29 May 1998
See full report: http://jya.com/hr105-508.txt
105th Congress Report
HOUSE OF REPRESENTATIVES
2d Session 105-508
_______________________________________________________________________
INTELLIGENCE AUTHORIZATION ACT FOR FISCAL YEAR 1999
_______
May 5, 1998.--Committed to the Committee of the Whole House on the
State of the Union and ordered to be printed
_______________________________________________________________________
Mr. Goss, from the Permanent Select Committee on Intelligence,
submitted the following
R E P O R T
[To accompany H.R. 3694]
[Excerpts]
Areas of Special Interest
the national security agency budget, culture, method of operation
The committee has concluded that very large changes in the
National Security Agency's culture and method of operations
need to take place, including changes in its budget
methodology. NSA should be given credit for many changes
already introduced, but the committee believes that the results
have not gone far enough, and that NSA will not meet its
Unified Cryptologic Architecture (UCA) goals without tackling
head-on some very fundamental internal obstacles.
Additions to the Consolidated Cryptologic Program (CCP)
budget are being used as leverage to effect some of the
internal reforms urgently needed. This is being done in several
ways. First, the committee is funding and mandating external
management reviews. Second, the committee is attempting to
infuse fresh thought, needed expertise (especially in systems
engineering), and greater fairness by insisting that
significant portions of certain categories be contracted out
and that outside proposals and expertise be solicited, notably
in systems engineering, advanced research and development, and
in development activities conducted by the Advanced Technology
Centers. Third, fences have been placed on portions of the
budget, with the prospect that a considerable amount of money
could be reprogrammed for other IC needs if NSA does not
develop detailed strategic and business planning.
These steps are taken partially because the committee has
been frustrated in attempts to start needed reforms during
fiscal year 1998. Outside management reviews, budget cuts and
adds to reduce acquisition cycle time, plus cuts to lower the
budget percentage allocated to support, were initiated in the
fiscal year 1998 authorization process, but all have met
resistance and have been deflected from their intended purpose.
Subsequently, the committee also found unreceptiveness to
development of cost effectiveness analyses that could direct
the agency's and SIGINT community's investment priorities. It
also found that fiscal year 1998 and fiscal year 1999
investments of money and personnel in categories critical to
the future, continue to be minimized, at best, and that NSA
often cannot track allocations for critical functions that
cross the old program and bureaucratic lines, much less enforce
implementation of DIRNSA policy priorities.
Therefore, the committee concludes that a far more radical
revision of the budget process than presently contemplated is
necessary. Just as the military must train the way it will
fight, NSA must budget according to the critical categories of
a new and completely different architecture and mode of
operations. Further, the old budget categories have provided
little insight into and fulfillment of the old architecture.
Most difficult of all, NSA must develop a new culture in
which all team together on a new architecture, rather than
bubbling up disparate ideas and programs from across NSA and
expending much of its energy on probable duplication. This
challenge cannot be minimized, because much of NSA's past
strength has come from its localized creativity and quick-
reaction capability, which enabled it to rise when necessary to
overcome the stultifying effect that the bureaucracy of such a large
organization can have.
It has often been said, by both Congress and the
administration, that the IC neglects processing and the entire
``downstream'' area in favor of more exotic and interesting
collection programs, and that this trend has worsened in recent
years. The committee requests that, after receiving this bill,
the Community Management Staff (CMS) organize an effort to
provide statistics on trends for investment in collection as
opposed to processing or downstream areas. Even if comparable
data cannot be found to document the balance over the past ten
years, we should establish a 1997 baseline, if practicable, and
keep track thereafter. Eventually, we may be able to establish
some rule of thumb for the amount of downstream investment
required to use efficiently our investments in collection,
although this could be subject to changing technology and the
effect on costs at either end. The CMS is asked to explore this
possible system for tracking SIGINT investment, in conjunction
with NSA, which has thought about potential methodologies. CMS
participation appears necessary because much SIGINT collection
and processing crosses program boundaries and accumulation of
the data would require access to information outside NSA, as
well as the presence of an objective arbiter.
For the same reasons, CMS is also asked to undertake
immediately the establishment of meaningful metrics to evaluate
henceforth the cost effectiveness of various SIGINT collection
programs. NSA has resisted this on grounds that meaningful
metrics cannot be found, but the committee believes they must
be found and that NSA and other community programs must be run
more like a corporation that systematically evaluates the
productivity of various lines of operation, terminates or
downgrades some accordingly, and switches available dollars to
those that produce the most return or have the greatest
promise. Such data is needed across the IC to determine where
our funds should be placed, and should have been developed to
help guide the UCA deliberations. It can still have a major
impact on UCA implementation plans. There are many other
potential uses, including for decisions on the elimination of
legacy systems within NSA and for DCI and DoD consideration of
cross-program trades.
Finally, the committee has requested that an independent
panel assess community-wide Electronic Intelligence (ELINT)
planning and budgeting.
*****
Joint signals intelligence avionics family, No budgetary change
The budget request contained $80.4 million in PE 35206D8Z
for the joint signals intelligence avionics family (JSAF).
The committee continues to be concerned by problems with
JSAF developments. While the committee is encouraged by
progress in design of the low band subsystem (LBSS), it is
concerned by schedule delays and cost increases that have
forced reduction of system performance to remain within budget.
Further, the committee remains doubtful that the high band
subsystem (HBSS) development can successfully meet its cost and
performance goals. The committee's concerns are heightened by
the fact that the JSAF development is the only planned upgrade
for future airborne SIGINT reconnaissance. If JSAF fails to
provide the needed capabilities, users ranging from theater
tactical forces to national policy makers will be severely
impacted.
Executive Order 12333 charges the Director of the National
Security Agency (NSA) to conduct ``research and development to
meet the needs of the United States for signals intelligence *
* *''. To ensure proper joint oversight of JSAF development,
the committee recommends the budget request be authorized in PE
35885G, the Defense Cryptologic Program. The committee believes
this will allow the Air Force, as the executive agent for JSAF,
to continue to execute the program, while providing joint
oversight by NSA.
*****
Defense imagery program, Funding transfers
The budget request included $29.4 million in research and
development, defense-wide, line 150 for the Common Imagery
Ground/Surface Station (CIGSS) and $1.9 million for development
of the standards for the Distributed Common Ground Station
(DCGS). The committee believes there is a need for the National
Imagery and Mapping Agency (NIMA) to create from within
existing resources a management structure analogous to the
National Security Agency's Defense Cryptologic Program (DCP).
The DCP is responsible for coordinating and providing funding
for advanced research and development of signals intelligence
capabilities that have applicability across all services. This
structure requires close coordination with the services as they
develop, field, and evolve tactical systems, with the service
needs driving the leading edge developments. The committee
believes that, just as the Director, NSA is responsible for
coordinating research and development to meet the tactical
needs of the U.S. Cryptologic System, so should the Director,
NIMA for the U.S. Imagery System.
Therefore, the committee recommends these funding requests
be authorized in research and development, defense-wide, line
138A. Further, the committee directs NIMA to create a
management structure to provide a Defense Imagery Program
within the Defense Imagery andMapping Agency Program of the
Joint Military Intelligence Program. No additional billets are
authorized for this management.
See full report: http://jya.com/sr105-185.txt
105th Congress Report
SENATE
2d Session 105-185
_______________________________________________________________________
AUTHORIZING APPROPRIATIONS FOR FISCAL YEAR 1999 FOR THE INTELLIGENCE
ACTIVITIES OF THE UNITED STATES GOVERNMENT AND THE CENTRAL INTELLIGENCE
AGENCY RETIREMENT AND DISABILITY SYSTEM AND FOR OTHER PURPOSES
_______
May 7, 1998.--Ordered to be printed
_______________________________________________________________________
Mr. Shelby, from the Select Committee on Intelligence, submitted the
following
R E P O R T
[To accompany S. 2052]
[Excerpts]
NSA declassification
The National Security Agency has several declassification
programs, which are split among many offices, and funding for
which is buried in the budget submissions of those offices. NSA
was unable to provide the Committee with the total amount
requested for all declassification programs in fiscal year
1999. In addition, with respect to the only declassification
program specifically identified in the Congressional Budget
Justification Book, NSA was unable to explain how those
resources would be allocated. It is impossible for the
Committee to determine the scale of the declassification
effort, the effectiveness of declassification tools, and how
well NSA is meeting declassification requirements. To enhance
oversight, the Committee directs the Director of NSA to
consolidate all declassification programs into a single budget
submission beginning in fiscal year 2000, to include a
breakdown of how the resources will be allocated.
*****
impact of technology on the intelligence community
Technical Advisory Group
In 1997, the Committee established a Technical Advisory
Group (TAG) to consider selected, highly significant technical
issues relating to national security or intelligence. The TAG
is comprised of leading U.S. scientists and experts in
technology and intelligence. The Committee wishes to thank the
TAG members for the many hours they devoted to examining both
the HUMINT and SIGINT capabilities of the Intelligence
Community (IC). The TAG concluded that intelligence collection
will pay an increasingly important role in defending U.S.
national security interests, and recommended that the IC
develop a comprehensive plan for transition to the future which
recognizes the technically sophisticated, rapidly changing
world that now confronts the IC. The Committee will continue to
review the recommendations of this distinguished group and work
with the Director of Central Intelligence to implement them.
Many of the initial recommendations of the TAG have been
incorporated throughout the Intelligence Authorization Act of
1999.
Encryption
The Committee remains concerned about efforts to
inappropriately ease or remove export restrictions on hardware
and software encryption products. Export controls on encryption
and other products serve a clearly defined purpose--to protect
our nation's security. Therefore, the Committee believes that
the effects on U.S. national security must be the paramount
concern when considering any proposed change to encryption
export policy, and will seek referral of any legislation
regarding encryption export policy under its jurisdiction
established under Senate Resolution 400.
Export restrictions on encryption products assist the
Intelligence Community in its signals intelligence mission. By
collecting and analyzing signals intelligence, U.S.
intelligence agencies seek to understand the policies,
intentions, and plans of foreign state and nonstate actors.
Signals intelligence plays an important role in the formation
of American foreign and defense policy. It is also a
significant factor in U.S. efforts to protect its citizens and
soldiers against terrorism, the proliferation of weapons of
mass destruction, narcotics trafficking, international crime
and other threats to our nation's security.
While the Committee recognizes the commercial interest in
easing or removing export restrictions, it believes the safety
of our citizens and soldiers should be the predominant concern
when considering U.S. policy towards the export of any product.
The Committee supports the continued control of encryption
products, and believes that a comprehensive strategy on
encryption export policy can and must be developed that
addresses national security concerns as well as the promotion
of American commercial interests abroad. The Committee looks
forward to working with senior Administration officials in
developing such a strategy.
Intelligence Community role in national infrastructure protection
The Committee believes the Intelligence Community has an
important role to play in the protection of our nation's
critical infrastructure. The President's Commission on Critical
Infrastructure Protection (PCCIP) issued a report in October
1997 which identified five critical infrastructures--energy,
banking and finance, transportation, vital human services, and
telecommunications--that are essential to national defense,
public safety, economic prosperity, and quality of life. In
pursuit of greater effectiveness and efficiency, the private
and public sector entities which manage these infrastructures
have integrated advanced information and communications
technologies into their systems. However, the widespread use
and interlinkage of computer and telecommunications throughout
these infrastructures has created new vulnerabilities which, if
not addressed, pose significant risks to our national security.
In response to the recommendations included in the PCCIP
Report, the Administration in February 1998 created a National
Infrastructure Protection Center (NIPC) within the Federal
Bureau of Investigation. The NIPC will be composed of the
former Computer Investigations and Infrastructure Threat
Assessment Center (CITAC), originally funded through the NFIP,
and other offices whose responsibilities include operational
response to computer intrusion incidents, and indications and
warnings for infrastructure and key asset protection. To be
successful in performing its mission, the NIPC must rely on the
Intelligence Community to provide timely and reliable
information regarding possible intrusions, disruptions, and
attacks committed by foreign actors on the critical
infrastructures.
In its version of the Intelligence Authorization Act for
Fiscal Year 1998 the Committee directed the Director of Central
Intelligence, the Secretary of Defense, and the Director of the
Federal Bureau of Investigation to submit a report articulating
a counterintelligence strategy for critical infrastructure
protection. The Committee received this report on March 30,
1998. While describing how intelligence agencies have chosen to
approach the infrastructure protection issue, this report did
not provide a detailed counterintelligence strategy nor did it
provide adequate information regarding current or planned
counterintelligence activities. With the creation of the NIPC,
the Committee believes the Intelligence Community needs a
comprehensive strategy to address counterintelligence, threat
assessment, indications and warnings, and other intelligence
requirements necessary to assist the NIPC in its infrastructure
protection mission. Therefore, the Committee directs the
Director of Central Intelligence and the Secretary of Defense
to perform a joint review to determine the proper role of the
Intelligence Community in critical infrastructure protection.
This review should: identify the assets and capabilities of
the Intelligence Community which may be of value to the
protection of the critical infrastructures; identify which
capabilities or technologies useful to intelligence collection
or analysis on infrastructure protection are presently lacking
within the Intelligence Community, including the capability to
provide indications and warnings; provide a counterintelligence
strategy designed to protect information regarding
vulnerabilities in United States infrastructure; state what, if
any, additional collection requirements have been implemented
to gain insight into activity against U.S. systems; describe
any training programs developed to increase awareness and
knowledge of analysts and collectors regarding infrastructure
protection concerns; explain how the Intelligence Community
will use its expertise and assets to assist the critical
infrastructures protection mission of the NIPC and other
government entities; and detail how the Intelligence Community
will provide timely and actionable intelligence regarding
foreign intrusions and attacks to the NIPC and other government
entities involved in critical infrastructure protection. This
review should also propose how protective techniques and
technologies developed or identified by the Intelligence
Community may be shared with the private and public sector
actors that manage these infrastructures. The Committee directs
that the review of the Intelligence Community's role in
infrastructure protection be provided to the Congressional
Intelligence Committees not later than March 15, 1999.
Assessment of the Intelligence Community's information infrastructure
In recent years, the Intelligence Community has
incorporated advanced computer and telecommunications
technologies into its organizations to improve their
intelligence collection and analytical capabilities, to
increase the productivity of its workforce, and to facilitate
communications between different member organizations. As the
agencies and offices of the Intelligence Community become more
reliant on these technologies, they have become more vulnerable
to intrusions, disruptions, and attacks against these systems.
The Committee realizes that any breakdown in the information
infrastructure of the Intelligence Community will adversely
affect its ability to provide timely intelligence to our
national security policymakers and military leaders.
To address this potential vulnerability, the Committee
directs the Director of Central Intelligence and the Secretary
Of Defense to formulate an Intelligence Community information
infrastructure security program to ensure the viability and
effectiveness of the Intelligence Community's information
infrastructure. This program shall develop and implement
procedures, practices, policies, and technologies designed to
secure and protect the IC's information infrastructure from
intrusion, disruptions, and attacks. It should also provide
internal controls, audit features, and other necessary elements
to address possible insider attacks and other
counterintelligence concerns. The Committee directs that the
Director of Central Intelligence and the Secretary of Defense
forward a report to the Congressional Intelligence Committees
not later than March 15, 1999.
The Committee is also concerned that there is no formal,
periodic review of the technologies and practices used by the
Intelligence Community to provide security and protection for
its information infrastructure. Therefore, the Committee
directs the Director of Central Intelligence and the Secretary
of Defense to perform regular, periodic assessments of
theprocedures, policies, and technologies implemented by the various
intelligence agencies and offices to secure and protect their computer
and telecommunications systems. These assessments shall be performed on
at least an annual basis. Further, the Committee directs that the
Intelligence Community complete an initial series of assessments by the
end of fiscal year 1999.
These assessments should include the following: a
determination of the adequacy of information infrastructure
security procedures and policies; a review of any technologies
in use to provide security and/or protect information
infrastructure; and the result of aggressive systematic,
controlled testing of the Intelligence Community's computer and
telecommunications systems for vulnerabilities to intrusion,
denial of use, attack, or other disruptive activity. These
assessments shall be provided by the Director of Central
Intelligence and the Secretary of Defense to the Congressional
Defense Committees not later than March 15, 1999.