29 May 1998

See full report: http://jya.com/hr105-508.txt

105th Congress                                                   Report
                        HOUSE OF REPRESENTATIVES

 2d Session                                                     105-508



  May 5, 1998.--Committed to the Committee of the Whole House on the 
              State of the Union and ordered to be printed


    Mr. Goss, from the Permanent Select Committee on Intelligence, 
                        submitted the following

                              R E P O R T

                        [To accompany H.R. 3694]

                       Areas of Special Interest

   the national security agency budget, culture, method of operation

    The committee has concluded that very large changes in the 
National Security Agency's culture and method of operations 
need to take place, including changes in its budget 
methodology. NSA should be given credit for many changes 
already introduced, but the committee believes that the results 
have not gone far enough, and that NSA will not meet its 
Unified Cryptologic Architecture (UCA) goals without tackling 
head-on some very fundamental internal obstacles.
    Additions to the Consolidated Cryptologic Program (CCP) 
budget are being used as leverage to effect some of the 
internal reforms urgently needed. This is being done in several 
ways. First, the committee is funding and mandating external 
management reviews. Second, the committee is attempting to 
infuse fresh thought, needed expertise (especially in systems 
engineering), and greater fairness by insisting that 
significant portions of certain categories be contracted out 
and that outside proposals and expertise be solicited, notably 
in systems engineering, advanced research and development, and 
in development activities conducted by the Advanced Technology 
Centers. Third, fences have been placed on portions of the 
budget, with the prospect that a considerable amount of money 
could be reprogrammed for other IC needs if NSA does not 
develop detailed strategic and business planning.
    These steps are taken partially because the committee has 
been frustrated in attempts to start needed reforms during 
fiscal year 1998. Outside management reviews, budget cuts and 
adds to reduce acquisition cycle time, plus cuts to lower the 
budget percentage allocated to support, were initiated in the 
fiscal year 1998 authorization process, but all have met 
resistance and have been deflected from their intended purpose. 
Subsequently, the committee also found unreceptiveness to 
development of cost effectiveness analyses that could direct 
the agency's and SIGINT community's investment priorities. It 
also found that fiscal year 1998 and fiscal year 1999 
investments of money and personnel in categories critical to 
the future, continue to be minimized, at best, and that NSA 
often cannot track allocations for critical functions that 
cross the old program and bureaucratic lines, much less enforce 
implementation of DIRNSA policy priorities.
    Therefore, the committee concludes that a far more radical 
revision of the budget process than presently contemplated is 
necessary. Just as the military must train the way it will 
fight, NSA must budget according to the critical categories of 
a new and completely different architecture and mode of 
operations. Further, the old budget categories have provided 
little insight into and fulfillment of the old architecture.
    Most difficult of all, NSA must develop a new culture in 
which all team together on a new architecture, rather than 
bubbling up disparate ideas and programs from across NSA and 
expending much of its energy on probable duplication. This 
challenge cannot be minimized, because much of NSA's past 
strength has come from its localized creativity and quick-
reaction capability, which enabled it to rise when necessary to 
overcome the stultifying effect that the bureaucracy of such a large 
organization can have.
    It has often been said, by both Congress and the 
administration, that the IC neglects processing and the entire 
``downstream'' area in favor of more exotic and interesting 
collection programs, and that this trend has worsened in recent 
years. The committee requests that, after receiving this bill, 
the Community Management Staff (CMS) organize an effort to 
provide statistics on trends for investment in collection as 
opposed to processing or downstream areas. Even if comparable 
data cannot be found to document the balance over the past ten 
years, we should establish a 1997 baseline, if practicable, and 
keep track thereafter. Eventually, we may be able to establish 
some rule of thumb for the amount of downstream investment 
required to use efficiently our investments in collection, 
although this could be subject to changing technology and the 
effect on costs at either end. The CMS is asked to explore this 
possible system for tracking SIGINT investment, in conjunction 
with NSA, which has thought about potential methodologies. CMS 
participation appears necessary because much SIGINT collection 
and processing crosses program boundaries and accumulation of 
the data would require access to information outside NSA, as 
well as the presence of an objective arbiter.
    For the same reasons, CMS is also asked to undertake 
immediately the establishment of meaningful metrics to evaluate 
henceforth the cost effectiveness of various SIGINT collection 
programs. NSA has resisted this on grounds that meaningful 
metrics cannot be found, but the committee believes they must 
be found and that NSA and other community programs must be run 
more like a corporation that systematically evaluates the 
productivity of various lines of operation, terminates or 
downgrades some accordingly, and switches available dollars to 
those that produce the most return or have the greatest 
promise. Such data is needed across the IC to determine where 
our funds should be placed, and should have been developed to 
help guide the UCA deliberations. It can still have a major 
impact on UCA implementation plans. There are many other 
potential uses, including for decisions on the elimination of 
legacy systems within NSA and for DCI and DoD consideration of 
cross-program trades.
    Finally, the committee has requested that an independent 
panel assess community-wide Electronic Intelligence (ELINT) 
planning and budgeting.


Joint signals intelligence avionics family, No budgetary change

    The budget request contained $80.4 million in PE 35206D8Z 
for the joint signals intelligence avionics family (JSAF).
    The committee continues to be concerned by problems with 
JSAF developments. While the committee is encouraged by 
progress in design of the low band subsystem (LBSS), it is 
concerned by schedule delays and cost increases that have 
forced reduction of system performance to remain within budget. 
Further, the committee remains doubtful that the high band 
subsystem (HBSS) development can successfully meet its cost and 
performance goals. The committee's concerns are heightened by 
the fact that the JSAF development is the only planned upgrade 
for future airborne SIGINT reconnaissance. If JSAF fails to 
provide the needed capabilities, users ranging from theater 
tactical forces to national policy makers will be severely 
    Executive Order 12333 charges the Director of the National 
Security Agency (NSA) to conduct ``research and development to 
meet the needs of the United States for signals intelligence * 
* *''. To ensure proper joint oversight of JSAF development, 
the committee recommends the budget request be authorized in PE 
35885G, the Defense Cryptologic Program. The committee believes 
this will allow the Air Force, as the executive agent for JSAF, 
to continue to execute the program, while providing joint 
oversight by NSA.


Defense imagery program, Funding transfers

    The budget request included $29.4 million in research and 
development, defense-wide, line 150 for the Common Imagery 
Ground/Surface Station (CIGSS) and $1.9 million for development 
of the standards for the Distributed Common Ground Station 
(DCGS). The committee believes there is a need for the National 
Imagery and Mapping Agency (NIMA) to create from within 
existing resources a management structure analogous to the 
National Security Agency's Defense Cryptologic Program (DCP). 
The DCP is responsible for coordinating and providing funding 
for advanced research and development of signals intelligence 
capabilities that have applicability across all services. This 
structure requires close coordination with the services as they 
develop, field, and evolve tactical systems, with the service 
needs driving the leading edge developments. The committee 
believes that, just as the Director, NSA is responsible for 
coordinating research and development to meet the tactical 
needs of the U.S. Cryptologic System, so should the Director, 
NIMA for the U.S. Imagery System.
    Therefore, the committee recommends these funding requests 
be authorized in research and development, defense-wide, line 
138A. Further, the committee directs NIMA to create a 
management structure to provide a Defense Imagery Program 
within the Defense Imagery andMapping Agency Program of the 
Joint Military Intelligence Program. No additional billets are 
authorized for this management.

See full report: http://jya.com/sr105-185.txt 105th Congress Report SENATE 2d Session 105-185 _______________________________________________________________________ AUTHORIZING APPROPRIATIONS FOR FISCAL YEAR 1999 FOR THE INTELLIGENCE ACTIVITIES OF THE UNITED STATES GOVERNMENT AND THE CENTRAL INTELLIGENCE AGENCY RETIREMENT AND DISABILITY SYSTEM AND FOR OTHER PURPOSES _______ May 7, 1998.--Ordered to be printed _______________________________________________________________________ Mr. Shelby, from the Select Committee on Intelligence, submitted the following R E P O R T [To accompany S. 2052] [Excerpts] NSA declassification The National Security Agency has several declassification programs, which are split among many offices, and funding for which is buried in the budget submissions of those offices. NSA was unable to provide the Committee with the total amount requested for all declassification programs in fiscal year 1999. In addition, with respect to the only declassification program specifically identified in the Congressional Budget Justification Book, NSA was unable to explain how those resources would be allocated. It is impossible for the Committee to determine the scale of the declassification effort, the effectiveness of declassification tools, and how well NSA is meeting declassification requirements. To enhance oversight, the Committee directs the Director of NSA to consolidate all declassification programs into a single budget submission beginning in fiscal year 2000, to include a breakdown of how the resources will be allocated. ***** impact of technology on the intelligence community Technical Advisory Group In 1997, the Committee established a Technical Advisory Group (TAG) to consider selected, highly significant technical issues relating to national security or intelligence. The TAG is comprised of leading U.S. scientists and experts in technology and intelligence. The Committee wishes to thank the TAG members for the many hours they devoted to examining both the HUMINT and SIGINT capabilities of the Intelligence Community (IC). The TAG concluded that intelligence collection will pay an increasingly important role in defending U.S. national security interests, and recommended that the IC develop a comprehensive plan for transition to the future which recognizes the technically sophisticated, rapidly changing world that now confronts the IC. The Committee will continue to review the recommendations of this distinguished group and work with the Director of Central Intelligence to implement them. Many of the initial recommendations of the TAG have been incorporated throughout the Intelligence Authorization Act of 1999. Encryption The Committee remains concerned about efforts to inappropriately ease or remove export restrictions on hardware and software encryption products. Export controls on encryption and other products serve a clearly defined purpose--to protect our nation's security. Therefore, the Committee believes that the effects on U.S. national security must be the paramount concern when considering any proposed change to encryption export policy, and will seek referral of any legislation regarding encryption export policy under its jurisdiction established under Senate Resolution 400. Export restrictions on encryption products assist the Intelligence Community in its signals intelligence mission. By collecting and analyzing signals intelligence, U.S. intelligence agencies seek to understand the policies, intentions, and plans of foreign state and nonstate actors. Signals intelligence plays an important role in the formation of American foreign and defense policy. It is also a significant factor in U.S. efforts to protect its citizens and soldiers against terrorism, the proliferation of weapons of mass destruction, narcotics trafficking, international crime and other threats to our nation's security. While the Committee recognizes the commercial interest in easing or removing export restrictions, it believes the safety of our citizens and soldiers should be the predominant concern when considering U.S. policy towards the export of any product. The Committee supports the continued control of encryption products, and believes that a comprehensive strategy on encryption export policy can and must be developed that addresses national security concerns as well as the promotion of American commercial interests abroad. The Committee looks forward to working with senior Administration officials in developing such a strategy. Intelligence Community role in national infrastructure protection The Committee believes the Intelligence Community has an important role to play in the protection of our nation's critical infrastructure. The President's Commission on Critical Infrastructure Protection (PCCIP) issued a report in October 1997 which identified five critical infrastructures--energy, banking and finance, transportation, vital human services, and telecommunications--that are essential to national defense, public safety, economic prosperity, and quality of life. In pursuit of greater effectiveness and efficiency, the private and public sector entities which manage these infrastructures have integrated advanced information and communications technologies into their systems. However, the widespread use and interlinkage of computer and telecommunications throughout these infrastructures has created new vulnerabilities which, if not addressed, pose significant risks to our national security. In response to the recommendations included in the PCCIP Report, the Administration in February 1998 created a National Infrastructure Protection Center (NIPC) within the Federal Bureau of Investigation. The NIPC will be composed of the former Computer Investigations and Infrastructure Threat Assessment Center (CITAC), originally funded through the NFIP, and other offices whose responsibilities include operational response to computer intrusion incidents, and indications and warnings for infrastructure and key asset protection. To be successful in performing its mission, the NIPC must rely on the Intelligence Community to provide timely and reliable information regarding possible intrusions, disruptions, and attacks committed by foreign actors on the critical infrastructures. In its version of the Intelligence Authorization Act for Fiscal Year 1998 the Committee directed the Director of Central Intelligence, the Secretary of Defense, and the Director of the Federal Bureau of Investigation to submit a report articulating a counterintelligence strategy for critical infrastructure protection. The Committee received this report on March 30, 1998. While describing how intelligence agencies have chosen to approach the infrastructure protection issue, this report did not provide a detailed counterintelligence strategy nor did it provide adequate information regarding current or planned counterintelligence activities. With the creation of the NIPC, the Committee believes the Intelligence Community needs a comprehensive strategy to address counterintelligence, threat assessment, indications and warnings, and other intelligence requirements necessary to assist the NIPC in its infrastructure protection mission. Therefore, the Committee directs the Director of Central Intelligence and the Secretary of Defense to perform a joint review to determine the proper role of the Intelligence Community in critical infrastructure protection. This review should: identify the assets and capabilities of the Intelligence Community which may be of value to the protection of the critical infrastructures; identify which capabilities or technologies useful to intelligence collection or analysis on infrastructure protection are presently lacking within the Intelligence Community, including the capability to provide indications and warnings; provide a counterintelligence strategy designed to protect information regarding vulnerabilities in United States infrastructure; state what, if any, additional collection requirements have been implemented to gain insight into activity against U.S. systems; describe any training programs developed to increase awareness and knowledge of analysts and collectors regarding infrastructure protection concerns; explain how the Intelligence Community will use its expertise and assets to assist the critical infrastructures protection mission of the NIPC and other government entities; and detail how the Intelligence Community will provide timely and actionable intelligence regarding foreign intrusions and attacks to the NIPC and other government entities involved in critical infrastructure protection. This review should also propose how protective techniques and technologies developed or identified by the Intelligence Community may be shared with the private and public sector actors that manage these infrastructures. The Committee directs that the review of the Intelligence Community's role in infrastructure protection be provided to the Congressional Intelligence Committees not later than March 15, 1999. Assessment of the Intelligence Community's information infrastructure In recent years, the Intelligence Community has incorporated advanced computer and telecommunications technologies into its organizations to improve their intelligence collection and analytical capabilities, to increase the productivity of its workforce, and to facilitate communications between different member organizations. As the agencies and offices of the Intelligence Community become more reliant on these technologies, they have become more vulnerable to intrusions, disruptions, and attacks against these systems. The Committee realizes that any breakdown in the information infrastructure of the Intelligence Community will adversely affect its ability to provide timely intelligence to our national security policymakers and military leaders. To address this potential vulnerability, the Committee directs the Director of Central Intelligence and the Secretary Of Defense to formulate an Intelligence Community information infrastructure security program to ensure the viability and effectiveness of the Intelligence Community's information infrastructure. This program shall develop and implement procedures, practices, policies, and technologies designed to secure and protect the IC's information infrastructure from intrusion, disruptions, and attacks. It should also provide internal controls, audit features, and other necessary elements to address possible insider attacks and other counterintelligence concerns. The Committee directs that the Director of Central Intelligence and the Secretary of Defense forward a report to the Congressional Intelligence Committees not later than March 15, 1999. The Committee is also concerned that there is no formal, periodic review of the technologies and practices used by the Intelligence Community to provide security and protection for its information infrastructure. Therefore, the Committee directs the Director of Central Intelligence and the Secretary of Defense to perform regular, periodic assessments of theprocedures, policies, and technologies implemented by the various intelligence agencies and offices to secure and protect their computer and telecommunications systems. These assessments shall be performed on at least an annual basis. Further, the Committee directs that the Intelligence Community complete an initial series of assessments by the end of fiscal year 1999. These assessments should include the following: a determination of the adequacy of information infrastructure security procedures and policies; a review of any technologies in use to provide security and/or protect information infrastructure; and the result of aggressive systematic, controlled testing of the Intelligence Community's computer and telecommunications systems for vulnerabilities to intrusion, denial of use, attack, or other disruptive activity. These assessments shall be provided by the Director of Central Intelligence and the Secretary of Defense to the Congressional Defense Committees not later than March 15, 1999.