Rep. Riley on Security Locks for Classified Containers

Congressional Record: October 17, 2000 (Extensions)
Page E1808



   CONFERENCE REPORT ON H.R. 4205, FLOYD D. SPENCE NATIONAL DEFENSE
                 AUTHORIZATION ACT FOR FISCAL YEAR 2001

                                 ______

                               speech of
                             HON. BOB RILEY
                               of alabama

                    in the house of representatives

                      Wednesday, October 11, 2000

  Mr. RILEY. Mr. Speaker, last year's Defense Appropriations Act (FY
00) contained $10 million for the specific purpose of improving the
safeguards for storing classified material held by Department of
Defense contractors. It is with deep regret that I must report that the
Pentagon refused to release these funds which expired on September 30,
2000. The Assistant Secretary of Defense for Command, Control,
Communications and Information, Arthur Money, sent me and a number of
other House and Senate members a letter on why the Pentagon chose to
ignore the direction of Congress.
  Mr. Speaker, beyond the fact that the Clinton/Gore Administration
defied the law, their rationale for not complying with a federal
security standard is troubling and their basis unfounded. First, on the
issue of cost, DOD claims that upgrading existing security containers
controlled by contractors by replacing old vulnerable mechanical locks
with electronic locks that meet minimum federal security standards
(FFL-2740A) would be cost prohibitive. The referenced report of the
Joint Security Commission II sites an industry estimate from five
contractors that is based on an inflated retail price of the electronic
lock which is popularly called the "X07'' or "X08'' lock, rather than
the wholesale price which would be the price of the lock in this
upgrade program. This is not the first time that DOD has overestimated
the cost of the program in an effort to resist implementation. In 1993,
DOD grossly overestimated the cost of upgrading its own mechanical
locks at $500 million, but the internal upgrade only actually cost $59
million. Based on the number of classified containers held by defense
contractors, a lock upgrade program would cost between $45 million and
$60 million, depending upon how the program was managed.
  Secondly, on the issue of threat Mr. Speaker, the physical security
threat to classified materials that exists with these 1950's vintage
mechanical locks cannot be overstated. The threat is why the GSA
established a federal standard in 1989 that requires locks on secure
containers to withstand an attempt of twenty man-hours of surreptitious
entry. Currently, an "insider'' or foreign agent with readily
available technology can determine the combination of a mechanical lock
in a matter of minutes. Since this "safe cracking'' can be done
without detection on a mechanical lock, no one would ever know that an
"insider'' possessed the combination to access classified information
including sensitive computer hard drives, laptops and access codes. To
combat this problem, all new secure containers are fitted with the X08
lock (the only lock that meets the federal standard), but there are
still thousands of mechanical lock containers and, worse yet, bar-
locked file cabinets that are being used by contractors to protect our
nation's classified information. Until all existing secure containers
are upgraded with modern electronic locks, gaping security lapses will
continue. No perimeter security apparatus involving guns, gates,
guards, alarms, check points and other physical security barriers will
protect against the "insider'' threat to antiquated mechanical locks.
  The Defense Intelligence Agency (DIA) has identified 27 foreign
intelligence organizations that have the capability to penetrate these
old mechanical locks without leaving a visible trace. These espionage
organizations would likely use "insider'' agents for this purpose. In
fact, Mr. Money's view that the "insider'' threat is of greater
concern than the threat of covert entry to a safe or vault is precisely
why the electronic lock upgrade is needed. The X07/X08 lock now
possesses features that help ensure accountability and control access.
More importantly, the lock also has the capability to be equipped with
a time/date stamp feature which would automatically record who entered
the safe and when. This audit trail feature is already used with great
success by large corporations. By adding this feature to the federal
requirements, we add another important counter espionage tool to this
virtually impenetrable lock.
  I certainly understand the many competing interests that DOD must
juggle within a constrained budget, but I cannot accept the Pentagon's
view of contractor lock upgrades as being unnecessary, cost prohibitive
or without commensurate security benefit. The growing volumes of
classified information contained in moveable media (i.e. laptop
computers, hard drives, back-up tapes, etc.) that is used by the
national security agencies and their contractors, and the need to
properly secure this classified material, cannot be pushed aside as a
trivial matter. If the Department of Defense shows leadership in the
proper handling of classified material, I'm certain that government and
contractor employees will take a more serious attitude toward the
proper stewardship of the Nation's secrets. The United States cannot
afford another security lapse like the missing NEST hard drives at Los
Alamos or the missing laptops at the State Department.

                          ____________________