<DOC>
[107th Congress House Hearings]
[From the U.S. Government Printing Office via GPO Access]
[DOCID: f:85840.wais]
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpr.gov Phone: toll free (866) 512-1800; (202) 512ÿ091800
Fax: (202) 512ÿ092250 Mail: Stop SSOP, Washington, DC 20402ÿ090001
85-840 PDF
______
2003
COORDINATED INFORMATION SHARING AND HOMELAND SECURITY TECHNOLOGY
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TECHNOLOGY AND PROCUREMENT POLICY
of the
COMMITTEE ON
GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
JUNE 7, 2002
__________
Serial No. 107-182
__________
Printed for the use of the Committee on Government Reform
Available via the World Wide Web: http://www.gpo.gov/congress/house
http://www.house.gov/reform
COMMITTEE ON GOVERNMENT REFORM
DAN BURTON, Indiana, Chairman
BENJAMIN A. GILMAN, New York HENRY A. WAXMAN, California
CONSTANCE A. MORELLA, Maryland TOM LANTOS, California
CHRISTOPHER SHAYS, Connecticut MAJOR R. OWENS, New York
ILEANA ROS-LEHTINEN, Florida EDOLPHUS TOWNS, New York
JOHN M. McHUGH, New York PAUL E. KANJORSKI, Pennsylvania
STEPHEN HORN, California PATSY T. MINK, Hawaii
JOHN L. MICA, Florida CAROLYN B. MALONEY, New York
THOMAS M. DAVIS, Virginia ELEANOR HOLMES NORTON, Washington,
MARK E. SOUDER, Indiana DC
STEVEN C. LaTOURETTE, Ohio ELIJAH E. CUMMINGS, Maryland
BOB BARR, Georgia DENNIS J. KUCINICH, Ohio
DAN MILLER, Florida ROD R. BLAGOJEVICH, Illinois
DOUG OSE, California DANNY K. DAVIS, Illinois
RON LEWIS, Kentucky JOHN F. TIERNEY, Massachusetts
JO ANN DAVIS, Virginia JIM TURNER, Texas
TODD RUSSELL PLATTS, Pennsylvania THOMAS H. ALLEN, Maine
DAVE WELDON, Florida JANICE D. SCHAKOWSKY, Illinois
CHRIS CANNON, Utah WM. LACY CLAY, Missouri
ADAM H. PUTNAM, Florida DIANE E. WATSON, California
C.L. ``BUTCH'' OTTER, Idaho STEPHEN F. LYNCH, Massachusetts
EDWARD L. SCHROCK, Virginia ------
JOHN J. DUNCAN, Jr., Tennessee BERNARD SANDERS, Vermont
JOHN SULLIVAN, Oklahoma (Independent)
Kevin Binger, Staff Director
Daniel R. Moll, Deputy Staff Director
James C. Wilson, Chief Counsel
Robert A. Briggs, Chief Clerk
Phil Schiliro, Minority Staff Director
Subcommittee on Technology and Procurement Policy
THOMAS M. DAVIS, Virginia, Chairman
JO ANN DAVIS, Virginia JIM TURNER, Texas
STEPHEN HORN, California PAUL E. KANJORSKI, Pennsylvania
DOUG OSE, California PATSY T. MINK, Hawaii
EDWARD L. SCHROCK, Virginia
Ex Officio
DAN BURTON, Indiana HENRY A. WAXMAN, California
Melissa Wojciak, Staff Director
Victoria Proctor, Professional Staff Member
Teddy Kidd, Clerk
Mark Stephenson, Minority Professional Staff Member
C O N T E N T S
----------
Page
Hearing held on June 7, 2002..................................... 1
Statement of:
Harman, Hon. Jane, a Representative in Congress from the
State of California........................................ 85
Sugar, Ronald D., Ph.D., president and chief operating
officer, Northrop Grumman Corp.; Leonard Pomata, president,
Federal Group, webMethods, Inc.; S. Daniel Johnson,
executive vice president, public services, KPMG Consulting,
Inc.; and Kevin J. Fitzgerald, senior vice president,
government, education & healthcare, Oracle Corp............ 100
Yim, Randall, Managing Director, National Preparedness Team,
General Accounting Office; Mark Forman, Associate Director,
Information Technology and E-Government, Office of
Management and Budget; Robert J. Jordan, Director,
Information Sharing Task Force, Federal Bureau of
Investigation; George H. Bohlinger III, Executive Associate
Commissioner for Management, Immigration and Naturalization
Service; and William F. Raub, Ph.D., Deputy Director,
Office of Public Health Preparedness, Department of Health
and Human Services......................................... 11
Letters, statements, etc., submitted for the record by:
Bohlinger, George H., III, Executive Associate Commissioner
for Management, Immigration and Naturalization Service,
prepared statement of...................................... 51
Davis, Hon. Thomas M., a Representative in Congress from the
State of Virginia:
Briefing memo............................................ 135
Prepared statement of.................................... 4
Fitzgerald, Kevin J., senior vice president, government,
education & healthcare, Oracle Corp., prepared statement of 109
Forman, Mark, Associate Director, Information Technology and
E-Government, Office of Management and Budget, prepared
statement of............................................... 41
Harman, Hon. Jane, a Representative in Congress from the
State of California, prepared statement of................. 88
Horn, Hon. Stephen, a Representative in Congress from the
State of California, prepared statement of................. 8
Johnson, S. Daniel, executive vice president, public
services, KPMG Consulting, Inc., prepared statement of..... 115
Jordan, Robert J., Director, Information Sharing Task Force,
Federal Bureau of Investigation, prepared statement of..... 75
Pomata, Leonard, president, Federal Group, webMethods, Inc.,
prepared statement of...................................... 124
Raub, William F., Ph.D., Deputy Director, Office of Public
Health Preparedness, Department of Health and Human
Services, prepared statement of............................ 61
Sugar, Ronald D., Ph.D., president and chief operating
officer, Northrop Grumman Corp., prepared statement of..... 103
Yim, Randall, Managing Director, National Preparedness Team,
General Accounting Office, prepared statement of........... 14
COORDINATED INFORMATION SHARING AND HOMELAND SECURITY TECHNOLOGY
----------
FRIDAY, JUNE 7, 2002
House of Representatives,
Subcommittee on Technology and Procurement Policy,
Committee on Government Reform,
Washington, DC.
The subcommittee met, pursuant to notice, at 10 a.m., in
room 2154, Rayburn House Office Building, Hon. Thomas M. Davis
(chairman of the subcommittee) presiding.
Present: Representatives Tom Davis of Virginia, Jo Ann
Davis of Virginia, Horn and Turner.
Also present: Representative Harman.
Staff present: Melissa Wojciak, staff director; George
Rogers, Uyen Dinh, and John Brosnan, counsels; Victoria
Proctor, professional staff member; Teddy Kidd, clerk; Todd
Greenwood and Nick Vaughan, interns; Mark Stephenson, minority
professional staff member; and Jean Gosa, minority assistant
clerk.
Mr. Tom Davis of Virginia. We have Members moving to take
their seats. We're going to start with Members' statements.
Good morning. I want to welcome everybody to today's
oversight hearing. After September 11th, there's been a sea
change in the mission of government. The first priority of the
Nation has become homeland security. To win this fight, the
government must be able to detect and respond to terrorist
activity. We also must be ready to manage the crisis and
consequences of future attacks, to treat casualties, and to
protect the functioning of critical infrastructures. Thus,
defending America in the new war against terrorism will require
every level of government to work together with citizens and
the private sector.
More than ever our success is dependent upon collecting,
analyzing and appropriately sharing information that exists in
data bases, transactions and other data points. Effective use
of accurate information from divergent sources is critical to
our success in this fight. Indeed as the President said last
night in his speech to the Nation, ``Information must be fully
shared so we can follow every lead to find the one that may
prevent a tragedy.''
The President spoke with vision about our Nation's titanic
struggle against terrorism and the triumph of freedom over
fear. I applaud his leadership in asking the Congress to create
a Department of Homeland Security. I'll be working with our
colleagues to enact legislation to meet his call. I believe the
proposed Department of Homeland Security will greatly assist
information sharing by reorganizing the government along the
more rational strategic lines that will more efficiently pursue
homeland security. The new Department will be a customer of the
FBI and the CIA and will be able to analyze, diffuse and
disseminate information to Federal, State and local agencies,
the private sector and citizens.
However, integration of the information systems and
practices of the agencies to be consolidated into the new
Department will be a prime concern, as will the new
information-sharing relationships that will evolve between the
Department of Homeland Security, the FBI, the CIA and other
agencies.
I'm also heartened to see that the plan for the new
Department of Homeland Security includes flexible acquisition
policies to encourage innovation and rapid development of
critical technologies. This concept is at the core of H.R.
3832, the Services Acquisition Reform Act that I recently
introduced. I look forward to discussions with the
administration to further redefine the legislation and move
forward the new Department.
Today's hearing continues the subcommittee's oversight of
the barriers to robust information sharing, both within and
between agencies. In February of this year, we reviewed some of
the management initiatives and technology acquisitions needed
to ensure that stovepipes of knowledge and a lack of
coordination between agencies would not compromise homeland
security. While new funding for procurement of products and
services is certainly needed if the government is going to
effectively modernize, share information and win the war
against terrorism, we should also continually measure the
results of the government's efforts. When it comes to the war
on terrorism, Americans are not asking for more spending; they
are asking for more spending that works.
Unfortunately, as witnessed in the February hearing
revealed, there has not been an organized, cohesive and
comprehensive process within the government to evaluate private
sector solutions to the problems of information sharing and
homeland security. Many technology firms with expertise to
address homeland security matters have indicated that they are
having a hard time getting a real audience for their products.
Addressing the acquisition challenges to achieve homeland
security must be a priority so that we can begin to leverage
America's competitive advantage in IT innovation for the
benefit of all Americans. After the February hearing we
introduced legislation to facilitate private sector innovation
by establishing an interagency team of subject matter experts
to issue major announcements seeking unique and innovative
anti-terror solutions. These experts would also screen and
evaluate innovative proposals for industry and send them to the
proper Federal agencies for action. This legislation would also
launch a program offering monetary awards to companies with the
best and most cutting-edge terror-fighting solutions. In
addition, it would establish an acquisition pilot program to
encourage agency professionals to creatively use streamlined
authorities and waivers to buy commercial, off-the-shelf
solutions with immediate impact on homeland security.
In this hearing I look forward to hearing from the agencies
and leading companies represented for their insights into how
programmatic changes, management initiatives and technology
acquisitions can contribute to the better sharing of
information and the achievement of the homeland security
mission.
[The prepared statement of Hon. Thomas M. Davis follows:]
[GRAPHIC] [TIFF OMITTED] T5840.001
[GRAPHIC] [TIFF OMITTED] T5840.002
Mr. Tom Davis of Virginia. I now yield to my ranking
member, Mr. Turner from Texas, for his opening statement.
Mr. Turner. Thank you, Mr. Chairman. I appreciate the good
timing of the hearing that you called this morning, and I join
with you in commending the President on his initiative to
create a new Cabinet-level position for homeland security. As
you know, there has been legislation pending in the Congress
which I have supported to accomplish that, and I think that the
President's initiative will be well received, and I look
forward to the work that our committee will have the
opportunity to do in refining that proposal.
We all know that the attacks of September 11th have created
the greatest challenge our Nation has faced in its history, and
the sophistication and fanaticism of al Qaeda and similar
organizations no doubt represent a challenge that all of us
must work together to address.
I appreciate all of our government agency witnesses here
today, as well as the private sector witnesses who have come.
One of the common complaints that I've heard from the private
sector business folks during the last few months is that they
go to the Office of Homeland Security, and they present their
ideas and offer up various proposals, and yet they never hear
anything, and obviously part of that problem exists because of
the lack of authority in the Office of Homeland Security. The
President's reorganization effort will, I think, resolve that,
and we will be on our way toward utilizing the best that the
private sector has to offer in the war on terrorism.
I think the American people have been quite tolerant and
forgiving of the intelligence failures that led to the tragic
events of September 11th, but I have no doubt that we will be
all held accountable in the event of another similar event. And
so it is up to us to put our shoulder to the wheel, both in the
government sector, as well as to bring in the best assistance
we can find from the business community to be vigilant,
prepared and to address the threats that we face.
Responding to the challenge requires, I think, new
thinking, thinking out of the box, new methods, new
technologies. All of this can be provided if we build a good,
strong working relationship with the powerful forces of the
private sector in this country, and I look forward to working
with the chairman to accomplish that. And, again, I thank our
witnesses for being here today.
Thank you, Mr. Chairman.
Mr. Tom Davis of Virginia. Thank you, Mr. Turner.
Mrs. Davis, any statement?
Mr. Horn.
The gentleman from California is recognized.
Mr. Horn. Thank you, Mr. Chairman.
This is a very important hearing. My Subcommittee on
Government Efficiency, Financial Management and
Intergovernmental Relations has been holding a series of field
hearings on how effectively the Federal Government is helping
State and local agencies prepare for another terrorist attack.
We started in Nashville, and we've done a few more: Phoenix,
Albuquerque, Los Angeles, San Francisco. Witnesses from local
agencies in each of these cities have said that intelligence
sharing and their ability to communicate with other local and
Federal agencies are among the very leading concerns. These are
the men and women who will be on the front lines should another
attack occur.
We must do everything possible to ensure that they're
equipped with the best information possible so that they can
effectively and efficiently protect and serve the American
people, and I would like to, Mr. Chairman, put in the record a
letter that Mr. Shays and myself sent to Mr. Sensenbrenner, the
chairman of the Committee on the Judiciary, with the bill we
put in, H.R. 3483, the Intergovernmental Law Enforcement
Information Sharing Act of 2001. Mr. Burton is very supportive
of this, and Mr. Shays and myself, Ms. Schakowsky, Mrs.
Maloney, so forth, and if I might put that in and----
Mr. Tom Davis of Virginia. Without objection, it will be
put in the record.
[The prepared statement of Hon. Stephen Horn follows:]
[GRAPHIC] [TIFF OMITTED] T5840.003
[GRAPHIC] [TIFF OMITTED] T5840.004
[GRAPHIC] [TIFF OMITTED] T5840.005
Mr. Horn. Because whatever you'd like to put on language,
we don't have a big ego about this, we just want to get the job
done.
Mr. Tom Davis of Virginia. Well, thank you very much, Mr.
Horn.
The subcommittee is now going to hear testimony from our
first panel. We have Mr. Randall Yim, the Managing Director of
the National Preparedness Team at GAO; Mr. Mark Forman, a
frequent contributor to this subcommittee's work, the Associate
Director of Information Technology and E-government at OMB;
George Bohlinger, the Executive Associate Commissioner for
Management at INS; Dr. William Raub, the Deputy Director,
Office of Public Health Preparedness at HHS; and Mr. Robert
Jordan, the Director of the Information Sharing Task Force at
the FBI. I appreciate everyone being here.
It's the policy of this subcommittee that all witnesses be
sworn, so if you would stand with me and raise your right
hands.
[Witnesses sworn.]
Mr. Tom Davis of Virginia. Thank you very much.
Mr. Yim, why don't we start with you and move straight down
the line. Your total testimony is going to be--is a part of the
record, so it's in the record. What I'd like you to do is try
to use 5 minutes to hit your key points. There's a light in
front of you. When it turns orange, you have a minute to try to
hit your 5 minutes and try to keep it moving along. Most of the
Members have read the total testimony, so our questions are
kind of ready, but we'd like you to hold it to 5 minutes.
Mr. Yim, thank you for being with us.
STATEMENTS OF RANDALL YIM, MANAGING DIRECTOR, NATIONAL
PREPAREDNESS TEAM, GENERAL ACCOUNTING OFFICE; MARK FORMAN,
ASSOCIATE DIRECTOR, INFORMATION TECHNOLOGY AND E-GOVERNMENT,
OFFICE OF MANAGEMENT AND BUDGET; ROBERT J. JORDAN, DIRECTOR,
INFORMATION SHARING TASK FORCE, FEDERAL BUREAU OF
INVESTIGATION; GEORGE H. BOHLINGER III, EXECUTIVE ASSOCIATE
COMMISSIONER FOR MANAGEMENT, IMMIGRATION AND NATURALIZATION
SERVICE; AND WILLIAM F. RAUB, Ph.D., DEPUTY DIRECTOR, OFFICE OF
PUBLIC HEALTH PREPAREDNESS, DEPARTMENT OF HEALTH AND HUMAN
SERVICES
Mr. Yim. Thank you very much, Mr. Chairman and members of
this committee. Thank you for inviting me to share information
with you about the critical need for information sharing, and
integration of new and existing technologies, and to an
effective strategy for homeland security.
Although there are many players in this complex arena of
homeland security, we all share the same goal, to make our
great Nation more secure against terrorists and to prevent
tragedies such as September 11th from ever occurring again.
This will be a formidable task, since it will be very difficult
to stop an enemy that is fluid, less structured and
deliberately tries to blend into the background with our
Federal, State and local governmental institutions that are
more highly structured and less agile, making it all the more
important that our governments adopt the innovative and
creative tools of government that are flexible and have
adaptable characteristics.
We could never be 100 percent secure or 100 percent
prepared, but we can be better prepared. Everyone cannot do
everything, and everyone cannot and should not do the same
things. Instead we must augment, foster, develop and maintain
what particular governments do best, what the private sector
and local communities do best and integrate these efforts
through our national strategy.
To fashion such a strategy, we'll need to identify those
key enablers to the creation and implementation of the
strategy. Clearly better information sharing and IT
architectures are one of the most critical enablers, and
expanding and adapting our sizable advantages in technology and
research and development, using our positive asymmetries
effectively against the asymmetric threats posed by terrorists
will be a key enabler. We must overcome roadblocks that have
been identified, such as protection of proprietary and
sensitive information, including information that may adversely
affect business value and financing, legal barriers such as
antitrust and liability concerns, jurisdictional and turf
issues such as those being highlighted in the current
exploration of stovepiping in intelligence and law enforcement
communities, and format and architecture mismatches to prevent
sharing and interconnectivety even when people want to share.
And we will need to identify an investment strategy that
maximizes the use of our finite human and fiscal capital
resources so our strategy is both affordable and sustainable,
and we need to begin now since our threats are now. This means
we cannot, unfortunately, wait to and only design new
architectures from scratch, but we must assess what we
currently have; assess what others have done and what they are
doing when facing problems that share characteristics with our
fight against terrorism; determine how we can adapt and refine
existing or analogous mechanisms; and also consider good old-
fashioned low-tech and common-sense solutions and solutions
that rely on the smarts of our citizens and government leaders.
And finally, we have to acknowledge that any national strategy
lacking measurable objectives, measurable performance
indicators and accountability mechanisms will not be
sustainable.
There is no doubt that there is more than one way to
accomplish these goals. The GAO has focused upon the factors
relevant to the decisionmaking process and some of the emerging
and best practices that may be adaptable to the homeland
security mission. It is important not only to do things right,
but also to do the right things. This means we have to get the
right information to the right people at the right times, and
we also have to do the right things with that information. So
we will need an integrating strategy that makes sense of the
information that separates the relevant few from the general
noise, that helps us to find the relevant needles in the
haystack that spur us to take further action to prevent,
interdict and respond to terrorists; and we have to do this in
ways that are already familiar to State and local and private
sector first responders so that we don't start from scratch,
and consider adaptive use of programs that are already
integrated into State and local and private sector response
mechanisms, that complement rather than become additional
burdens, because we all know that we are asking these people to
undertake significant homeland security tasks in addition to
their other duties and responsibilities, all with finite human
and fiscal resources.
Some good examples of effective use of information in new
technologies exist, and more are beginning to emerge. We've
illustrated some of these for you in the one-page handout that
we've distributed for you today. For example, computer
intrusion detection systems constantly try to monitor
deviations from, ``normal background,'' to detect potential
threats.
The same know-how can be applied to airline data bases,
energy supply and infrastructure monitoring systems, cargo
container tracking or manifest systems, all to try to detect
anomalies from a, ``background that may be an indicator to spur
further action.''
Increasing use of digitized information, the power of
digitization, integrating satellite-derived digital imagery
with digitized maps of critical infrastructure and computer
modeling to provide gaming simulations to guide preparedness or
predict attacks or identify vulnerabilities. These models could
even help us determine what types of data needs to be collected
now, not only once, but consistently over time, to develop
trends that would help us establish a background, and models
could also be used to perhaps assign responsibilities to
different jurisdictions or Federal agencies for detection and
prevention.
We will need not only, thus, to rely on new technologies,
such as advancements in biometrics and devices to detect
biological and radioactive agents in hidden locations, such as
within cargo containers, but also adaptive use of existing
technologies as well as common-sense and low-tech approaches.
Above all, we will need to foster and augment and stimulate
creative tools of government, combinations of high and low tech
in ways we might not have imagined. Who would have thought that
one of our most effective weapons in Afghanistan would have
been 21st-century airplanes and smart weaponry guided to their
targets by the cavalry on horseback?
Mr. Chairman, this concludes my statement, and GAO is
pleased to assist in whatever way we can.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Yim follows:]
[GRAPHIC] [TIFF OMITTED] T5840.006
[GRAPHIC] [TIFF OMITTED] T5840.007
[GRAPHIC] [TIFF OMITTED] T5840.008
[GRAPHIC] [TIFF OMITTED] T5840.009
[GRAPHIC] [TIFF OMITTED] T5840.010
[GRAPHIC] [TIFF OMITTED] T5840.011
[GRAPHIC] [TIFF OMITTED] T5840.012
[GRAPHIC] [TIFF OMITTED] T5840.013
[GRAPHIC] [TIFF OMITTED] T5840.014
[GRAPHIC] [TIFF OMITTED] T5840.015
[GRAPHIC] [TIFF OMITTED] T5840.016
[GRAPHIC] [TIFF OMITTED] T5840.017
[GRAPHIC] [TIFF OMITTED] T5840.018
[GRAPHIC] [TIFF OMITTED] T5840.019
[GRAPHIC] [TIFF OMITTED] T5840.020
[GRAPHIC] [TIFF OMITTED] T5840.021
[GRAPHIC] [TIFF OMITTED] T5840.022
[GRAPHIC] [TIFF OMITTED] T5840.023
[GRAPHIC] [TIFF OMITTED] T5840.024
[GRAPHIC] [TIFF OMITTED] T5840.025
[GRAPHIC] [TIFF OMITTED] T5840.026
[GRAPHIC] [TIFF OMITTED] T5840.027
[GRAPHIC] [TIFF OMITTED] T5840.028
[GRAPHIC] [TIFF OMITTED] T5840.029
[GRAPHIC] [TIFF OMITTED] T5840.030
Mr. Davis of Virginia. Mr. Forman, thanks for being here.
Mr. Forman. Good morning, Mr. Chairman, Congressman Turner
and members of the subcommittee. I thank you for your
leadership in holding hearings on information sharing and
knowledge management issues for Federal agencies in the wake of
the terrorism attacks. The President's announcement last night
demonstrates that the administration considers homeland
security to be a top priority. The enterprise architecture and
e-government initiatives I'll discuss today will assist in
accomplishing this mission.
As you know, many Federal agencies are engaged in homeland
security efforts that will require sharing information.
Associated with that are many IT projects that are overlapping
or redundant, when we need them to be integrated and unified.
For example, there are eight law enforcement case management
systems among our largest IT investments. To ensure investments
improve operational performance across agencies, the President
proposed in the fiscal year 2003 budget request the creation of
an information integration program office known in the budget
as the Homeland Security Information Technology and Evaluation
Program within the Department of Commerce's Critical
Infrastructure Assurance Office.
I'll discuss five key barriers that need to be addressed
for finding, tracking and responding to terrorist threats.
Creating the Information Integration Program Office is critical
to overcoming these barriers.
The first impediment concerns agency culture. Agency
cultures reflect long-standing roles and responsibilities.
Homeland security activities affect roles and responsibilities
that cut across jurisdictions of Federal, State and local
government organizations. Barriers associated with insular
agency cultures will be overcome by providing a sustained
level, high level of leadership and commitment, establishing an
interagency government structure and giving priority to cross-
agency work.
Second, citizens must trust the security and privacy of the
government. Achieving a secure homeland must be accomplished in
a manner that builds trust, preserves liberty and strengthens
our economy. Agencies are currently building strong controls
into both e-government and homeland security systems. OMB will
monitor agency security and privacy performance, as I've noted
in previous statements before this subcommittee.
Third, a major obstacle is a lack of funding for
initiatives that cross agency boundaries. Funding is provided
in a manner that matches long-standing departmental silos. We
are seeing this issue as we've tried to obtain funding for
cross-agency e-government initiatives and the Information
Integration Program Office. We have recommended approaches such
as greater Appropriations Committee attention to cross-agency
issues.
A fourth difficulty is stakeholder resistance. The Federal
Government is not structured for undertaking cross-agency
initiatives. These initiatives threaten traditional concepts of
accountability and responsibility. Stakeholder resistance will
be minimized by timing performance evaluations to cross-agency
success and having members of the President's Management
Council work collectively on initiatives. The Information
Integration Program Office will also assist in this regard.
Fifth and finally, the lack of a Federal enterprise
architecture hampers efforts to communicate across business
lines. Agencies generally buy systems that address internal
needs, and rarely are those systems able to interoperate or
communicate with people in other agencies. A common integrated
business and technology architecture will help to organize
these systems and the information they contain in order to
retrieve, analyze and act upon information.
The Federal Government requires business processes that
allow for a comprehensive approach to prepare for, mitigate and
respond to terrorist activities. It's critical to have the
Information Integration Program Office design interagency
business and information architectures that will support this
interagency access to information.
OMB and the Office of Homeland Security are currently
defining a baseline of homeland security-related activities
that serve as components in the Federal business reference
model. The baseline lists those problems, constraints and gaps
within the government's information and data base and
recommends actions to address those gaps; additionally will
identify modular and reusable IT capabilities and ways to
configure it to support key homeland functions and the lines of
business.
As noted in the President's budget, e-government projects
have significant impact on homeland security efforts, and today
I'd like to discuss three of those projects.
Project SAFECOM will identify and implement solutions that
enable interoperability for public safety communication across
all levels of government. Additionally, the administration's
Geospatial One-Stop will build a distributed infrastructure
that enables use of seamless, standardized geographic and
geospatial data. Third, the administration's disaster
management e-government initiative will be the authoritative
one-stop shop for end-to-end information and services related
to Federal disaster management activities.
Improving our interoperability with State and local
partners is a key piece of the President's management agenda
for e-government and for homeland security.
In conclusion, the administration is focused on
identifying, locating and establishing mechanisms to share
across government the information required to protect the
Nation's border and to prepare for, mitigate and respond to
terrorist activities. The President's budget noted that we need
to focus these efforts on two measures of success: First,
accelerating response time, and second, improving
decisionmaking quality.
I appreciate the opportunity to brief you today on how we
are integrating the work and results of homeland security
enterprise architecture and e-government initiatives.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Forman follows:]
[GRAPHIC] [TIFF OMITTED] T5840.031
[GRAPHIC] [TIFF OMITTED] T5840.032
[GRAPHIC] [TIFF OMITTED] T5840.033
[GRAPHIC] [TIFF OMITTED] T5840.034
[GRAPHIC] [TIFF OMITTED] T5840.035
[GRAPHIC] [TIFF OMITTED] T5840.036
[GRAPHIC] [TIFF OMITTED] T5840.037
[GRAPHIC] [TIFF OMITTED] T5840.038
Mr. Tom Davis of Virginia. Mr. Bohlinger.
Mr. Bohlinger. Morning, Mr. Chairman and members of the
committee. I appreciate the opportunity to participate in your
continuing review of information sharing and knowledge
management between and among Federal agencies in the war
against terrorism.
Since September 11th, we at the Immigration and
Naturalization Service have seen the unprecedented sharing of
data and knowledge among Federal agencies. Under the direction
and leadership of the Attorney General, all components of the
Department of Justice have stepped up efforts to coordinate
information and improve data sharing in the common effort to
prevent terrorism and disrupt its sources.
The INS is clearly one of the core agencies that requires
enhanced information-sharing capabilities. Just as we need to
tap into additional external sources of data to support our
enforcement and intelligence functions, so can the data we
collect be crucial to other law enforcement and intelligence
communities. Consequently, we are deeply involved in efforts to
overcome the barriers to the appropriate and secure exchange of
data and, just as importantly, the conversion of data to useful
information that supports clear operational objectives.
The INS has worked on important data-sharing initiatives in
both the pre- and post-September 11th periods. As early as
1985, INS was sharing vital information with the U.S. Customs
Service. Other data-sharing programs have been under way for
some time with the Department of State, the U.S. Marshals
Service, the FBI and the Social Security Administration. INS
also assists State and local law enforcement through its Law
Enforcement Support Center.
We also verify immigration status for State and local
benefit-granting agencies, some employers and some State
driver's license bureaus. However, in all of these data-sharing
initiatives, we have to be sensitive to established regulatory,
statutory and policy constraints in the routine and customary
use of information by other agencies. While making information
available to other entities, security, privacy considerations
and appropriate user access are primary considerations.
The management principle guiding INS's approach to
development of information systems is to build a sound
strategic foundation. INS has established important mechanisms
to address this principle internally. Our initial contribution
to a governmentwide effort is to assure that our own
information environment is sound and interoperable. Our formal
enterprise architecture and technical architectures are nearing
completion. Additionally, our information technology investment
management process ensures that IT investments are spent wisely
and coordinated among INS components. In doing so, we are
mindful of the relationships that we must support with our
technical enhancements while integrating our business
objectives and developing technical solutions.
The development and prioritization of clear and integrated
Federal law enforcement in intelligence mission requirements is
an undertaking that must be completed quickly. Only when these
are clearly articulated can industry assist us meaningfully in
applying the best technical solutions.
Some of the most compelling progress that I have seen in
recent months has been the formalization of the planning and
management processes that must occur if the wide array of
Federal, State, local and private entities are to achieve the
level of information sharing that we all desire. This will
ensure that we first define what our operational objectives
should be, identify the data and data sources needed to support
those objectives, and then apply the appropriate technological
solutions to deliver that information. This leads to the
crucial task of examining the barriers that may inhibit or
otherwise thwart full partnership between public and private
sectors in coming together in the war against terrorism.
Barriers come in two forms, human and technological, and
they manifest themselves three ways, through cultural,
organizational or resource approaches. Like many of my
colleagues, I have met with representatives from the private
sector who have proffered technologically based products and
solutions to any number of counterterrorism-driven prevention,
detection and mitigation scenarios. Their sincerity and
commitment are of the highest order. Unfortunately, in many
instances, they perceive the Federal Government as an
unresponsive bureaucracy. Some have suggested that the Federal
procurement process may be to blame. However, I believe it
would be a mistake to look at the procurement process as the
sole culprit. If clear requirements can be formulated, many
procurement alternatives are available that can fulfill our
needs while ensuring broad participation by industry.
Without well-defined requirements, even the best solutions
stand little chance of effective and timely application.
Encouraging the private sector to participate in problem
solution through the request for information as well as other
processes prior to the initiation of a formal procurement makes
good sense. This will preserve a fair and open procurement
process enabling the government to make best use of America's
technological superiority and the creative problem-solving
resources in the private sector.
In summary, we in the Federal Government must establish and
employ standards for information sharing between and amongst
ourselves and further fully define our mission requirements or
needs. Then we can take advantage of the wealth of existing
technology solutions that currently exist within Federal
agencies and corporations. This will enable us to develop
solutions that better balance our openness to new ideas with
applications that directly address our needs.
Thank you, Mr. Chairman, for this opportunity, and I
appreciate the opportunity to appear with you--before you and
the committee.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Bohlinger follows:]
[GRAPHIC] [TIFF OMITTED] T5840.039
[GRAPHIC] [TIFF OMITTED] T5840.040
[GRAPHIC] [TIFF OMITTED] T5840.041
[GRAPHIC] [TIFF OMITTED] T5840.042
[GRAPHIC] [TIFF OMITTED] T5840.043
[GRAPHIC] [TIFF OMITTED] T5840.044
[GRAPHIC] [TIFF OMITTED] T5840.045
[GRAPHIC] [TIFF OMITTED] T5840.046
Mr. Tom Davis of Virginia. Dr. Raub.
Mr. Raub. Morning, Mr. Chairman, Mr. Turner, members of the
committee. I appreciate the opportunity to represent the
Department----
Mr. Tom Davis of Virginia. Push your button there.
Mr. Raub. I appreciate the opportunity to represent the
Department of Health and Human Services and describe our
activities related to the theme of the hearing this morning.
With your permission, Mr. Chairman, I'll submit my prepared
statement for the record and make only a few comments now.
First has to do with the item on our perception of barriers to
achieving homeland security.
With respect to bioterrorism and other aspects of public
health emergencies, we believe we face formidable problems, but
that none of them are intrinsically insurmountable. We don't
believe that we can anticipate every threat scenario, but we do
believe that with a strong, sustained and closely coordinated
effort among public health, medical, scientific and
technological communities, we can develop the basic
capabilities we need to respond effectively.
On pages 3 and 4 of my prepared statement, I summarize five
fundamental functions that a local community must be able to do
if it is able to respond effectively to bioterrorism or some
other public health emergency. All five of those functions
currently are doable with current knowledge and current
technology. Doing any one of them is hard. Doing all five is
very hard. Doing all five in every community in the country is
daunting. But that's, in fact, what we're attempting to do.
We have a vigorous effort under way and our State and our
local partners are responding enthusiastically to this. The
President and the Congress for this fiscal year have provided
more than $1 billion for this purpose, and we have moved very
quickly to mobilize it. Moreover, the President is requesting
more than $1.5 billion for the similar purpose in fiscal year
2003. We have in place cooperative agreements with every State
and other eligible entities. We are well along with them in
their work plans for use of these funds. These plans focus on
particular targets, things we call critical benchmarks and
critical capacities, and the watchwords for all of this are
speed, flexibility and accountability; speed in getting the
money out, flexibility in giving the State and others
considerable discretion in how they address the benchmarks
we've set out, but also accountability, because at the end of
the day, unless we have measurable milestones and objective
evidence of enhanced preparedness, we will not have met the
charge of the President and the Congress.
My second area of comment has to do with information
technology and its applications in that in every one of those
five fundamental functions and many other aspects of public
health, information technology is absolutely central to public
health preparedness. I'm talking about electronic
communications, computer-manipulable data bases and about
statistical and analytical software. The information technology
community has presented us with a wealth of tools and, in fact,
is way ahead of our ability to apply them right now.
In some States in this Nation, the public health
capabilities are already linked by high-speed Internet
connections with substantial computer systems supporting them.
In other public health departments in our Nation, there are no
computers. There are no Internet connections. There are rotary
telephones, and case reports arrive by postcard. We have a
substantial effort in front of us to reduce the variance in
this.
Our immediate challenge is to choose judicially amongst the
information technology options available to us as a community
with respect to the effectiveness for our immediate and longer-
term purposes, the efficiency and the economy with which we can
deploy them, and, most of all, achieving the interoperability.
Unless these systems link at every level from the fundamental
connections to the operating systems, to the applications
programs, we will fail in achieving the kind of true public
health system we must achieve.
Our Centers for Disease Control and Prevention has
promulgated a set of information technology standards. It's
been adopted by our other agencies and is being used in our
efforts with not only State and local health departments, but
also hospitals throughout the United States.
As this effort evolves with our State and local partners,
we look forward to our and their collaborations with the
information technology industry as we can catch up and make
more effective use of what's available and as they proceed to
offer us a still richer array of capabilities for us.
Thank you, Mr. Chairman.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Raub follows:]
[GRAPHIC] [TIFF OMITTED] T5840.047
[GRAPHIC] [TIFF OMITTED] T5840.048
[GRAPHIC] [TIFF OMITTED] T5840.049
[GRAPHIC] [TIFF OMITTED] T5840.050
[GRAPHIC] [TIFF OMITTED] T5840.051
[GRAPHIC] [TIFF OMITTED] T5840.052
[GRAPHIC] [TIFF OMITTED] T5840.053
[GRAPHIC] [TIFF OMITTED] T5840.054
[GRAPHIC] [TIFF OMITTED] T5840.055
[GRAPHIC] [TIFF OMITTED] T5840.056
[GRAPHIC] [TIFF OMITTED] T5840.057
[GRAPHIC] [TIFF OMITTED] T5840.058
Mr. Tom Davis of Virginia. Mr. Jordan.
Mr. Jordan. Good morning, Mr. Chairman and members of the
subcommittee. My name is Bob Jordan, and I serve as the head of
the FBI's Information Sharing Task Force. I welcome this
opportunity to meet with you today about the status of the
FBI's information-sharing initiatives within the Bureau and
with other government agencies for homeland defense purposes.
The FBI is an organization in change. Not only are we
structurally different, but in very fundamental ways Director
Mueller has revamped our approaches to counterterrorism and
prevention. Since September 11th, we have seen massive shifts
in our resource deployments. Our missions and priorities are
being redefined to better reflect the post September 11th
realities. As an agency we are committed to devoting whatever
resources are necessary to meet our prevention mission and
continue to sustain a dramatically enhanced worldwide
counterterrorism effort. A substantial component of this
approach is information sharing not only at the Federal level,
but also within the entire law enforcement and intelligence
communities. Over the last several years, much has improved,
but this seemingly simple issue is actually a complex myriad of
technology, legal policy and cultural issues.
Since the tragic events of September 11th, this single
issue critical to public safety is receiving the sustained
high-level attention necessary to ensure that everything that
can be done is being done. In that regard, I'm happy to say
that the spirit of collaboration and willingness to exchange
data has never been stronger or more pronounced than it is
today. Many of the legal and policy impediments that kept us
from more fully exchanging information in the past have been or
are now being changed.
The Patriot Act has greatly improved our ability to
exchange data within the Intelligence Community and across law
enforcement. In addition, the Attorney General's recent
directive to increase coordination and sharing of information
between DOJ, FBI, INS, Marshals Service and the Foreign
Terrorist Tracking Task Force on terrorist matters and to
establish secure means of working with State and local
officials are major milestones in improving our information-
sharing and collaboration efforts.
Equally important, the difficult technology challenges we
all face are on top of everyone's list. This is especially so
at the FBI. Under Director Mueller's leadership, the FBI on
every front is hard at work carrying out the Attorney General's
information-sharing directive.
Within the FBI, Director Mueller has taken on the challenge
of improving information sharing and has directed FBI executive
management to develop every means necessary to share as much
information as possible with other agencies, as well as State
and local law enforcement. Years of experience have
demonstrated that joint terrorism task forces, JTTFs, have
proven to be one of the most effective methods of unifying
Federal, State and local law enforcement efforts to prevent and
investigate terrorist activity. There are currently 47 JTTFs.
We are working expeditiously to establish JTTFs in each of our
56 field offices. As recently as 1996, there were only 11 of
these task forces.
The creation of JTTFs this year is resulting in an expanded
level of interaction and cooperation between the FBI and our
Federal, State and local counterparts. Among the full-time
participants in JTTFs are INS, Marshals Service, Secret
Service, the FAA, Customs, ATF, State Department, Postal
Inspection, IRS, Department of Defense and U.S. Park Police.
State and local agencies are heavily represented. Information
is also being shared with the Transportation Security
Administration and the U.S. Coast Guard.
The FBI has a long tradition of exchanging unclassified
information with Federal, State and local law enforcement
agencies on warrants, fingerprints, forensic information and
watch lists. The last few years have seen dramatic increases in
the exchange of specific case-related information, due in large
part to the proliferation of JTTFs. Now we are improving our
sharing of classified information again through such mechanisms
as the JTTFs.
Director Mueller has undertaken several initiatives that
directly enhance the FBI's information-sharing capacities. All
of these efforts are designed around the recognition that post-
September 11th, the FBI has adopted both a new focus and
priorities that recognize that a substantial investment is
being made in prevention. A few examples include Director
Mueller has named Lewis Kay, who is currently chief of the High
Point, North Carolina, Police, to be the FBI's Assistant
Director for Law Enforcement Coordination. Our Office of
Intelligence is now part of the FBI's organizational structure.
The FBI has undertaken major recruiting and hiring initiatives
to bring into the FBI private sector IT experts who can greatly
assist our sizable IT projects. We have a new Records
Management Division that has been established, and the FBI is
detailing personnel to other agencies and vice versa to ensure
that information is shared and understood within our agencies.
These efforts are particularly critical to programs like our
National Infrastructure Protection Center, the Counterterrorism
Center at CIA and others.
Information security is a significant issue in these
initiatives. We must balance our desire to share information as
freely as possible with the need for the security of
information.
I'm going to go to the last part of my comments here. The
FBI's future ability to deter and prevent crimes requires the
use of current and relevant IT. We have several critical
initiatives under way to upgrade the FBI's IT infrastructure
and investigative applications. Funding for these programs is
essential to provide our investigators and analysts with IT
resources and tools.
That concludes my prepared remarks, Mr. Chairman. I'll be
happy to answer any questions.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Jordan follows:]
[GRAPHIC] [TIFF OMITTED] T5840.059
[GRAPHIC] [TIFF OMITTED] T5840.060
[GRAPHIC] [TIFF OMITTED] T5840.061
[GRAPHIC] [TIFF OMITTED] T5840.062
[GRAPHIC] [TIFF OMITTED] T5840.063
[GRAPHIC] [TIFF OMITTED] T5840.064
[GRAPHIC] [TIFF OMITTED] T5840.065
[GRAPHIC] [TIFF OMITTED] T5840.066
[GRAPHIC] [TIFF OMITTED] T5840.067
[GRAPHIC] [TIFF OMITTED] T5840.068
Mr. Tom Davis of Virginia. The subcommittee is pleased to
have Representative Jane Harman from California sit in with us
today, and I would ask unanimous consent to allow her to give a
statement and participate in a hearing.
Hearing no objection, the gentlelady from California is
recognized.
STATEMENT OF HON. JANE HARMAN, A REPRESENTATIVE IN CONGRESS
FROM THE STATE OF CALIFORNIA
Ms. Harman. Thank you, Mr. Chairman, and Mr. Turner and
members of the subcommittee. I'm delighted to be here, and I
want to commend you on your perfect timing. So far as I can
tell, this is the first hearing on a critical piece of the
homeland security subject to be held following the President's
dramatic, bold and courageous announcement of last night. Good
work.
Mr. Tom Davis of Virginia. Thank you. We saw it coming.
Ms. Harman. I also want to say about you, Mr. Chairman,
that we go way back. You know, the Smith-Amherst Axis is pretty
powerful, but also we represent communities that have some of
the fastest growing tech communities on the planet. In my case,
my district in southern California has a very large aerospace
base. I know yours does, too, but I think mine is bigger. No
competition here. It's diversified, and a lot of the aerospace
companies--in fact, we're going to hear from one later--have
large IT businesses.
I would like to, if you don't mind, welcome one of my
constituents who will testify on your second panel, Ron Sugar,
who is the president and chief executive officer of a tiny
little firm called Northrop Grumman, and that is an example of
the diversification that I'm talking about.
I just wanted to make a few points. First, I am late and I
apologize, because I was one of 10 Members of the House and
Senate who was at the White House meeting with the President
and Governor Ridge today to talk about next steps in the turf
and other battles related to unfolding this new Department of
Homeland Security. I thought it was a very constructive
meeting, and I think that this topic that you are exploring
today is absolutely central to an effective homeland security
effort, and the effort to put more functions into one
department is related, does have a relationship to the need to
improve information sharing.
It's not that it's a magic answer. It's not that all the
information sharing we need will happen inside the borders of
the Department of Homeland Security. Obviously other
departments are represented here, and they need to share, too.
But it is that this is a critical piece of the reason why we
need to do this Department of Homeland Security.
Let me just touch on three issues, and I'll just summarize
my testimony. First is procurement. As I mentioned, I represent
a huge IT base in the South Bay of Los Angeles. Lots of the
firms there, both aerospace and nonaerospace, have developed
critical technologies that we need for a successful homeland
security effort, and they don't really know how to access the
Federal Government, how to learn about what's needed, and how
to conform whatever products they make and services they render
to what's needed. And we have tried hard to find places in the
Federal Government that should be the right places to access,
like the Technical Support Working Group, TSWG, at DOD, and
that effort, for example, has a very capable leader, John
Reingrubber, who came to Los Angeles to meet with members of
these firms. But his group has been overwhelmed by requests,
and there's no possible way that one place in the Defense
Department can handle all of the needs.
I want to commend you for H.R. 4629, of which I am a
cosponsor, and I know that legislation would create a body
responsible for receiving and routing technology proposals to
the right government agencies. I think that's a good start. I
think we need that regardless of the need to create the
Department of Homeland Security. But as you know, none of this
is easy. The new organization would have many bureaucratic
challenges, need to recruit staff and so forth. Nonetheless, I
think it is an important thing that we consider your
legislation, and I strongly support it.
The second issue is data integration. I think, again, both
the government and private witnesses understand this. Example:
The Intelligence Community needs to be able to access
information in any agency and to search multiple data bases for
common themes. Looking backward in hindsight is always better.
Wouldn't it have been great if we could punch in ``flight
training'' and ``Moussaoui,'' just two random ideas, and have
multiple hits in FBI reports, the CIA watch list, FAA rosters?
When you talk about connecting the dots, you talk about
data integration, and we need work on our data integration
processes, and in that regard I think this new analytical
capability that the President is proposing for the Office of
Homeland Security is a terrific idea. Even this morning the
press was asking about, well, what about the CIA and the FBI
and all of the other agencies? Isn't this duplication? Or
shouldn't they be pulled into all of this? And my answer is,
yes and no. Yes, it's duplication. Another set of eyes, an
analytical capability focused on homeland security to make sure
that we do connect the dots and that our threat condition
warnings are as accurate and informational as possible is a
great idea. The no is that, no, we don't need to move the FBI
and the CIA someplace else. They have important functions which
they should still continue to perform. But at any rate, data
integration is a big deal.
Final comment is on public-private partnerships, and,
again, Mr. Chairman, I want to commend you and Mr. Turner and
the others for all of the work that you do. It was true
sometime back that we had and could afford separate industrial
bases, a defense industrial base and a commercial industrial
base. We invested huge amounts of money in government R&D. A
lot of the most critical technologies that we employ across the
board now, like GPS, were invented by the government, and with
all affection for Al Gore, the Internet was invented by the
government. But nonetheless, it is now true that we can no
longer afford separate industrial bases. We need one industrial
base with both commercial and government application, and most
of that base does presently reside and should reside in the
private sector, and that is why it is so critically important
that we leverage private sector technologies for government
uses.
In many cases the government can serve as an information
clearinghouse, sharing best practices and reports. The Cyber
Security Information Act, H.R. 2435, is a good example of this.
But it is also true that the government has to find better
mechanisms to leverage technologies. The future of homeland
security will depend on whether we do this well, and I have no
doubt that our second panel will talk about how best to do
that.
I just want to commend you one more time, and it's the last
time I'm planning to flatter you this week, no matter what, for
your enormous leadership and your partnership on a bipartisan
basis with those of us in this House who have focused on this
issue for a long time. I think that this is the future, and I'm
very happy that you let me participate in your hearing. Thank
you.
Mr. Tom Davis of Virginia. Well, thank you, and you keep
talking that way, you can come to any of our hearings.
[The prepared statement of Hon. Jane Harmon follows:]
[GRAPHIC] [TIFF OMITTED] T5840.069
[GRAPHIC] [TIFF OMITTED] T5840.070
[GRAPHIC] [TIFF OMITTED] T5840.071
Mr. Tom Davis of Virginia. Thank you very much, Ms. Harman.
Let me just say your leadership on a number of these issues has
been very, very important to our coalition in the House, and
I'll continue to value your advice, expertise and leadership as
we move through this. So thank you very much for being here.
I'm going to start the questioning with Mrs. Davis. We'll
do 5 minutes around the first time. Then we'll move to Mr.
Turner and back and forth.
Mrs. Jo Ann Davis of Virginia. Thank you, Mr. Chairman, and
thank you, gentlemen, for being here to testify this morning.
Sort of in conjunction with what my colleague from
California said, I believe she stated that she has a lot of
private IT companies that don't know how to access what the
Federal Government needs, and in that regard are your agencies
or your departments, are they inundated with private sector
security technology proposals, No. 1? And two, do you believe
you have the staff qualified to sort out what would be useful
and what would not be useful? And do you have the procedures in
place to accomplish your goals? Any of you? Do you want to
start, Mr. Yim?
Mr. Yim. Yes. I think one of the concerns that the GAO has
is how will the variety of technical solutions be evaluated. I
think a lot of agencies would be deluged with proposals, and do
we have effective mechanisms to assess the viability efficacies
of that? The GAO has undertaken a pilot project working with
the National Academy of Sciences to evaluate, for example,
emerging biometric techniques. So even though we may not have
the expertise in-house, although we have substantial expertise
in-house, we wish to augment that with the significant
scientific base provided by the National Academy, and that is
one model I think that we could pursue.
Mr. Tom Davis of Virginia. Anyone else?
Mr. Forman. I'd like to speak a little bit about the
framework that was laid out in the Clinger-Cohen Act. I really
don't think the problem at this point is with the procurement
work force in terms of staffing requirements. I think the
problem, as was indicated, is in the requirements definition.
You know, the issue of how we bring technology in the
government has been going on for several decades and is--just
as the Congresswoman stated, a shift from the government being
at the leading edge of technology to being significantly behind
commercial industry technology led to several rounds of
legislation. Most of that legislation said we're trying to
choose technology through the procurement process, but we don't
have the requirements well enough defined to make any use of
the technology. So we tend to buy it as commercial best
practices, and we hear terms like ``governmentizing the
technology.'' If we risked that with some of this leading-edge
technology, we're not going to get the benefit out of it. We're
going to expend too much out of it.
So the issue is if we've got 50 proposals for different
aspects of security technology, can the government today become
the systems integrator? Do we want it to become a systems
integrator? Right now we don't have the talent, and we don't
have the technical skills. I know this has been a subject of
another hearing in another very fine piece of legislation from
this subcommittee. We have to focus on clearly understanding
our requirements, and we also, I think, have to focus on
getting good teamwork in industry.
You know, when a company goes out to buy security
technology, it's not quite the same as they announce that
they've been hit by some cybervandals, and then people start
showing up. They generally look for a security architecture, a
comprehensive solution approach. That's what we are trying to
do in the Federal Government as well, and I think that may be
tough to understand for a lot of industry, that the government
works not by being our own integrator oftentimes. So when they
come to--many companies that have just pieces of the technology
puzzle come to talk to us, they expect us to know how to
integrate it together and to buy the pieces. That's very
difficult right now for the Federal Government.
Mr. Bohlinger. I'd like to assure you that the three of us
did not get together before we were making these comments,
but--and not to sound like just reiterating----
Mrs. Jo Ann Davis of Virginia. It's OK.
Mr. Bohlinger. The issue is requirements. There's no
question about it. We are significantly engaged in meeting with
people from the private sector and have been going to their
forums, talking with them individually, meeting with the senior
people from these corporations, and there are many wonderful
ideas out there, but can you imagine ideas just being thrown
over the transom, all of which are good? How do you sort them
out?
And what I said in my testimony I think I'd like to
emphasize again is that we need to be able to tell the people
in the private sector exactly what our needs are and allow them
to----
Mrs. Jo Ann Davis of Virginia. Let me interrupt you there,
because my time is about running out. Where do you get what
your needs are? Who gives them to you? All three of you have
said requirements. Where do you get them from?
Mr. Forman. I--especially in this area of security, there
are two areas. One is in the Government Information Security
Reform Act requirements that were laid out. The baseline set of
best practices identified by the National Institute for
Standards and Technology gave us the ability to do a gap
analysis. It's a very comprehensive gap analysis. That's led to
a listing, a plan of actions and milestones, that in some
agencies are 2 or 3 inches thick, and those are the
requirements. So we're first year into the process, several
months into the process. We now--the requirements are there,
and we can make sense and go buy the technology.
Mr. Bohlinger. If I might just continue for a second on the
requirements issue, I think it's both on a macro and a micro
scale. On the macro scale, it's something that has also been
discussed here in talking about enterprise architectures.
Federal agencies must have robust and thoroughly vetted
enterprise architectures, and this is exactly how we are doing
our business. On the micro area of requirements, it's as you go
out with specific requests, and that might be a particular
system having to do with something that just is local, it may
be a nationwide system, but being able to clearly lay out in
the request for information--and I'm a great proponent of that,
of allowing corporations that come in and suggesting solutions
to well-defined requirements, then allow you to go out with
RFPs that people can apply their best technology to.
Mrs. Jo Ann Davis of Virginia. Mr. Chairman, can they all
have the time to answer?
Mr. Tom Davis of Virginia. Go ahead.
Mr. Raub. I can just comment briefly. With respect to
Health and Human Services, we won't claim perfection in our
interface with the private sector, but we believe we're doing
well and are getting better.
Secretary Thompson is taking two major structural steps
that have helped us along. One is the creation of the office I
represent, the Office of Public Health Preparedness, last
November. He's given us a focal point within the Secretary's
office for all $3 billion worth of it related to bioterrorism
across our 11 agencies in the Department. And representatives
of the technology community have not been bashful in seeking us
out, nor have we in our interactions with them, either for
activities of our own office or steering them to the Centers
for Disease Control and Prevention, the National Institutes of
Health, the drug administration or other elements of our
Department.
Even before that, last summer the Secretary created his
Council on Private Sector Initiatives. The idea was to bring
together a team of representatives from every agency in the
Department that would meet on a regular basis and be a one-stop
shop for members of the community to bring ideas that might
have some pertinence to programs of Health and Human Services.
This is not limited to terrorism. It's much more broadly
including the hospital sector. At a most recent meeting of that
team, no fewer than nine company representatives were present
describing their activities, how they might relate to Health
and Human Services, and seeking some requirements and general
guidance of how best to relate to the Department.
Mrs. Jo Ann Davis of Virginia. Thank you.
Mr. Jordan.
Mr. Jordan. As I mentioned in my direct testimony, the FBI
has begun to hire outside IT experts who are helping us sift
through the various suggestions made to us, and we are well
along in that process. And we have an established process for
interfacing with the private sector.
Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman.
Mr. Tom Davis of Virginia. Thank you very much.
Mr. Turner.
Mr. Turner. Thank you, Mr. Chairman.
Mr. Forman, talk to us a little bit about how far along we
are in developing the enter prise architecture that is
necessary for homeland security and how the new Homeland
Security Department or office will function with regard to the
work that, apparently, currently you are responsible for.
Mr. Forman. I can't at this point discuss any of the issues
related to the President's announcement last night. It is just
too early in the process. But as you point out, there are many
issues that need to be addressed. So let me go through what
issues you raise.
We are taking a two-tiered approach with respect to
homeland security that there very clearly has to be progress
made in homeland security lines of business, is the way we
refer to them. A line of business could be disaster management
preparedness. Within that, people have to make architecture
decisions. They have got to look at which agencies, which
organizations within those agencies have what roles and
responsibilities, and what performance results or outcomes
those organizations are supposed to achieve. Within that, there
is an awful lot of overlap, so we have to have some clear way
to identify those. We call those business functions.
And so you could have, for example, within disaster
management, emergency planning, and you would find out that
there are many bureaus involved in that planning. You would
also find out that there is a core business process, a way of
doing disaster planning that cuts across those department--
departments, and is probably replicated multiple times. They
probably have redundant information systems. And the
unfortunate thing about this is, when you pull in the focus of
this, the citizen voice, the customer, if you will, which tends
to be State and local emergency management officials, they have
told us consistently, it is too confusing to deal with all
these different activities, these different processes run by
these different entities of the Federal Government.
So identifying that, consolidate it, that's what I call
simplified business process. To interoperate with State and
local government requires pulling people together and
identifying, depicting, laying out the way we are going to work
together, and we call that process design or process
integration.
So, indeed, you have these in the multiple: homeland
security functions. Steve Cooper, who is doing terrific work as
essentially the CIO for the Office of Homeland Security, has
laid out a concept as referred to as Foundation Projects; and,
within those types of projects are essentially these kind of
more detailed architecture projects. At a high level, we are
making sure that all the different departments and agencies
that play in that line of business are working together with
him.
The actual work that needs to be done has to be done under
some cross-agency organization. We have laid that out as the
Information Integration Program Office, and we have requested
accelerating that fund--that funding into the supplemental, and
then that would be managed under the CIAO, the Critical
Infrastructure Assurance Office.
So, at the high level, my office is making sure we are
moving forward on the architecture, those business components
that we have measures of effectiveness.
At the next tier down this Information Integration Program
Office, working with the Office of Homeland Security, making
sure that people are coming together to actually lay that out
and go through the thought work, which can then define
requirements. That work is due to be completed at the end of
this fiscal year, so the end of September.
Mr. Turner. It has been suggested by the GAO that we can't
wait for this architecture to be developed, we have got to move
faster. How do you respond to that?
Mr. Forman. We are moving faster, and the tradeoff I have
is between roughly 2,900 major and significant IT projects in
the budget. At the same time, we do not have 2,900 solutions
architects. We don't have 2,900 world-class program managers.
So the trick is to allow enough good things to move forward
without tying up resources that we need to focus. We are
focusing our efforts on the strategic priorities that were in
the budget: the war on terrorism, homeland security,
revitalizing the economy. So we are not trying to boil the
ocean, per se, but focus our resources.
Mr. Turner. Do you have any comments on that from the GAO's
perspective?
Mr. Yim. Well, I think that is actually the right strategy,
but we also need to look and see what we currently have, what
capabilities are currently already integrated into State and
locals and the private sector which would be feeding the
information up into the integrating strategy that would be
included in the Office of Homeland Security and the national
strategy. There is existing architecture that already is there
that could be adapted, and one of the reasons why we may want
to look at that is not only because it is familiar to State and
local governments, and this would not be viewed as an
additional burden upon them, but much of the information being
collected there is being collected for other purposes, which,
frankly, would help assure the reliability and validity of some
of that data, rather than specialized data calls related to the
Office of Homeland Security or any Federal agency asking for
specific information.
For example, if highway information was being collected for
highway improvement or Federal funding of highway projects, for
example, but that was also relevant to evacuation proposals or
the ability to bring law enforcement or first responders into
an area of concern quickly, we would hate to see a specialized
data call that, frankly, could be skewed or perhaps being done
on too quick of a basis. We would like to have the ability to
draw from existing data sets that were generated for other
purposes. So the key would be integrating those data sets,
being able to define some set of format or to focus on
middleware that could integrate diverging formats so that there
could be some central model in which these disparate data
pieces could be sent and something made of the information in a
timely manner.
Mr. Forman. I concur 100 percent with that.
Mr. Turner. Do we have the staffing and expertise to
accomplish this?
Mr. Forman. We do. We have to supplement it with the
wonders of the IT industry. There is no question about it. Part
of the emerging technologies, especially in the middleware
arena in what's referred to as objectory architectures, where
things--you hear terms like plug and play--now give you the
ability to quickly leverage that data base or that work flow
that was built for a different purpose, but fits this new
mission. That's new technology. That's come out over the last 9
months to 12 months. And so we have to operate with the
contractors helping us in this arena, consultants helping us
who have already thought through this. We are not the first
industry to grapple with this issue.
Mr. Turner. Thank you, Mr. Chairman.
Mr. Tom Davis of Virginia. Thank you very much.
Let me ask a general question. First I will start with Mr.
Bohlinger.
I understand that the development of requirements is a key
challenge, but are those requirements not the result of agency
and government interaction? Would that process not be enhanced
by a single portal type of process that we envision in our
legislation? What I'm trying to say is, I am not sure you even
know all your requirements sometimes until you have gone out to
the private sector and seen what they have available and some
of the issues they are tackling. There is an awareness gap
sometimes between what government is doing and working on and
what the private sector is out there doing.
Mr. Bohlinger. I certainly concur with that, and as I said
the request for information process and also more informal
process working with the various private sector associations.
Heaven knows, we don't know what the universe is out there, and
it's a continuing education process, an education process for
us in the Federal Government, and an education process for
those in the private sector, on not only how you access the
Federal Government, but how you assist. There are ways to
assist that make a great deal of sense in helping refine
requirements, in helping us understand, on the Federal side,
the best way to apply technologies.
So I certainly do agree with you that these avenues have to
be explored just because of the volume and complexity of the
data.
Mr. Tom Davis of Virginia. OK. Dr. Raub, let me ask you;
you refer to Secretary Thompson's Council on Private Sector
Initiatives to improve the security, safety, and quality of
health care. The Council was established in part to provide the
private sector with a single point of contact for innovative
ideas that cut across HHS's agencies and departments. Now, H.R.
4629, which I've introduced, would, among other things,
establish a similar mechanism in the Office of Federal
Procurement Policy, would apply to all agencies for innovative
homeland security solutions. What do you think about extending
the concept you use at HHS government-wide?
Mr. Raub. Well, the concept has proved quite efficacious
for HHS, and, in principle, I see no reason why it couldn't
work on a broader basis across other agencies. Were that to be
established, we would certainly work cooperatively and hard to
ensure its success.
Mr. Tom Davis of Virginia. OK. Some allege that there was a
communications breakdown between the CDC and the FBI and others
when the anthrax letters came to Capitol Hill, New York and
Philadelphia. Do you have any thoughts on that?
Mr. Raub. Yes, sir, I do. I think both agencies have worked
hard at that communication issue, and we believe will continue
to improve. Some of the issues are the fundamental differences
in our missions and our cultures that I think both agencies are
doing better to recognize and understand one another. For
example, when a matter involves a potential crime scene or a
subject under surveillance from the FBI's perspective, which we
appreciate significantly, a close hold of that kind of
information and a very deliberate process is critical to be
able to bring an ultimate successful prosecution. At the same
time, the public health community needs to ensure that it has
the information early enough to be able to mount various kinds
of protective initiatives in the community.
So I think in general our view is the more time we spend
interacting with one another, understanding the missions, the
restraints, the better those communication systems can be.
Mr. Tom Davis of Virginia. Thank you.
Mr. Jordan, let me ask you a couple questions. FBI Agent
Rowley testified yesterday at the Senate hearing that field
agents have less access to information than the press because
there are too many layers within the organization that clog
information sharing. Do you have any comments on the
reorganization efforts that have been announced by the FBI and
how they might contribute to better information sharing?
Mr. Jordan. Well, the reorganization efforts plan that the
Director has submitted focus on having the FBI recognize that
terrorism is our No. 1 mission, and that we are going to put
more resources on terrorism, not just the investigation, but
the prevention of it. And as we respond to that challenge, we
are going to have new information needs and challenges to share
our information outside the FBI with other intelligence and law
enforcement agencies as well as make sure that information gets
out to our field, which Special Agent Rowley is a
representative.
So we recognize the need to--we need to share our
information outside, but internally first, and we are making
efforts in that regard.
Mr. Tom Davis of Virginia. Well, one of the reasons we
called the hearing today was to determine the progress that
Federal agencies involved in the homeland security were making
in assessing the respective knowledge needs and information-
sharing requirements.
There has been a lot of Monday-morning quarterbacking on
this. Where are we in the process, in your opinion, over at the
FBI?
Mr. Jordan. We have made great strides. Our--outside of the
Intelligence Community, our single largest group of partners in
the prevention of terrorism are 650,000 State and local police
officers who are the largest single available force to help us
in a war against terrorism. We have met with them through their
major city chiefs, through the ,IACP, International Association
of Chiefs of Police, their representatives. We have attended
their recent information-sharing summit. Director Mueller was
the keynote speaker.
As I mentioned in my direct testimony, the directors
brought in a high-profile chief to basically ensure that we
recognize that State and local law enforcement are our partners
in this effort, and that we get them the information they need,
and that they share with us the--exactly what it is that they
need. There are some obstacles, and, for example, some of the
information that would be valuable to them is classified. It's
probably not feasible to get Secret or Top Secret security
clearances for 650,000 police officers. Maybe there is
something in the middle that we can do, maybe some middle--or
maybe there is a way to create a classification level below
Secret where we can take information and change some of its
attributes so that it could be disseminated at a below Secret
level.
I mean, these are all the things we are working on. We are
working on them with State and local law enforcement, and our
Joint Terrorism Task Forces are probably one of the best and
most successful and, historically, best efforts in this regard.
Mr. Tom Davis of Virginia. Some of the Secret stuff always
gets in the hands of the press. So, you know, you want to get
it in the hands of the agents as well.
Mr. Jordan. Yeah.
Mr. Tom Davis of Virginia. All right. Thanks.
Let me ask Mr. Forman. Your statement stresses the
important role that standards play in ensuring that the
different systems can work together in furthering the homeland
security mission. Where does the responsibility rest for
developing and enforcing these standards?
Mr. Forman. There are two types of standards. One is at the
technology level, and that resides with the Secretary of
Commerce, and largely standards being defined at the National
Institute for Standards and Technology. The other is a common
component or standard of functionality, if you will. That's
what we have undertaken via the CIO Council, and with the
Federal Enterprise Architecture Program Office work that my
office is overseeing. So I have kind of taken on that
responsibility in my role at OMB on those functional standards.
But we are doing it and the enforcement of it via the CIO
Council's architecture committee. And, in that manner, as you
know, probably the fastest way to get a standard is to get
everybody who has to buy the technology to agree that this is
what they are going to buy, this type of functional capability,
and therefore ensuring not just the agreement on the standard,
but the enforcement of that standard.
Mr. Tom Davis of Virginia. Thank you. I'm just going to
make a final comment, and then I think Ms. Davis has a couple
more questions.
Do you have a couple more questions for this panel? I think
Jo Ann wants to get a question cleared up.
You know, we have gone through some of these security
briefings on the House floor, and I get more out of CNN and Fox
News than I do from our security briefings. And, of course,
they are so nervous that somebody is going to leak something I
assume they have the same kind of problems in the FBI and other
agencies with getting word down to members on the street, to
employees on the street who could use information, but are just
so afraid that the classification, whether it's Secret or Top
Secret or classified doesn't fit. And we have got to find a way
to cut through this and get the information to the people on
the street appropriately.
That has been one of the problems; as we look back and try
to Monday-morning-quarterback this we get so hung up on all
these classification systems that the word is not getting out
in an appropriate fashion to the people who could benefit from
it. The press has no problem getting ahold of a lot of this
stuff and so we are basically victims of our own overregulation
and inability to classify. And it's something we have got to
continue to wrestle with. And also in our conversations with
the private sector, some of this stuff I think we are overly
protective of. That's just an observation, stepping back.
But I see a lot of progress being made, and I appreciate
everybody taking the time to share with us and answer our
questions today.
Ms. Davis.
Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. And
I don't mean to beat a dead horse, but I'm sort of just a
straight-talking person, and I've got to say, I didn't
understand your answers. The best I could understand is that
the resources aren't the problem; the problem is the
requirements and defining the requirements. But aren't you all
supposed to define the requirements?
Mr. Forman. Well, we have new major IT investments in this
year's budget, roughly $30 billion, and so the requirements
have to come, we know best practices, from the people who are
actually doing the work. When we bring in modern tools and
techniques for essentially e-business in the private sector,
that has tremendous applicability in virtually all the homeland
security areas.
Ms. Jo Ann Davis of Virginia. So are you supposed to, sir,
define the requirements?
Mr. Forman. No. It's got to be at the level of the people
actually who will use it in doing the work, married together
with the CIOs or people within the CIO organization who are
responsible for identifying.
Ms. Jo Ann Davis of Virginia. How long does it take to do
that and then to get the--I mean, by the time you do all that
and get the technology in place, isn't it outdated?
Mr. Forman. No. Unfortunately, we tend to hide behind that
in resisting change in many of the Federal agencies. It
shouldn't take more than a couple weeks or a month to do this.
Ms. Jo Ann Davis of Virginia. So, then, the problem more is
in the culture and not requirements?
Mr. Forman. And resistance to change.
Ms. Jo Ann Davis of Virginia. Which is the culture.
Mr. Forman. I tend to focus on, both dealing with the
industry and with the agencies, these two simple measures of
outcome that I mentioned before. How do we increase their
response time, cycle time, the decisionmaking time? How do we
improve the quality of the decisions that you are responsible
for?
And I give the same test to the industry folks that come
in, and I found from industry, some of the folks will come back
to us with a very low-cost, very modern solution just because
of the technologies that are out there. And when I look at low
cost, I mean 40-, 50-, $60,000 for a program that had been
budgeted for $30 million. To me, that's the pay off of bringing
these modern technologies in; but what it means is people in
the line of business do their work differently. If they don't
sign up to doing their work that way, then we won't get that
acceleration in decisionmaking, we won't get the results. What
we will get is a 50-, $60,000 effort that turns into a $30
million effort and doesn't give us the results.
This is a chronic problem. It's been around for about 10
years now in government. It's part of change management, and,
at the end of the day, a big part of the puzzle that we are
using here is the management scorecard. We are literally
tracking whether the agencies are adopting these modern
business approaches and scoring them on that on a quarterly
basis.
Ms. Jo Ann Davis of Virginia. Well, maybe I just did things
a little different in the private sector, but when I had people
that worked for me, if they didn't do the changes the way I
wanted them, they weren't there anymore.
Thank you, Mr. Chairman.
Mr. Tom Davis of Virginia. Thank you very much.
Anything anyone on the panel want to add additionally?
Well, thank you all very much for your testimony today and
in your answering our questions. If you want to supplement
anything over the next couple of weeks, feel free to. I'll put
it in the record.
I'm going to declare about a 2-minute recess as we switch
panels. We have an outstanding panel coming up: Dr. Sugar of
Northrop Grumman, who has already been introduced by Ms.
Harman; Mr. Johnson, KPMG; Mr. Fitzgerald from Oracle, I see in
the audience; and Mr. Pomata from webMethods. We will just take
a couple minutes to exchange, and we will be back in 2 minutes.
Thank you.
[Recess.]
Mr. Tom Davis of Virginia. I think we can resume the
hearing. If everyone could just remain standing here, I want to
swear our next distinguished panel in.
[Witnesses sworn.]
Mr. Tom Davis of Virginia. Let me just explain. This isn't
the major investigative committee in Congress; so, by our
rules, we swear every witness in. We are not trying to catch
you on everything, but those are just the rules we operate
under.
And so let me start with Dr. Sugar and work our way down.
Try to keep it to 5 minutes. Again, we have the lights on
there, and we will give some time for questions and then
submit. And thank you for being with us today, Dr. Sugar.
STATEMENTS OF RONALD D. SUGAR, Ph.D., PRESIDENT AND CHIEF
OPERATING OFFICER, NORTHROP GRUMMAN CORP.; LEONARD POMATA,
PRESIDENT, FEDERAL GROUP, WEBMETHODS, INC.; S. DANIEL JOHNSON,
EXECUTIVE VICE PRESIDENT, PUBLIC SERVICES, KPMG CONSULTING,
INC.; AND KEVIN J. FITZGERALD, SENIOR VICE PRESIDENT,
GOVERNMENT, EDUCATION & HEALTHCARE, ORACLE CORP.
Mr. Sugar. Can you hear me?
Thank you, Mr. Chairman, Ms. Davis, Mr. Turner. It's always
a pleasure to meet with you. My name is Ron Sugar, president
and chief operating officer of Northrop Grumman, Incorporated,
one of our Nation's major defense industrial firms. Northrop
Grumman has a dedicated work force of over 100,000 engineers,
scientists, and other professionals applying advanced
technology in support of our military services and other
governmental agencies. It's a great privilege to appear before
you today and to talk about some of my observations on the
important issue of providing technology solutions to the
serious homeland security challenges facing our Nation today.
As a senior executive of a major defense firm, I cannot
advise you on national policy or how to organize the government
to approach this daunting task of homeland security. I can,
however, provide a perspective on how those of us in the world
of technology can help address this major challenge, and I can
suggest certain steps the government can take to create a
favorable environment where the innovative thinking, the
manufacturing skills, and the procedural discipline of the
defense industry could be applied to this pressing national
need.
One should not underestimate the power of American
industry, working with government, to provide good solutions to
major challenges. We do rise to the occasion. The record of the
past speaks for itself. The Manhattan Project of World War II,
the development of strategic weapons and ICBMs during the cold
war, and the placing of a man on the moon in the 1960's
demonstrate what can be accomplished in a relatively short
period of time when efforts are focused, resources are
provided, and there is a national will to do it. As with these
past examples, of course, urgency must now prevail.
I would like to identify for you three concerns that I
believe may be inhibiting our ability to bring the power of
American technological capability into this effort, and I will
call them the three Rs, for lack of a better term:
requirements, resources, and release from unreasonable
liabilities. Requirements, resources, and release from
unreasonable liabilities. Addressing these three Rs will
greatly improve the requirement for industry to innovate and
create effective technology solutions for this problem.
Now, let me briefly address what I mean by these three
items. First, requirements. Despite the passage of 9 months,
there are still very few specific requirements that have been
identified by the many numerous agencies at all levels of
government on what they need to meet the challenges that they
face. We typically in industry provide technological solutions
in response to governmental requests for proposals or requests
for information, and their companion statements of requirements
or specifications. Because there is great uncertainty among
many agencies about their exact roles and missions in homeland
security, there have been to date very few RFPs as a result of
September 11th, and I would strongly second the testimony of
Mr. Bohlinger from the INS on this matter. Requirements are
very, very important here.
Second, resources. Now, certainly much money has been
appropriated to date for this effort. With the original
emergency funding, the current supplemental under
consideration, and the fiscal 2003 proposal, there has been
over $100 billion identified for homeland security, but the
large percentage of these funds is for response and recovery.
Very little to date has translated into requests for specific
technology solutions. Neither Northrop Grumman Corp., nor any
other major corporation that I know of at the moment, is yet
able to determine from a business standpoint the additional
business or revenue potential of this important emerging
homeland security market. We know something is there, but we
are not quite sure what it is and how we are going to address
it.
And, finally, there is the third R: release from
unreasonable liability, or indemnification. Many companies,
including our own, now have technologies available to assist
all levels of government in detecting and preventing future
terrorist attacks. Paradoxically, our tort system has the
capability of shifting the economic loss due to a terrorist
criminal act onto those providing the tools to detect and
prevent such acts.
Despite our best efforts, no technical system is
infallible. The unintended consequence of even a single failure
in a well-intended system or device that we might provide could
result in a significant legal exposure that could financially
ruin a company. Prudent companies may find themselves unwilling
to provide their critical technologies to the government and
its agencies that need them because of the great financial risk
involved. At Northrop Grumman, for example, we find ourselves
face to face with this very issue now in our efforts to provide
the Postal Service with a biological detection system to
counter the anthrax threat. Clearly, containing liability
exposure for those in industry who are trying to do good is a
major policy issue that must be addressed by both Congress and
the executive branch.
Now, if we can successfully deal with these three Rs, we
can do a lot of good things. We have, for example, at Northrop
Grumman sophisticated airborne surveillance platforms, such as
the Global Hawk, that can be adapted for use in improving
border and coastline security. We have Fire Scout, a smaller
unmanned helicopter that can provide point surveillance around
ports or other vulnerable national assets such as nuclear power
stations. We have modern command, control, communications
systems that can be adapted for domestic use by State and local
organizations. We have increasingly effective systems for
detecting and tracking chemical and biological agents. We have
sophisticated information technology systems capable of
managing and integrating large amounts of data, making it
rapidly available. This can assist security officials,
immigration officers, Customs agents, and the Border Patrol in
greatly complicating any terrorist efforts to launch
coordinated and deadly attacks against American facilities and
citizens. We can do a lot right now.
Now, from a classical business perspective, however,
homeland security would be viewed as an emerging market. But to
be vibrant and viable, any market needs customers with clearly
defined needs who have funds they are willing to spend to
secure goods and services. Presently, with a handful of
exceptions, the homeland security market is still somewhat
clouded.
Mr. Chairman, your legislation, H.R. 4629, aimed at
promoting innovative solutions for homeland security is a very
appropriate first step. Its recommendation establishing an
office to rapidly review technology proposals while providing
procurement point of entry will be most helpful. I would urge
you to move this legislation forward as quickly as possible.
Combined with the President's announcement last evening about
an establishing a Department of Homeland Security, this should
provide increased momentum to allow us to bring the full power
of our industry to bear.
Finally, let me be frank. I am concerned about the rate of
progress we are making in protecting the Nation. This is a
serious issue. Many good ideas are flowing from both the
government and from industry. What we need now are the firm,
specific requirements, immediately available funding resources,
and protection from the risks of unreasonable liability. Give
us these and we in industry will provide our Nation the tools
to do this job.
Mr. Chairman, I applaud the efforts of the committee. I
wish you well in your important endeavors, and thank you very
much for having me here today.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Sugar follows:]
[GRAPHIC] [TIFF OMITTED] T5840.072
[GRAPHIC] [TIFF OMITTED] T5840.073
[GRAPHIC] [TIFF OMITTED] T5840.074
Mr. Tom Davis of Virginia. Mr. Fitzgerald.
Mr. Fitzgerald. Mr. Chairman, Ranking Member Turner,
Congressman Davis, my name is Kevin Fitzgerald. I am the senior
vice president of Oracle Corp., and on behalf of Oracle, I
would like to thank you for inviting me to share experiences
and perspective on information sharing and homeland security
technology.
Mr. Chairman, since September 11th, we have been engaged in
a battle on two fronts. First, we have been fighting to protect
the lives of Americans from the threat of terrorism, and at the
same time we have been struggling to protect the single most
important asset needed to promote and preserve liberty and
prosperity: the U.S. economy. If the investments made today to
improve our homeland security prove ineffective, we will have
missed a seminal opportunity to shape our future for the
better, an opportunity that we are unlikely to see again.
If we step back and look at the goal of strengthening
homeland security, the over whelming obstacle will be the
effective partnering of the organizations, public and private,
involved in the process. There are national, State, and local
organizations geared toward law enforcement and intelligence,
first responders, health care, Border Patrol, transportation,
agriculture, and countless others. It is difficult to know
where to start, and spending our Nation's tax dollars
effectively will be challenging.
In order to protect the United States, we need an
integrated national strategy and information infrastructure;
yet implementing a national strategy with countless independent
organizations will be like building a plane with at least 50
totally independent contractors. One builds the wings, another
builds a navigation system, and yet another builds the fuselage
and so on. Even if each organization excels at his or her given
task, it will still work in a vacuum without any guidance on
how and whether these separate parts work together in an
effective whole, the combined concoction could never fly.
Imagine building our homeland security information systems
airplane--like this airplane, not having any way to ensure they
fit into a broader national strategy. The result will be a
waste.
Fortunately, the President took a step in the right
direction yesterday with his proposal to create a Department of
Homeland Security, which would provide for a clearinghouse for
terrorism intelligence. This is a significant and positive
development, and I hope Congress will act on the President's
proposal before you adjourn later this year.
For this new Department to succeed, Congress will have to
target a significant amount of investments toward information
technology. No doubt information is one of the most powerful
weapons that we have in the fight against terrorism. The fact
is that we have an extraordinary amount of information, but we
lack sufficient capability to establish relationships between
various information sources. Even today we see there are lots
of facts we had about the individual terrorists responsible for
the attacks on September 11th. Since we were unable to bring
these facts together, intelligence agencies and law enforcement
were not able to see the whole picture.
It would not be possible, prudent, or politically expedient
to try and build a single national system for homeland security
information; we can, however, make it possible for the relevant
organizations to build their systems in such a way that,
although they are different, they can work in concert to
support a national homeland security strategy, or, in more
practical terms, a Department of Homeland Security.
Accomplishing this requires a commitment to standards. If
Congress provides homeland security resources to 50 States,
absent any kind of systematic direction, it will be used in at
least 50 different ways, and certainly far more if these
resources flow to localities. The system that would be built
under this scenario may have local needs, but they will almost
certainly not talk to one another unless there is an effort on
a national level to require a few standards for information
sharing and security. For information systems, those standards
fall into three categories: data, integration, and security.
Data standards provide guidelines for how data is collected
and stored, making data possible--sharing possible. For
example, in law enforcement, the Department of Justice has
defined a standard called the National Incident-Based Reporting
System, or NIBRS. This standard defines guidelines for
collecting and reporting information related to criminal
incidents. So if my system is NIBRS-compliant, and your system
is NIBRS-compliant, then we can compare data with one another
because we both use and understand the codes that represent
that type of criminal incident. Data standards like NIBRS are
critically important for ensuring that once we establish
connectivity between systems, we will know how to compare and
interpret the results.
Integration standards define how a system exposes its data
to other systems. For example, Web Services standards like
WSDL, UDDI, and SOAP, define how a system wraps its data and
publishes it to other systems. So a system can use these
standards to say, in effect, I know all about pilot licenses in
the State of Florida. If you give me a Social Security number,
I will check your credentials and then give you XML in the
following format that includes that person's license
information. This approach means that I don't care what a
system does or how it was built, I only care that it can accept
and answer my question.
Perhaps the most important form of information standard is
geared toward security. The most significant barrier to
information sharing will not be technical issues, but concerns
raised by organizations about exposing their data to
potentially insecure systems. There are well-established
standards in existence, and they have matured around the world,
and they are now accepted globally. In the United States their
use is managed by NIAP, the National Information Assurance
Partnership. This is a collaboration between the National
Security Agency and the National Institute of Standards and
Technology.
Consistent government enforcement of security standards has
been a source of frustration for Oracle. Despite its importance
to national security, what we too often see is that the
requirements for independent security evaluations are waived in
procurement. This summer, a National Information Assurance
Acquisition policy called NSTISSP No. 11 is scheduled to go
into effect for systems that contain information relating to
national security and requires these systems to use products
that have undergone an independent security evaluation. After
September 11th, it is fair to say more and more Federal systems
have a direct link to national security. Thus, policies like
this one need to be strengthened and enforced through the
procurement policy.
What can the Federal Government do to better ensure the use
of these standards? First, national agencies need to take
responsibility for defining more data standards as the Justice
Department has done in the defining of NIBRS. Second, we urge
Congress not to try and create integration standards. Industry
and the Internet are defining and refining these standards
faster than the government possibly could. Exploit what they
develop. Third, Congress should encourage relevant agencies to
enforce NSTISSP No. 11. These standards and processes are
already in place.
We all know there will be an accounting for how Congress
has targeted Federal spending on homeland security, and, with
the President's announcement yesterday, this new Department,
should Congress create it, will likely be held accountable as
well for the administrative success of homeland security. If
the result is 1,000 little systems with no improved national
capacity to deal with the threat of terrorism, the American
people will recognize this failure of planning and protection.
Let's work together to make sure that doesn't happen. Congress,
in its role as policy leader, can include appropriate standards
to guide Federal, State, and local organizations down a common
path of information sharing. The information technology
industry can devise the systems to make sure these policies can
work to accomplish our national goals.
Thank you again, Mr. Chairman, for the opportunity to be
heard today. I look forward to answering any questions you
have.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Fitzgerald follows:]
[GRAPHIC] [TIFF OMITTED] T5840.075
[GRAPHIC] [TIFF OMITTED] T5840.076
[GRAPHIC] [TIFF OMITTED] T5840.077
[GRAPHIC] [TIFF OMITTED] T5840.078
Mr. Tom Davis of Virginia. Mr. Johnson.
Mr. Johnson. Mr. Chairman and members of the subcommittee,
thank you for this opportunity to share KPMG Consulting's views
on the topic of homeland security. My name is Dan Johnson, and
I lead our public services business unit, which is comprised of
over 3,000----
Mr. Tom Davis of Virginia. Mr. Johnson, you don't need to
keep it a secret; you need to turn on your microphone.
Mr. Johnson. Got it now?
Mr. Tom Davis of Virginia. Got it.
Mr. Johnson. Sorry. I'll start over again.
Mr. Chairman and members of the subcommittee, thank you for
this opportunity to share KPMG Consulting's views on the topic
of homeland security. My name is Dan Johnson, and I lead our
public services business unit, which is comprised of over 3,000
professionals serving Federal, State, and local government
clients.
KPMG Consulting supports large-scale information technology
modernization programs at many of the Federal agencies that are
critical to our homeland security efforts, including the
Immigration and Naturalization Service, the Customs Service,
the Department of State, the Internal Revenue Service, the
Federal Aviation Administration, Coast Guard, and the military
departments, as well as many public safety agencies in key
States such as Pennsylvania, New York, Texas, California, South
Carolina, and the District of Columbia. Most recently we have
been engaged to help stand up the Transportation Security
Agency in defining its mission activities in business processes
as well as supporting development of an entry/exit system at
Immigration and Naturalization Service which would document the
arrival and departure of aliens at U.S. ports of entry.
Mr. Chairman, we feel that our 40 years of experience in
serving government entities such as these and the knowledge of
their organizations, systems, processes, and protocols that
experience brings uniquely qualifies KPMG Consulting to discuss
change management issues and technology acquisition measures as
they relate to homeland security. In the aftermath of September
11th, when KPMG Consulting mobilized to provide recovery
assistance to our New York Port Authority and New York
Department of Finance clients at the World Trade Center, as
well as our DOD Office of the Comptroller clients at the
Pentagon, the requirements for a higher level of cooperation
and collaboration between Federal, State, and local
governments, as well as the private sector, has reached a new
level of urgency. We would like to address several areas which
will impact and challenge attaining that higher level of
integration.
The first is leveraging existing capabilities. We must get
a firm grasp of the information available today, the
technologies that are being employed, and match that data and
those technologies to identifiable programs. An example we are
most familiar with is the Pennsylvania Criminal Justice
Network, commonly referred to as JNET. Following the crash of
United Airlines Flight 93 in Western Pennsylvania, a JNET
terminal was set up for the FBI. Running the Flight 93
passenger list through JNET and searching multiple Commonwealth
justice system data bases simultaneously, the FBI was able to
identify one of the suspected terrorists on board, and
confirmed that another suspected terrorist was, in fact,
already incarcerated.
The JNET story is a microcosm of the challenges that
homeland security faces. Initiated in 1998, it overcame the
stovepipe territorial issues of sharing sensitive information
across 17 different State agencies, 2 cities, and 20 counties,
now totaling over 5,000 users this year. It did so with an
architecture which lent itself to gradual and interactive
development showing incremental benefit and promoting comfort
among its stakeholders as it evolved. It did so through strong
executive sponsorship and a centralized independent budget for
it alone. It did so through protecting the integrity of the
individual stakeholder data bases by implementing rigid access
controls, and it did so by establishing a government structure
in which all the key stakeholders were represented.
The second area, as agencies look across their investments
with an eye toward addressing homeland security missions, they
must first determine what information is needed before looking
for new technology solutions. They must match this with their
understanding of what their problems are, what technologies
exist today to address those problems, and how can they best
leverage those technology solutions and improve upon them.
Then, and only then, can agencies take the next step of
determining what else needs to be done, what other technologies
must be acquired.
Last, Mr. Chairman, we commend you for introducing H.R.
4629, which would establish a program to encourage and support
carrying out innovative proposals to enhance homeland security.
Its provisions for the streamlined acquisition of innovative
solutions certainly is needed.
In our experience, application of IT investment and
portfolio management disciplines is essential to the success of
a technology program of the magnitude of homeland security. A
set of standard criteria should be established to streamline
and focus the screening of these technology proposals and to
normalize the evaluation of their potential. Using this type of
approach, each proposal is viewed as a component of an overall
homeland security technology portfolio. The portfolio would be
continuously monitored and adjusted as new proposals were
presented and technologies were tested and implemented, and
would ensure that all components of homeland security are
considered against an integrated framework.
Mr. Chairman, again, thank you for holding this important
hearing today. We look forward to working closely with you and
the rest of the subcommittee in any way you deem appropriate.
Mr. Tom Davis of Virginia. Thank you very much.
[The prepared statement of Mr. Johnson follows:]
[GRAPHIC] [TIFF OMITTED] T5840.079
[GRAPHIC] [TIFF OMITTED] T5840.080
[GRAPHIC] [TIFF OMITTED] T5840.081
[GRAPHIC] [TIFF OMITTED] T5840.082
[GRAPHIC] [TIFF OMITTED] T5840.083
[GRAPHIC] [TIFF OMITTED] T5840.084
Mr. Tom Davis of Virginia. Mr. Pomata, you are our cleanup
speaker here.
Mr. Pomata. Thank you. Mr. Chairman, thank you for the
opportunity to testify today. My name is Len Pomata, and I
serve as the president of webMethods' Federal business unit,
part of webMethods, Incorporated, a Fairfax, Virginia, company.
WebMethods manufactures integration software, a technology
that enables the government agencies and companies of all sizes
to connect their computers and data systems together. The
technology is straightforward, cost-effective, reliable,
secure, and readily available. It facilitates the right
information getting to the right people at the right time.
It is interesting that much of America's investment to date
in homeland security has been spent on the last line of
defense, guards, gates, and guns. That's a natural and critical
part of the response, but there is a part of the September 11th
answer that has still received too little public attention, and
that is the use of information technology as a proactive first
line of defense. It is ironic, because it is information
technology and those capabilities that give America one of the
greatest competitive advantages in combating terrorism and
securing the homeland.
The INS and the FBI are currently highly visible examples
of the need for integration software and the sharing of
information across agencies. Like most Americans, I applaud
these agencies for their dedicated employees and their
leadership, but there are lessons we have learned and can learn
from the events of September and the importance of sharing
critical information. In some instances agencies had identified
important information, but the information was not effectively
coordinated into a common view or given to relevant officials.
I realize that in many instances substantial policy and
political issues may argue against sharing, but there is no
technological reason. My point, Mr. Chairman, is that sharing
of critical information, both inside and outside the
government, is straightforward and relatively easy. Linking
systems has become secure and affordable. At webMethods, we
know this because we do this every day in our business.
Public and private sector organizations alike face the
cultural policy issues, but I would like to mention a few
lessons that we have learned in addressing this with our
customers.
First, organizations don't have to share or integrate
entire systems, only that which is important, only that which
is defined as part of their critical mission. Defining those as
precisely as possible can make the cultural and political
boundaries and barriers seem much lower than they may first
appear.
Second, simply connecting data bases and applications does
not produce the right information to the right people. It is
necessary to define the mission and particular information to
be shared in a logical process, and not an artificial
organization. That is what determines what--and you need to
determine who is providing and who is receiving information.
Those are the critical parts.
Third, it should be remembered the purpose of integrating
information is not just to distribute it, but to be able to
push it or give it to those--that right information to the
high-level officials as well as down to the field agents that
may need it in a push technology.
Fourth, as customers like Covisint, an e-business exchange
for major automakers, we have discovered the utility of
building an online hub, for instance, that has competitive
organizations plugging in, and without disclosing proprietary
information works very well in the commercial sector, and this
is a model that I think the government may use for sharing
information in the public sector.
You know, there is a temptation to think that with so much
money already spent on information systems, surely we can be
much better at coordinating information; but these systems have
become increasingly more complex, and have been dedicated to
very specific tasks, and have become individual silos and
islands of information, which actually can sometimes hamper the
facilitation of information coordination. These systems contain
mountains of information, and, as a result, helping them simply
to communicate with each other has the potential to tap
tremendous new value from existing resources.
Traditionally this integration of disparate systems,
applications, and data bases has taken place through costly,
time-consuming customization efforts. Until recently, it would
require deploying scores of programmers and software writers to
go into a company or agency and manually write code to create
custom connections among these systems. In recent years,
particularly in the last 12 to 17 months, this has become
virtually unnecessary. It can now be done far more quickly,
cheaply, and reliably, largely through off-the-shelf software.
As a result, companies and agencies can now modernize and
extend the life of old systems and avoid the huge expense of
replacing them, much like the Navy might view in extending the
life with modernization of one of their ships.
Integration software can make this happen now amongst the
vast--and makes this happen now amongst the vast majority of
the top 2,000 global companies. Government, too, is now
appreciating the power and the potential of this latest IT
revolution.
Integration software depends on language protocols. One of
those is XML. Recently the GAO emphasized the importance of XML
and the need for government to focus on it in terms of
standards and utilization. As the GAO pointed out, XML offers
the greatest potential for agencies to share information with
each other and across the government. XML is here now and is
the language that can be used to integrate complex technology
systems, built over time, multiple platforms, and they can work
together.
Mr. Chairman and members of the committee, every American
recognizes the importance of homeland security, and for obvious
reasons. My message to you is that government, recognizing the
importance of information technology, information sharing, and
new integration technologies, can contribute to this effort.
This subcommittee in particular, and the committee in general,
has been the voice of ensuring the effective use of different
technology gets distributed across the government. Mr.
Chairman, I applaud this hearing and encourage you to continue
this program.
Finally, Mr. Chairman, I, as well as some of the other
panelists, would like to take this opportunity to express my
strong support for H.R. 4629, your bill. As any business
executive can tell you, even the brightest and best ideas would
not advance unless there was a process and organization that
could properly review them and advance them. Especially in
times that call for urgent action, there must be an effective
and efficient clearinghouse within the government to consider
leading-edge technology. Your idea was well thought out and
responded to concerns of your February hearing. I know that the
committee considers the testimony of its witnesses, and I
appreciate the opportunity for the private sector to be at this
hearing. I stand ready to answer any questions.
Mr. Tom Davis of Virginia. Thank you.
[The prepared statement of Mr. Pomata follows:]
[GRAPHIC] [TIFF OMITTED] T5840.085
[GRAPHIC] [TIFF OMITTED] T5840.086
[GRAPHIC] [TIFF OMITTED] T5840.087
[GRAPHIC] [TIFF OMITTED] T5840.088
Mr. Tom Davis of Virginia. I am going to recognize.
Ms. Davis to start the questions, but I've got to ask this
question: This XML, this is new to me. Is this kind of a
universal language that everybody can tap into?
Mr. Fitzgerald. Central markup language.
Mr. Pomata. And it is used within the Internet. It's an
Internet technology language. It allows many different types of
systems over many different platforms to communicate through
the Internet and share information.
Mr. Tom Davis of Virginia. How widely used is that in the
private sector?
Mr. Pomata. Very, very extensively.
Mr. Fitzgerald. Pervasively.
Mr. Tom Davis of Virginia. You have got to remember, I left
PRC in, what, 1994.
Mr. Pomata. A few years ago.
Mr. Tom Davis of Virginia. I'm just trying to get it.
OK. Ms. Davis.
Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman.
And thank you, gentlemen, for being here.
And, Dr. Sugar, it is a pleasure to see you again.
You know, I sit on the House Armed Services Committee, and
you talk about turf wars, you have got the Army, Navy, Air
Force, Marines, and there is a little turf war there sometimes.
But in this war in Afghanistan, I was able to watch how, when
there was a requirement, we had an Army fellow on a horse, and
we had a Navy pilot in the sky, and within a 2-week period they
developed technology on a Palm Pilot for that Army fellow, the
soldier on the horse, to let the Navy pilot know exactly where
to drop the bomb. So in a 2-week period, we can get the
technology.
And, Mr. Johnson, I want to go to you.
Well, Dr. Sugar, I heard you say that requirements were--
you were still waiting on the requirements. And you heard me in
the former panel ask those why we don't have them; and, if I
heard you correct, Mr. Johnson, you said that relatively, you
know, in a short period of time, you could get those
requirements. Those weren't your words, but that's what I
gleaned out of it. But we are 9 months since September 11th,
and we don't have requirements. We are nowhere close in many of
these agencies to seeing what we need to help us with homeland
security, and we are getting ready here to vote on the proposed
new Department of Homeland Security.
Should we be having a struggle getting those requirements
from these agencies? I know you are contracted with some of
them, but not all of them. Can you help us out, help me out,
there to understand why we don't have them?
Mr. Johnson. Well, I think the driver here is the sense of
urgency. When we were prosecuting the war in Afghanistan, the
sense of urgency was very, very high in terms of being able to
get things done on short notice. The example I used in
Pennsylvania, again, was a situation where it is a somewhat
smaller group of people, a little narrowly focused effort to go
forward with. But the driver is--this country can do amazing
things in short order when there is a sense of urgency to drive
it to that, and I think many of us see that we don't see that
sense of urgency as being pushed down through the organization
to execute those things in a rapid fashion.
Ms. Jo Ann Davis of Virginia. Well, I would certainly hope
we don't have a another disaster for that sense of urgency.
Dr. Sugar, do you want to add something?
Mr. Sugar. Could I add to that? I certainly agree on the
urgency sense. There is no question about that necessity is the
mother of invention. When lives are on the line, people do
remarkable things and put aside partisan and parochial
boundaries.
There is also an issue of skills, and skills and the
ability to know how to define requirements, how to transform a
nebulous set of needs or vague sense of wants into very
specific actionable statements and quantitative measures that
can be used, and then put in place the technology that solves
the problem. That's a skills set which doesn't generally
reside, quite frankly, in most of the agencies in the U.S.
Government, and generally does not reside in great abundance in
the State and local government agencies around the country.
That is not an indictment of them, it is just simply a fact
that it is just not something that has been done. It has been
developed in the Intelligence Community, it has been developed
in the Department of Defense. Certainly the ballistic missile
program and all these things have enforced that discipline.
So, there is an issue of not just urgency and a desire, but
there is an issue of skills and capability.
One thought could be that, for the Office of Homeland
Security and perhaps even for this agency that might be created
by such a bill as proposed here, you could have either a DARPA-
like or a systems-engineering-like organization, a seat-like
organization whose job it is to look at being sort of a central
clearinghouse of requirements and standards so that you don't
have to replicate the creation of something every police
department in the Nation is going to need, you know, at every
police department. So the thought of skills and methodology
would be very helpful here as well.
Ms. Jo Ann Davis of Virginia. Well, let me ask, on the
Department of Homeland Security that is proposed, as I
understand it, there is going to be one element that would
analyze all the information. So if I am hearing you correct--
all the information from, I guess, the FBI, everyone, I guess.
If I'm hearing you all correctly, that wouldn't even be--I
mean, it's not possible because we can't get the information to
them; is that correct?
Mr. Fitzgerald. That's----
Ms. Jo Ann Davis of Virginia. Is that what I'm hearing?
Mr. Fitzgerald [continuing]. Pretty much correct. Grants
will be given by the Justice Department to local police
departments to build systems, and then we will have necessary
standards associated with those, so when the information that
they gather is requested, it may not be able to be understood
by the Office of Homeland Defense.
Ms. Jo Ann Davis of Virginia. Thank you, Mr. Chairman. I
think that is all I have.
Mr. Tom Davis of Virginia. Thank you very much.
Mr. Turner.
Mr. Turner. Thank you, Mr. Chairman.
Dr. Sugar, talk to us a little bit about the problem that
you mentioned briefly in your testimony that you had with the
Postal Service on the liability issue for the anthrax, the
detection equipment purchase.
Mr. Sugar. Yeah. And, again, this is not the forum to talk
about a very specific issue and a specific contract, but it
does, I think, represent a problem we are all facing.
We have a system which we think can solve a problem. We had
a certain quantity of these things planned to be ordered. We
had to cut back that quantity because we were unwilling to take
it past the stage of prototype demonstration until we were
certain that putting it in the field, and if there were any
unintended consequences, it would not come back and materially
impact or financially destroy our company. That's really the
situation.
Now, there is an indemnification, I guess the 85804, which
is in place for--which is public law, which helps; it's nuclear
and other identification, and that is very helpful. It is used
certainly in all of our defense work.
What's not as clear is when we migrate the products to
other civilian agencies, the State and local agencies or,
frankly, even the private sector, for example, a private
company that owns and operates a nuclear power plant and wants
to utilize one of our great devices that one of our companies
comes up with, how do you ensure that we're not going to end
up, you know, having a situation where no good deed ever goes
unpunished? We do something good, and we have something happen
bad. It's a serious issue.
I'm not a lawyer, but I know that this is now becoming--
emerging as a stumbling block on even the very few RFPs and
programs we're seeing. I think you're going to see this become
a very broad issue. It's going to become a policy issue for the
Nation.
On the other hand, I would say that no Federal agency wants
to take on unlimited liability that may be created by a
contractor who provides a device which then reflects back on
the government.
So we're going to have to find some way as a Nation to
figure out how to share this so we can get on with applying
technology correctly.
Mr. Turner. So you're saying there's no statutory authority
now for an agency to negotiate this issue of liability with a
private sector vendor?
Mr. Sugar. I think there is in some cases. I know, for
example, with the U.S. Navy we can receive, because we build
nuclear aircraft carriers, a nuclear indemnification as part of
85804. I'm not sure how widely that is allowed with other
agencies or whether it, in fact, becomes a local decision of
the contracting officer on any given procurement.
Mr. Fitzgerald. Capping liabilities would clearly be a step
in the right direction.
Mr. Turner. Thank you.
Mr. Tom Davis of Virginia. Thank you. I appreciate you
raising the liability issue, because we don't think about that.
Many times as we go out to contracting and--government
lawyers are trained to protect the government. If something
goes wrong, it's the other guy's fault; and, of course, it has
the end result of sometimes discouraging some of those
innovative ideas, innovative companies, from doing business
with the government. You get higher markups in the private
sector, you know, why do you have to come here?
So I appreciate you raising that. I think we will take a
closer look at that.
Any more specific examples that you can give to the
subcommittee in terms of where that has been a deterrent or
where maybe a company has in good faith provided a service and
it went awry and they ended up losing their shirt? I know some
State and local government instances of that, but at the
Federal level that would be helpful to get it into the record
so the members could understand why they're waiving something
that otherwise it seems we wouldn't do. So I appreciate you
raising that factor, and we'll take a closer look at that.
You know, virtually all of the private-sector witnesses
here today have, in one way or another, expressed a concern
about our ability to take advantage of the technology that the
private sector has to offer. I think there's a great
frustration at this point among companies who have invested in
new ideas and think they can be of service, maybe make a profit
along the way. But you have ideas that we're just not
utilizing. What are the specific problems you face in getting
that to market at this point?
Maybe this homeland security agency will be more of a
clearinghouse. Maybe our legislation, if it is enacted, can at
least give you some kind of organized route where you can
pursue some of these. But do you have particular concerns
regarding attacks on computer systems and infrastructure and
intellectual property piracy issues?
Let me just try to hit those two offhand. Does anybody want
to go----
Mr. Fitzgerald. Yeah, sure.
For Oracle Corp., I think our frustration comes in--we
built systems specifically for the government for intelligence
and defense purposes to share classified data, various
classifications to audit all data to make sure we know who sees
what. Once we spent the millions and tens of millions of
dollars to build these systems, the government tends not to
include them as part of the procurement process; and we sit
there and scratch our heads at that. We've built a solution
specifically to attack a problem like this, and then when it's
waived or it's--agencies are given waivers around the policies
associated with security and the sharing of classified data, we
wonder why we spent the money to do it.
So I guess our situation is slightly different, Congressman
Davis, in the sense that we stepped up the ante and put the
money to do the development. Then we find that many agencies
won't use what we've developed, and it's been developed for
that purpose.
Mr. Tom Davis of Virginia. Let me ask--Mr. Pomata, let me
ask you. You've been in the business a long time.
The Federal Government has a history of failed system
development efforts. A lot of times we've spent a lot of money
and we don't get what we want. It used to be that it was driven
by the procurements itself, that we were so afraid of--once
you'd go out with an RFP, you were so afraid of changing it
even as your needs changed, because you'd have to go back out
to the street. You're afraid of protests.
We've tried to loosen that up a little bit. I don't know
how it's actually working, but we're trying to loosen it up a
little bit so that the government buyers who know what they
want can go off and they have GWACS and schedules and areas
where they can go out and say, here's what we want, how do you
provide it? And not have to go out the route we used to have to
have.
Can you think of other steps that the government can take
to ensure that systems that we get work properly? You've sat on
the other side of this for years.
Mr. Pomata. I think a couple things. I think----
Mr. Tom Davis of Virginia. Go ahead.
Mr. Pomata. Did you----
Mr. Tom Davis of Virginia. No. I was going to go with you
first.
Mr. Pomata. Sorry. One of the things I think of is that
requirements need to be well defined. We know that. But as
procurements progress, there are typically requirement changes.
So there needs to be some flexibility on both sides to be able
to understand as changes come up how to handle them.
The other thing we found is that a lot of the requirements
in the IT world and a lot of the way procurements were proposed
and executed was that, rather than utilize commercial
standards, rather than utilize commercial off-the-shelf
software, the government always insisted that they had unique
requirements and that they had to be custom tailored to what
they needed to do, as opposed to try to change some of the
processes to conform and to use off-the-shelf software, a lower
risk approach. So, typically, the risk is higher when you try
to customize things.
Mr. Tom Davis of Virginia. And more expensive, too.
Mr. Pomata. And more expensive. And I think part of the
solution there is for--even in homeland defense certainly there
are mission-critical things that are going to be very specific
and very important to the way the government needs to look at
data and needs to do business, but I would suggest there are
robust off-the-shelf technologies available that can be
implemented quicker, faster and more--and cheaper into the
systems at lower risks to solve the government's problem. I
think we should look at that.
Mr. Tom Davis of Virginia. OK. Does anyone else want to add
anything to that?
Mr. Johnson. Yes, I'd like to add a few things.
There are a couple of aspects that are common to many of
the failures that we've seen. One is in some cases a lack of
top leadership which can push down activity requirements and
implementation across multiple stovepipes. In other words,
without top management, emphasis on a major program of that
size is typically doomed to failure.
A second one is there has to be a very strong government
project manager and project team involved going forward, and
oftentimes there's a shortage of those within government
agencies.
A third one is that these large-scale systems and
implementation efforts are certainly team approaches. They
cannot be executed from an arm's-length arrangement between
contractor and government agency. The team going forward needs
to be effectively transparent and committed to the success of
the program, rather than operating in an impeding communication
kind of atmosphere.
Mr. Tom Davis of Virginia. OK. Anyone else on that?
Let me address the culture issues. Improving information
sharing for homeland security is one of the largest changes to
management initiatives I think that's ever been attempted. Many
view the culture gap between the public and the private sectors
as just a significant impediment to leveraging private sector
management expertise to private and the information sharing
that we need to get to. Any suggestions for bridging the gap?
Mr. Fitzgerald. Well, I think it's somewhat hard, because
there's an arm's-length relationship between the government and
the contractors on many of these projects. We all have to
remember, at the same time, we all have the best interests of
the country involved. We want to bring our skills to bear on
these innovative solutions, as the bill you're sponsoring
points out, and there has to be a little bit of a trust factor.
I know trust is a difficult commodity to have between
government and industry, but the stakes are very high.
Mr. Tom Davis of Virginia. Now, you all hire people who
worked for the government to come work for you.
Mr. Fitzgerald. Yes.
Mr. Tom Davis of Virginia. They could have some knowledge
to try to at least do translations and speak the language.
Mr. Fitzgerald. Yeah. And that does help, Congressman. But,
again, there is still an insular attitude toward the private
sector. So I think there just has to--and I'm not sure what the
answer to that is. We really don't. We've all struggled with
that. But I know from speaking with the other members with me
today, I mean, we're all sitting here with one purpose. We are
interested, we are capable, and we all believe in what we have
ahead of us is a very important project.
Mr. Tom Davis of Virginia. Dr. Sugar, let me ask you a
question. In your testimony, you talked about much of what
Northrop Grumman has done for years and that the defense
program area can be adopted for use domestically by State and
even local organizations. In your experience, do the State and
local organizations have the human resources needed to
implement these programs?
Mr. Sugar. Well, the fact is it varies, but generally not
at the levels that you'd want. I think that the challenge here
is to create standard solutions that we can replicate, that are
easy to use, that we can also assist with training and to
conduct exercises in standard ways so that you're not
reinventing the wheel.
You know, if you think about it, we have 40 or 50 Federal
agencies, 50 States and probably 200 cities of more than
100,000 or 200,000 people. So you can imagine that if everybody
is trying to solve a problem like this, you might have 10,000,
50,000 solutions, and that is total chaos. And the irony is
it's basically the same problem. It's the same problem being
replicated.
So one value we could have here from your bill and from a
central department is that a certain class of problems which
are going to clearly be what you might call killer apps in the
software business, where you have a standard need for a baggage
detection or a standard need for a sniffer for biochem or
something, can be identified. Requirements can be quickly
finalized for it. RFPs can go out. The best ideas from industry
can be brought together, and that can become a standard
solution.
It doesn't even necessarily have to be the same guy. It can
be a standard set of specifications that apply; and as long as
you comply with that you've got a qualified device that is
homeland security, department-qualified, and that becomes the
standard.
By the way, if that is used in some way which creates an
unintended consequence but you did comply with this in good
faith, you have some limitations around your liability. I think
that is the way to address the issue of the training and
viability for the people around----
Mr. Tom Davis of Virginia. We don't even have to legislate
this. We're such a huge purchaser in the market that if we
could keep our procurement needs consistent we would be able to
define the marketplace. But we're not consistent. That's one of
the problems.
Mr. Fitzgerald. In the granting process as well, too,
because many of these systems will be purchased through grants
from various agencies.
Mr. Tom Davis of Virginia. That's where Mr. Forman and the
previous panel just need to step up. Still so often within
agencies we're finding disparate ways to get there, and it's
just not consistent. That really rings true.
Well, I want to thank you all. Those are all the questions
I have.
Any other questions for the panelists?
I said I'd get us out at 12, and we're a few minutes late,
but actually the questions took a little longer.
I think this has been a good panel and a very timely panel,
and I appreciate the thoughtfulness and reflection that each of
you have brought to this today.
Let me sum up. I'm going to enter into the record the
briefing memo distributed to the subcommittee members.
[The information referred to follows:]
[GRAPHIC] [TIFF OMITTED] T5840.089
[GRAPHIC] [TIFF OMITTED] T5840.090
[GRAPHIC] [TIFF OMITTED] T5840.091
[GRAPHIC] [TIFF OMITTED] T5840.092
[GRAPHIC] [TIFF OMITTED] T5840.093
Mr. Tom Davis of Virginia. We'll hold the record open for 2
weeks from today for those who want to forward submissions for
possible inclusion. I suggest, with the delay of regular mail
going in and out of the Capitol campus, that you e-mail these
submissions to the attention of my counsel, George Rogers, and
we'll get them in.
All right. Thank you very much. These proceedings are
closed.
[Whereupon, at 12:12 p.m., the subcommittee was adjourned.]
-