anxious to get to closed session now, so I’ll be pretty brief. I just wanted to ask a few more questions about the issues that came up in the previous panel on sequestration and encryption. Neither member of the other panel really could address the—what the cost would be for going to a fully sequestered and encrypted system. Does anyone on this panel have a concept of the cost involved, the budgetary requirement to go to a system that employed full encryption sequestration?

    MR. PYKE: Mr. Burgess, the segmentation of networks and sequestering data, if you like, as well encryption, are two techniques that are already being applied within the department in protecting data as a part of the total package of cybersecurity protection.

    As you heard earlier, we make extensive use of encryption software appropriate for protecting information, and we do plan to expand that use. The issue here is not one of resources; in fact, in terms of resources, although we can always use more for cybersecurity, the question is deploying the resources and prioritizing in a smart way. We are expanding our use of encryption. We already use some of it. In terms of segmentation, we have taken significant steps to segment our networks in the last several months, and we are continuing to do even more of that.

    REP. BURGESS: Are you satisfied that you are doing all you can to rapidly deploy encryption throughout your department?

    MR. PYKE: I’m never satisfied, sir. We are always working—attempting to work faster and to get more protections in place as quickly as we can.

    REP. BURGESS: Mr. Chairman, I think in the interest of going to closed session, I’m going to yield back at this time. I have some other questions that I may submit for the record.

    REP. WHITFIELD: Okay, Ms. DeGette of Colorado.

    REP. DIANA DEGETTE (D-CO): Mr. Chairman, I’ll be brief as well. I have a lot of questions. I just want to ask Ambassador Brooks—you said you knew about this breach eight months ago, correct?

    MR. BROOKS: Yes, ma’am.

    REP. DEGETTE: Did you inform the 1,500 people who were involved in this breach, who were targets of it, that their data had been breached, their information had been breached?

    MR. BROOKS: This is going to sound like a strange answer: I’d like to answer that in closed session. The answer is no; I would like to answer why in closed session.

    REP. DEGETTE: Okay. I was going to say I don’t think that’s classified, whether you informed them or not. So you’ll talk about why in closed session.

    MR. BROOKS: Yes, ma’am, I will.

    REP. DEGETTE: Do you have concerns about the safety of those individuals because of the eight-month gap?

    MR. BROOKS: No, ma’am.

    REP. DEGETTE: And I suppose you’ll tell me why about that in closed session too?

    MR. BROOKS: Yes, ma’am, I will.

    REP. DEGETTE: All right, I’m just going to wait till closed session.

    REP. WHITFIELD: Mr. Inslee—no, Mr. Walden is recognized.

    REP. GREG WALDEN (R-OR): Thank you, Mr. Chairman. Mr. Pyke, we learned in testimony from the inspector general’s office that as many as 50 percent of the cybersecurity incidents at DOE were not reported to law enforcement officials, which is a requirement. What’s been done to ensure that all reportable cybersecurity incidents at DOE are reported to the proper authorities?

    MR. PYKE: Mr. Walden, we have both policy and procedures in place that require reporting of all incidents that meet our criteria, and we have criteria that we apply—that are supposed to be applied throughout the department for determining what should be reported to—within the department as well as to law enforcement as necessary. We—whenever anything happens that we become aware of, as part of our compliance monitoring of our policies, we take action in order to shore it up. I’ve been pleased with the amount of incident reporting that I’m aware of. For example, over the last—in this fiscal year, it’s—we have seldom learned of incidents after the fact that should have been reported—REP. WALDEN: So what you’re saying is what the inspector general has reported to us is no longer the case?

    MR. PYKE: No. I’m saying that the trend is in the right direction, sir; and people, I believe, are being diligent in their reporting of incidents.

    REP. WALDEN: So the inspector general indicated 50 percent—half of the cybersecurity incidents at DOE were not reported to law enforcement. What would you say that percentage is today, then?

    MR. PYKE: Sir, I have no idea. I am aware of only a small number of cybersecurity incidents that we learned about significantly after the fact, beyond the reporting requirements, and that have been entered in and reported at that time. It’s hard to tell what—it’s hard to know what you don’t know, and I’m afraid that I agree with the inspector general that folks may have a tendency to try not to report things, because they think there might be a stigma associated with reporting incidents. In a number of cases these incidents occurred despite all the proper protections being—or appropriate protections being provided. I do not know how many incidents are not being provided or not being reported.

    REP. WALDEN: So it could be the 50 percent the inspector general references?

    MR. PYKE: But I believe, based on the data I do have, what we’ve learned after the fact of incidents that should have been reported, I’ve seen a relatively small number of such incidents.

    REP. WALDEN: The data on these individuals, 1,500 individuals who work for the Department of Energy that was taken, can you describe for us the content of those data? Were these Social Security numbers? Were they personnel files? Did they have personal addresses?

    MR. BROOKS: They did not have personal addresses. May I consult with somebody for a moment?

    REP. WALDEN: Certainly, of course.

    MR. BROOKS: Name, Social Security number, date of birth; a code which indicates who they work for; a second code which indicates if they were a subcontractor—the majority of these are contractor employees; a code which either had the letter L or Q, the level of clearance—those are the two DOE clearances; and a column called “status,” which in every case said “continue,” because what this appears to have been was the list of routine people being processed for update of clearance. There was no home information. There was no personnel file type information. There was no health information. There was nothing that would, from the paper, let you know where these people lived or worked, although the particular code that is a shorthand for a company is not particularly sensitive—it’s just the way you put that—REP. WALDEN: With other research—MR. BROOKS:—in smaller boxes.

    REP. WALDEN: With other search engines that anybody can—MR. BROOKS: I—I—that’s probably—that’s the information.

    REP. WALDEN: Okay. And—REP. DEGETTE: Will the gentleman yield?

    REP. WALDEN: Yeah, sure.

    REP. DEGETTE: Ambassador Brooks, if somebody got that information from your file—your name, your Social Security number, your security clearance—everything else—and Mr. Walden is right, you can just go on other search engines and do a cross—MR. BROOKS: But—REP. DEGETTE: But—but even if you didn’t, would you be a little concerned if nobody told you that for eight months?

    MR. BROOKS: There—of course I would.

    REP. DEGETTE: Thank you.

    REP. WALDEN: Reclaiming my time, what is the protocol for your agency where you have a breach of personnel records? Are you required to notify the individuals within a certain period of time, or do you have any rules or regulations?

    MR. BROOKS: We have no formal rules. There—this is an issue of good management and our obligation to people. It’s not an issue of law and regulation, as far as I can tell.

    REP. WALDEN: Right.

    MR. BROOKS: I don’t mean to—I want to be very clear there’s a reason we’ve waited, and I’ll talk about that more in closed session, but I don’t want to suggest—and I apologize to your colleague if I may have suggested that I don’t think this is important. We have a reason for doing what we’ve done.

    REP. WALDEN: All right, we’ll look forward to hearing that obviously in the closed session.

    The—I guess the other part of this is: Have you been—does anybody get in contact with, for example, the credit agencies to make sure that these people’s data—that somehow they aren’t becoming a victim of some sort of ID theft?

    MR. BROOKS: The practice of the federal government has been to notify individuals and provide them a mechanism for verifying that on their own. Individuals have certain legal rights, and I believe that the department will follow the standard practice of the federal government.

    REP. WALDEN: I suppose this is best to let Mr. Garman—you’re the deputy secretary, correct?

    MR. GARMAN: Yes, sir, I’m the under secretary—REP. WALDEN: Undersecretary.

    MR. GARMAN:—for energy and environment.

    REP. WALDEN: So do you have jurisdiction over the personnel sides of this? Does anybody at the table have jurisdiction over this issue? So you really can’t—MR. GARMAN: I think to the extent that anybody does, I do, although there are legal implications that the general counsel—REP. WALDEN: Well, I spent some time with the secretary of Veterans Affairs, Mr. Nicholson, listening to him describe what his agency went through, and how he responded to protect the veterans of America and their security and the meetings they’ve had with security agencies—or, excuse me, the credit-rating bureaus. And, you know, his first goal, he told me, was to protect the veterans and their records.

    MR. GARMAN: Sir, my understanding is that was somewhat more extensive data.

    REP. WALDEN: Well, of course it was, but I mean—in the millions, we know that.

    MR. GARMAN: No, but I mean on each individual.

    REP. WALDEN: Oh, I see what you’re saying—yes, sir. But when it comes to identity theft, my name and Social Security number gets somebody probably a cup of coffee or two and can really mess up my credit. Do you have any, given your cyber-ability, do you have any knowledge that anybody has manipulated these data for any nefarious use? Or you track that?

    MR. GARMAN: To the best of my knowledge, and whether or not I go beyond what I’m about to say in open session—to the best of my knowledge, we have absolutely no evidence that anybody has done anything with this. But I have a little bit of a basis for that statement, not a huge basis. And I’ll tell you more in closed session about it.

    REP. WALDEN: Mr. Pyke, it’s my understanding that many of the successful computer intrusions at DOE could have been avoided if DOE applied available network security patches and use of effective passwords. However, the failure to apply security patches and the use of common passwords continues to be a problem at the Department of Energy. I understand that two months ago several employees at DOE were targeted with an e-mail that successfully infected their computers with a Trojan horse program that would have been prevented if DOE had provided current security patches. Can you tell us how you will ensure that security patches and effective passwords will be implemented?

    MR. PYKE: Mr. Walden, we are working to improve the way software patches are tested first and then distributed and applied to all systems, as I mentioned in my statement. And we learn from each incident, from each experience that we have. Fortunately the software patch protection is, again, one way of protecting systems. And in that particular case we were able to protect the systems and the data using other cybersecurity techniques that were applied at that time.

    REP. WALDEN: You know, in the Department of the Interior, federal judges interceded because of the lack of security in some of their data files, and has from time to time literally shut down the entire e-mail and network system for the Department of Interior. And it seems to me the Department of Interior has far less critical data for the country’s security perhaps in some areas than your agency.

    MR. PYKE: Sir, you’re right on target. System security configuration and system software patch management are key parts of cybersecurity.

    REP. WALDEN: So you can understand our concern, and we share yours.

    MR. PYKE: Yes, sir.

    REP. WALDEN: And hopefully together we can get this cleaned up. Thank you, Mr. Chairman.

    REP. WHITFIELD: Thank you, Mr. Walden.

    Mr. Inslee? Mr. Barton.

    REP. BARTON: Thank you, Mr. Chairman. I apologize for having to leave. I had to go give a presentation at a conference, so I missed some of it. So some of what I say and ask I am sure is going to be redundant. But it probably won’t hurt to have it said again.

    Mr. Pyke, what are your duties as chief information officer at the Department of Energy?

    MR. PYKE: Mr. Chairman, I’m responsible for the management of information technology throughout the department, including ensuring that good management practices are provided, that standards are applied in an appropriate way, that capital investment decisions relative to information technology are being made in a systematic way and using all necessary information.

    I am responsible for operations of headquarters systems. And increasingly we are putting into place standardized systems with strong cybersecurity for everyone associated with headquarters. And, very importantly, I am responsible for cybersecurity for the department.

    REP. BARTON: You are. So even though it says “information,” you’re not responsible for disseminating information; you’re responsible for basically coordinating and protecting the information from falling into the wrong hands.

    MR. PYKE: Yes, sir.

    REP. BARTON: And that includes cybersecurity.

    MR. PYKE: Yes, sir.

    REP. BARTON: What is the interrelationship with your position and the National Nuclear Security Administration and Mr. Brooks? Do you all have a co-equal—or is he in his own little sphere? How does that work?

    MR. PYKE: Mr. Chairman, if I may address that relative to cybersecurity, as a part of the revitalization effort, which I have led over these last six months, we have established a structure, working together with the undersecretaries and with me, in which our office establishes top-level policy, we issue guidance, and we work with the undersecretaries as they apply that policy and guidance in a way appropriate to each of the parts of the organization that they’re responsible for. They adapt it. They apply it. They are responsible to take into account the risks associated with each of their organizations in determining how best to apply the top-level guidance.

    REP. BARTON: Okay. In your conduct of your office, if you found something askance in Mr. Brooks’ administration, can you tell him he has to do something? You can inform, advise, but I don’t believe you have the authority—MR. PYKE: We are partners, for example, in the area of cybersecurity. We each have a part of the role to carry out. And I can certainly advise him if I learn of something.

    REP. BARTON: But the short answer is no, you can’t make him do anything.

    MR. PYKE: No, sir.

    REP. BARTON: Okay. Now, Mr. Brooks, how long have you been the administrator in NNSA?

    MR. BROOKS: I’ve been the administrator since 2003. I was acting as administrator for several months before that.

    REP. BARTON: Okay. Now, my understanding is, as administrator, you’re the number one manager at that agency. Is that correct?

    MR. BROOKS: Yes, sir.

    REP. BARTON: Okay. And you’re supposed to know everything that’s going on. Is that correct?

    MR. BROOKS: Conceptually, yes, sir.

    REP. BARTON: Conceptually, okay. Who do you report to, if anybody?

    MR. BROOKS: I report to the deputy secretary—I report through the deputy secretary to the secretary.

    REP. BARTON: Report through the deputy secretary. Is that Mr. Sell?

    MR. BROOKS: Yes, sir.

    REP. BARTON: How often do you meet with either or both of those gentlemen?

    MR. BROOKS: Daily; every other day. I mean, it varies. The average is probably once or twice a day, some days much more, some days not.

    REP. BARTON: Now, when you’re having these daily or every-other-day meetings, is there a formal agenda, kind of a routine agenda, and then special events? Or is it informal and it’s whatever you want to talk about or they want to talk about?

    MR. BROOKS: Normally it’s informal. Normally it’s on a particular topic that one or the other of us wants to talk about. We also collectively—the leadership of the department meets with the secretary every Monday morning, and that’s a go around the table. And we also have one meeting, once again, involving the leadership of the department with the deputy secretary that does have a structured agenda.

    REP. BARTON: Now, are there any classifications of information that you have access to that they don’t? Are they cleared to know any and every thing that you know?

    MR. BROOKS: Yes. I’m trying to think through some of the intelligence compartments. I believe the answer—yes, there is nothing that I am cleared to know that they are not cleared to know.

    REP. BARTON: All right. Now, it’s public knowledge, at least in this hearing room, and unfortunately outside the hearing room, that back in September, we know from the testimony of the prior witnesses, that Mr. Podonsky and his group conducted a red team exercise that penetrated some of the security protections at the Department of Energy. And you were made aware of that at that time. Is that not correct?

    MR. BROOKS: That’s correct.

    REP. BARTON: And we also know that, subsequent to that, there was a real penetration of your administration.

    MR. BROOKS: That’s correct.

    REP. BARTON: And you were informed of that in September.

    MR. BROOKS: That’s correct.

    REP. BARTON: And you meet with the secretary or the deputy secretary almost every day, and yet apparently you didn’t tell them about that.

    MR. BROOKS: That’s correct.

    REP. BARTON: Now, for probably the third or fourth time, why not?

    MR. BROOKS: The—I’m choosing my words carefully, and we can expand on this in the closed session. The department has treated these intrusions, once they happen, as counterintelligence issues. The department has a fragmented counterintelligence organization which it has submitted legislation to correct.

    It appears that each side of that organization assumed that the other side had made the appropriate notification to the deputy secretary.

    REP. BARTON: That’s hogwash. You report directly—MR. BROOKS: Correct.

    REP. BARTON:—to the secretary. You meet with him or the deputy every day.

    MR. BROOKS: And I didn’t tell them—REP. BARTON: You’re the number one manager in the department for these issues. You had a major breach of your own security and your own—I mean, I don’t know how much we’re supposed to say in public about this—and yet you didn’t inform the secretary. To say that somebody else is responsible begs the intelligence of this committee.

    I mean, I’m—I don’t know what to say other than it will be my strong recommendation, after I have had a consultation with the ranking member, Mr. Dingell, that you be removed from your office as expeditiously as possible, and I mean like 5:00 this afternoon if it’s possible. I don’t see how you could meet with the secretary every day for the last seven or eight months and not inform him of a serious, serious breach of security.

    Now, I’m going to ask you another question. Do you think the president of the United States knows? How would he know if you haven’t told the secretary?

    MR. BROOKS: The secretary was aware of the incident but not of the specific context we’re talking about.

    REP. BARTON: Now, the secretary told me personally—personally—that he didn’t know about this—MR. BROOKS: He didn’t know about the—REP. BARTON:—until two or three days ago.

    MR. BROOKS: That’s correct. That’s my understanding as well.

    REP. BARTON: I mean, we’re going to go into closed session. I don’t know how we can have a—I don’t know how we can function in a democracy if those responsible, as appointed by the president of the United States, don’t do their duty to report what’s under their responsibility to the presidential appointees that they’re supposed to report to. I don’t know how we function.

    So if I were you, sir, I would strongly consider your resignation being tendered to the president and the secretary of Energy today. And we’re going to continue—again, I haven’t spoken yet directly with Mr. Dingell, so my official act—I’m not sure what official—you know, I’m not going to do anything that he and I are not together on.

    But I think it’s unconscionable that we’ve been operating since September with a security problem of this magnitude and those responsible for protecting the integrity of the United States of America at the highest level haven’t been notified, because if your explanation is to be believed—there was some sort of a mix-up and you weren’t sure who was supposed to do it—you should have at least notified the secretary that somebody—what you knew. And then you should have worked to clear up any bureaucratic problems with these other officials.

    MR. BROOKS: Yes, sir. I obviously should have done that. I thought he had been notified because of this confusion I referred to. And obviously I was wrong and I should have made sure he knew it himself, as we gained the information which came to us over time.

    REP. BARTON: Mr. Garman, you’re the undersecretary. Do you have any direct report on this? Or are you out of the chain of command on this one?

    MR. GARMAN: I am out of the chain on this incident. And I would offer this as a—REP. BARTON: When did you find out about it?

    MR. GARMAN: Two days ago. But having said that, let me add that I knew and the secretary knew and a lot of people in this room knew that the department faces the same endemic problem that every agency in the government faces, and that we are under attack in the cyber world on a daily basis, and that these attacks are—REP. BARTON: So do you think the way to prevent future attacks is for somebody like Mr. Brooks to not inform the appropriate presidentially appointed officials in the Department of Energy when an attack has been successful?

    MR. GARMAN: I am not going to get drawn into that, Mr. Chairman. The—REP. BARTON: So your position is stick your head in the sand and don’t worry about it.

    MR. GARMAN: No, sir.

    REP. BARTON: That’s what you just said.

    MR. GARMAN: No, sir. And let me be clear about this. I think one of the other elements that has not been vetted in this hearing is the change that is underway at the department. By your line of questioning of Mr. Pyke—and I don’t want anybody to leave this room with the impression, or the public, in the public session of this hearing, that the responsibility for cybersecurity rests on Mr. Pyke’s shoulders alone.

    What we are doing is transitioning and making it crystal clear to every program manager, every office director and every undersecretary that they are responsible. It is a line management responsibility for cybersecurity.

    I would argue, from my vantage point, that this has not always been clear inside the Department of Energy, and that when I was a lower-level—REP. BARTON: No, but is the answer—MR. GARMAN: That has changed—REP. BARTON: Is the answer to not report when there is a breach? If something were to happen within your purview at the Department of Energy—you have jurisdiction or management responsibility for the national laboratories, or some of them. If there were a security breach of this magnitude at Hanford, would you not report it to the secretary of Energy if you knew it?

    MR. GARMAN: There is still—and let me—there is much I do not know about this incident.

    REP. BARTON: I’m not asking what you know right now. I’m asking just fundamental—if I’m responsible for this committee, for the management of this committee as chairman, and I know that something bad happens—one of my staffers embezzles money; somebody does something that’s illegal—I do something about it and report it to the speaker. I don’t just stick my head in the sand.

    MR. GARMAN: No, sir. And that’s not what I’m—REP. BARTON: I’m—MR. GARMAN: That is not—REP. BARTON: I am appalled that nobody seems too concerned about this but the members of Congress. I mean, it’s just another day at the office, I guess. Luckily only 1,500 were stolen.

    Mr. Chairman, we’re going to be in executive session here quickly, I assume.

    REP. WHITFIELD: Yes, sir, Mr. Chairman, as soon as you finish your line of questioning.

    REP. BARTON: I just want to reinforce. Mr. Brooks, I am going to recommend, subject to Mr. Dingell, that you be removed. And I think you would do the country a service if you resign before you have to be removed. You have no credibility with me—none.

    With that, I’ll yield back.

    REP. WHITFIELD: The chair would move at this time, pursuant to Clause 2(g) of Rule 11 of the Rules of the House, the remainder of this hearing will be conducted in executive session to protect information that might endanger national security.

    Is there any discussion on the motion? If there is no discussion, pursuant to the rule, a recorded vote is ordered. Those in favor, say aye. Aye. Those opposed, nay. The ayes appear to have it. The ayes have it, and the motion is agreed to.

    We will reconvene in just a few minutes in Room 2218, and that portion of our hearing will be closed to the public and open only to our witnesses, the members and staff to such members and witnesses who have appropriate clearances.

    The subcommittee will recess.

  2. Michael Roston

    Rose Gottemoeller: Linton gave me the best advice I ever received in my diplomatic career. When you’re up all night negotiating with the Soviets, a hot shower is worth four hours of sleep.

    Brooks: If you take two showers, you don’t even need to sleep…

    Keep an eye on the nuclear testing/nonproliferation credentials of whoever comes next. Since test readiness at this time is 18 months by law (24 months by budgetary restriction), the Bush administration could order someone in to pave the political way forward for a test order mid-year.

  3. Joseph Logan

    “The department has a fragmented counterintelligence organization which it has submitted legislation to correct.

    “It appears that each side of that organization assumed that the other side had made the appropriate notification to the deputy secretary.”

    I can’t think that Brooks or anyone else can be legitimately responsible for a systemic dysfunction, especially when the kneejerk reaction is to legislate a new structure. That tends to be one of the most common red herrings in any federal reform effort. Why dismiss the leader when the presenting issue is predicated upon a structure over which he has no authority?

    Of course, the answer is politics, but structural changes alone are insufficient in addressing the interplay between organizational politics and processes.

  4. Amyfw

    This is just one of a series of “goings on” in both DOE and DOD on nuclear weapons issues that have me more than a bit bothered right now. Things are not always what they seem, and it may be quite appropriate to consider the public “reason” for Ambassador Brooks’ dismissal to be just an excuse. The security lapses really are old news. Other things appear to be bothering Bodman lately. I can’t really be more specific, but, if others want to speculate, I’d be glad to offer an opinion.

    I should caveat, Ambassador Brooks is one of my favorite people in the Arms Control business (his stories from the Reykjavik summit are great!) and I’ve loved working with him over the years.

  5. CKR (History)

    Just a wild idea.

    Brooks’s firing comes at the same time as major rearrangement of other major players. Also with the decision to use a little bit of Livermore, a little bit of Los Alamos for the new RRW, at least according to the NYT.

    Could we be seeing a rearrangement in concert with administration war plans?

    I tend to take the rumors that Admiral Foland is now head of CENTCOM to prepare for a bombing of Iran with a grain of salt (not SALT, unfortunately). But if you were planning to nuke another country, would you want an arms control guy in charge of the nuclear agency?

    Or maybe Brooks suggested that kludging two reportedly fairly different RRW designs together to justify further support of Bechtel at Los Alamos and whoever it will be at Livermore (Halliburton?) might give the country the kind of nuclear weapons that the Osprey is an airplane?

    I haven’t been able to work this in with the rumor that Negroponte may succeed Condi, who may succeed Cheney, but I’ll keep working on it.

  6. Tom Clements (History)

    Based on my interactions over the years with Mr. Brooks, I think Sec. Bodman has made a sound decision and should be congratulated for this move to clean up the DOE house. Mr. Brooks unfortunately proved not only to be discourteous to the engaged public but also deepened the destructive, arrogant attitude in DOE HQ that no information will be provided in response to public inquiries. When in charge of the MOX program and later as head of NNSA, reports to Congress on the status of the MOX program read like fanciful, speculative tales designed to mislead Congress in order to secure yet more funds. Of course Congress and not Brooks was responsible for lack of oversight on the plutonium disposition program and for lack of questioning those reports. Hopefully after years of little oversight of DOE programs and the performance of public servants such as Mr. Brooks, oversight of DOE will now dramatically increase and a process will be developed so that HQ will have to respond to public inquiries.

  7. XXX (History)

    Although I often disagreed with his outlook, I have to refute what the previous poster said about Amb. Brooks’ openness to the public. As a former journalist who dealt with his issues, I found he generally made himself and his staff available to answer questions on most issues of relevance… A statement I would not make about most of the rest of the Bush Administration’s national security team.

    As to the whys of his dismissal, I am also skeptical of the official “reason”. I always had the feeling that Brooks was pushing back on those inside DOD that wanted to move forward on new nuclear weapon designs. With the RRW now being called into question by the recent study on Pu aging, it seems his opponents may have blamed Brooks for the report’s findings and are now maneuvering to start new weapons work. A recent reshuffle in the reporting chain for nuclear efforts in the OSD Policy shop might allow this as the new office focuses on other matters at the senior level.

  8. xxx

    I’d like to offer up a theory and get some feedback from others. It goes like this: Firing Brooks is a step toward dismantling NNSA. For the Bush administration, NNSA has long been a headache. The NW side of NNSA tends not to be as enthusiastic about things like RRW as they “should” be. The nonproliferation side is populated by a bunch of NPT-loving liberals who think treaties are a good way to conduct international relations. Justifying the dismantlement of the nonproliferation side is easy: move Megaports to DHS; move safeguards to the office of Nuclear Energy under the auspices of GNEP; and delete the rest of the NA20 using the NRA view of nonproliferation: nuclear weapons aren’t the problem – bad actors are the problem.

  9. Amyfw (History)

    xxx – a comment on your theory. While it may be true that DOE’s goal is to bring the U.S. nuclear weapons enterprise back under DOE control (even though NNSA wasn’t really all that independent), I don’t think that applies to the nonproliferation side of the house. The DOE nonproliferation programs did not change much when they went from DOE to NNSA, and they are not focused on NPT-types of activities. They are focused on U.S. assistance to other nations in securing their materials or their borders. This is the Bush Admin’s theory of nation-by-nation non-proliferation in action. And I really don’t see the place being run by NPT-softies.

    But the nuclear weapons side, yes, I do see a power play. Also, it’s worth remembering that Congress created NNSA to give the weapons people some independence from DOE (the Nonpro stuff just went along for the ride). So, if this is a power play, don’t expect the new chairs of the relevant committees to sit quietly by.

  10. xxx

    Amyfw: to be clear, I don’t see the NA20 being run by “NPT-softies” either, but on the whole, NA20 is certainly more friendly to arms control, treaties and universally applied obligations than the Administration.

    WRT your comment that NA20 activities are predominantly (at least by funding levels) directed at securing materials: I agree. However, I’d point to the strong desire to be rid of the Russia/FSU work as soon as possible as another justification for eliminating the NNSA bureaucracy. The other work (GTRI, etc.) could easily be shed to DTRA or moved under DOE.

    My larger point is that a case can be made that NNSA is both irrelevant and antithetical to the Administration’s goals. Given the rather insubstantial role NNSA has played in the major proliferation challenges of the last few years, you don’t have to see eye-to-eye with the Bush administration to find credibility in the irrelevance argument.

    To be clear: I don’t support the dismantlement of NNSA. A strong, competent nonproliferation agency with access to substantial technical knowledge would be a good thing. At present, however, that is not what we have.

  11. Amyfw (History)

    xxx – I’m not sure I agree with your perception that someone (the Admin?) wants to be “rid of” the FSU nonproliferation work. That’s where most of the money is, and most of the materials are, and other programs, like GTRI, are really just press relations announcing the collection of other programs into a single heading. The Russia stuff is the core of the NNSA nonproliferation work, and likely to remain so for a while (we’re nowhere near done). I’ll agree that money has been shifting out of the FSU in recent years, but the shift is small relative to the whole (and we have a 10-year commitment to provide $1 billion per year to Russia, so I’m not sure where you see an interest in getting out of that business). Also, if DOE wanted to take the nonpro stuff out of NNSA, it could do so. NNSA was created by Congress to consolidate U.S. weapons work; the nonpro stuff just went along for the ride. It doesn’t have to stay there. Finally, I don’t think the folks at NNSA are committed arms controllers; they are committed cooperative nonproliferation people (which really isn’t the same thing as old-style arms control). They’re more into it than the Pentagon folks, but that’s because the labs took this on themselves in the early 1990s and really started drawing in some money after that. As in all things, money counts. If you get $600 million per year for a project, you’re going to like it a lot.