[House Hearing, 113 Congress]
[From the U.S. Government Publishing Office]
FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS
=======================================================================
HEARING
before the
SUBCOMMITTEE ON GOVERNMENT OPERATIONS
of the
COMMITTEE ON OVERSIGHT
AND GOVERNMENT REFORM
HOUSE OF REPRESENTATIVES
ONE HUNDRED THIRTEETH CONGRESS
FIRST SESSION
__________
MAY 9, 2013
__________
Serial No. 113-25
__________
Printed for the use of the Committee on Oversight and Government Reform
Available via the World Wide Web: http://www.fdsys.gov
http://www.house.gov/reform
U.S. GOVERNMENT PRINTING OFFICE
81-281 WASHINGTON : 2013
-----------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing Office,
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected].
COMMITTEE ON OVERSIGHT AND GOVERNMENT REFORM
DARRELL E. ISSA, California, Chairman
JOHN L. MICA, Florida ELIJAH E. CUMMINGS, Maryland,
MICHAEL R. TURNER, Ohio Ranking Minority Member
JOHN J. DUNCAN, JR., Tennessee CAROLYN B. MALONEY, New York
PATRICK T. McHENRY, North Carolina ELEANOR HOLMES NORTON, District of
JIM JORDAN, Ohio Columbia
JASON CHAFFETZ, Utah JOHN F. TIERNEY, Massachusetts
TIM WALBERG, Michigan WM. LACY CLAY, Missouri
JAMES LANKFORD, Oklahoma STEPHEN F. LYNCH, Massachusetts
JUSTIN AMASH, Michigan JIM COOPER, Tennessee
PAUL A. GOSAR, Arizona GERALD E. CONNOLLY, Virginia
PATRICK MEEHAN, Pennsylvania JACKIE SPEIER, California
SCOTT DesJARLAIS, Tennessee MATTHEW A. CARTWRIGHT,
TREY GOWDY, South Carolina Pennsylvania
BLAKE FARENTHOLD, Texas MARK POCAN, Wisconsin
DOC HASTINGS, Washington TAMMY DUCKWORTH, Illinois
CYNTHIA M. LUMMIS, Wyoming ROBIN L. KELLY, Illinois
ROB WOODALL, Georgia DANNY K. DAVIS, Illinois
THOMAS MASSIE, Kentucky PETER WELCH, Vermont
DOUG COLLINS, Georgia TONY CARDENAS, California
MARK MEADOWS, North Carolina STEVEN A. HORSFORD, Nevada
KERRY L. BENTIVOLIO, Michigan MICHELLE LUJAN GRISHAM, New Mexico
RON DeSANTIS, Florida
Lawrence J. Brady, Staff Director
John D. Cuaderes, Deputy Staff Director
Stephen Castor, General Counsel
Linda A. Good, Chief Clerk
David Rapallo, Minority Staff Director
Subcommittee on Government Operations
JOHN L. MICA, Florida, Chairman
TIM WALBERG, Michigan GERALD E. CONNOLLY, Virginia
MICHAEL R. TURNER, Ohio Ranking Minority Member
JUSTIN AMASH, Michigan JIM COOPER, Tennessee
THOMAS MASSIE, Kentucky MARK POCAN, Wisconsin
MARK MEADOWS, North Carolina
C O N T E N T S
----------
Page
Hearing held on May 9, 2013...................................... 1
WITNESSES
Mr. Stephen Sadler, Assistant Administrator, Office of
Intelligence and Analysis, Transportation Security
Administration
Oral Statement............................................... 7
Written Statement............................................ 9
Mr. Stephen A. Lord, Director, Forensic Audits and
Investigations, U.S. Government Accountability Office
Oral Statement............................................... 16
Written Statement............................................ 18
FEDERAL GOVERNMENT APPROACHES TO ISSUING BIOMETRIC IDS
----------
Thursday, May 9, 2013,
House of Representatives,
Subcommittee on Government Operations,
Committee on Oversight and Government Reform,
Washington, D.C.
The subcommittee met, pursuant to call, at 9:00 a.m., in
Room 2154, Rayburn House Office Building, Hon. John Mica
[chairman of the subcommittee] presiding.
Present: Representatives Mica, Massie, Meadows, Connolly,
and Cummings.
Staff Present: Ali Ahmad, Majority Communications Advisor;
Alexia Ardolina, Majority Assistant Clerk; Molly Boyl, Majority
Parliamentarian; Sharon Casey, Majority Senior Assistant Clerk;
Adam P. Fromm, Majority Director of Member Services and
Committee Operations; Linda Good, Majority Chief Clerk; Ryan M.
Hambleton, Majority Professional Staff Member; Michael R. Kiko,
Majority Staff Assistant; Mitchell S. Kominsky, Majority
Counsel; Mark D. Marin, Majority Director of Oversight; Laura
L. Rush, Majority Deputy Chief Clerk; Scott Schmidt, Majority
Deputy Director of Digital Strategy; Jaron Bourke, Minority
Director of Administration; Devon Hill, Minority Research
Assistant; Lucinda Lessley, Minority Policy Director; Rory
Sheehan, Minority New Media Press Secretary; and Cecelia
Thomas, Minority Counsel.
Mr. Mica. Good morning. I would like to call this
subcommittee hearing of Government Operations Subcommittee of
the House Government Oversight and Reform Committee to order.
Welcome, everyone, this morning. The topic of today's
hearing is Federal Government Approaches to Issuing Biometric
IDs. It looks like a relatively brief hearing. We have two
witnesses that will be participating and I will introduce them
shortly.
The order of business today, we will hear members' opening
statements, then we will hear from our two witnesses, and then
we will have a round or rounds of questioning, as appropriate.
So, with that, let me again welcome everyone. I want to
again state on behalf of the committee that we believe we have
a very important mission of oversight. This committee exists
for a very fundamental purpose, two basic principles. First,
the American people have the right to know how their money is
spent that Washington has taken from them. We have the
fiduciary responsibility of seeing how it is expended and what
programs are successful, what are unsuccessful, making certain,
first of all, that the American public, our Nation is secure.
And I think, finally, the American public deserves an
efficient, effective Government that works for them. We have
that important responsibility in this committee and we intend
to protect those rights. We want to hold Government accountable
for the taxpayers and make certain that we, through these
hearings and the proceeding today, that we keep the executive
branch and others charged with important responsibilities true
to the intent and legislative purpose that Congress has set
forth.
So that is our purpose. I look forward to working with Mr.
Connolly, our ranking member, and members of the subcommittee
to continue this effort, and thank them for their cooperation
this morning.
On November 25th, 2002, then_President Bush signed the
Maritime Transportation Security Act of 2002. That is more than
a decade ago and that legislation set forth the credentialing
for individuals that are entering some of our port facilities
and regulated facilities that accommodate vessels and maritime
traffic.
According to the GAO, from 2002 to 2012, an excess of half
a billion dollars has been spent in that effort, some $540
million. About a quarter of a billion dollars raised on fees
from some of the workers and other folks, and then about a
quarter of a billion dollars in public money and grants.
According to CRS, since we first issued the cards in 2007,
about 2,001 cards have been issued. The cost initially was
$129.75 for the past number of years and there is a proposal
now that some of the workers can extend their cards for a fee
of $60. The card was intended from the very beginning, and
having participated in that process, to have a biometric
component, to be a secure, durable identification that could
ensure the identity of those entering, again, those secure
areas in our port facilities.
We have had at least four hearings that I know of, some on
the Transportation Committee, some on some subcommittees,
reviewing the progress of this card. I think if you will look
at a poster child for programs that sort of run amok and do not
get the job done, that the TWIC card, as it is affectionately
known, Transportation Worker Identification Card, is
unfortunately the poster child, again, for not producing what I
think Congress intended.
Despite all the time that has lapsed, the hearings that
have been conducted, GAO continues to find that TSA is failing
to properly administer the TWIC program. The latest report we
have has just come out. This is March 2013. It cites a whole
host of problems with the program. First of all, we wanted the
card produced with biometric capability. The card had some
capability, fingerprint; it doesn't have iris, as I understand
it. The cards were issued. Since 2007 the cards have not had
the capability of having a reader. Congress had passed
additional legislation trying to get the reader program
engaged, and we will hear today that while GAO is testing some
of the equipment, that we still do not have readers deployed in
a universal manner to read the cards.
So what you have is a farcical system of a card that, and
not by my evaluation, but previous GAO studies have shown, is
not what we intended; it is tamperable. It has actually been,
in testing by GAO, it has been found to be deficient and,
again, it is a card that can also be easily reproduced.
So what you have is, again, a card that is produced at
great expense to individual workers, great expense to the
Government; does not have a guaranty that it is a secure card,
that is, tamperable; it has become a joke among transportation
workers because at almost every port they are now required to
produce a driver's license or some other identification that is
used for entry.
So this sort of goes on and on. After, again, spending an
incredible amount of money, TSA and the independent tests
agent, they found did not even have a clear record of baseline
data for comparing operational performance at access points
with the TSA readers. This is in the testing. GAO went on to
find that TSA and the independent test agent did not collect
complete data on malfunctioning TWIC cards.
I know this is a long explanation of where we are, but I
think it deserves sort of an update for the record. We again
are faced with more than a decade delay in producing what
Congress intended. Now years have gone on trying to get a
reader that is approved.
The final thing I would just point out to Mr. Connolly and
other members is other agencies do have cards. Most recently,
here is our TWIC card, a little mockup of it. Again, I think
some of you may have seen this before, the TWIC card, again
flawed. Here is a clear card which a private company has
produced, and it actually has biometric, both fingerprint, and
I think it is all five fingers, and iris; and it is in use. We
found other agencies that have readers and they also have cards
that have both components that Congress was trying to get some
years ago.
So this is very frustrating and the purpose of the hearing
is to review where TSA is and where we are going to go.
With that, I would like to recognize our ranking member,
Mr. Connolly.
Mr. Connolly. Mr. Chairman, thank you, and thank you for
your leadership on this issue and for holding this hearing. I
can't help but observe there are two lonely members of the
press at the press table. Yesterday we had dozens and dozens
and dozens.
Mr. Mica. This isn't Benghazi.
Mr. Connolly. And yet the Benghazi hearing basically
uncovered nothing. Actually, today's hearing potentially has so
much more of an impact in terms of U.S. security, but I guess
it is not a particularly sexy subject, at least when it comes
to the media. But I think it is very important to our Country's
security.
And again I thank you for your leadership, Mr. Chairman. I
know you cared about this in your previous capacity at
Transportation and Infrastructure as chairman, and I am so glad
you bring that sensitivity to this committee as well.
All of us want to make sure that our transportation system
is secure. Every day our transportation system moves more than
1.4 million shipments of hazardous materials, any of which
could be potentially of harm to Americans. As we all know,
securing all of this cargo is very daunting, but we know it is
imperative to the safety of the Nation.
The Maritime Transportation Security Act of 2002 requires
the Department of Homeland Security to issue a biometric
transportation security card, TWIC, to identify individuals who
will be allowed unescorted access to the secure areas of ports
and vessels. The biometric information contained in the card
includes, of course, as the chairman indicated, fingerprints
and a digital photograph. TSA is responsible for the issuance
of the card, while the United States Coast Guard is responsible
for enforcing its use.
TWIC cards are intended to be utilized with an electronic
reader that would simply scan the card to determine entry into
the respective facility. Under the Safe Port Act of 2006, DHS
was required to conduct a pilot program on the efficacy of the
TWIC card readers. Unfortunately, the most recent GAO report,
which we are going to hear about today, found significant
methodological problems with the study.
Specifically, GAO determined that TSA lacked data analysis
plans, performance standards, or sampling methodology
development prior to selection of participating facilities and
vessels in the TWIC reader pilot. In addition, GAO also found
that the finalized TWIC cards did not undergo any level of
durability testing, which is problematic considering the use of
these cards will be in sometimes harsh, wet, maritime
environments, which was also cited by the GAO report.
These findings are disappointing and of great concern. I,
for one, want to know why the Department has not responded
favorably to GAO's serious findings, if in fact they have not.
We look forward to hearing about that today.
If the readers and the TWIC cards fail to function
properly, not only will maritime workers not be able to perform
their jobs adequately on a daily basis, but these facilities
are left vulnerable to a potential security breach. Given the
volume of cargo coming into the United States, that is of great
concern. The United States transportation system of maritime
facilities remain a target and a means through which terrorists
seek to attack the homeland. We all know that an attack on our
Nation's maritime transportation system could have very serious
consequences, and it seems to me all of us have got to do
everything in our power to make sure that does not happen.
I look forward to hearing from our witnesses this morning
and what corrective measures we can take to make TWIC an
effective security card.
With that, I yield back, Mr. Chairman.
Mr. Mica. Thank you, Mr. Connolly.
Also, I will just explain for the members of the panel that
we attempted to look at IDs across the board, because TSA is at
the heart of approval and DHS is at the heart of approval of
moving all these ID programs forward. We were not able to get
Customs and Border Patrol to participate today, nor Department
of State and some others that we wanted; they wanted more time.
So, unfortunately, what we have done is divided this review
up. We will, hopefully in a couple of weeks, and with the
agreement of the minority, reconstitute the panel and we will
look at problems with the pilots' license, there are problems
with the various cards that we have for identification. At the
airports we have a global entry under the Department of State.
But I think all of these, and it is part of our
responsibility. We are the only committee with enough
jurisdiction to look at all of these, and then also TSA's
responsibility. So we will follow up on that.
With that, let me recognize Mr. Meadows, then we will go to
the ranking member, Mr. Cummings, of the full committee.
Mr. Meadows. Thank you, Mr. Chairman, and thank you to the
ranking member, Mr. Connolly, who has, over and over again,
expressed a willingness to work in a bipartisan way to cut out
waste, fraud, and abuse.
As we are here today obviously looking at some half billion
dollars spent on a program that is yet to be implemented, I am
reminded of the fact that there are two ways things get done
here in Washington, D.C., slow and never, and we are trying to
figure out which one of these this particular thing is going to
be, because we have heard testimony in this very room of
computer systems that we have spent some $1 billion on, then
was never implemented.
So is this just another government program where it has
great intentions of providing security, but in essence we are
going to spend millions and millions, and perhaps billions of
dollars only to find out later that the theory or the genesis
of this particular security system is one that is not going to
be implemented?
The most recent GAO report is troubling from some of the
accusations and literally some of the research that it is
providing here, so I look forward to really less looking at
when are we going to have a system that secures our ports. We
have been at this for some 11 years now. So if not next year,
then when? If not next year, then are we looking at another 10
years? What is the time line? And from a practical standpoint
what are the deficiencies? Would we be better off to just say
we made a mistake, let's go back to the drawing board, let's
find another area to do it?
I have the privilege of having Google in my particular
district, and I can tell you the type of security that is there
with those facilities didn't take this long to get implemented
in the private sector and, quite frankly, are extremely secure.
So if the private sector can do it, certainly we, with all of
our resources of the greatest Nation in the world, should be
able to figure it out. So I look forward to your testimony.
With that, I yield back, Mr. Chairman. Thank you so much.
Mr. Mica. I thank the gentleman.
Now I am pleased to recognize the ranking member of the
full committee, the gentleman from Maryland, Mr. Cummings.
Mr. Cummings. Thank you very much, Mr. Chairman and Ranking
Member Connolly, for calling this hearing. And I want to thank
the witnesses for their testimony.
This is a subject that is of great interest to me because I
previously served as the chairman of the Subcommittee on the
Coast Guard and Maritime Transportation, and during my tenure
in that position I convened two hearings to examine the rollout
of the TWIC card, which began, unbelievably, in 2007.
Now, six long years later, 2.5 million transportation
workers have been enrolled in the TWIC program and 2.7 million
TWIC cards have been printed. These enrollees have paid an
estimated $300 million to implement this program. However,
those TWIC cards are nothing more than very expensive flash
passes without sophisticated electronic readers to read them.
That is sad.
We now know that many vessels and facilities will never use
TWIC readers, yet workers there are still being required to
obtain the TWIC card. The Coast Guard, which is responsible for
enforcing the use of the TWIC cards, has recently issued a
Notice of Proposed Rulemaking that would require only vessels
and facilities in what are known as Risk Group A classification
to utilize TWIC card readers. As a result, far less than 1
percent of regulated vessels and approximately 16 percent of
facilities will require a TWIC reader.
So the TWIC card is just a very expensive flash pass for
all the mariners and transportation workers working in the 99
percent of vessels and more than 80 percent of facilities
without TWIC card readers.
But the problems with the TWIC card program run deeper than
that. Where TWIC card readers will be required, they must be
able to determine whether a card is valid and matches the
biometrics of the individual who seeks access to a restricted
area in a port or on a vessel. Unfortunately, we cannot count
on that. When the GAO reviewed the TWIC pilot program required
by the Safe Port Act, it identified methodological problems
with the pilot that are so severe GAO has concluded that the
results of the pilot are simply not reliable.
I am stunned by the scope of the shortcomings identified by
the GAO, particularly given that as long ago as 2009 GAO
identified shortcomings that needed to be addressed to ensure
the TWIC pilot program would yield reliable results.
We are all aware that we need to take every effective step
to protect our maritime facilities from those who wish to harm
us. However, at this time we still have no reliable data
proving that the TWIC card is one of those steps.
I can simply say I am disappointed and we are better than
that. As my colleague said just a moment ago, if the private
sector can do this, we ought to be able to do this, and we need
to know exactly why we can't.
When I was chairman of the Coast Guard subcommittee, Mr.
Chairman, I constantly talked about, I was really talking about
the Coast Guard and its acquisition program, but talked about
how we were moving into a culture of mediocrity; and I think
this whole fiasco is a step below that. So I am hoping that we
will get some answers, that we will get some results soon so
that the intended purpose of the TWIC card will be able to
carry out the way we wanted it to be done.
With that, I yield back.
Mr. Mica. Well, I thank the ranking member and concur in
his very frank statement. We will work together. We have to
figure out a way to get this program back on track.
No other members this morning, so I will ask unanimous
consent that members have seven days to submit opening
statements for the record. Without objection, so ordered.
So now we will turn to our two witnesses this morning.
First we have Mr. Steve Sadler, and he is the Assistant
Administrator for Intelligence Analysis for the Transportation
Security Administration.
Welcome back, Mr. Steve Lord. He is the Director of
Forensic Audits and Investigative Services for GAO, the
Government Accountability Office.
Gentlemen, this is an investigative panel of Congress. If
you will stand and be sworn. Please raise your right hand.
Do you solemnly swear that the testimony you are about to
give before this subcommittee of Congress is the whole truth
and nothing but the truth, so help you, God?
[Witnesses respond in the affirmative.]
Mr. Mica. Let the record reflect that both witnesses
answered in the affirmative.
We aren't too pressed for time this morning, so we will
give you a little bit of leeway. Usually it is a little
briefer, but we will recognize first Mr. Sadler, the Assistant
Administrator for Intelligence and Analysis at TSA.
Welcome and you are recognized, sir.
STATEMENT OF STEPHEN SADLER
Mr. Sadler. Good morning, Chairman Mica, Ranking Member
Connolly, and distinguished members of the subcommittee. Thank
you for the opportunity to testify today about TSAs role in the
TWIC program.
TWIC is a fee-based program that issues a tamper-resistant
biometric credential. Eligible maritime workers use TWIC for
unescorted access to secure areas of port facilities and
vessels regulated under the Maritime Transportation Security
Act of 2002. TSAs primary areas of responsibility include
conducting security threat assessments, providing customer
service at enrollment centers, and engaging industry to develop
specifications for TWIC readers.
The full enrollment fee for a transportation worker is
$129.75, and an initial TWIC is valid for five years. Under the
Extended Expiration Date Initiative, eligible workers may
request a three-year extension by paying the $60 card
replacement fee.
Currently, the United States Coast Guard requires maritime
operators to visually inspect the TWIC prior to granting
unescorted access to secure areas. Under MTSA, the Coast Guard
currently regulates nearly 14,000 vessels and more than 3200
facilities. With a single uniform credential, facilities,
vessel operators, and law enforcement entities can verify an
individual's identity and eligibility to enter secure areas
with a higher level of confidence than was feasible prior to
TWIC. TWIC is an important layer in maritime security as risk-
based control requirements and technical capabilities mature.
TWIC readers determine whether a card is authentic and
issued by TSA. The readers also check that the card has not
expired and has not been revoked or reported lost or stolen.
The Coast Guard recently published a proposed Notice of
Rulemaking on TWIC readers in which the use of those readers
would be required for certain high-risk vessels and facilities.
Recently, several major challenges have converged for the
TWIC program. These include the expiration, re-enrollment, and
demand for replacement of 1.5 million TWICs over an 18-month
period; modifications to the process to limit enrollment and
card issuance to a single visit; and a transition of the
program from a current single-provider contract to separate
contracts for enrollment services and system operations.
Beginning this summer, the first phase of an initiative to
enable individuals to apply for and obtain a TWIC with a single
visit to an enrollment center will be tested in Alaska and
should expand nationwide in 2014. One visit represents the most
significant program change since TWICs inception and will
greatly ease the burden on future applicants and individuals
needing a replacement card.
Additional customer service improvements include expanding
the number of TWIC enrollment centers from 136 to more than
300; increasing call center representatives focused on reducing
call wait times; developing a web-based process to apply for
extended expiration date TWICs or replacement cards; and
increasing mobile enrollment opportunities to facilities
wanting to enroll workers onsite.
As a result of the TWIC pilot program, we obtained
considerable data and sufficient quantity and quality to
support the general findings and conclusions in the pilot
report. Our analysis concluded that TWIC readers function
properly when they are designed, installed, and operated in a
manner consistent with the characteristics and business needs
of the facility or vessel operation. The analysis also
concluded that reader systems can make access decisions
efficiently and effectively.
Thank you for the opportunity today, and I will be glad to
answer any of your questions.
[Prepared statement of Mr. Sadler follows:]
[GRAPHIC] [TIFF OMITTED] T1281.001
[GRAPHIC] [TIFF OMITTED] T1281.002
[GRAPHIC] [TIFF OMITTED] T1281.003
[GRAPHIC] [TIFF OMITTED] T1281.004
[GRAPHIC] [TIFF OMITTED] T1281.005
[GRAPHIC] [TIFF OMITTED] T1281.006
[GRAPHIC] [TIFF OMITTED] T1281.007
Mr. Mica. Thank you.
We will turn now to Mr. Steve Lord, the Director of
Forensic Audits and Investigative Services for GAO. Welcome
back.
STATEMENT OF STEPHEN A. LORD
Mr. Lord. Thank you very much, Mr. Chairman, Ranking Member
Connolly, and Representative Meadows. I am really pleased to be
here today to discuss the results of our recent TWIC report
issued just recently. I should point out this is not the only
report we have issued on this subject. We have work going back
several years, including a very significant study we issued in
2009 on the design of the pilot, as well as a May 2011 report
on the internal controls in the program.
The overall message that I wanted to convey today, I think
it is a very important message, that the pilot results should
not be used to inform future decisions regarding the TWIC
reader rule or the future deployment of card readers. This is
where we disagree with TSA and DHS. I am also surprised to see
that the Coast Guard went ahead and issued their March 22nd
Notice of Proposed Rulemaking, because it incorporated the
results of the pilot even though we found major issues in the
pilot data, which we had previously shared with them.
I would like to briefly touch on some of the key challenges
we identified in the pilot. They fall into three major buckets.
The first one is planning. Bottom line is DHS did not address
the pilot planning weaknesses we identified in our 2009 report.
Although it took some initial steps to address them, it did not
develop a full evaluation plan or the performance standards we
called for to help guide the pilot as it unfolded.
The second key issue we identified was related to data
collection. We identified eight separate weaknesses in how the
pilot participants collected data. I am not going to discuss
all eight today, but I would like to briefly highlight three.
First, TSA and the independent test agent did not record
clear baseline data. If you don't have a clear baseline, you
really have nothing to compare the collected data to.
They also did not collect complete data on reasons for card
failures or the reasons people were denied access to
facilities. Obviously, they collected some, but we scrutinized
the data they did collect and we found several significant
discrepancies and anomalies in the data.
The third key data collection issue we identified was the
operational impact of using TWICs with readers was not
consistently documented. And this is a really important issue
because this was one of the major reasons they ran a pilot, to
measure the business impact on the private sector. Yet, when we
looked at how they measured that, they didn't do a good job and
they essentially did not collect the data needed to assess that
issue.
As a result of all the challenges we identified, we think
it is really difficult to assess whether the problems
experienced were due to the cards themselves, to the readers,
or to the way the users were using them. So it could have been
a combination of all three, and that is something we highlight
in our report.
We also scrutinized DHS's report to Congress. I should
mention we just didn't evaluate the report; we looked at what
went into the preparation of the report. We pulled all
available data sets that were used to support the February 2012
report to Congress.
And one notable issue we identified was the assessments of
the entry times at ports, again, the throughput times. This is
a really important issue that was looked at, where these
measures were mixed up with reader response times, which is the
time it takes a card to be read in a laboratory setting. So
obviously they weren't really measuring throughput, which is a
key objective of the pilot, but basically how much time it took
a card to be read in a laboratory setting.
Given all the issues we identified, we do not believe using
TWICs with readers would provide a critical layer of port
security. We think that has yet to be demonstrated, and that is
why we called for the agency to implement our prior
recommendation on that point, to do a security assessment, to
try to identify the value added of using TWICs with readers. Is
it better than the regimes used in the past or not? We think
that is a really important issue. So that is why, again, we
called for that in our 2011 report.
But we do acknowledge some of the many challenges that DHS
experienced in the pilot. They were dealing with 17 different
sites; they participated on a voluntary basis, they couldn't
compel them to participate or collect data in a certain way.
And we recognize that, yet we still think some of those risks
could have been mitigated by perhaps having more personnel
involved at the sites or providing additional resources.
In closing, given the many issues we identified, as we
highlight in our report, we think Congress should consider
repealing the requirement that the final regulations for the
card readers be consistent with the pilot findings.
Essentially, we think those two issues should be de-linked
given the issues we identified in the pilot. Instead, we
believe Congress should require DHS to complete a security
assessment, as we originally called for in our May 2011 report.
Again, the security assessment will help demonstrate the value
of the program.
And the assessment should also include a comparison of
alternative credentialing approaches. There are different
options they could have considered. For example, the Government
can conduct a security assessment and have the credentials be
provided at the local level. That was an option that was never
considered in the early analysis of alternatives, and we think
that has possible merit that should be studied further.
Thank you, Mr. Mica, Ranking Member Connolly,
Representative Meadows. This concludes my prepared statement
and I look forward to answering any questions.
[Prepared statement of Mr. Lord follows:]
[GRAPHIC] [TIFF OMITTED] T1281.008
[GRAPHIC] [TIFF OMITTED] T1281.009
[GRAPHIC] [TIFF OMITTED] T1281.010
[GRAPHIC] [TIFF OMITTED] T1281.011
[GRAPHIC] [TIFF OMITTED] T1281.012
[GRAPHIC] [TIFF OMITTED] T1281.013
[GRAPHIC] [TIFF OMITTED] T1281.014
[GRAPHIC] [TIFF OMITTED] T1281.015
[GRAPHIC] [TIFF OMITTED] T1281.016
[GRAPHIC] [TIFF OMITTED] T1281.017
Mr. Mica. Thank you. We will start questions. I will start
with a round.
First, Mr. Sadler, have you ever had the opportunity see
the movie Groundhog Day?
Mr. Sadler. Yes, I did, sir.
Mr. Mica. In that movie, doesn't the character keep
repeating the same day over and over again and sort of the same
thing over and over?
Mr. Sadler. I believe he does, sir.
Mr. Mica. I feel a little bit like that character, Mr.
Connolly and Mr. Meadows. From 2002, 2005, 2006, 2009, to 2011.
Last I checked, this is 2013. And we still do not have a viable
TWIC program. I just heard Mr. Lord go through his analysis of
these reader tests experiences. We have his report here. It is
very frustrating.
I guess you did 17 sites?
Mr. Sadler. That is right, sir.
Mr. Mica. And we don't really know how many people went
through. DHS's report to Congress shows a total population of
33,111. However, final pilot site test systems showed a
population of 79,000. There is a discrepancy even in the number
of participants. Mr. Lord said that you couldn't get some to
participate.
The report says pilot participants did not document
instances of denied access. TSA and the independent test agent
did not collect complete data on malfunctioning TWIC cards. I
mean, the report just goes on and on about, again, what is
supposed to be pilot testing to develop a card that we can use
and have some basic knowledge about what is effective and how
all this can be utilized. How do you respond to GAO?
Mr. Sadler. I would say that GAO, in their opening
statement, pointed out some of the challenges that we faced
when we started this pilot program, and that is a key point.
This is a pilot program that we implemented in the commercial
maritime environment. No one has done that before. And I know
you have heard that before, but that is the crux of the issue.
Mr. Mica. In a maritime environment?
Mr. Sadler. No one has done this type of pilot, that I know
of, in this type of environment. So we got voluntary
participation from the facilities. We were very happy that
these facilities stepped forward and participated, but we did
this pilot under the condition of an operational maritime port
facility. So we couldn't put readers at every access point;
whether it was for a vehicle, whether it was for a pedestrian.
So those were some of the challenges that we faced. It was
a voluntary pilot; it was in an maritime operational
environment; not all access points had readers. If we could
have locked the place down and put a reader at every access
point, possibly----
Mr. Mica. So you are saying it is not practical to have a
reader with a TWIC program?
Mr. Sadler. No, I am not saying that, sir. What I am saying
is under the conditions we had to test, we faced challenges;
and we stated those in our report to Congress as well.
Mr. Mica. Now, let me ask you a question. You have issued,
what, 1.8 million of these?
Mr. Sadler. About 2.5 million, sir.
Mr. Mica. But is there 1.8 million coming due or something?
Mr. Sadler. Well, there are about 1.5 million cards that
are set to expire over the next 18 months.
Mr. Mica. I am sorry, I messed up the figures. So in the
next 18 months you have 1.5 million. Do you have a card now
that has a biometric component that would recognize both
fingerprints and iris?
Mr. Sadler. Sir, we use the fingerprint template only
because that is the only federal standard that is in existence
today, and it was the most robust biometric.
Mr. Mica. And you are working with the folks that set the
standards, and they have told us at several previous hearings
that the standard was just around the corner for iris. What are
they telling you now?
Mr. Sadler. As I understand it, they are in their second
iteration of the iris standard out for comment, and I don't
know what their schedule is for final publication of that
standard. I would have to defer to them.
Mr. Mica. Well, TSA, you also oversee entry programs, for
example, the CLEAR program. I am told that the CLEAR program
has an iris and also I think all five fingers are incorporated,
and this is in use in the airports, is that correct?
Mr. Sadler. It may be, sir. I am not aware that we are
overseeing that program at this point.
Mr. Mica. TSA just lets anybody put a program in place?
Mr. Sadler. It is not about TSA allowing the program; it is
about a relationship between the contractor or that company and
the airport.
Mr. Mica. So do you accept these cards? These aren't
accepted?
Mr. Sadler. I don't know if they are accepted or not. I
would have to get back to you on that answer. As far as
boarding an aircraft?
Mr. Mica. Yes.
Mr. Sadler. I would have to get back to you on that answer.
What I would say about that is we use a fingerprint template;
we do not use an image for privacy purposes. We have to encrypt
our biometric. I don't know if they encrypt their biometric.
Also, if an individual comes up to a kiosk in an airport,
that is much different than an individual who is in a tractor
trailer or a truck going through a gate trying to use an iris
scan. If I could set every person going into a port coming up
to a kiosk and take the time I needed to take that iris scan
and embed that in the card, then we would do that, but that is
not the way the port operates. Now, if the port wanted to use
an iris, they can use an iris and they can use a TWIC card as a
pointer to get back to that biometric.
Mr. Mica. So basically you are going to be issuing more
than a million cards, reissuing the cards that have expired,
without an iris component and I guess somewhat limited
fingerprint component. I think one of the previous studies that
Mr. Lord did was some of the flaws with the card that they
could be tampered with.
And, actually, I think on several occasions you thwarted
the system, is that correct, Mr. Lord?
Mr. Lord. Yes. We did some covert testing as part of our
2011 report and this report as well. We dispatched covert
testers to basically conduct two types of tests. We presented
fraudulent identification documents. We were able to obtain an
authentic TWIC and we also manufactured a TWIC, we basically
made a fake TWIC; and we were able to access facilities using
both types of credentials.
Mr. Mica. Did you use any of the fake TWICs to thwart the
pilot?
Mr. Lord. At one site they were using a reader, but it is
my understanding they had some problems with false positives,
so our undercover investigators were waved in. Even after the
entry guard tried to swipe it and it wasn't working, she still
provided them access to the facility.
Mr. Mica. Very good.
Let me go to Mr. Connolly. I want to be fair with the
members that are here.
Mr. Connolly. Thank you, Mr. Chairman.
Mr. Sadler, do you think the pilot program was successful?
Mr. Sadler. I think the pilot program showed what we asked
it to do.
Mr. Connolly. Whoa. Time out. The pilot is the predicate
for moving forward. It is kind of a critical question. Was it
successful? Because GAO says that not only was it not
successful; they are recommending the Congress decouple future
regulations and standards from the pilot. Do you disagree with
that?
Mr. Sadler. I think it was successful in what we intended
to do, which was show that if that reader was installed
properly, if the operator was trained properly, if the
individuals were trained properly in the use of the card and
that reader was put in place based on the business requirements
of that port, then the reader did its job with the TWIC card.
Mr. Connolly. Mr. Sadler, we just heard testimony, and
there is more in the report, you didn't test for durability.
Durability of the card actually could be very important in
terms of long-term security. The wet conditions are a problem
in terms of accurate reading. You just heard Mr. Lord say they
actually manufactured a fake card and, sadly, that fake card
passed muster that all too often the differentiation between
the fake card and the TWIC card failed in the readers.
Now, you think that is just a matter of fine-tuning? And,
by the way, another aspect of the GAO report is the cost
figures were so flawed as to not be reliable, and they caution
Congress don't read too much into that because the methodology,
frankly, is not really an accurate picture of what it cost.
What aspect, pray tell, of this pilot could be considered
successful such that we could have confidence in moving
forward?
Mr. Sadler. If someone uses a card that is fraudulent, and
I think it was shown in this case that the reader would not
read that card, so that individual who came up with that
fraudulent card did not get a positive read off the reader,
from what I understand. And if the individual was allowed into
that facility, the person should not have been let into that
facility without a business need.
Mr. Connolly. Time out.
Mr. Lord, tell us how it worked.
Mr. Lord. The card reader rejected the card; the person was
allowed to enter the facility based on what they referred to as
social engineering, some discussion with the guard, the
security guard.
Mr. Connolly. So they were able to bypass the card system
entirely.
Mr. Lord. Yes. They were able to basically talk their way
in.
Mr. Connolly. So you are saying that is not really a
failure of TWIC; that is a breach of security protocols in
general.
Mr. Sadler. What I am saying is in that case it appears
that the card and reader did their job; they didn't have a
positive identification for that individual. And then the
individual talked to the security guard, apparently.
Mr. Connolly. So a separate issue.
Mr. Sadler. That is a different issue completely than the
card itself or the reader. If that person didn't have a
business need to get into that port, that person should not
have been let in.
Mr. Connolly. But how do you respond, Mr. Sadler, to Mr.
Lord's and GAO's recommendation to the Congress that the lack
of efficacy of the pilot is such we should pass legislation to
decouple it from moving forward? That is a pretty rare
recommendation coming out of GAO.
Mr. Sadler. I think that the TWIC card and reader, when
installed properly, provides security value at the port. It is
not a silver bullet; it is part of our layered security, and I
think it provides value when it is used properly and installed
properly.
Mr. Connolly. Can you point to a place where it has been
installed properly and it works and, therefore, we should have
confidence in it?
Mr. Sadler. In some of the pilot locations it has been
installed properly.
Mr. Connolly. For example?
Mr. Sadler. In a Long Beach Port there was one single gate
through the back, and I believe it was Long Beach, it might
have been Los Angeles; I would have to go back and check. There
was one single gate where, if you came into that back gate you
had to use the card, you had to use the reader. It worked and
we didn't see any appreciable backup in the flow of traffic.
And I will go back and confirm that.
Mr. Connolly. All right. Yes, I wish you would. You know, I
spent 20 years, before I came here to Congress, in the private
sector, and in two organizations that do a lot of security
work, including port security, I might add. I spent 14 years in
local government. The practice in both local government and in
the private sector, when we were looking at a challenge, was to
first look at best practices. We benchmarked ourselves against
the competition.
I will use local government rather than the private sector.
I represented Fairfax County, a pretty advanced county
government, big local government. So we would compare ourselves
to DuPage in Illinois and Los Angeles County, and depending on
the subject matter, how are they doing it? What are they doing?
How does it work? What can we learn from their lessons?
Did we do that before we decided to embrace TWIC as the
answer to port security going forward? Because the chairman
pointed out that there are other examples, seemingly, of cards
that do seem to work and processes that do seem to work. What
have we learned from those that we are trying to apply to what
seems to be a flawed process here?
Mr. Sadler. Well, we were required by Congress to issue the
biometric credential, and we are doing that.
Mr. Connolly. Excuse me, Mr. Sadler. If I may interrupt
just one second. We take that point; the chairman addressed
that. The cards he gave you as an example that seemed to work
also include biometric data. This is not unique to TWIC.
Mr. Sadler. Those cards are not working in the same
environment we are working in.
Mr. Connolly. Your argument is that the port environment,
the maritime environment is unique and has special
requirements?
Mr. Sadler. Yes. The port environment is unique. And as far
as durability of the card goes, some of the analysis that we
saw, the use of the card was equivalent to use by DOD, use by
park rangers. So this is a very tough environment. It is not
the same as coming up to a kiosk in an airport, which is
inside, which is a controlled environment. So I would say, yes,
it is unique.
Mr. Connolly. All right, my time is almost up, but if I
could just add one last question on that.
Mr. Lord, could you respond to that? What about that? This
is a unique environment and some of your criticisms might be
more applicable if we were talking about access to an office
environment in a commercial office building, but you are not
being cognizant of the unique attributes of the maritime
environment.
Mr. Lord. I think we are. We fully recognize the harsh
maritime conditions the card is used within. The analogy we
drew in our report was to the DOD CAC card. That card, in
contrast to the TWIC card, is durability tested after it is
personalized, which tends to introduce some vulnerabilities in
the card when you add the little unique features; and that was,
to me, an important distinction between the TSA approach and
the DOD approach.
As you know, if you have ever been abroad, Iraq,
Afghanistan, that is the common access card they use in those
types of environments, which we think are pretty harsh
environments as well, and those cards are considered a success
because they are considered more durable.
Mr. Connolly. Thank you.
Mr. Mica. Thank you, Mr. Connolly.
Mr. Meadows?
Mr. Meadows. Thank you, Mr. Chairman. I am going to pick up
on some of the line of questioning that the ranking member
brought up with regards to the pilot program and the existence,
why we have a pilot program is hopefully to make determinations
on whether we should proceed.
You are saying that it is a congressional thing and, Mr.
Sadler, I am sorry to point all these questions to you. This is
not a personal thing and obviously I am looking to you for
guidance on what we need to go forward with, because we have
had, according to my research, six or seven studies already by
GAO in terms of recommendations on this particular thing. Is
that correct?
Mr. Sadler. I don't know the exact number, sir, but there
have been quite a few.
Mr. Meadows. A number of them?
Mr. Sadler. Yes, sir.
Mr. Meadows. And each time, from what I understand, you
have agreed, or your agency has agreed to the recommendations
that the GAO has made, is that correct?
Mr. Sadler. Yes, sir, I believe that is correct.
Mr. Meadows. And so I guess my question is why have those
not been followed up on or really, truly implemented? Is it
because of the weather conditions that you are talking about?
Mr. Sadler. I think that is part of it. It is not
necessarily the weather conditions. I think the weather
conditions are a part of it.
Mr. Meadows. Well, I know that maritime constitutes salt
water, generally; not always, but many times salt water. And I
know that salt just eats the hell out of anything. So when we
have this technology, is this something that could be viable
long-term, or are we going to be spending another $3.2 billion
five years from now to replace readers?
Mr. Sadler. No, I think what we found in the pilot was that
if the reader was installed properly and covered properly, that
cut down on a lot of the issues.
Mr. Meadows. Okay. And you have installed those readers at
17 ports, is that correct?
Mr. Sadler. Seventeen ports, 100 access points.
Mr. Meadows. For the cost of $500 million?
Mr. Sadler. No, the total cost of the pilot that we
conducted to the ports was $15 million, and to the Government
approximately $8 million. So the total amount of money expended
for this pilot was $23 million.
Mr. Meadows. All right, so we are talking about $23 million
there for the pilot, is that correct?
Mr. Sadler. That is correct.
Mr. Meadows. Okay. And you have issued about 2.5 million
cards, is that correct?
Mr. Sadler. That is correct also.
Mr. Meadows. So how many of those cards have been lost or
stolen?
Mr. Sadler. I would have to get back to you, sir, with that
number; I don't have that off the top of my head.
Mr. Meadows. Do you think you know exactly the number of
cards that have been lost or stolen at your agency at this
point?
Mr. Sadler. I think we would have a pretty good idea. I
don't know if we would know the exact number.
Mr. Meadows. So everybody that loses a card or has one
stolen, with the transient nature of employment, would call you
and let you know?
Mr. Sadler. They would have to call and get a replacement
card, yes.
Mr. Meadows. Only if they were trying to get back in.
Mr. Sadler. Yes, sir.
Mr. Meadows. But if they lost it and they were unemployed,
would they call you?
Mr. Sadler. If they needed the card, they would call us.
Mr. Meadows. But only if they needed it. My point is when
we have this and we are looking at this biometric there, if
these cards are transient and you have no kind of iris
screening that would connect them, for a million bucks maybe I
give my card to somebody else. So does it actually provide a
more secure environment, with the transient nature of this and
with nothing that is actually tied to the person that you issue
it to?
Mr. Sadler. We can't eliminate that risk, sir; we can try
to mitigate it. And that is why I would say we need the
readers.
Mr. Meadows. All right.
Mr. Sadler. Just as the GAO mentioned, when they tried the
card where a reader was positioned, it didn't acknowledge that
card. It was social engineering that got it through, not a
fraudulent TWIC.
Mr. Meadows. So if you were to come back before Congress
and say, well, we are doing this because Congress told us we
had to do it, if we were to put forth a piece of legislation
today that says Congress changed its mind because this is not a
wise investment of hardworking American taxpayers' dollars,
would you endorse that?
Mr. Sadler. Well, we would try our best to comply with
whatever statute Congress passed.
Mr. Meadows. But if you were in my shoes, would you put
forth a piece of legislation, knowing what you know over the
last 11 years, that we have spent over $500 million and we are
still yet to have secure ports, would you make that
recommendation? If you were going back home and people were
going to say, well, it is my money, are you being responsible,
is that the kind of decision you would make?
Mr. Sadler. What I would tell my constituents, I would say
TWIC is a valuable security tool.
Mr. Meadows. It is a valuable security tool.
Mr. Sadler. Yes. And I believe that.
Mr. Meadows. And you make that based on 17 installations
out of 360?
Mr. Sadler. Seventeen installations, 100 access points, 156
readers, 400,000 pieces of data.
Mr. Meadows. Okay. How sure are you that we are only going
to spend $3.2 billion to implement this? On the level of 10
being the highest that you are absolutely confident, how sure
are you, Mr. Sadler?
Mr. Sadler. Well, the life cycle cost estimate that was
conducted, I believe, in 2005 had a limit of $694 million up to
$3.2 billion.
Mr. Meadows. During the pilot have you had cost overruns?
Mr. Sadler. No, sir.
Mr. Meadows. Because there was no budget. So it is hard to
go over or under a budget.
Mr. Sadler. No, there was a budget.
Mr. Meadows. Okay.
Mr. Sadler. There was $23 million in grants that were let
to the facilities, there was $8 million let to TSA, and it is a
fee-funded program. So if you have a fee-funded program, you
cannot go over budget.
Mr. Meadows. So as long as they are paying for it, you
don't go over budget. Because I am reading in the GAO there
were some concerns with regard to some of the issues in how we
implement this, and we have, obviously, a Government-centric
focus here. Do you think we ought to reevaluate that and go
with something that is not Government-centric? Or is the
Government the best place to provide security here?
Mr. Sadler. I don't know exactly what you mean, sir.
Mr. Meadows. Well, it is all about calling into a
Government call center to provide these particular cards, and
as we look at that it is all about the Government providing it.
Could a private agency do a better job than we are doing?
Mr. Sadler. I don't think so, sir, because a private agency
is not going to have access to the information we have access
to to make those decisions.
Mr. Meadows. So there is no private security that could
provide that. So you are saying basically because of the
information with regards to the matrix with fingerprinting,
etcetera?
Mr. Sadler. In my opinion, I think that is correct.
Mr. Meadows. So your recommendation is to continue to go
forward with this plan?
Mr. Sadler. My recommendation is to implement readers in
the maritime environment.
Mr. Meadows. I can see my time is up, so let me finish up
with this line of questioning. We have been here for 11 years.
We have yet to have really new port security. In fact, you even
mentioned that we have issues. The GAO report mentions that we
have issues. So we don't have a more secure environment in 11
years.
At what point can I tell my folks back home that we are
going to have more secure ports, is it five years, six years?
You have $3.2 billion to spend, so at what point do we have a
more secure environment?
Mr. Sadler. You can tell them that today, sir.
Mr. Meadows. So it will be more secure today?
Mr. Sadler. It is already more secure. You have a common
credential; you have a consistent security threat assessment
that nobody has done before.
Mr. Meadows. So you have reached your objective?
Mr. Sadler. No, sir, we have not.
Mr. Meadows. So my question, you know what I am meaning, at
what point do we reach our objective, Mr. Sadler?
Mr. Sadler. We reach our objective when we get readers
installed.
Mr. Meadows. All right, which will be when?
Mr. Sadler. I defer to the Coast Guard and their time
schedule. They have an MPR out now; they are taking comments.
They are going to adjudicate the comments and get a final rule.
Mr. Meadows. So we needed to have the Coast Guard here. And
you are saying that they can implement it with the pilot
results that you have right now?
Mr. Sadler. I am going to defer to the Coast Guard on which
results from that pilot program they use and which they don't
use.
Mr. Meadows. So if it fails, whose fault will it be, yours,
TSAs because of the pilot, or the Coast Guard for
implementation?
Mr. Sadler. That is a hard question to answer, sir. I am
the responsible executive at TSA for this program, so I don't
think failure is an option. I know failure isn't an option, but
that is a difficult question to answer because I am
presupposing that I know why it failed, if it does, and I don't
believe that it will.
Mr. Meadows. Well, the pilot should have told us that. But
I am way over time.
I appreciate our indulgence, Mr. Chairman, and I yield
back.
Mr. Mica. Well, let me just follow up on that.
Now, wait a second. You are shifting the responsibility to
the Coast Guard, but you provided the Coast Guard the data on
which they are going to evaluate their response to you, is that
correct?
Mr. Sadler. Sir, I am not shifting responsibility to the
Coast Guard. What I said was we provided data to the Coast
Guard.
Mr. Mica. But Mr. Lord said that the data you provide, I
mean, his whole report shows the data is flawed and the test
results can't, you didn't even have clear baseline data from
which you started.
Mr. Connolly and I, Mr. Cummings and the others that were
here, our investigators did not go after this; we rely on GAO
to evaluate what you are doing with the pilot program, and they
came back with one of the most critical reports I have seen.
So, again, you are telling us that you are giving the data and
the Coast Guard is going to evaluate it based on the data,
which is flawed, according to the GAO.
Mr. Sadler. Well, we believe there is meaningful data in
that pilot report, and we provided that to the Coast Guard.
Mr. Mica. You cited one place where you thought this worked
at some back gate, and you weren't sure if----
Mr. Sadler. Well, you asked me for an example, sir, and I
gave you that example.
Mr. Mica. But that is at one back gate.
Mr. Sadler. And the reason I gave you that example was
because that was a controlled gate; that wasn't an area where
you might have eight gates with only two readers.
Mr. Mica. How much have we spent on the pilot project?
Mr. Sadler. Twenty-three million dollars.
Mr. Mica. Twenty-three million dollars.
Pretty good, Mr. Connolly. We got that one back gate
secure. All this data that was collected without reliability.
Mr. Lord, I thought you said that others could do this, and
in harsh conditions.
Mr. Lord. Chair, before I respond to that, I think I would
like to address one point Mr. Sadler raised. I think there is
broad agreement among most stakeholders that there is some
value in the program, and that is the background check that is
conducted.
Mr. Mica. Yes. And, you know, he didn't do a very good job
on that. If I were him, I would have said, well, we stopped
50,000 people from actually getting the cards.
Mr. Lord. But I agree with Mr. Sadler. He did mention that
was one of the values of the program. But beyond that, I think
that is where, to us, it gets a little fuzzy, because that was
one option that wasn't really considered at the start of the
program. What if the Government did the background checks and
we left the issuance of the credential to the local ports? That
is essentially what they do with the CITA model with the
airports.
Mr. Mica. Actually, this became an issue. I forgot Mr.
Connolly and I were discussing it. I was telling him, in South
Florida, about 25 percent of our port workers had criminal
backgrounds, and this actually came into Congress, I think, Mr.
Connolly, as to what we could consider in background checks.
What do you consider now? I thought we set the standard because
I know it became a big brouhaha.
Mr. Lord. They do criminal record checks.
Mr. Mica. How far back? You couldn't do State checks versus
Federal or something. What is the status of what?
Mr. Lord. It depends on the disqualifying crime. Some
crime, such as murder, is an unlimited look back; other crimes
are seven years or five years from release of incarceration.
Mr. Mica. I think that is what we got into, yes.
Mr. Lord. Well, we do use State records. We receive State
records from 40 States now that we utilize in the background
check.
Mr. Mica. Well, again, we spent $23 million just on the
pilot program. We are 11 years away from when we passed the
initial legislation. We don't have a reader. We are going to
issue, again, another million-plus cards, and they don't have
the capability that Congress originally intended because,
again, you say another agency has not set the standard for
iris.
Any hope of when, again, we could actually see this happen
if we go through the Coast Guard process, any processes that
you have? And then when would you pick a reader, guesstimate?
And then when would they be deployed; will it be in the next
decade?
Mr. Sadler. Well, sir, I would have to defer to the Coast
Guard on the time line as they are promulgating the rule. I
can't answer that question.
Mr. Mica. Who actually issues the TWIC card, the Coast
Guard?
Mr. Sadler. No, we issue. That is our responsibility, to
issue the TWIC.
Mr. Mica. I thought the Coast Guard was sort of the
enforcement agency.
Mr. Sadler. They are.
Mr. Mica. They do a great job. Thank God for the Coast
Guard, because they are there 24/7, low pay, and guarding the
ports at entry points far beyond these gates, also making
certain that our maritime facilities are secure.
Okay, let's work this out. Remember my Groundhog Day? I
want to know how many more times we are going to do this. So
you have the Coast Guard, now this rulemaking. Is that an open-
ended thing or is there a time frame?
Mr. Sadler. Ninety-day comment period from March 22nd.
Mr. Mica. Okay. And then you expect them to digest this?
Are they going to get back with you? What is the process?
Explain it.
Mr. Sadler. The process is that they have public meetings.
Mr. Mica. After the rulemaking or during the rulemaking?
Mr. Sadler. During this 90-day period.
Mr. Mica. We got to that.
Mr. Sadler. Then they receive written comments.
Mr. Mica. I got to 90 days.
Mr. Sadler. Ninety days.
Mr. Mica. Then what is going to happen?
Mr. Sadler. Then they take the written comments, they take
the verbal comments from their public meetings, they adjudicate
those comments, and then they start to develop the final rule.
Mr. Mica. And any guess as to?
Mr. Sadler. No, sir, I don't.
Mr. Mica. No guess?
Mr. Sadler. No, sir.
Mr. Mica. Mr. Lord?
Mr. Lord. Yes. I think it is worth noting the Coast Guard
recently extended the comment period by 30 days. It may be
beneficial, given all the issues we discussed at today's
hearing, to perhaps extend it another 30 days to get additional
stakeholder comments. I imagine there are going to be a lot of
comments generated in the next few weeks.
Mr. Mica. Mr. Sadler, how long have you been with TSA?
Mr. Sadler. Since September 22nd, 2003.
Mr. Mica. From the beginning. So you have been there to see
that this is something we have tried to put into place for more
than a decade, and we seem to, at every turn, not make the
progress that Congress originally intended. We don't, again,
have a card, I think, that is adequate and we don't have
readers or a program really to get a reader in place, so it is
very frustrating. We have spent half a billion dollars on this
and we have a card now that is flawed; and not by my
definition, but by GAO's evaluation.
Mr. Lord, have you got any idea how this will all end?
Mr. Lord. I really don't, sir. That is more a matter for
Congress and the executive agencies. Our role is simply to
respond to the mandate and the Coast Guard Authorization Act to
study the results of the pilot and provide the report to
Congress, so that is what we did. On the other hand, we have
reported extensively on other TWIC-related issues in the past.
It will be interesting to see how it progresses after today.
Mr. Mica. Well, I believe there have been enough models out
there and enough opportunities to adopt a better system. It may
not be flawless, but, for the money we have spent and the
results we have gotten, this is a pitiful commentary to be here
May 2013 and still in this situation.
Mr. Connolly?
Mr. Connolly. Thank you, Mr. Chairman.
I guess in addition to just the facts here, I am bothered
by two Federal agencies coming to two different conclusions
based on the data available. Mr. Lord and GAO have taken the
position, if I understand it correctly, that the efficacy of
the pilot is flawed such that we should not rely on it. It
should not be a guide as we move forward, or something that can
be adhered to as a guide because it is so flawed in its
methodology in almost all respects, except there are some
ancillary things that produced positive externalities, but not
by design, you know, background checks or whatever.
Mr. Sadler, if I understood your testimony correctly, you
believe that is not correct; that there is reliable data, at
least sufficiently reliable that you and the Coast Guard can go
forward in expanding the pilot to other facilities. Is that
accurate?
Mr. Sadler. What I said, sir, was I think there is enough
reliable data to support the conclusions of the pilot itself,
which are that the reader, when installed properly, operated
properly, and when the individuals are trained properly,
whether it is the operator or the individual with the TWIC
card, that the reader works properly.
Mr. Connolly. And you say that the GAO report and evident
lack of confidence in same notwithstanding.
Mr. Sadler. I am sorry, sir, could you repeat that?
Mr. Connolly. You are saying that you are fully aware of
GAO's findings and reports that come to a very different
conclusion.
Mr. Sadler. Well, that was our conclusion when we wrote the
pilot report that we sent to Congress, so, yes, that is what I
am saying. So we agree in many areas with GAO, and we have to
agree because our pilot report itself pointed out many of the
same challenges that GAO pointed out as well. So we admitted to
those and we know it is a challenge.
Mr. Connolly. But here is the fundamental difference, Mr.
Sadler. GAO has come to the conclusion that those flaws,
deficiencies, problems, and lack of accurate data because of
methodology flaws are of sufficient gravity that Congress
should not rely on the pilot. You, in your position on behalf
of TSA, are saying quite the opposite. You are saying we are
going to rely on it; we don't agree that it is so flawed that
it can't be relied upon. And that is what I mean. Their
findings notwithstanding, you intend to go forward based on the
pilot, even though GAO is saying to Congress we actually think
you ought to decouple it from the pilot, it is that flawed.
Mr. Sadler. Well, sir, we have to go forward. We have been
directed to issue the credential; we have been directed to
install readers. And unless Congress gives us other direction,
then we are going to go forward.
But we still stand by the fact that there was enough
information gleaned from the pilot to support our conclusions
in the pilot report. Then we take that information, we give it
to the Coast Guard, and that is why I defer to the Coast Guard,
because the Coast Guard takes that information and they use it
based on how they think they need it, how they weight it, if
they shouldn't use it. So I am not shifting responsibility to
the Coast Guard, it is just the fact that they are writing the
rule.
Mr. Connolly. Surely, Mr. Sadler, you can sympathize,
though, with a taxpayer concern that if we have such a flawed
entity in the pilot, why not acknowledge that and find another
paradigm with which we are more comfortable, and there are
other models that seem to work in harsh environments, albeit
maybe not a maritime one, as opposed to slavishly sticking to
the pilot because statute cites it?
I mean, you are here to give advice today, as well as to be
accountable to Congress, and if it is your studied judgment
that we did our college best, but the pilot failed, or it is
sufficiently flawed that, in good conscience, if you asked my
opinion, I would find something else as a model to base going
forward on rather than the pilot.
And I don't want to mischaracterize, but what I am hearing
you saying is you don't, that is not your opinion; your opinion
is the pilot, flaws and all, is going to give us sufficient
data and is sufficiently efficacious that I have confidence
that we can move forward based on what we learned from that
pilot.
Mr. Sadler. And I want to be careful how I say this because
I do have to defer to the Coast Guard, but the pilot data is
one of many sources that the Coast Guard used in promulgating
their rule. So what I said, and what I will say again, is that
we believe we got sufficient data in sufficient quantity, in
sufficient quality, to support the conclusions of that pilot
itself, which was that if the readers are installed properly,
people are trained properly, and they were purchased and
installed based on the requirements of that particular port,
then they work properly and they can be used to help make
access decisions. Those were the conclusions of the pilot.
Mr. Connolly. Okay. The record will show that is in
distinct contrast to the GAO point of view. Okay.
Final set of questions, Mr. Chairman, if I may.
Mr. Lord, you cited in our previous round of questioning
harsh conditions in Afghanistan and Iraq, war conditions, and
lots of weather challenges too, I might add. I have been to
both. But they use an access card that includes biometric
information, is that correct?
Mr. Lord. Yes. It is called the common access card, the CAC
card.
Mr. Connolly. CAC card. And how many CAC cards have been
issued?
Mr. Lord. That is a good question. I am not the subject
matter expert on that. I know just from personal experience. I
was deployed to Iraq for GAO for three months and I had one and
it seemed to work and I never had an issue with it.
Mr. Connolly. Hundreds of thousands of contractors?
Mr. Lord. Absolutely. And the servicemen themselves.
Mr. Connolly. And the servicemen. Well, when you look at
the total number that have come through Afghanistan and Iraq,
it is well over a million, probably, right?
Mr. Lord. Yes.
Mr. Connolly. So we have had a lot of these cards issued. I
don't know if it approaches the TWIC, but it would be fairly
comparable, is that correct?
Mr. Lord. I believe so. I don't have the exact numbers. But
again I cited it as a success. That is an example where the
Government was able to issue----
Mr. Connolly. Yes. I am back to my benchmarking. We
actually have an example, and the security challenge is
paramount. That is why we issued these CAC cards, to make sure
bad guys don't get into sensitive facilities or, for that
matter, even canteens, where lots of our servicemen and women
are congregating, assuming it is a safe harbor; and it works.
And it has been working for how long?
Mr. Lord. For how long? That is a good question. I don't
know the answer.
Mr. Connolly. Well, we have been at war for 12 years, so
presumably most of the duration of that 12 years. Almost
paralleling the same time frame that the chairman cited in his
frustration, understandable frustration, where we have been
trying to work this out in the ports. And I guess I just wonder
what is the likelihood we could perhaps learn from a successful
lesson and try to apply it to TSA.
Mr. Lord. Well, that is obviously an option. You know,
there is another option. It is not, obviously, my call, but
they could rerun the pilot on a limited scale and resource it
and oversee it correctly. That is obviously one option. Or you
could pursue a different model, as you suggested, you know,
have the Government do the background checks and have the local
ports provide the credential. That is what I call a hybrid
option. But, again, that is not my call, that is the Congress's
call.
Mr. Connolly. I know it is the chairman's intention,
perhaps, and I would join him in this if that is what he wishes
to pursue, where we are going to hear from different examples
of Federal agencies using these kinds of access cards, and
undoubtedly we will have TSA back, but it will be most
instructive to hear more about how the DOD has successfully
managed to create and deploy a card that seems to work.
Mr. Lord. In harsh conditions. Actually, they would
probably be a very good witness to have at your upcoming
hearing.
Mr. Connolly. Thank you very much.
Mr. Chairman, I yield back and I thank you for holding this
hearing. It is most illuminating.
Mr. Mica. Well, thank you, Mr. Connolly. We will work with
you.
I think, again, our intent is to sort of end this Groundhog
Day and not have another one of these hearings. Again, there
are just so many of them. I just was reminded by the staff, Mr.
Connolly, that we had a one-year pilot program testing the
readers back in 2006 at the Port of New York and New Jersey,
and we had collected data on fingerprints at that juncture. But
we have done that pilot program, we have done these pilot
programs. Now we are at this stage and Mr. Lord said it might
be valuable to go back and do another pilot program again with
some data that is reliable.
Mr. Sadler, you said we spent $23 million on this pilot. Is
there any money left?
Mr. Sadler. I believe there is some grant money. And out of
the $23 million, as I understand it, the ports expended $15
million of the grant money.
And I would like to make a comment on the DOD, and maybe
Mr. Lord can answer this. The DOD may be using a contact mode
only, and I don't know if that is accurate or not.
Mr. Mica. But, you know, it is amazing. Are you the head of
this program for TSA?
Mr. Sadler. I am the senior responsible executive.
Mr. Mica. And you don't know about the other programs?
Mr. Sadler. If they are using a CAC card, that is a contact
biometric, sir.
Mr. Mica. I think the first thing I would do, if I were the
head of this, Mr. Connolly, find out what works, is somebody
doing it. Are we reinventing the wheel?
Mr. Sadler. Well, I will tell you, sir, contact is not
going to work in the maritime environment. And if the CAC card
is using a contact biometric, where you have to put the card
into a reader and put a PIN in, you are not going to get trucks
and individuals through those gates using a contact mode.
Now, to fix that problem, we actually developed a
specification with industry to wirelessly transmit an encrypted
biometric. There is no standard in the Federal Government for
that today. So if we compare models, we need to compare similar
models.
Mr. Connolly. Mr. Sadler?
Mr. Chairman?
Mr. Mica. Go ahead.
Mr. Connolly. If I could just follow up on the chairman's
point, Mr. Sadler. I am not trying to put you on the spot, but
instead of theorizing about what CAC does or does not do, or
whether it is applicable or it is not applicable, how about
finding out? Would it be worth it? Would you be willing to
commit that TSA is going to actually look at how CAC works?
Mr. Mica. Not just CAC, Mr. Connolly, but others. There are
programs that do work.
Mr. Connolly. And let's see if we can't fold that into our
experience with our own pilot and see if we can't make a better
product. Our interest here is success, it is not laying blame;
and we would like to partner with you, but if we have a model
that is successful, and you may be absolutely right, it may not
fully be applicable, it may not be applicable at all, but
trucks have to go to remote locations in Afghanistan, and
previously Iraq, long convoys, so there may be comparable
aspects of this that we could benefit from.
So I wonder if you would be willing to make that
commitment, that you are going to look at that to see if there
are aspects of it that could be relevant as we fold in lessons
learned in the pilot.
Mr. Sadler. We will look at anything, sir, to make this
pilot better and to make the result better.
Mr. Connolly. I thank you for that commitment.
Mr. Sadler. And my comment was not meant to infer
otherwise.
Mr. Mica. And maybe we will give him about 60 days or
something like that, Mr. Connolly; call him back and see what
he has learned that is out there that may be applicable, get an
evaluation of where they are. Again, maybe you could come back
to the committee with a better time line. We have this 90-day
review in place.
And then maybe, if there is money left over, Mr. Lord and
this report says that some of the basis by which you are
proceeding is flawed. Even the data that is given to Coast
Guard by which you are making a further evaluation isn't up to
date. But, my God, this thing is going on forever. We do not
have readers.
The other thing, too, what is the agency that sets the
standard for the high risk?
Mr. Sadler. NIST.
Mr. Mica. Yes. Could you write them and ask them when they
think they will have that standard? I have had them before
Congress several times. I would just be curious if you would
write them, and then I will ask the committee staff, we will
sign a letter together, when they will have this ready. It was
coming some years ago in the summer, and then it was coming in
the fall, and then it was coming in mid-January. We still don't
have this. And then maybe if we don't, we can find some
standards that Congress could adopt or something.
But to issue cards that do not have a biometric component
that is reliable, cards that can be thwarted, which GAO has
done in covert testing, and to have this system in place at
great expense both to the truckers and the transportation
workers, and maybe 129 doesn't sound like a lot to us, but to
again have this whole thing not working and not as it was set
out to provide us with some firm identification.
Now, we are just looking at TWIC. We are going to look at
global entry, we are going to look at the CLEAR card, we are
going to look at the pilot's license, all these IDs that TSA
and Homeland Security have some say in, and try to see what we
can do to ensure that we have better identification, because we
are putting ourselves at risk. We are not knowing who we are
dealing with. And if we can know that, you can speed up the
process, the inconveniences to passengers, to business,
truckers, to port personnel.
So that is our intent. I want to thank, again, Mr. Connolly
for his involvement, Mr. Cummings, Mr. Meadows, and others. We
have a small panel, so we can have this nice exchange. We will
be back.
There being, I guess, no further business before the
subcommittee, I thank the witnesses for being with us. I thank
you and the committee stands adjourned.
[Whereupon, at 10:29 a.m., the subcommittee was adjourned.]
�