29 May 1998
See full report: http://jya.com/hr105-508.txt 105th Congress Report HOUSE OF REPRESENTATIVES 2d Session 105-508 _______________________________________________________________________ INTELLIGENCE AUTHORIZATION ACT FOR FISCAL YEAR 1999 _______ May 5, 1998.--Committed to the Committee of the Whole House on the State of the Union and ordered to be printed _______________________________________________________________________ Mr. Goss, from the Permanent Select Committee on Intelligence, submitted the following R E P O R T [To accompany H.R. 3694] [Excerpts] Areas of Special Interest the national security agency budget, culture, method of operation The committee has concluded that very large changes in the National Security Agency's culture and method of operations need to take place, including changes in its budget methodology. NSA should be given credit for many changes already introduced, but the committee believes that the results have not gone far enough, and that NSA will not meet its Unified Cryptologic Architecture (UCA) goals without tackling head-on some very fundamental internal obstacles. Additions to the Consolidated Cryptologic Program (CCP) budget are being used as leverage to effect some of the internal reforms urgently needed. This is being done in several ways. First, the committee is funding and mandating external management reviews. Second, the committee is attempting to infuse fresh thought, needed expertise (especially in systems engineering), and greater fairness by insisting that significant portions of certain categories be contracted out and that outside proposals and expertise be solicited, notably in systems engineering, advanced research and development, and in development activities conducted by the Advanced Technology Centers. Third, fences have been placed on portions of the budget, with the prospect that a considerable amount of money could be reprogrammed for other IC needs if NSA does not develop detailed strategic and business planning. These steps are taken partially because the committee has been frustrated in attempts to start needed reforms during fiscal year 1998. Outside management reviews, budget cuts and adds to reduce acquisition cycle time, plus cuts to lower the budget percentage allocated to support, were initiated in the fiscal year 1998 authorization process, but all have met resistance and have been deflected from their intended purpose. Subsequently, the committee also found unreceptiveness to development of cost effectiveness analyses that could direct the agency's and SIGINT community's investment priorities. It also found that fiscal year 1998 and fiscal year 1999 investments of money and personnel in categories critical to the future, continue to be minimized, at best, and that NSA often cannot track allocations for critical functions that cross the old program and bureaucratic lines, much less enforce implementation of DIRNSA policy priorities. Therefore, the committee concludes that a far more radical revision of the budget process than presently contemplated is necessary. Just as the military must train the way it will fight, NSA must budget according to the critical categories of a new and completely different architecture and mode of operations. Further, the old budget categories have provided little insight into and fulfillment of the old architecture. Most difficult of all, NSA must develop a new culture in which all team together on a new architecture, rather than bubbling up disparate ideas and programs from across NSA and expending much of its energy on probable duplication. This challenge cannot be minimized, because much of NSA's past strength has come from its localized creativity and quick- reaction capability, which enabled it to rise when necessary to overcome the stultifying effect that the bureaucracy of such a large organization can have. It has often been said, by both Congress and the administration, that the IC neglects processing and the entire ``downstream'' area in favor of more exotic and interesting collection programs, and that this trend has worsened in recent years. The committee requests that, after receiving this bill, the Community Management Staff (CMS) organize an effort to provide statistics on trends for investment in collection as opposed to processing or downstream areas. Even if comparable data cannot be found to document the balance over the past ten years, we should establish a 1997 baseline, if practicable, and keep track thereafter. Eventually, we may be able to establish some rule of thumb for the amount of downstream investment required to use efficiently our investments in collection, although this could be subject to changing technology and the effect on costs at either end. The CMS is asked to explore this possible system for tracking SIGINT investment, in conjunction with NSA, which has thought about potential methodologies. CMS participation appears necessary because much SIGINT collection and processing crosses program boundaries and accumulation of the data would require access to information outside NSA, as well as the presence of an objective arbiter. For the same reasons, CMS is also asked to undertake immediately the establishment of meaningful metrics to evaluate henceforth the cost effectiveness of various SIGINT collection programs. NSA has resisted this on grounds that meaningful metrics cannot be found, but the committee believes they must be found and that NSA and other community programs must be run more like a corporation that systematically evaluates the productivity of various lines of operation, terminates or downgrades some accordingly, and switches available dollars to those that produce the most return or have the greatest promise. Such data is needed across the IC to determine where our funds should be placed, and should have been developed to help guide the UCA deliberations. It can still have a major impact on UCA implementation plans. There are many other potential uses, including for decisions on the elimination of legacy systems within NSA and for DCI and DoD consideration of cross-program trades. Finally, the committee has requested that an independent panel assess community-wide Electronic Intelligence (ELINT) planning and budgeting. ***** Joint signals intelligence avionics family, No budgetary change The budget request contained $80.4 million in PE 35206D8Z for the joint signals intelligence avionics family (JSAF). The committee continues to be concerned by problems with JSAF developments. While the committee is encouraged by progress in design of the low band subsystem (LBSS), it is concerned by schedule delays and cost increases that have forced reduction of system performance to remain within budget. Further, the committee remains doubtful that the high band subsystem (HBSS) development can successfully meet its cost and performance goals. The committee's concerns are heightened by the fact that the JSAF development is the only planned upgrade for future airborne SIGINT reconnaissance. If JSAF fails to provide the needed capabilities, users ranging from theater tactical forces to national policy makers will be severely impacted. Executive Order 12333 charges the Director of the National Security Agency (NSA) to conduct ``research and development to meet the needs of the United States for signals intelligence * * *''. To ensure proper joint oversight of JSAF development, the committee recommends the budget request be authorized in PE 35885G, the Defense Cryptologic Program. The committee believes this will allow the Air Force, as the executive agent for JSAF, to continue to execute the program, while providing joint oversight by NSA. ***** Defense imagery program, Funding transfers The budget request included $29.4 million in research and development, defense-wide, line 150 for the Common Imagery Ground/Surface Station (CIGSS) and $1.9 million for development of the standards for the Distributed Common Ground Station (DCGS). The committee believes there is a need for the National Imagery and Mapping Agency (NIMA) to create from within existing resources a management structure analogous to the National Security Agency's Defense Cryptologic Program (DCP). The DCP is responsible for coordinating and providing funding for advanced research and development of signals intelligence capabilities that have applicability across all services. This structure requires close coordination with the services as they develop, field, and evolve tactical systems, with the service needs driving the leading edge developments. The committee believes that, just as the Director, NSA is responsible for coordinating research and development to meet the tactical needs of the U.S. Cryptologic System, so should the Director, NIMA for the U.S. Imagery System. Therefore, the committee recommends these funding requests be authorized in research and development, defense-wide, line 138A. Further, the committee directs NIMA to create a management structure to provide a Defense Imagery Program within the Defense Imagery andMapping Agency Program of the Joint Military Intelligence Program. No additional billets are authorized for this management.
See full report: http://jya.com/sr105-185.txt 105th Congress Report SENATE 2d Session 105-185 _______________________________________________________________________ AUTHORIZING APPROPRIATIONS FOR FISCAL YEAR 1999 FOR THE INTELLIGENCE ACTIVITIES OF THE UNITED STATES GOVERNMENT AND THE CENTRAL INTELLIGENCE AGENCY RETIREMENT AND DISABILITY SYSTEM AND FOR OTHER PURPOSES _______ May 7, 1998.--Ordered to be printed _______________________________________________________________________ Mr. Shelby, from the Select Committee on Intelligence, submitted the following R E P O R T [To accompany S. 2052] [Excerpts] NSA declassification The National Security Agency has several declassification programs, which are split among many offices, and funding for which is buried in the budget submissions of those offices. NSA was unable to provide the Committee with the total amount requested for all declassification programs in fiscal year 1999. In addition, with respect to the only declassification program specifically identified in the Congressional Budget Justification Book, NSA was unable to explain how those resources would be allocated. It is impossible for the Committee to determine the scale of the declassification effort, the effectiveness of declassification tools, and how well NSA is meeting declassification requirements. To enhance oversight, the Committee directs the Director of NSA to consolidate all declassification programs into a single budget submission beginning in fiscal year 2000, to include a breakdown of how the resources will be allocated. ***** impact of technology on the intelligence community Technical Advisory Group In 1997, the Committee established a Technical Advisory Group (TAG) to consider selected, highly significant technical issues relating to national security or intelligence. The TAG is comprised of leading U.S. scientists and experts in technology and intelligence. The Committee wishes to thank the TAG members for the many hours they devoted to examining both the HUMINT and SIGINT capabilities of the Intelligence Community (IC). The TAG concluded that intelligence collection will pay an increasingly important role in defending U.S. national security interests, and recommended that the IC develop a comprehensive plan for transition to the future which recognizes the technically sophisticated, rapidly changing world that now confronts the IC. The Committee will continue to review the recommendations of this distinguished group and work with the Director of Central Intelligence to implement them. Many of the initial recommendations of the TAG have been incorporated throughout the Intelligence Authorization Act of 1999. Encryption The Committee remains concerned about efforts to inappropriately ease or remove export restrictions on hardware and software encryption products. Export controls on encryption and other products serve a clearly defined purpose--to protect our nation's security. Therefore, the Committee believes that the effects on U.S. national security must be the paramount concern when considering any proposed change to encryption export policy, and will seek referral of any legislation regarding encryption export policy under its jurisdiction established under Senate Resolution 400. Export restrictions on encryption products assist the Intelligence Community in its signals intelligence mission. By collecting and analyzing signals intelligence, U.S. intelligence agencies seek to understand the policies, intentions, and plans of foreign state and nonstate actors. Signals intelligence plays an important role in the formation of American foreign and defense policy. It is also a significant factor in U.S. efforts to protect its citizens and soldiers against terrorism, the proliferation of weapons of mass destruction, narcotics trafficking, international crime and other threats to our nation's security. While the Committee recognizes the commercial interest in easing or removing export restrictions, it believes the safety of our citizens and soldiers should be the predominant concern when considering U.S. policy towards the export of any product. The Committee supports the continued control of encryption products, and believes that a comprehensive strategy on encryption export policy can and must be developed that addresses national security concerns as well as the promotion of American commercial interests abroad. The Committee looks forward to working with senior Administration officials in developing such a strategy. Intelligence Community role in national infrastructure protection The Committee believes the Intelligence Community has an important role to play in the protection of our nation's critical infrastructure. The President's Commission on Critical Infrastructure Protection (PCCIP) issued a report in October 1997 which identified five critical infrastructures--energy, banking and finance, transportation, vital human services, and telecommunications--that are essential to national defense, public safety, economic prosperity, and quality of life. In pursuit of greater effectiveness and efficiency, the private and public sector entities which manage these infrastructures have integrated advanced information and communications technologies into their systems. However, the widespread use and interlinkage of computer and telecommunications throughout these infrastructures has created new vulnerabilities which, if not addressed, pose significant risks to our national security. In response to the recommendations included in the PCCIP Report, the Administration in February 1998 created a National Infrastructure Protection Center (NIPC) within the Federal Bureau of Investigation. The NIPC will be composed of the former Computer Investigations and Infrastructure Threat Assessment Center (CITAC), originally funded through the NFIP, and other offices whose responsibilities include operational response to computer intrusion incidents, and indications and warnings for infrastructure and key asset protection. To be successful in performing its mission, the NIPC must rely on the Intelligence Community to provide timely and reliable information regarding possible intrusions, disruptions, and attacks committed by foreign actors on the critical infrastructures. In its version of the Intelligence Authorization Act for Fiscal Year 1998 the Committee directed the Director of Central Intelligence, the Secretary of Defense, and the Director of the Federal Bureau of Investigation to submit a report articulating a counterintelligence strategy for critical infrastructure protection. The Committee received this report on March 30, 1998. While describing how intelligence agencies have chosen to approach the infrastructure protection issue, this report did not provide a detailed counterintelligence strategy nor did it provide adequate information regarding current or planned counterintelligence activities. With the creation of the NIPC, the Committee believes the Intelligence Community needs a comprehensive strategy to address counterintelligence, threat assessment, indications and warnings, and other intelligence requirements necessary to assist the NIPC in its infrastructure protection mission. Therefore, the Committee directs the Director of Central Intelligence and the Secretary of Defense to perform a joint review to determine the proper role of the Intelligence Community in critical infrastructure protection. This review should: identify the assets and capabilities of the Intelligence Community which may be of value to the protection of the critical infrastructures; identify which capabilities or technologies useful to intelligence collection or analysis on infrastructure protection are presently lacking within the Intelligence Community, including the capability to provide indications and warnings; provide a counterintelligence strategy designed to protect information regarding vulnerabilities in United States infrastructure; state what, if any, additional collection requirements have been implemented to gain insight into activity against U.S. systems; describe any training programs developed to increase awareness and knowledge of analysts and collectors regarding infrastructure protection concerns; explain how the Intelligence Community will use its expertise and assets to assist the critical infrastructures protection mission of the NIPC and other government entities; and detail how the Intelligence Community will provide timely and actionable intelligence regarding foreign intrusions and attacks to the NIPC and other government entities involved in critical infrastructure protection. This review should also propose how protective techniques and technologies developed or identified by the Intelligence Community may be shared with the private and public sector actors that manage these infrastructures. The Committee directs that the review of the Intelligence Community's role in infrastructure protection be provided to the Congressional Intelligence Committees not later than March 15, 1999. Assessment of the Intelligence Community's information infrastructure In recent years, the Intelligence Community has incorporated advanced computer and telecommunications technologies into its organizations to improve their intelligence collection and analytical capabilities, to increase the productivity of its workforce, and to facilitate communications between different member organizations. As the agencies and offices of the Intelligence Community become more reliant on these technologies, they have become more vulnerable to intrusions, disruptions, and attacks against these systems. The Committee realizes that any breakdown in the information infrastructure of the Intelligence Community will adversely affect its ability to provide timely intelligence to our national security policymakers and military leaders. To address this potential vulnerability, the Committee directs the Director of Central Intelligence and the Secretary Of Defense to formulate an Intelligence Community information infrastructure security program to ensure the viability and effectiveness of the Intelligence Community's information infrastructure. This program shall develop and implement procedures, practices, policies, and technologies designed to secure and protect the IC's information infrastructure from intrusion, disruptions, and attacks. It should also provide internal controls, audit features, and other necessary elements to address possible insider attacks and other counterintelligence concerns. The Committee directs that the Director of Central Intelligence and the Secretary of Defense forward a report to the Congressional Intelligence Committees not later than March 15, 1999. The Committee is also concerned that there is no formal, periodic review of the technologies and practices used by the Intelligence Community to provide security and protection for its information infrastructure. Therefore, the Committee directs the Director of Central Intelligence and the Secretary of Defense to perform regular, periodic assessments of theprocedures, policies, and technologies implemented by the various intelligence agencies and offices to secure and protect their computer and telecommunications systems. These assessments shall be performed on at least an annual basis. Further, the Committee directs that the Intelligence Community complete an initial series of assessments by the end of fiscal year 1999. These assessments should include the following: a determination of the adequacy of information infrastructure security procedures and policies; a review of any technologies in use to provide security and/or protect information infrastructure; and the result of aggressive systematic, controlled testing of the Intelligence Community's computer and telecommunications systems for vulnerabilities to intrusion, denial of use, attack, or other disruptive activity. These assessments shall be provided by the Director of Central Intelligence and the Secretary of Defense to the Congressional Defense Committees not later than March 15, 1999.