Testimony of Mark Tanner, Information Resources Manager (IRM), FBI
Before the Committee on Governmental Reform, Subcommittee on Government Management, Information, and Technology
United States House of Representatives
September 11, 2000
"
Computer Security"

Good morning, Mr. Chairman and Members of the Subcommittee. Thank you for inviting me here to discuss the FBI's efforts in the area of computer security. The FBI shares your conviction that computer security is of vital concern. That concern is manifested at a variety of levels: first, the concern within the FBI itself as to how the FBI collects and handles sensitive and personal information; the concern as a member of the U.S. intelligence community, where there is a growing awareness and desire to achieve a collaborative sharing of intelligence information while at the same time securing highly sensitive and classified sources and techniques; the concern as a member of the law enforcement community often called upon to investigate, identify and apprehend those responsible for hacking into Government systems and critical infrastructures of this nation; and the concern as a Federal law enforcement agency called upon to investigate computer and computer-related crimes as diverse as a pedophile seeking to prey on a youngster, Internet fraud crimes which victimize all elements of our society including persons and businesses, and those who would seek to enrich themselves by illegally manipulating stock prices.

The FBI's internal computer policies and practices present a somewhat unusual picture as far as Federal agencies are concerned. The FBI is, as I have stated, an agency charged with the investigation of many computer-related crimes, and it is charged with the conduct of all counterintelligence activities in the United States. In addition, the FBI operates several systems on which state and local law enforcement agencies have come to rely as a necessity. As such, the FBI must operate both classified and unclassified systems, and many of those unclassified systems have strong requirements for the protection of personal data about American citizens as well as a need to maintain instant availability. In addition, the nature of some of the unclassified systems presents special requirements in that the data represent information gathered through a variety of methods, each requiring its own specialized method of handling and protecting the information. These methods include the use of Federal Grand Jury subpoenas, which are thus subject to the requirements of Rule 6(e) of the Federal Rules of Criminal Procedure; material identifiable as Federal Taxpayer information and thus subject to specialized handling and disclosure requirements; as well as other specialized requirements. Of course, the specific requirements of classified information material, obtained as a result of Title 50 (FISA) activities or by other intelligence community agencies, must also be respected.

To accomplish these tasks, the FBI operates 35 general support systems and 12 major applications. Twenty-four of the 35 general support systems are classified. Six of the 12 major applications are classified. Therefore, the FBI operates 30 national security systems. It should be noted that the vast majority of the FBI's classified systems are currently internal systems and thus do not have external connections to non-secure/unclassified systems.

The FBI's information systems security policy is codified in our Manual of Investigative Operations, Part II, Section 35. A copy of this policy has previously been made available to this subcommittee. The policy is a compilation of requirements from a number of sources which are outlined in Section 35-11 of this policy. In general, let me state that because of the variety of types of systems used by the FBI, our practice, where practical, involves using a hierarchical approach to any requirement from these sources based on the respective system's criticality and risk. This is to avoid any possible confusion about whether or not a system should follow this or that set of rules and regulations. To choose any other course of action would be folly.

The FBI's policy is coordinated by the Information Systems Security Unit (ISSU) which is part of our National Security Division (NSD). ISSU works closely with both of the Department of Justice entities which oversee the classified and unclassified computer systems. In addition, ISSU maintains a good working relationship with national entities responsible for computer security policy such as the NSTISSC and NIST and the Security Policy Board to ensure that the latest information is available.

There are many challenges which face the FBI in today's computerized world. One of the biggest challenges involves the rapidly changing environment and the rapidly changing world in which we all live. New technologies are moving to the marketplace at a frenetic pace; old technologies are undergoing metamorphosis. Each of these new products presents particular problems and requires a careful and thoughtful analysis to ensure that the FBI continues to maintain a policy which recognizes the business needs of the computerized world while still practicing meaningful security practices.

The FBI is currently practicing a risk management approach in the certification and accreditation of its computer systems. As I have previously stated, most FBI systems are internal and not connected to non-secure/unclassified systems. This isolation permits some sense of comfort in that systems not connected to the outside are far less vulnerable to compromise and attack. In this manner, our approach has been to identify those systems which pose the largest risk in terms of their data and the sensitivity of that data. Those systems are approached before systems which play a lesser role in either their data or their sensitivity. The FBI is currently engaged in a series of activities which will hopefully lead to the speedy completion of certification and accreditation activities for all systems. Resources have been loaned to the FBI from the Department of Justice, and additional assistance is being sought from the U.S. intelligence community under their ICAP program.

Moreover, the ISSU has undertaken a series of steps to ensure that system owners and developers assume some of the initial and continuing responsibilities for a system. ISSU has developed and made available to all other FBI employees templates of system security plans and examples of risk assessments so that the efforts of the other entities will be more productively focused while at the same time lifting the operational and/or consulting efforts. In addition, ISSU has undertaken to develop a robust computer security education program for all users of systems.

Future directions of the FBI's information systems security program include a focusing of the security requirements as an initial and life cycle requirement of all systems by the system owners and developers. By ensuring that security is "built into" all systems and that the continuing costs are specifically identified as a separate line in proposals, the FBI will continue to meet the expectations of the American public and this Congress as to computer security. As the FBI increases its connections to external systems, additional demands will be placed on those responsible for security. These responsibilities include such methodologies as network operating/monitoring centers, to include intrusion detection.

In conclusion, let me reiterate that the FBI appreciates the interest of this Subcommittee, indeed the interest of all parts of the Congress, in this area where we share your interests and concerns. Our efforts will continue to ensure that all computer systems, including those of the FBI, meet the expectations of the American public to appropriately protect that information which must be protected, while at the same time sharing that information which may be shared. The FBI respects the trust placed in it by the American public and this Congress and will do its utmost to continue that trust.

Thank you.