[Senate Hearing 107-550]
[From the U.S. Government Publishing Office]
S. Hrg. 107-550
SECURING OUR INFRASTRUCTURE:
PRIVATE/PUBLIC INFORMATION SHARING
=======================================================================
HEARING
before the
COMMITTEE ON
GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION
__________
MAY 8, 2002
__________
Printed for the use of the Committee on Governmental Affairs
U.S. GOVERNMENT PRINTING OFFICE
80-597 WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
COMMITTEE ON GOVERNMENTAL AFFAIRS
JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan
FRED THOMPSON, Tennessee
DANIEL K. AKAKA, Hawaii
TED STEVENS, Alaska
RICHARD J. DURBIN, Illinois
SUSAN M. COLLINS, Maine
ROBERT G. TORRICELLI, New Jersey
GEORGE V. VOINOVICH, Ohio
MAX CLELAND, Georgia
THAD COCHRAN, Mississippi
THOMAS R. CARPER, Delaware
ROBERT F. BENNETT, Utah
JEAN CARNAHAN, Missouri
JIM BUNNING, Kentucky
MARK DAYTON, Minnesota
PETER G. FITZGERALD, Illinois
Joyce A. Rechtschaffen, Staff Director and Counsel
Larry B. Novey, Counsel
Kiersten Todt Coon, Professional Staff Member
Richard A. Hertling, Minority Staff Director
Ellen B. Brown, Minority Senior Counsel
Elizabeth A. VanDersarl, Minority Counsel
Morgan P. Muchnick, Minority Professional Staff Member
Darla D. Cassell, Chief Clerk
C O N T E N T S
------
Opening statements:
Page
Senator Lieberman............................................ 1
Senator Thompson............................................. 2
Senator Bennett.............................................. 4
Senator Akaka................................................ 7
Senator Carper............................................... 19
Prepared statement:
Senator Bunning.............................................. 53
WITNESSES
Wednesday, May 8, 2002
Ronald L. Dick, Director, National Infrastructure Protection
Center, Federal Bureau of Investigation........................ 8
John G. Malcolm, Deputy Assistant Attorney General, Criminal
Division, U.S. Department of Justice........................... 10
John S. Tritak, Director, Critical Infrastructure Assurance
Office, U.S. Department of Commerce............................ 12
Michehl R. Gent, President and Chief Executive Officer, North
American Electric Reliability Council.......................... 28
Harris N. Miller, President, Information Technology Association
of America..................................................... 30
Alan Paller, Director of Research, The SANS Institute............ 32
Ty R. Sagalow, Board Member, Financial Services Information
Sharing and Analysis Center (FS ISAC) and Chief Operating
Officer, AIG eBusiness Risk Solutions.......................... 34
David L. Sobel, General Counsel, Electronic Privacy Information
Center......................................................... 36
Rena I. Steinzor, Academic Fellow, Natural Resources Defense
Council and Professor, University of Maryland School of Law.... 38
Alphabetical List of Witnesses
Dick, Ronald L.:
Testimony.................................................... 8
Prepared statement........................................... 54
Gent, Michehl R.:
Testimony.................................................... 28
Prepared statement........................................... 81
Malcolm, John G.:
Testimony.................................................... 10
Prepared statement........................................... 64
Miller, Harris N.:
Testimony.................................................... 30
Prepared statement with attachments.......................... 94
Paller, Alan:
Testimony.................................................... 32
Prepared statement........................................... 112
Sagalow, Ty R.:
Testimony.................................................... 34
Prepared statement with attachments.......................... 123
Sobel, David L.:
Testimony.................................................... 36
Prepared statement........................................... 166
Steinzor, Rena I.:
Testimony.................................................... 38
Prepared statement with an attachment........................ 172
Tritak, John S.:
Testimony.................................................... 12
Prepared statement........................................... 77
Appendix
Chart with quote from Osama Bin Laden, December 27, 2001,
submitted by Senator Bennett................................... 190
Chart entitled ``Reporting and Dissemination of Information.''
Source: The Report of the President's Commission on Critical
Infrastructure Protection, October 1997, submitted by Senator
Bennett........................................................ 191
Chart entitled ``Coincidence or Attack?'' Source: The Report of
the President's Commission on Critical Infrastructure
Protection, October 1997, submitted by Senator Bennett......... 192
Chart entitled ``Critical Infrastructure Information Security
Act'' submitted by Senator Bennett............................. 193
Copy of S. 1456.................................................. 194
Laura W. Murphy, Director, ACLU Washington National Office, and
Timothy H. Edgar, ACLU Legislative Counsel, American Civil
Liberties Union, prepared statement............................ 214
John P. Connelly, Vice President, Security Team Leader, American
Chemistry Council, prepared statement.......................... 222
Catherine A. Allen, CEO, BITS, The Technology Group for the
Financial Services Roundtable, prepared statement.............. 228
SECURING OUR INFRASTRUCTURE:
PRIVATE/PUBLIC INFORMATION SHARING
----------
WEDNESDAY, MAY 8, 2002
U.S. Senate,
Committee on Governmental Affairs,
Washington, DC.
The Committee met, pursuant to notice, at 9:33 a.m., in
room SD-342, Dirksen Senate Office Building, Hon. Joseph I.
Lieberman, Chairman of the Committee, presiding.
Present: Senators Lieberman, Thompson, Bennett, Akaka, and
Carper.
OPENING STATEMENT OF CHAIRMAN LIEBERMAN
Chairman Lieberman. The hearing will come to order. Good
morning.
Today the Governmental Affairs Committee takes up the issue
of protecting our critical infrastructure from terrorist attack
and the extent to which private industry should share sensitive
information both within its own community and with the Federal
Government.
This is a matter of longstanding interest to Senator
Bennett, who has introduced legislation with Senator Kyl
regarding information sharing and our critical infrastructure.
I would like to take this opportunity to thank him for his
dedication to this matter of critical importance to our
national security.
Senator Bennett's legislation, which is called the Critical
Infrastructure Information Security Act, would encourage
companies to voluntarily share information about critical
infrastructure threats and vulnerabilities with the government
and among themselves by granting exemptions from the Freedom of
Information Act and the antitrust laws.
Senator Thompson and I are working with Senators Bennett
and Kyl to evaluate the principles and questions embodied in
this bill, which raises important questions about how to better
secure our critical infrastructure against what we now must
conclude are very real terrorist threats and continuing
criminal threats.
Critical infrastructure is a term that I take to cover our
financial, transportation, communications networks, our
utilities, public health systems, law enforcement, and
emergency services. Critical infrastructure has been described
as our Nation's skeleton, but it seems to me that it might more
aptly be described as our Nation's vital organs. The critical
infrastructure is what keeps the country humming. It enables us
to interact with one another. It enables us to continue the
life of our economy which sustains all of us, and also makes it
possible for us to have the highest quality of life on the
planet. The critical infrastructure in that sense is what makes
America work.
Many of our critical infrastructures are privately owned,
and in this information age are increasingly computer-dependent
and interdependent with each other. For several years, the
Federal Government has been working to develop a public/private
partnership to secure critical infrastructure. Companies are
encouraged to share information among themselves about
vulnerabilities, threats, intrusions, solutions, and to share
information also with the government, which can then, as
appropriate, issue warnings and respond accordingly.
Because of our oversight role, the Governmental Affairs
Committee has closely participated in these efforts, although
Senator Bennett's foresight is such that he was working on this
proposal, this bill, before September 11. Our task took on
renewed urgency after the events of September 11. We have held
a series of hearings in our governmentwide evaluation about how
best to protect Americans here at home as well as our
infrastructure, and today's hearing builds on that record that
this Committee has compiled.
Let me say that if necessary information is not being
adequately shared between private entities and the Federal
Government, we must address that problem for the safety of all
Americans, but we have also got to be concerned, obviously,
about unintended consequences, and that would be unduly
undermining, for instance, the public's right to know. So there
is a balance here to be struck. It is, in that sense, the
balance that this Nation has struck since the beginning of its
existence between, if I may state it too simplistically,
security and liberty. There is a natural tendency now to move
along that spectrum towards security after September 11, and it
is realistic and responsible to do so, but obviously we do not
want to do it in a way that unduly compromises the blessings of
liberty which define what it means to be an American and for
which we are all grateful, and in that sense which we are
fighting to protect in the war against terrorism itself.
So those are the very important and difficult questions
that the legislation before us deals with and we will be
dealing with this morning.
I look forward to hearing from today's witnesses to learn
exactly what kind of private sector information they believe
the government needs, to effectively protect the critical
infrastructure and the American people; what the experience of
industry and government have been regarding information sharing
thus far; and, to the extent that there are those who believe
that the proposed legislation would be harmful, or reaches too
far, why they feel that is so.
Senator Bennett and I certainly agree that the protection
of our critical infrastructure is a priority, a national
concern now, and I look forward to working with him as we go
forward to achieve a good and reasonable solution.
Senator Thompson.
OPENING STATEMENT OF SENATOR THOMPSON
Senator Thompson. Thank you, Mr. Chairman.
We certainly are all redoubling our efforts to shore up our
defenses after September 11. You point out most of the issues
that we are confronted with. However, there are other issues.
The role of the Federal Government, with regard to critical
infrastructure, has never been fully defined. We are in need of
proposals to define the Federal Government's role, as well as
assigning specific responsibilities to the State, local and
private sector entities. And while we want to encourage
industry to share information with the Federal Government, we
are still in need of a framework for dealing with that
information, and assurances about what will be done with that
information once it is received.
Senators Bennett and Kyl have introduced legislation which
is before this Committee, intended to reduce the threat of
terrorism by encouraging private industry to share information
with each other and with the Federal Government in order to
help prevent, detect, warn of and respond to threats.
Originally cast as a cyber terrorism bill, this bill is
just as relevant to physical terrorist threats. It
seems to me that instead of mandating requirements or issuing
regulations for the private sector, we should be incentivizing
private industry to protect themselves and share information
with each other and the Federal Government. At this time I
think the Bennett-Kyl bill is on the right track. There are
issues and concerns the bill raises, but those are the things
we will begin to try to work through today.
One thing is certain, information is vital to this Nation.
On September 11, despite great physical damage sustained,
information continued to flow across the country. We learned
that, for example, Verizon's switching office at 140 West
Street in Manhattan, which supported 3.5 million circuits,
sustained heavy damage. Verizon Wireless lost 10 cellular
transmitter sites. WorldCom lost service on 200 high-speed
circuits in the World Trade Center basement. Sprint PCS
Wireless Network in New York City lost four cells.
Notwithstanding these losses, the telecom infrastructure
continued to bring the Nation sound and images of the events,
summoned emergency vehicles and alerted the military. But the
wireless disruptions we experienced here in DC, which were also
experienced in New York, were localized and due to overload.
Within 1 week after September 11, Verizon restored 1.4 million
of the 3.5 million circuits it lost. The New York Stock
Exchange had phone and data service to over 93 percent of its
15,000 lines when it reopened. Information is vital.
The LA Times recently reported that a new CIA report makes
clear that U.S. intelligence analysts have become increasingly
concerned that authorities in Beijing are actively planning to
damage and disrupt U.S. computer systems through the use of
Internet hacking and computer viruses. This was in the L.A.
Times April 25.
I do not know why this is a surprise to anyone. In 1998 the
Director of Central Intelligence testified in open session
before the Committee that several countries, including Russia
and China, have government-sponsored information warfare
programs with both offensive and defensive applications. So the
stakes are very high.
I look forward to hearing from our witnesses today about
how we can better protect our Nation's critical infrastructure
and its citizens. Thank you, Mr. Chairman.
Chairman Lieberman. Thank you, Senator Thompson. Senator
Bennett.
OPENING STATEMENT OF SENATOR BENNETT
Senator Bennett. Thank you very much, Mr. Chairman. I
appreciate your courtesy and leadership in holding the hearing.
We have been talking about this for some time, and I appreciate
your willingness to raise it to this level.
I would ask that the record be kept open for a week to
allow interested parties to submit statements and comments.
Chairman Lieberman. Without objection, it will be done.
Senator Bennett. If I may, Mr. Chairman, I would like to
take a little time to just set the scene, as I see it. And I
will start out with a chart that shows an interesting quote
that came on December 27, 2001.\1\ And the quote is being put
up there, but you and Senator Thompson and Senator Akaka have a
copy of it. Osama bin Laden says, ``It is very important to
concentrate on hitting the U.S. economy through all possible
means . . . look for the key pillars of the U.S. economy. The
key pillars of the enemy should be struck. . . .'' Making it
very clear that he is not just talking about bombing buildings
or symbols. He wants to go after the economy. And, obviously,
critical infrastructure represents by definition those parts of
the economy that he would attack.
---------------------------------------------------------------------------
\1\ Chart with quote from Osama Bin Laden appears in the Appendix
on page 190.
---------------------------------------------------------------------------
I am not quite sure of the number. I have used 85 percent.
Some witnesses say 90 percent of the critical infrastructure in
this country is owned by the private sector, so that this
represents a vulnerability different than any we have ever
faced in warfare before. Always before an enemy would
concentrate on military targets or production targets that were
tied to the military. In this case, as Osama bin Laden's quote
indicates, they are going to go after any aspect of the economy
that would shut us down. So let us use the more conservative
number and say 85 percent of the future battlefield is in
private, not public hands. So if the private sector and the
government are both targets, they should be talking to each
other, and they should be talking to each other in ways that
make the most sense.
Now, this is not a new issue. If I can go back to a pair of
charts that were prepared 5 years ago during the Clinton
Administration by the report of the President's Commission on
Critical Infrastructure Protection. The first one \2\ has to do
with this whole question of reporting and disseminating
information, and the President's Commission, under President
Clinton, produced this pyramid. And it is a little hard to
read, so let me walk you through it, Mr. Chairman.
---------------------------------------------------------------------------
\2\ Chart entitled ``Reporting and Dissemination of Information''
appears in the Appendix on page 191.
---------------------------------------------------------------------------
At the very top of the pyramid are the publicized system
failures or successful attacks. We would think of this in terms
of the Nimda attack or the ``I Love You'' virus or other things
that have caused economic damage, and the reporting and
dissemination of information about things at the top of the
pyramid, if you can follow the arrow on the side, is moderate.
That is, there is a fairly sufficient amount of information. I
cannot resist commenting on something I was taught many years ago
when it came to chart making, which is ``black on blue you
never do.'' [Laughter.]
And someone did not notice that when they drew that black
arrow.
Anyway, below that top point of the pyramid, there are
threats to critical infrastructure that are less well known and
less well reported, and beneath those there are system
degradations, information about vulnerabilities that are even
less well known and less discussed. And then below that where
you talk about the vulnerabilities of particular systems, comes
the question of interdependencies where one system may be in
very good shape but threatened because it is tied to another
that is not in good shape, and then finally, the area that is
in the very lowest area of reporting and dissemination are
those other sources of useful information that would apply to
this.
As I was saying, this chart was drawn up during the Clinton
Administration and is now 5 years old. Neither we in the
Congress nor the administration have done anything formally
about this. There has been a great deal of effort put forward
during the Clinton Administration being carried on almost
frantically in the Bush Administration. But we in the Congress
have not responded in any way to try to make the reporting and
dissemination of information more widespread. We are still
somewhat contented to concentrate entirely on the tip of the
pyramid and not look at the things below that.
Now, one of the reasons for the legislation that I have
introduced along with Senator Kyl, and we have now picked up
some other co-sponsors, is to encourage sharing of information
voluntarily across the entire spectrum, that is the 85 percent
that is in private hands as well as the 15 percent that is in
government hands. And, yes, we do want to protect that
information from a FOIA request, Freedom of Information Act.
The Freedom of Information Act itself allows this to be done.
That is, there are provisions in the act that say that
information need not be shared. But the real focus of the
legislation we have introduced is simply to sharpen the
definitions of the areas that are already in the act. We are
not trying to repeal the act or in any way damage or change its
major thrust. We simply want to make the definitions that it
already contains a little clearer with respect to this threat.
Now, why would we want to protect information from a FOIA
request? Because if we do not, we will not get it. There are
private companies who simply will not give us the information
if they think it is subject to a FOIA request, perhaps because
they want to protect it from competitors. It is voluntarily
given. Why should they voluntarily tell their competitors that
they are under threat?
Second, they do not want it to be a road map for
terrorists. Many people do not realize that you do not have to
be a U.S. citizen to submit a FOIA request. Osama bin Laden
could find some third party willing to front for him who would
submit a FOIA request, find out how successful he was being in
one of his attacks, and the FOIA request therefore could become
a road map for the terrorists as they seek to be effective in
their attacks. Also, we want consistency from agency to agency
and we believe that this legislation will allow that to happen.
There is another reason why this information should come to
the government, because the government needs to analyze it to
determine whether or not the attacks that are coming are real
attacks or simply coincidence. Once again, a chart \1\ that
comes out of the Clinton Administration that is 5 years old,
simply raises the question of whether or not a variety of
attacks are a pattern coming from a common source or simply
coincidence. Here on this map are a series of things that could
happen in the Northwest--9-1-1 suddenly becomes unavailable. In
my area of the country there is a threat to the water supply.
In the Midwest there are bomb threats at two buildings. Some
bridges go down. And FBI phones get jammed. An oil refinery has
a fire. These things happen simultaneously. Is there a pattern
that would indicate that they are being caused by some enemy,
or is it simply coincidence that they are all happening on the
same day? Without information sharing the government analysts
who are looking for the possibility of attack simply will not
know. They will have to guess. And guessing is never a very
productive kind of thing when you are vulnerable.
---------------------------------------------------------------------------
\1\ Chart entitled ``Coincidence or Attack?'' appears in the
Appendix on page 192.
---------------------------------------------------------------------------
So again this is a chart that is 5 years old, drawn up
during the Clinton Administration to say we need information
sharing so that we can determine whether or not this is a
coincidence or an attack.
Now, finally if I could put up a chart that I have produced
that summarizes the position that we are taking with respect to
this bill.\2\ We believe that there needs to be information
sharing on the circle on the left of the chart. Within private
industry people ought to be able to talk to each other. The
telephone company that is under some kind of cyber attack ought
to be able to check with somebody in the banking industry to
see if they are experiencing similar sorts of problems.
---------------------------------------------------------------------------
\2\ Chart entitled ``Critical Infrastructure Information Security
Act'' appears in the Appendix on page 193.
---------------------------------------------------------------------------
Senator Dodd and I introduced legislation with respect to
the Y2K on exactly this point. And it was passed, and if I may
say so, the world did not come to an end. There was not a
shutdown of civil liberties or freedom of information. It was
simply an opportunity for two industries that are seemingly
different, but that have the same kinds of computer problems,
to talk to each other. So we have that circle on the left side
where people in private industry can talk to each other to say,
``Gee, my facility is under this kind of cyber pressure. Is
anything happening in yours that I might know about?'' Then
comes the arrow at the bottom of the chart where that
information is shared voluntarily with the U.S. Government.
Perhaps the most important arrow is the one at the top of the
chart where the U.S. Government shares back with industry their
analysis. Harking back to the earlier chart, they can say,
``No, we see no pattern here. If you have a problem, it is
probably caused by a disgruntled employee or a private hacker
that decided you are a target. There is no indication here of a
major attack.'' Or the information comes back, ``Hey, we have
analyzed this. What is happening to you in the banking industry
is similar enough to what is happening in power or other
utilities, that we think this is a concerted effort being
mounted by somebody who wishes the entire economy ill.'' It is
that kind of information sharing and analysis sharing that we
think will make the entire Nation safer.
So, Mr. Chairman, I appreciate your willingness to hold the
hearing. I appreciate your indulgence in allowing me to go on a
little longer than is normal for an opening statement to
outline where we are. What I hope we can accomplish in this
hearing is to determine the degree to which information sharing
is needed, how the government can get the information that it
needs from the private sector, how the private sector can get
analysis and information that it needs from the government, and
if there are additional barriers to the sharing of information
that we have not addressed in this legislation that could cause
us to make changes in it.
With that, Mr. Chairman, I will participate, obviously, in
the questioning of the panel, and again, thank you for the
leadership you have shown in pursuing this issue.
Chairman Lieberman. Thank you, Senator Bennett. Thanks for
a thoughtful statement, and incidentally, by Senate standards,
it was very brief. [Laughter.]
Senator Akaka, do you have an opening statement?
OPENING STATEMENT BY SENATOR AKAKA
Senator Akaka. Thank you very much, Mr. Chairman for
holding this hearing today on information sharing between the
private sector and the Federal Government as a part of our
national strategy to protect our critical infrastructure.
Such cooperation should be encouraged in order to safeguard
America's computer systems from devastating cyber attacks, and
I have listened with interest to the Senator's
presentation with the charts that show it so well.
The interdependency and inter-connectivity of government
and industry computer networks increase the risks associated
with cyber terrorism and cyber crimes. Any security weakness
has the potential of being exploited through the Internet to
gain unauthorized access to one or more of the connected
systems. Information sharing can help protect our national
security and critical infrastructure. The necessary exchange of
information is furthered through President Clinton's
presidential decision, Directive 683, which established ISACs,
Information Sharing and Analysis Centers, to facilitate
information sharing among private entities. The Directive
fosters voluntary information sharing by various entities with
the Federal Government to submit sensitive information that is
normally not shared to enhance the prevention and detection of
attacks on critical infrastructures.
I believe the confidential sharing of information on
vulnerabilities to the Nation's critical infrastructures is
necessary. However, we must carefully examine legislation like
S. 1456, which would make voluntary shared information about
critical infrastructure security exempt from release under the
Freedom of Information Act. Exempting this information from
disclosure might mean that State and local governments would
not have adequate access to information relating to
environmental and public health laws like the Clean Air Act. We
must not provide inadvertent safe harbors for those who violate
Federal health and safety statutes. I have heard from a number
of my constituents who believe that measures to ease
information sharing through a FOIA exemption would bar the
Federal Government from disclosing information regarding toxic
spills, fires, explosions, and other accidents without
obtaining written consent from the company that had the
accident. States and localities are concerned that other
proposals would provide companies with immunity from the civil
consequences of violating, among other things, the Nation's
environmental, consumer protection and health safety laws. We
must be careful not to harm the environment inadvertently or
bar communities from acquiring vital public health information
by enacting overly broad legislation.
I look forward, Mr. Chairman, to hearing from our witnesses
on how to promote information sharing between the Federal
Government and private sector in a manner that does not turn
back existing laws and regulations that protect the environment
or public health. Thank you very much, Mr. Chairman, for
holding this hearing.
Chairman Lieberman. Thank you, Senator Akaka.
We will now go to the first panel which consists of
representatives of the Executive Branch, the administration.
Ronald Dick, who is Director of the National Infrastructure
Protection Center at the FBI; John Malcolm, Deputy Assistant
Attorney General in the Criminal Division of the Department of
Justice; and John Tritak, Director of the Critical
Infrastructure Assurance Office at the Department of Commerce.
We welcome the three of you.
There is a light system here. We ask you to try to keep
your opening statements to 5 minutes. With 1 minute left it
will go yellow. When it hits red, we are not going to
physically remove you, but try to bring it to a conclusion.
I would like to say for the record that the written
statements that you have submitted to the Committee will be
printed in full in our record. So we thank you for being here,
for this very important discussion.
And, Mr. Dick, why do you not begin?
TESTIMONY OF RONALD L. DICK,\1\ DIRECTOR, NATIONAL
INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF
INVESTIGATION
Mr. Dick. Good morning Senator Lieberman, Senator Thompson,
and other Members of the Committee. Thank you for the
opportunity to discuss our government's important and
continuing challenges with respect to critical infrastructure
protection.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Dick appears in the Appendix on
page 54.
---------------------------------------------------------------------------
In your invitation to appear before this Committee, you
asked me to address issues related to information sharing and
critical infrastructure protection. Because the NIPC is located
within the FBI, we have access to a great deal of information
from intelligence sources as well as from criminal
investigations.
Only a week ago, our 24 by 7 NIPC watch began receiving
calls from several of our private sector partners about the
Klez.h worm. The worm had spread quickly and had the potential
to affect a number of vulnerable systems by destroying critical
operating system files. After consulting with our private
sector partners and within a few hours of the official
notification, we released an alert which was immediately
disseminated via E-mail and teletype to a host of government,
civilian and international agencies. The alert was also posted
to the NIPC website. This is only the most recent example of
two-way information sharing and how the private sector works
with the NIPC.
The NIPC's InfraGard is an initiative to promote trust and
information sharing. We have developed InfraGard into the
largest government-private sector joint partnership for
infrastructure protection probably in the world. More than half
of our 4,100 members have joined since I testified before this
Committee 7 months ago. InfraGard expands direct contacts with
the private sector infrastructure owners and operators and
shares information about cyber intrusions and other critical
infrastructure vulnerabilities through the formation of local
InfraGard chapters within the jurisdiction of the FBI field
offices.
I have created a new unit within the center, whose mission
includes building trusting relationships with the ISACs that
had been mentioned earlier that represent critical
infrastructures. We now have information sharing agreements
with seven ISACs, including those representing energy,
telecommunications, information technology, air transportation,
water supply, food, and chemical sectors. Several more
agreements are in the final stages. To better share
information, NIPC officials have met with business, government
and community leaders across the United States and around the
world to build the trust required for information sharing. Most
have been receptive to information sharing and the value of the
information received from NIPC.
However, many have expressed reservations due to lack of
understanding or perhaps confidence in the strength of the
exceptions found in the Freedom of Information Act. In
addition, concerns about whether the Justice Department would
pursue prosecutions at the expense of private sector business
interests, and finally, simply reluctance to disclose
proprietary information to any entity beyond their own control
or beyond the direct control of NIPC.
The annual Computer Security Institute/FBI Computer Crime
and Security survey, which was released in April of this year,
indicated that 90 percent of the respondents detected computer
security breaches in the last 12 months. Only 34 percent
reported the intrusions to law enforcement. On the positive
side, that 34 percent is more than double the 16 percent that
reported intrusions in 1996. The two primary reasons for not
making a report were negative publicity and the recognition
that competitors would or could use the information against
them if it were released. At the NIPC we continue to seek
partnerships which promote two-way information sharing. As
Director Mueller stated in a speech on April 19, ``Our top
priority is still prevention.'' We can only prevent acts on our
critical infrastructures by building an intelligence base,
analyzing that information and providing timely, actionable,
threat-related products to our private and public sector
partners.
As for the Freedom of Information Act, many legal
authorities have agreed that the Federal Government has the
ability to protect information from mandatory disclosure under
the current statutory framework. Indeed, in 1974 Federal courts
began to hold that FOIA itself anticipates that Federal
agencies do not have to release private sector commercial or
financial information if doing so would, ``impair the
government's ability to obtain necessary information in the
future.'' And the FBI also has the ability to protect certain
information provided by the private sector that is compiled for
law enforcement purposes.
Nonetheless, the government's ability to protect
information is of little value if the private sector is
unwilling to provide that information in the first place.
Clearly there is room for increasing the private sector's
confidence level in how we will protect their information from
public disclosure. Stated more simply, if the private sector
does not think the law is clear, then by definition it is not
clear.
Therefore, we welcome the efforts of your Committee in
improving information sharing, and I look forward to addressing
any questions that you may have. Thank you.
Chairman Lieberman. Thank you, Mr. Dick. Now Mr. Malcolm.
TESTIMONY OF JOHN G. MALCOLM,\1\ DEPUTY ASSISTANT ATTORNEY
GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE
Mr. Malcolm. Thank you, Senator. Mr. Chairman, Members of
the Committee, I would like to thank you for this opportunity
to testify about the Department of Justice's efforts to protect
our Nation's critical infrastructure and about information
sharing that is needed and related to its protection. It is
indeed a privilege for me to appear before you today on this
extremely important topic and I would commend the Committee for
holding this hearing.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Malcolm appears in the Appendix
on page 64.
---------------------------------------------------------------------------
Since the Committee already has my slightly more lengthy
written testimony, I will use the brief time that I have in my
oral statement to outline the nature of the critical
infrastructure protection, the information sharing problems,
and the Department's current efforts to combat that problem. It
is clear to the Department of Justice, as it is to this
Committee, that information sharing is a serious issue and that
its complexity presents significant challenges to law
enforcement.
The safety of our Nation's critical infrastructure is of
paramount concern to the Justice Department. As you know, the
term ``critical infrastructure'' refers to both the physical
and cyber-based resources that make up the backbone of our
Nation's telecommunications, energy, transportation, water,
emergency services, banking and finance, and information
systems. The problem of ensuring delivery of critical
infrastructure services is not new. Indeed owners and operators
of critical infrastructure facilities have been managing risks
associated with service disruptions for as long as they have
had those facilities. However, the operational challenges of
ensuring the delivery of the broad array of services that now
depend upon the Internet and other information systems is a
challenge that has grown exponentially in the last several
years.
The burgeoning dependence of the United States
infrastructure on the Internet has exposed vulnerabilities that
have required the U.S. Government to mount new initiatives, to
create new Federal entities, to help manage critical
infrastructure protection efforts, and to seek prevention,
response, and reconstitution solutions. The safety of our
Nation is of course our first and foremost overriding
objective. The Justice Department has been working across
government to address infrastructure issues for several years.
However, the attacks of September 11 have heightened our
awareness of these issues and created a new sense of urgency.
U.S. infrastructure protection efforts are the shared
responsibility of many entities, both public and private. Much
of this joint effort is based upon the principle that a robust
exchange of information about threats to and actual attacks on
critical infrastructures is a critical element for successful
infrastructure protection. The following, of course, are just a
few of the entities that are dedicated to this principle: The
National Infrastructure Protection Center, headed up by Mr.
Dick; the Department of Justice's Computer Crime and
Intellectual Property Section, which I oversee; the Information
and Analysis Centers that have been referred to; the Critical
Infrastructure Assurance Office, Mr. Tritak's shop; Office of
Homeland Security; and the Federal Computer Incident Response
Center.
To better protect critical infrastructures government and
private sector must work together to communicate risks and
possible solutions. Acquiring information about potential
vulnerabilities from the private sector is essential. Doing so
better equips us to fix deficiencies before attackers can
exploit them. For example, a vulnerability in an air traffic
control communication system could allow a cyber attacker to
crash airplanes. That example is not entirely hypothetical. A
hacker did indeed bring down the communication system at the
Worcester, Massachusetts airport in 1997. After he was caught
and prosecuted, and thankfully no lives were lost, nonetheless
this is a sobering example.
If we concentrate our time and energy on remediation of
terrorist attacks after they have occurred, we have already
lost. Information is the best friend that we have for both
prevention and response. And we recognize that we can protect
the Nation only if the private sector feels free to share
information with the government. However, industry often is
reluctant to share information with the Federal Government. One
reason that they give for not sharing this information is that
the government may ultimately have to disclose that information
under the Freedom of Information Act or FOIA. Industry is also
concerned that sharing information among companies will lead to
antitrust liability, or that sharing among companies or with
the government will lead to other civil liabilities such as a
product liability suit or shareholder suit.
Without legal protections regarding information needed by
the government and which they possess in order to safeguard our
infrastructure, even the most responsible civil-minded
companies and individuals may hesitate before sharing such
critical information, fearing that competitors may share that
information and use it to their advantage. With this in mind,
both the Senate and the House of Representatives have actively
considered addressing this issue through legislation, and the
Department appreciates the efforts of, among others, Senator
Bennett, a Member of this Committee, for sponsoring such
legislation.
Such a corporate good samaritan law would provide the
necessary legal assurance to those parties willing to
voluntarily provide sensitive information to the government
that they would otherwise not provide. The Justice Department
believes that the sharing of the private sector security
information on critical infrastructure between the private
sector entities and the Federal Government will help to avert
acts that harm or threaten to harm our national security, and
that this is of the utmost importance. We are prepared to work
very closely with Congress to pass legislation that provides
this important legal protection.
Mr. Chairman, I would again like to thank you for this
opportunity to testify about our efforts. Citizens are deeply
concerned about their safety and security of our country, and
by addressing information sharing Congress will enhance the
ability of law enforcement to fight cyber crime, terrorism and
protect our infrastructure. And again, the Department stands
ready to work with this Committee and with Congress to achieve
those goals.
Thank you. That concludes my remarks and I look forward to
answering your questions.
Chairman Lieberman. Thanks, Mr. Malcolm. Mr. Tritak.
TESTIMONY OF JOHN S. TRITAK,\1\ DIRECTOR, CRITICAL
INFRASTRUCTURE ASSURANCE OFFICE, U.S. DEPARTMENT OF COMMERCE
Mr. Tritak. Thank you, Mr. Chairman, Senator Thompson, and
Senator Bennett. It is an honor to be here today.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Tritak appears in the Appendix on
page 77.
---------------------------------------------------------------------------
It was not too long ago that national security was
something that the government did virtually on its own. The
term ``national economic security'' used to mean largely free
trade and access to markets and critical materials overseas.
Now we are confronted with a unique challenge in which we have
a national security problem the Federal Government cannot solve
alone. National economic security now literally means defending
our economy and critical infrastructures from direct attack. As
Senator Bennett had indicated in his opening remarks,
terrorists had indicated the economy is a target, and that
followers have been urged to attack wherever vulnerabilities
may exist with all means available, both conventional,
nonconventional, and cyber means.
Let us be clear what their goal is, too. Their goal is to
force us to turn inward and to rethink our global commitments
overseas, especially in the Persian Gulf and the Middle East.
Securing our homeland today is really a shared responsibility.
It is protecting our way of life and the core values that we
cherish. It also is going to require a clarification and maybe,
in some cases, a redefinition of the respective roles of
responsibility of government and industry in light of that
shared responsibility. This is going to require an
unprecedented level of collaboration, whereby industry must be
considered and treated as a real partner. Now, I will tell you
as a government person, that is going to require a cultural
adjustment on both sides. But we have made it very clear that
information sharing is an essential element of fostering that
kind of collaboration, not just for the self interest of the
companies, but for the public interest. This actually
constitutes a public good, which is why both the last
administration and this one have encouraged information sharing
within the respective infrastructure sectors, because availing
themselves of that shared information helps them better manage
the risk that they confront, and sharing between industry and
government, because there are things that government can bring
to this equation that industry alone cannot, and together they
can help address common problems.
Moreover, information sharing is in fact occurring. There
have been ISACs, as Ron Dick has mentioned and Senator Bennett
has mentioned, and information sharing is taking place with the
Federal Government, but it is clear from everything we have
heard so far that there is a reluctance on how far that
information sharing is going to go.
So I would submit to you that if I had to think through
this issue in its clearest form, the question is whether the
current statutory and regulatory environment is conducive to
supporting a voluntary activity information sharing, which we
all accept is in the public interest. And I acknowledge, and we
all acknowledge, that this is not going to be easy because we
may have public goods that come in conflict from time to time,
i.e., FOIA exemption versus open government. I do not think we
are going to solve this problem finally with a passage of
legislation. Let us be clear, this is not a silver bullet. You
cannot regulate or legislate trust, which is an essential
ingredient to information sharing taking place, and you are
going to hear in the second panel instances where that trust
has evolved over time and the level of information sharing and
the quality of that sharing has gone up.
Some of the newer industries are taking baby steps into
information sharing, and they may take a little bit of time
before information sharing in those industries fully matures.
But what is clear is that if we want to encourage this
voluntary activity, we need to examine the public policy and
statutory environment to determine whether or not we are doing
everything necessary to incentivize and encourage that
activity. In the absence of a certain level of predictability
and certainty, there may be an impediment to that kind of
sharing.
I want to acknowledge Senator Bennett for the very good
work that you have been doing, not just since September 11, but
before September 11, and I think that the attempts at
addressing the concerns expressed by industry are very
seriously put forward and in fact are very seriously being
considered by the administration. I look forward to working
with you and the Committee, and I would welcome any questions
you may have. Thank you.
Chairman Lieberman. Thanks, Mr. Tritak. We will begin the
questioning. We will have 7-minute rounds since we only have
three of us here.
Last September 26, President Bush wrote to Daniel Burnham,
who is the CEO of Raytheon, but wrote to him in his capacity as
a leader of the National Security Communications Advisory
Committee. And in the letter, which was following up on a
meeting, the President says, ``My administration is committed
to working in partnership with the private sector to secure
America's critical infrastructure, including protecting
information the private sector provides voluntarily to the
Federal Government in support of critical infrastructure
protection. ``Accordingly, I support a narrowly-drafted
exception to the Freedom of Information Act to protect
information about corporations' and other organizations'
vulnerabilities to information warfare and malicious hacking.''
So I guess I will begin by directing it to you, Mr.
Malcolm. What, if anything, has the administration done to
develop the policy that the President stated in this letter,
and more particularly, since the President said he supported a
narrowly-drafted exception, what are the parameters, if you are
at a point where you can say so, of what that narrowly-drafted
exception might be?
Mr. Malcolm. Sure. Senator, this is, of course, an evolving
process, and there are several bills--Davis-Moran, Bennett-
Kyl--that are pending and that are being evaluated by the
administration. The administration likes a number of ideas that
are in both pieces of legislation, probably prefers some of the
elements of Bennett-Kyl for reasons that I will be happy to
discuss with you. Nonetheless, I think it is safe to say that
the administration has some concerns with all of the bills that
are pending and is working to try and massage those into what
the Executive Branch would consider a best practices bill.
A number of the elements that had been discussed in terms
of crafting a definition of critical infrastructure information
that is both large enough to get the information that the
government needs to protect our critical infrastructure, while
at the same token not being so large that it protects from
public disclosure in the open government aspects of FOIA,
protects being an over broad definition that just covers
everything. The principle though of coming up with a FOIA
exemption the administration believes to be a good one because,
as Senator Bennett has pointed out, 85 to 90 percent of the
critical infrastructure that is out there is owned and operated
by the private sector. The government needs to have that
information so that it can assess vulnerabilities and share
appropriate information back, and they are not currently
providing it. They are to InfraGard to some degree, but we need
more, so there has to be a way to bridge that gap. And if a
FOIA exemption, narrowly crafted, is the way to go, that is
fine, whatever it takes to bridge that gap.
Chairman Lieberman. Would you discuss, if you are prepared
to, what some of the pluses and minuses are that you see in the
various bills, which I suppose would help us understand, at
this point, what ``narrow'' means here.
Mr. Malcolm. I think that is fine. Again, without getting
into the specifics of each legislation, I know that both pieces
of legislation, for instance, have an antitrust exemption. The
Executive Branch of the administration has traditionally taken
the approach that an antitrust exemption is unnecessary, that a
business review letter suffices.
However, that having been said, we are still studying that
aspect of these bills. There are provisions in both bills about
the use to which the government can put voluntarily-obtained
information. Davis-Moran, for instance, I believe, prohibits
the use by the government, both direct use and indirect use, of
that information. Bennett-Kyl, I believe, talks about a
prohibition in terms of direct use without getting consent. The
administration has some concerns about those provisions in
terms of what it might do to hamper government criminal and
civil enforcement efforts, some of the concerns that Senator
Akaka addressed. For instance, the administration would want to
make sure that any information provided to the United States
could be used by the government for a criminal enforcement act.
There are incentives that are in departmental policies of
long standing that we believe provide adequate incentives to
turn over that information, and we are afraid that anything
that is broad could allow for a document dump. It could allow
for industry to just turn over information and the government
would not be able to enforce its criminal laws or its civil
laws. It has a similar concern in terms of prohibitions on
direct or indirect use in terms of civil enforcement actions.
We would probably prefer something a little more narrowly
crafted in the sense that it would not tie the government's
hands in either civil or criminal enforcement actions with
respect to the information that it obtains. That is an idea of
the direction where we are going, so we have the same concerns
that Senator Akaka has about not wanting to protect too much
information while at the same time giving the government the
ability to engage in criminal and civil enforcement actions
where appropriate.
Chairman Lieberman. OK. That is a helpful response.
Obviously, there is a lot of detail to it, Mr. Tritak, as we go
along. Do you have any sense of timing as to when the
administration would be in a position to either propose
specific legislation or comment in detail on the proposals that
are before us?
Mr. Tritak. I do not, Senator. I know that is a very
pressing issue. We are aware that you want to act now on this
matter. We want you to act on this issue, and we want to strike
while the iron is hot, so I will certainly relay your concerns
about the timing and get back to you.
Chairman Lieberman. I appreciate that. Mr. Tritak, you
talked about trust, which I agree with you, it is a very
important element here in that the kind of exemption we are
talking about could create a foundation of trust that sensitive
information shared with the government will be secured. I want
to ask you to talk for a moment about two aspects of that. The
first is, just for the record, on what basis you conclude that
a new FOIA exemption could actually make a significant
contribution to information sharing. And as part of that, if
you would consider what one of the witnesses, by submitted
testimony, will say on the second panel, which is some
skepticism that all information that the government would want
to have will in fact be shared by the private sector, even with
a FOIA exemption, because of concern about the proprietary,
private, etc. nature of it.
Mr. Tritak. I would be happy to. Senator, first I will talk
to the first question--about what would it actually do. We have
to take into account that, for example, with the FOIA laws,
they predate this problem. They were on the books long before
this issue of information sharing to advance critical
infrastructure protection came up.
Chairman Lieberman. Right.
Mr. Tritak. We have been trying to encourage industry to
take proactive voluntary steps to do things they are not
required to do right now. The clarifying of FOIA, and I think
what Senator Bennett said is exactly the right way, you could
approach in one of two ways. You can say that the current
environment, if you are very careful and you watch out, the
existing exemptions will cover any concerns that may arise
regarding FOIA, not to worry.
The response we have usually heard in those instances was,
``Well, but that makes us have to second guess our actions.
That makes us have to second guess what we are trying to do
here.'' And also to be clear, the kind of legislation we are
looking at and the kind of trust we are trying to create must
take place in a dynamic environment. It is not a set piece
exchange where you take a piece of information, you hand it
over, it gets considered, and it comes back. Information must
flow all the time and at different levels. You cannot stop the
process for every little bit of information to determine whether
it is covered under FOIA. It is very interesting that you
should mention the NSCAC as the letter for the President
because in fact they have had 20 years of information sharing.
And the idea here is, is that companies believe more can be
done if this environment is more clear and predictable in terms
of the complication of FOIA.
Now, I think Ron would attest that when it comes to an
actual event, an incident in real time, there is a lot of
sharing that goes on. What we are trying to do here is
encourage proactive sharing before incidents occur and in a
dynamic setting so that companies will actually take preventive
and proactive measures. And so I think that is what the trust,
along with the right legislative framework, will foster.
In terms of the skepticism, I want to make very clear, as I
said before, that FOIA alone is not going to be the silver
bullet to information sharing. You are not going to get an
avalanche of information being shared with the government just
because you have this bill piece. What it does, in my judgment,
is create an environment that is conducive to that kind of
sharing and send a signal to industry that, if you engage in
this kind of activity, you will be protected against certain
types of disclosures.
Chairman Lieberman. Thanks, Mr. Tritak, I appreciate your
answer.
Senator Thompson and I are smiling because, I do not know
whether it is the quality of your answer or staff deference to
the Chairman, but the time available to me seems to be growing
instead of shrinking. [Laughter.]
Senator Thompson. It is the power of the Chair.
Chairman Lieberman. Must be. But I am going to have to
declare that my time is over, and yield to Senator Thompson.
Senator Thompson. Thank you very much, Mr. Chairman.
I think that a valid distinction to make here is that under
FOIA as it exists, although the government may be able to
withhold certain information that we are talking about here, it
is discretionary with the government, and the distinction
between that and this bill would be that it would be mandatory.
Is that a valid distinction to make, it would be incumbent upon
the government to withhold it and would have no discretion?
Mr. Malcolm. My understanding, Senator, is that there is
some discretion in FOIA as it currently exists except as it
pertains to trade secrets.
Senator Thompson. OK. I think that, Mr. Malcolm, it seems
to me like you are on the right track and asking the right
questions about this. Many of us are not as steeped in this
subject as Senator Bennett and some others are. But in looking
at it I would think that the first thing that you--although
clearly we need to do something in this direction if it is
going to help. One of the first things that you would want to
look at is whether or not it would allow a company that perhaps
is in a little trouble and sees some vulnerability, to protect
itself just strictly for the purpose of protecting itself to do
the document dump.
Mr. Malcolm. Right.
Senator Thompson. And the definitions, as they are
currently drafted, provide protection of sharing of
information concerning critical infrastructure which it defines
as physical and cyber-based systems and services essential to
the national defense, government or economy of the United
States, including systems essential for telecommunications,
electric, oil, gas, etc. It seems to me like this is very broad
language and could cover anything from farming to automobile
production. And the question would be whether or not if a
company was doing a very poor job, deliberately doing a very
poor job to save money and protecting its critical
infrastructure, and it saw there were some rumblings out there
concerning civil lawsuits or the government beginning to take a
look at it, it could get a bunch of stuff to you in a hurry and
totally protect itself, and keep you, for example, from
conducting a civil action against them. I would think that
would be something that nobody would want, and I am not sure
how you address that, but I think you are asking the right
questions, and that is something that should be addressed.
In addition, we are operating under the assumption here--
and I assume we will get more of this from the next panel--that
information is really being withheld. I think it is important
to create a public record for a need for this bill. It stands
to reason logically that if there is some vulnerability out
there and sharing information, that it is less likely to be
shared, but do you really hear instances from industry or
others where they are saying that they are really restrained
somewhat or afraid to share information for the reasons that we
have discussed, any of you?
Mr. Tritak. Well, I will just speak for myself. I have been
told that precisely, particularly when you are talking about
potential systemic problems and vulnerabilities--that there is
a real reluctance to share information about those things
without better understanding about whether or not you will be
protected under FOIA. We are hearing this across a number of
sectors.
Mr. Dick. Where this comes into play, as was mentioned,
when we get into a crisis like with Code Red or Nimda or any of
those, the private sector comes forward very, very willingly.
Where I think the enhancements need to occur is from the
predictive and strategic components, wherein information is
shared on a routine basis so that we can be out in front, if
you will, of the vulnerabilities so as to share with the
private sector what actionable things they can do to prevent
them from becoming victims, and that is the kind of thing that
needs to occur on a daily basis.
For example, during the events of September 11, one of the
things that we did very routinely with the Information Sharing
and Analysis Center is share physical threat information. We
did that for two reasons. One, obviously, is prevention and
protection, but two, as we got threats, let us say to the oil
and gas industry, only the oil and gas industry experts know
that industry from an expert level so as to assess, well, is
the threat as described even viable to the oil and gas
industry, so as to determine is it a valid threat? So we have
to have the ability to share at times even classified
information to the private sector to assess that threat and
then determine what are the right actions to be taken.
Senator Thompson. Right.
Mr. Malcolm. Senator, if I may, I just think it is fair to
say that to some degree we do not know what we do not know. We
need to know it and we need to know it now. Obviously, 85 to 90
percent of the critical infrastructure is owned and operated by
private sector. When threats happen or when incidents happen,
all of a sudden information which the government did not know
about comes forth. We need to have that information now so that
we can deal with it prophylactically and have that information
at hand if, God forbid, it does happen, track down these
perpetrators quickly before they repeat their act.
Senator Thompson. One of the critical parts of all of this
is private industry cooperation with each other. The bill
addresses the antitrust aspect of it. And I am wondering
whether or not, even if that is taken care of, that there will
still be a concern from a competitive standpoint with regard to
industry sharing information with each other, they would be
allowed to do that. The government may not come down on them
for that, but does that in any way--of course this bill, I do
not think, addresses that and perhaps cannot. I am just
thinking from a practical standpoint that we still have a
problem. I think that was a part of the Presidential Directive
63, trying to get industry to work with each other and the
government working with industry, etc. It looks to me like this
would still be a concern there in the private industry with
sharing information one company with another strictly from a
competitive standpoint. Do you have any thoughts on that at
all?
Mr. Dick. Senator, it is a valid concern. It is one we hear
fairly routinely, particularly in the information technology
arena. However, I think what is--as I talked about in my
statement, you see with the number of Information Sharing and
Analysis Centers that are being created, with the amount of
information that is being shared internally within those
organizations. There is a building of trust, as Mr. Malcolm
talked about and I talked about too, amongst them. That does
not happen overnight, and as was indicated earlier, you are not
going to legislate that. Only with time and experience, and
that there is value added to the bottom line of these companies
through sharing information and reducing the threat is that
going to come to fruition. But I think there are very positive
first steps that we have made and this Committee can make, by
providing the assurances to the private sector that we will
minimize the harm that could occur.
Mr. Malcolm. Senator, if I may answer your question
briefly, I think that even if you had an antitrust exemption,
that is not going to do away with antitrust lawsuits. I mean it
is going to then be a question of did the competitors who sat
down in the room together extend beyond the bounds of the
information that they were supposed to discuss?
Senator Thompson. If they only did the things that the
exemption provides them with in this bill, they would not have
had any antitrust problem anyway.
Mr. Malcolm. That is right, and that is, again, when we
talked about ways in which we are looking at this possibly
narrowing it, again, these issues have been dealt with in the
past. There is a business review letter once the government has
issued a business review letter, which it can in particular
circumstances actually do fairly quickly. There has never been
an enforcement or antitrust action brought following the
issuance of a business review letter, and I think that it might
provide some protection on the margins in terms of people
feeling comfortable walking into a room together, but in terms
of whether they extend beyond the bounds of just talking about
critical infrastructure information and getting to pricing and
whatnot, that is still going to lead to allegations and
possible lawsuits.
Senator Thompson. Thank you very much.
Chairman Lieberman. Thanks, Senator Thompson. Senator
Carper.
OPENING STATEMENT OF SENATOR CARPER
Senator Carper. Thanks, Mr. Chairman. Good morning.
Chairman Lieberman. Good morning.
Senator Carper. To our witnesses and guests, thanks for
coming this morning. It is my third Committee hearing I have
been to, so I apologize for missing most of what you said. I
just arrived when Senator Lieberman was questioning you during
his first hour of questioning. [Laughter.]
I think you have some comments on legislation that maybe
Senator Bennett has introduced, and I am not aware of what you
had to say about it. Do you have anything positive that you
might share with us about the legislation that he has
introduced, just each of you?
Mr. Malcolm. Specifically about Senator Bennett's
legislation, the fact that he has not charged across the desk
and at me I think is indicative of the fact that we have said
some very positive things about the legislation.
Senator Carper. Just share a couple of thoughts you had
with me.
Mr. Malcolm. Certainly. It provides, for instance, with the
government to be able to use independently obtained information
without restriction, certainly in terms of not prohibiting the
government's use of indirectly or derivatively obtained
information in a criminal or civil enforcement action. That is
a very good thing. I did take some issuance with Senator
Bennett in terms of saying that perhaps even a direct
preclusion by the government in terms of the use of information
might not be in order, but nonetheless, in terms of a thrust of
bridging the gap between private industry and the government in
terms of getting that information, we are well down the road
and in the right direction with Bennett-Kyl.
Senator Carper. Anyone else? Mr. Dick, do you have any
thoughts?
Mr. Dick. We have had a number of discussions, my staff
with Senator Bennett's staff, and are well aware of the
legislation, and frankly, are supportive of many aspects of it.
As I talked about in my opening statement, we believe that
there are sufficient provisions in the FOIA now to protect
information that is provided to us. But it really does not
matter. If the private sector does not believe it, and does not
feel comfortable with it, then we need to provide them those
assurances that make them feel that a partnership with the
government is worthwhile and is value added to them, and
Senator Bennett's bill as a whole does that.
Senator Carper. Any changes you would recommend that we
might consider in his legislation? We are usually reluctant to
try to amend his legislation, but maybe one or two.
Mr. Dick. I would defer back to my esteemed colleague, Mr.
Malcolm, with the Department of Justice in that regard.
Mr. Malcolm. Well, one of them I have discussed already,
Senator Carper, which has to do with direct use by the
government in a civil enforcement action. I think that that
ties the government's hands inappropriately, but I am pleased
to see that it is a direct use prohibition and not an indirect
use prohibition.
Certainly if we are going to tie the government's hands at
all, I would prefer seeing, say, a provision in there that
allows an agency head to designate which section of an agency
is to receive this voluntary information so that other branches
of the government can pursue whatever leads it wants to, and
use any information that it obtains in a full and unfettered
measure. Again, independently obtained information is in there.
I forget whether Bennett-Kyl has a requirement that the company
said that it is voluntarily providing this information and
intends for it to be confidential, but I think that is a good
thing.
As I recall, Bennett-Kyl, although I may be getting my
bills confused, allows for oral submissions to get FOIA
protection from the administration's perspective. Again, while
we are still mulling this over, I think, to use a non-legal
term, it is a little bit loosey-goosey in terms of it does not
make clear what information we are talking about, how it is to
be provided, and certainly the administration would prefer to
see something in which any oral submission were reduced to
writing. Those are just a few things.
Senator Carper. All right, thanks.
Mr. Tritak, tell us a little bit about your wife.
Mr. Tritak. I am not sure she is here.
Senator Carper. She is not. I do not see her. I do not know
if my colleagues know this, but whenever----
Chairman Lieberman. You have a right of privacy, Mr.
Tritak. [Laughter.]
Senator Carper. No, I think he surrendered that. When the
roll is called, not up yonder but in the Senate, there are a
couple of roll clerks who call the roll, and among the people
who do that are Mr. Tritak's wife. Katie, right?
Mr. Tritak. Katie.
Senator Carper. And then while I was presiding yesterday,
she mentioned to me, she says, ``My husband is going to''--I
said, ``Is this your first husband, Katie?'' [Laughter.]
She said, ``He is going to be testifying tomorrow before
your Committee.'' And I said I would be sure to remember to
thank you for sharing your wife with us. She does a great job.
She keeps us all straight and on a very short leash. It is very
nice to meet you.
Let me just ask you a question, and I do not care who
really jumps into this one, but take a minute and tell us how
you work together, how do your agencies work together in the
information sharing program?
Mr. Tritak. I would like to actually restate that. We have
very clear roles and responsibilities and I would say that our
working relationship has actually been quite excellent over the
last few years. Mr. Dick and I probably talk at least once a
week.
My own rule generally, although not in particular detail,
is to try to focus on the front end of getting industry to see
this as a business case. We have been talking about this as a
national security issue. I actually think there is a business
case. I think it is a matter of corporate governance. I think
this is something that is important for them in terms of their
own self interest as well as the interest of the Nation. And
the extent to which we can translate the homeland security
proposition into a business case, I think we begin to advance
greater corporate action. There is a lot of corporate
citizenship that you are seeing now. There is a lot of
``wanting to do the right thing,'' but it is also helpful to
understand that this can actually affect the bottom line. This
is actually something that advances and is in the interest of
their shareholders, as well in their industry, in general.
Having achieved that, my goal is frankly to find
``clients'' for Ron Dick, who then picks up that case and
develops the operational relationships in terms of the
specifics of information sharing, working with the lead
agencies, working with the ISACs who you will hear from in a
few minutes. So I think that is how I certainly see the matter.
Mr. Dick. Continuing on with that theme, with the recent
Executive Order by President Bush and the creation of the
President's Critical Infrastructure Protection Board under Dick
Clark has even further solidified that spirit of cooperation
within the government. The intent of the board creation, in my
estimation, is to raise the level of security and insofar as
the government systems are concerned from the CIO level
actually to the heads of the agencies themselves. And the
intent of the board is to make the government, if you will, if
possible, a model to the private sector as to how information
security should occur as well as information should be shared
amongst agencies. We have created a number of committees. I am
on the board and chair of a couple of them, insofar as working
within the government and with the private sector to develop
contingency plans as to how we will respond to an incident.
Frankly, having been in this town for a number of years
myself, the environment and the people that are heading up this
effort are truly unique insofar as our willingness to move the
ball forward, if you will. And the private sector, in my
estimation, through Harris Miller and some of the others, Alan
Paller, are frankly coming out front, too, to try and figure
this out.
Mr. Malcolm. I have nothing really to add, Senator, other
than, for instance, the attorneys that I oversee in the
Computer Crime and Intellectual Property Section have daily,
sometimes hourly contact with the National Infrastructure
Protection Center, and then also through dealing on various
subcommittees with the President's Critical Infrastructure
Protection Board we also have dealings with Mr. Tritak's shop
among others. So it works well within government.
Senator Carper. Well, that is encouraging. Thank you for
sharing that with us.
Mr. Chairman, if my time had not expired, I would ask Mr.
Dick and Mr. Malcolm to report on their wives as well.
[Laughter.]
Chairman Lieberman. They and I are happy that your time has
expired. [Laughter.]
Senator Carper. I would say to Mr. Tritak, it is a
privilege serving with your wife, and we are grateful for that
opportunity and for the testimony of each of you today. Thank
you.
Chairman Lieberman. I think we can all agree on that.
Thanks, Senator Carper. Senator Bennett.
Senator Bennett. Thank you, Mr. Chairman. If I can just put
a slight historical note here. Mr. Malcolm, considering the
initial reaction of the Justice Department to my bill and your
comments here, I can say to my colleagues that we have moved a
long way. [Laughter.]
Because the initial reaction was not only no, but no, on
just about everything, and I am grateful to you and your
colleagues at the Department, that you have been willing to
enter into a dialog and we have been able to move to the point
where you are able to make the statements that you have been
making here. I think it demonstrates great progress. And I come
back to a comment that Mr. Tritak made, which I think
summarizes very clearly the problem we have here, when he says
this is going to require a significant cultural adjustment on
both sides. We have had grow up in this country the
adversarial, if you will, relationship between government and
industry. Maybe it comes from the legal world where everything
is decided by advocates on two sides who fight it out and then
presumably the truth comes as a result of this clash.
This is not something that lends itself to the adversarial
attitude. This is something that requires a complete cultural
adjustment. Industry automatically assumes that anything they
share with the government will be used against them. There is
an unspoken Miranda attitude that anything I tell the Feds,
they are going to turn around, even if it is totally benign,
they are going to look for some way for some regulator to find
me or damage me in some other way. And some regulators have the
attitude, unfortunately, that anybody who goes into business in
the first place is automatically morally suspect, that if they
had real morals they would teach. [Laughter.]
Or come to work for the government. And we have got to
break down those cultural attitudes on both sides and
recognize, as this hearing has, that our country is under
threat here, and people who wish us ill will take advantage of
the seams that are created by these cultural attitudes, and we
have got to see to it that our protection of our critical
infrastructure becomes truly seamless between government and
industry, and there is an attitude of trust for sharing of
information.
Now, let me get directly to the issue that Senator Thompson
raised with you, Mr. Malcolm. Do you see anything in my bill
that would allow someone to deliberately break the law and then
try to cover that by some kind of document dump?
Mr. Malcolm. Well, I will answer your question this way,
Senator--and I am not meaning to be evasive--I believe the
intent of your bill, for instance, is not to preclude the
government from using the information in terms of a criminal
prosecution, although I believe that intent, assuming that is
your intent, should be spelled out perhaps a little tighter.
But assuming that is your intent, that any information provided
voluntarily or otherwise to the government they can direct use
of it, derivative use of it in terms of a criminal prosecution,
then the answer to your question will be no.
In terms of a civil enforcement action--and of course there
are many elements that go into a criminal prosecution which may
or may not be appropriate. Sometimes you want to take, say,
environmental cleanup efforts or any civil enforcement action
that is not a criminal prosecution, there is nothing in your
bill that I see that prevents that action from going forward.
There are things in the bill that make such an action more
difficult in terms of precluding direct use of the information
that is voluntarily submitted, and of course, that does leave
it to a court to determine when you cross the line between
direct use and indirect or derivative use. So there is some
gray area on the margins of what the term ``direct use'' means,
so it is possible that a company say could be negligent in its
maintenance of manufacture of some component that deals with
critical infrastructure could get some noise out there that
something bad is about to happen that might subject the company
to civil liability, could do a document dump on the government,
and the government would be circumscribed to some degree in
terms of its ability to use that information in a civil
enforcement action.
Senator Bennett. Not being a prosecutor and not being
burdened with a legal education---- [Laughter.]
My common sense reaction would be if we were getting--I put
myself now in the position of the government. If we were
getting a pattern of information from an industry, say a dozen
different companies were saying, ``This is what is happening,
this is what is happening, and so on,'' and one company does a
document dump in which there is an indication that something is
wrong with their maintenance, it would seem to me, if I were
sitting in that situation, here is a red flag that these people
are not giving us legitimate information for legitimate
purposes. These people have something serious in mind that they
are trying to protect and would make me examine their
submission far more than I otherwise would. If I were the CEO
of a company, and I have been, and somebody in my legal
department were to come and say, ``Hey, we can cover this. This
is what we would do.'' In the first place, I would not tolerate
that in any company that I was running, but if someone were to
come to me with that idea that this is how we are going to
cover this, I would say, ``You are up in the night here, this
is crazy. Fix the problem. Disclose what we need to disclose to
help deal with the critical infrastructure thing, but do not
think that the Feds are stupid enough to overlook what you are
trying to cover here.''
But that having been said, obviously we have the intention
you are imputing to us. We do not want, under any circumstances
to say that the sharing of information with the government will
provide cover for illegal activity or that it will provide
cover that somebody in a civil suit could not file a legitimate
subpoena for that information.
Mr. Malcolm. The only thing that I am saying, Senator, and
we are not really disagreeing with each other, we are certainly
four-square together with respect to a criminal prosecution.
With respect to a civil enforcement action, if you assume you
are in the perspective of the government and the evidence has
been dumped upon you, if you have say a bad faith exclusion for
dumping documents, that puts you into the difficult position of
having an evidentiary hearing of sorts to determine what was in
the minds of the people who dumped the documents. Were they
doing this in bad faith because they realized that their
vulnerabilities that were of their own making were about to
come to light? Or were they dumping it because they realized
that they had these vulnerabilities, whether they should have
fixed them or not fixed them. That could harm the government
and harm the citizenry. Those are evidentiary issues.
All I am saying, in terms of impeding an effort, is if you
are in the position of the government and you receive this
information, and it is now not FOIA-able, because this now fits
within an exemption, so you are largely relying on the
government to take an appropriate civil remedial action, there
are constraints within the bill that you drafted as to what you
can do with that information and how far the direct use extends
into information we get. I am not saying it is not doable,
because for example, in the hypothetical that you used, you
said, well, there are other companies out there that are making
rumblings about what bad company is doing. Well, if you get the
information from those other companies, it is independently
derived, you are in the clear. But if the crux of the
information that you have received is from a company that has
done the document dump, you then are in the area of trying to
figure out or have a judge figure out what motivated the
company in terms of making that submission, and you are also in
the area in terms of saying to what use can you put the
information that has been provided, and again, it is our belief
that there are already benefits that a company can get by
providing the information. There is a policy that gives
favorable consideration for voluntary disclosures in terms of
criminal prosecution and civil enforcement actions. That should
be enough, and that the government's hands should not be tied
in terms of taking appropriate civil enforcement actions,
particularly since that information is not going to be FOIA-
able and will probably be protected from other civil lawsuits
by private organizations.
Senator Bennett. If I can just very quickly, Mr. Chairman,
on this whole question of a cultural attitude change, it may
very well be that the very thing that the head of Homeland
Security of the Department of Defense needs to know in the face
of an attack is the particular vulnerability that this one
company might otherwise not disclose. So I am very sympathetic
to what you are saying about the need to see to it that people
do not get off the hook, but let us not lose sight in our
effort to hang onto that, of the possibility that a terrorist
has discovered that this company is the most vulnerable because
of bad maintenance or whatever, and is moving in that
direction. And if the government does not get that information,
we could all be sitting here looking at each other after an
attack, saying, ``Gee, we wish we had paid equal attention.''
Thank you very much.
Chairman Lieberman. Thank you, Senator Bennett.
This is an important line of questioning, and before we
move on to the next panel, I want to just take it one step
further, and in fairness give my colleagues an opportunity to
ask another question also. And this is about the effect on the
regulatory process--we have talked about civil and criminal
actions--both the authority of the government and the
responsibility of private entities under the regulatory
process. So I would guess we will hear on the second panel a
concern that has been expressed by the environmental community
about what an exemption under FOIA as proposed by Senator
Bennett's legislation would do to a company's obligations under
the right-to-know laws, where they are providing information
about environmental health or safety risks and problems, and
then that information is made available by the government to
the public. There are concerns that the exemptions granted here
might give the companies a ground for withholding some of the
information that otherwise would be public. Similarly, there is
a concern that if a company voluntarily submits the
information, receives a FOIA exemption, and then the government
decides--perhaps the Justice Department--that the information
should be considered for instance in deciding whether to grant
a permit, an environmental permit or some other permit for the
facility, whether the information has to continue to be kept
secret.
So my question would be whether you think that those fears
are justified, and if so, is there a way to handle them in this
legislation?
Mr. Malcolm. That is an excellent question, Senator, and in
part you are going beyond my ken of expertise, but I will
answer it as best I can. And this goes back actually to the
point that Senator Bennett just made at the end, which is that
we are trying to come up with a fine balancing act that
incentivizes companies to give over this information which is
desperately and vitally needed by the United States, while at
the same time not giving them an ability to, if you will, hide
their misdeeds and to get away. And this is a balancing act.
In terms of the first part of your question, which I took
to mean that, gee, if we were to create such an exemption, that
would give a company an excuse to withhold information that it
otherwise----
Chairman Lieberman. That they would otherwise have to make
public under right-to-know laws.
Mr. Malcolm. While I would like to give that matter more
thought and perhaps my answer might change, I will say at the
risk of shooting from the hip, that I think that concern is
probably somewhat exaggerated for two reasons, which is, one
any exemption that would be created here I do not believe would
take precedence or in any way overrule any other requirements
that the company might have. So if it is required under some
other regulation to put forth information, I do not think that
the company could all of a sudden come back and say, well, I do
not have to comply with that regulation because of this FOIA
exemption.
As well, with respect to private parties' abilities to
obtain information, I think we need to be clear, one, this is
information nobody would have had but for the voluntary
disclosure, and two, it only prevents private parties from one
avenue of getting this information, and that is through a FOIA
request. It is not taking precedence in any way of any other
avenue that civil litigants or interested parties have at their
disposal and use frequently to great effect to get information
from private industry. It is just saying that among your
arsenal of ways of obtaining information, this quiver is being
taken out of your arsenal.
Now, you had a second part to your question which dealt
with any possible effects on, if a voluntary disclosure is made
in terms of the government's ability to share that information
in a regulatory environment, and I am afraid, Senator, that
really is sort of beyond my expertise.
Chairman Lieberman. I understand. I would ask you to think
about that, and I appreciate your answer to the first part, and
as the administration formulates its exact or detailed position
on this question, I hope you will keep it in mind that it may
be that we can handle this with a simple explicit reassurance
in the legislation that there is no intention here to override
any other responsibilities that anyone otherwise would have had
under other laws.
Do any of my colleagues wish to ask another question of
this panel?
Senator Thompson. Mr. Chairman, along that line, it would
seem--I am looking at a summary of the bill here that says the
voluntarily shared information can only be used for the
purposes of this act. And so I would assume that the purposes
of this act would not include environmental enforcement or
anything like that. And without written consent, cannot be used
by any Federal, State or local authority, or any third party in
any civil action. So I think, as you indicated, there is
nothing in here that would prohibit using the very information
the company gives you to carry out a criminal action against
the company. So you can use the information in a criminal
proceeding, I would assume, although you have got to have some
company lawyer assuring the boss that there is no criminal
exposure when they turn that information over, a little
practical matter there. But assuming they do, you can use it
directly.
And in a civil action you can use information derived from
other sources. You just cannot use the information that the
particular company sent you. But then you would have to carry
the burden of proving that you are basing your enforcement
action on that other material and not this particular
information this company sent you. Somewhat like when a Federal
prosecutor gets into sometimes when we have hearings, and he
has to prove that he is building his case based on things other
than what was on national television every night for a week,
and he did not get any information there that he used. There is
no fruit of the poisonous tree and all that. So there are some
practical impediments there.
But getting back to what Senator Bennett said we should not
forget that what we are doing here is pretty important and
there are some tradeoffs, it seems to me. There is no way that
we can avoid some potentially, not the best kind of result. If
you have got a company that is supposed to be running a nuclear
reactor and they are doing a shoddy job of it, is it not best
maybe that we know they are doing a shoddy job of it, even if
nobody can sue them? [Laughter.]
On the other hand, what if they persist in doing a shoddy
job and refuse to do anything about it; what does that leave
you?
I think you are on the right track. You are asking the
right questions, and I think that hopefully we will wisely make
those tradeoffs. Thank you.
Chairman Lieberman. Thanks, Senator Thompson.
Senator Carper, do you have another question?
Senator Carper. I think I have done enough damage with this
panel. Thank you. [Laughter.]
Chairman Lieberman. Senator Bennett.
Senator Bennett. Well, I think this has been a very useful
discussion, and certainly we stand ready to make the kinds of
clarifications Mr. Malcolm is talking about, because it was
never the intent and never should be, that this desire to get
information should be used in any way to cover any illegal or
improper activity. But the one thing that I want to stress one
more time that has already been mentioned, but just to make
sure we do not lose sight of it, without the passage of some
legislation along the lines that I have proposed, in all
probability the information that we are talking about will not
be available to anybody anyway. We are not talking about
something that is a new protection because the ultimate
protection, absent our legislation, is the lawyer and the CEO
sitting down and saying, ``We are not going to tell anybody
about any of this, so that nobody knows. The government does
not know. Competitors do not know. A potential litigant in the
environmental community or anyplace else does not know because
we are just not going to let anybody know about this.'' And if
the legislation passes and then the CEO says, ``You know, this
is potentially a serious problem, and we can let this out
knowing that the effect on our business will be exactly the
same as if we do not let it out.'' That strikes me as a
positive good for the government to have. So let us keep
understanding in all of this discussion that we are talking
about information that would otherwise not be available to
anybody.
Chairman Lieberman. Thanks very much, Senator Bennett.
Gentlemen, thank you. I agree with Senator Bennett, it has
been a very helpful discussion, and we look forward, as soon as
possible to the administration's recommendations to us. Thank
you.
We will call the second panel now. Michehl Gent, who is the
President and Chief Executive Officer of North American
Electric Reliability Council; Harris Miller, President of the
Information Technology Association of America; Alan Paller,
Director of Research at the SANS Institute; Ty R. Sagalow, a
Board Member, Financial Services ISAC, and Executive Vice
President of eBusiness Risk Solutions, American International
Group; David L. Sobel, General Counsel, Electronic Privacy
Information Center; and Rena I. Steinzor, Academic Fellow,
Natural Resources Defense Council and also more particularly a
Professor at the University of Maryland School of Law.
We thank you all for being here. I know you have been here
to hear the first panel, and we look forward to your help for
us as we try to grapple with this serious matter and balance
the national values that are involved.
Again I will say to this panel, that your prepared written
statements submitted to the Committee will be printed in full
in the record, and we would ask you to now proceed for an
opening 5-minute statement. Mr. Gent.
TESTIMONY OF MICHEHL R. GENT,\1\ PRESIDENT AND CHIEF EXECUTIVE
OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL
Mr. Gent. Thank you Chairman Lieberman, Senator Thompson,
and Committee Members for this opportunity to testify on
information sharing in the electric utility industry, and
information sharing between industry and government as it
relates to critical infrastructure protection.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Gent appears in the Appendix on
page 81.
---------------------------------------------------------------------------
Because of electricity's unique physical properties and its
uniquely important role in our lives, the electric utility
industry operates in a constant state of readiness. The bulk
electric system is comprised of three huge integrated
synchronous networks that depend instantly and always on
coordination, cooperation, and communication among electric
system operators. We treat preparation for acts of terrorism
the same way we deal with the potential loss of a power plant
or transmission line. We have trained people, facilities and
procedures in place to handle these contingencies. What we lack
are security clearances for key electric industry personnel to
be able to receive and evaluate classified threat
information. We also lack the equipment that would allow us to
communicate by voice over secure channels with people that have
these clearances.
In my written statement I have outlined our very good
working relationship with the U.S. Government, the FBI, the
National Infrastructure Protection Center, the Department of
Energy, the Critical Infrastructure Assurance Office and
others. We have successfully managed a number of very difficult
challenges including Y2K and the terrible events of this past
September. I commend the NIPC and the DOE specifically for the
way they have conducted themselves and their programs.
At the heart of our success is our commitment to working
with the FBI. We made this commitment nearly 15 years ago, and
the trust in each other that we have built over the years has
carried over into the NIPC. The word ``trust'', as you have
heard here earlier today, is a very important word to us.
Without trust none of these programs will work. We are proud of
our relationship with the NIPC and the DOE. However, this
strong relationship could be much better, could be stronger.
Trust alone is not enough to allow us to do the additional
things that are needed to prepare for future possible terrorist
attacks. To be able to share specific information with the
government we need to have some assurances that this critical
information will be protected. To be able to share specific
vulnerability information within our industry and with other
industries to do joint assessments of inter-sector
vulnerabilities, we need to have targeted protection from
antitrust laws. We therefore support S. 1456 introduced by
Senator Bennett.
The electric utility industry is building on the trust of
one another that we developed in the Y2K effort. We are
approaching critical infrastructure protection similar to the
way we dealt with Y2K. We have an all-industry organization
called the Critical Infrastructure Protection Advisory Group.
In my testimony I have outlined the scope and activities of
that group. It is very active and we are very proud of the
progress they are making.
Our Information Sharing and Analysis Center, or ISAC, gets
lots of acclaim. We have had a lot of practice and we have been
doing this information gathering, analysis, and dissemination
for decades. We did not get much attention before because most
people have not given too much thought about what it really
takes to keep the lights on. Adding cyber threat awareness to
our physical threat analysis programs was a natural. Physical
and cyber activities are becoming increasingly entwined.
We believe that our electric industry's experience is a
great formula for success and an example of how an industry
organization can best serve the industry that supports it. To
take the next steps and to deal in greater detail with the
combined threats of physical and cyber terrorism, our industry
needs an even greater ability to share information within the
private sector and with the government.
In summary, here are my recommendations. We need to provide
a way for sponsoring agencies such as the FBI and DOE to
increase the number of industry personnel with security
clearances. Private industry input is needed for any credible
vulnerability assessment. We need to provide inexpensive,
effective, and secure communication tools for industry
participants that participate in these infrastructure ISACs. We
need to provide limited specific exemptions from Freedom of
Information Act restrictions for certain sensitive information
shared by the private sector with the Federal Government. We
need to provide narrow antitrust exemptions for certain related
information sharing activities within the industry. We believe
that S. 1456 does achieve this result.
And finally, we need to adopt the reliability legislation
that has been passed by the Senate as part of the comprehensive
energy bill.
Again I thank you for this opportunity. I look forward to
your questions at the end of the panel.
Chairman Lieberman. Thanks, Mr. Gent. Mr. Miller, please
proceed.
TESTIMONY OF HARRIS N. MILLER,\1\ PRESIDENT, INFORMATION
TECHNOLOGY ASSOCIATION OF AMERICA
Mr. Miller. Thank you very much, Mr. Chairman. On behalf of
the more than 500 members of the Information Technology
Association of America, I am very pleased to be here in front
of you. I know my 5 minutes is going to go quickly, but I just
want to say a couple of personal things.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Miller with attachments appears
in the Appendix on page 94.
---------------------------------------------------------------------------
First of all, Senator Thompson will be sorely missed when
he retires at the end of this Congress. I am not sure I am
going to have another opportunity to testify before this
Committee, but his leadership on information technology issues
and bringing information technology to the government has been
quite remarkable and we really appreciate his leadership and
that of the staff.
Chairman Lieberman. I agree, and I will be sure to tell
him. This is one of those rare cases in Washington where you
say something nice about a person when he is not in the room.
[Laughter.]
So that is even more sincere.
Mr. Miller. Thank you, Mr. Chairman. Second, it is once
again a pleasure to work very closely with Senator Bennett,
whose leadership on the Y2K has been continued on this issue
and we appreciate it.
And third, Mr. Chairman, one of my senior staff recently
found a bestseller called ``The Power Broker'' authored by
you----
Chairman Lieberman. Your testimony is becoming more and
more impressive as you go forward. [Laughter.]
Mr. Miller. And my staffer asked if you would agree to sign
this. We promise not to go out on the eBay auction site. So
thank you, Mr. Chairman.
Last, but not least, I did bring my general counsel, Joe
Tasker with me. While you were studying at the law school at
Yale, I was up the street at the political science department,
so if this gets too technical I may turn to my general counsel
to help.
Basically, I want to make just a couple of important points
today. First of all, we strongly endorse the Bennett-Kyl bill,
and certainly none of the suggested changes made by Mr. Malcolm
on behalf of the Justice Department would give us any heartburn
if the primary sponsor feels that those are acceptable. So the
kind of narrowing that the Justice Department is suggesting
sounds quite reasonable if Senator Bennett, Senator Kyl, and
the House sponsors also agree, so we can certainly go along
with that.
Basically three simple messages I want to leave you with.
The cyber security threats are substantial and growing. Second,
information sharing requires tremendous trust, and that was
also discussed in the first panel. And third, we think that
passage of this legislation is essential if we are going to
move along that trust quotient that is necessary.
In terms of the growing threat, I have a lot of data in my
written submission, but let me just make one simple point. We
now believe that a new virus or worm is being written and
unleashed out there every 5 minutes, so just while I am
testifying before your panel, we are going to have a new virus
or worm out there. In the 2 hours of this hearing you are going
to have a couple of dozen new viruses or worms out there. So the
threat is enormous. It is growing, and the attention that this
Congress can put on this issue is very important.
We know that most citizens are much more scared of physical
threats and biological threats than they are of cyber threats,
but as Senator Bennett has so eloquently stated on many
occasions, the worst-case scenario is really the combination of
a physical threat or a bio threat with a cyber threat, and
because our society, our government and our economy are so
dependent on our cyber network, the attention this Committee
and this Congress is paying to cyber threats and that the
administration is paying is absolutely essential.
Well, if the threat is so real, what is the problem about
information sharing? Well, we all remember the old adage
``Macy's doesn't tell Gimbel's.'' Well, it is particularly
true, as Mr. Dick suggested in the previous panel, in the
information technology industry. We are a very competitive
industry, and as the head of a trade association, I can tell
you how difficult it is to get them to share information, and
in particular, Macy's and Gimbel's do not go tell the cops.
That just is not the way it is done. But yet as the first panel
pointed out and you pointed out in your opening statement, Mr.
Chairman, that is essential if we are going to deal with this
threat. We need to get a situation where we are sharing the
information. So how do we do it? How do we get beyond the
business as usual mentality that these organizations have?
Well, Senator Akaka mentioned that ``terrible'' acronym,
ISAC, the Information Sharing Analysis Centers, but those are
critical. Let me be clear what this is. These are closed
communities. Now you may say, ``Why do you need a closed
community?'' Because we are dealing with, by definition,
sensitive and confidential information, just as the government
has classified internal information that they do not want to
share with the public or with potential terrorists or
criminals, similarly the industry has those issues. And so we
are creating these Information Sharing Analysis Centers,
which are closed community environments.
So the first challenge is to get the ISAC members
themselves to share information. As one who was instrumental in
setting up the IT ISAC, for example, I can tell you that is
still difficult. We are still taking baby steps even though the
organization was formally announced almost 14 months ago and
has been in full operation for over 8 months. It is very tough
to get people to share this kind of sensitive proprietary
confidential information even though they know in some sense it
is the right thing to do, because not only, as was pointed out
in the previous panel, do you have to see the return on
investment, you also have to be sure there is no enormous
downside, and that downside of that public disclosure is
perhaps one of the biggest threats to that.
And then we have to move on, as Mr. Gent just said in his
comments, to sharing across the ISACs, so we have that kind of
sharing. There are institutions being created to do that. There
are institutions that already exist such as the Partnership for
Critical Infrastructure Security that encourage that, but we
really need to advance that.
And then of course the sharing with the government, which
is really what Senator Kyl and Senator Bennett's bill is all
about; how do we move beyond simply sharing within industry,
again, sensitive information before events occur? And we
believe that this information sharing will be accelerated if
key executives, and particularly the lawyers who are the
gatekeepers here, are willing to allow their companies to share
information without the threat to FOIA.
We certainly believe that the good faith provisions that
Mr. Malcolm and you just discussed, Mr. Chairman, and Senator
Bennett discussed, are exactly right. We are not trying to
allow companies to hide bad faith actions, but to get companies
to the appropriate level of care and trust, we believe the
passage of this legislation is essential.
Today, Mr. Chairman, criminals and terrorists are in the
driver's seat. The bad actors have great advantages. There are
hacker communities out there. They have conventions. They
communicate on the Internet. They are not worried about FOIA
provisions, but we have to get the good guys together in the
same way. We have to get them to cooperate.
One final point. Mr. Dick said quite correctly that the
industry and government are trying to work together on a lot of
good advances such as the InfraGard program. But we still
believe, Mr. Chairman, the government perhaps can do a little
bit more to share sensitive information in the other direction.
Now, we understand again that is very difficult, and in some
industries it is being done, but again, that is trust going the
other way. That is the cultural change on both sides that Mr.
Tritak referred to, but we would encourage this Committee to
continue to dialog with industry and with government to make
sure the information sharing is going in both directions.
Thank you very much.
Chairman Lieberman. Thanks, Mr. Miller. Mr. Paller.
TESTIMONY OF ALAN PALLER,\1\ DIRECTOR OF RESEARCH, THE SANS
INSTITUTE
Mr. Paller. Thank you, Mr. Chairman.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Paller appears in the Appendix on
page 112.
---------------------------------------------------------------------------
Every day millions of attacks are launched across the
Internet in an ongoing battle between----
Chairman Lieberman. Mr. Paller, excuse me. Tell us what the
SANS Institute is.
Mr. Paller. SANS is the principal education organization in
information security. We train about 16,000 people a year, the
intrusion detection analysts, the firewall people, the guys on
the front lines, and that is who I am representing in this
discussion today.
I will start by answering directly the four questions that
were outlined in the letter that you sent. The government is
not getting the data it needs from the private sector, either
to provide adequate early warning or to give a good report to
you or to the public about the real costs of cyber crime. On
the other hand, specific elements of government are doing a
wonderful job of responding very quickly to information the
private sector provides. For example, the Office of Cyber
Security in the White House and the FBI created a wonderful
public/private technical partnership to fight specific worms.
GSA inside the government is doing a great job of sharing data
within the government, getting data reported to it and sharing
it within the government. Private sector organizations are not
doing very well in sharing attack data. I will give you
specific information on that. Although they are making good use
of data on unsuccessful attacks, and I will differentiate that
in a minute.
The fourth question is whether legislation is needed. I am
not a lawyer. I do not have that training, but I believe a
clarification of the FOIA exemption is not going to cause
companies to share cyber attack data with the government. I
fully agree that secrecy of that data is essential when that
data is presented, to protect the victim from further damage.
You have to keep it secret because if you do not, the bad guys
will pile on. If anybody is known to be attacked, everyone else
comes in and goes and gets them, plus you have got all the
problems with the business issues.
But even if you provide a perfect FOIA exemption, the
companies under attack are unlikely to share the data. There is
ample evidence to prove this. Even when the technical trust
relationship is established--I think of FOIA as a technical
trust. Trust is a personal issue. FOIA is a technical way of
trying to build it. Even when the technical trust relationship
is perfect, the evidence comes from the members of one of the
ISACs, not the oldest ISAC, but the most active old ISAC in
this information sharing of cyber data, the Financial Services
ISAC. They have a reporting system that is absolutely perfect.
They cannot figure out who reported. And so you would think
that would solve the problem. But if you go in and check the
data, you will find that substantially none of them reported
data on current attacks or reported data on other attacks with
one single exception, and the exception is actually the reason
you think there is data, and that is when they have actually
hired the company that runs the ISAC to be their incident
response team. So the company that is hired goes in as part of
the victim's team, and because they know the data as the
victims know it, they feed it into the database. But the idea
that if you establish a perfect technical trust relationship,
you are going to get the data--we have no proof of that.
Chairman Lieberman. What do you mean by data here?
Mr. Paller. I mean, ``I am being attacked right now. It is
coming in through a new vulnerability in IIS. It has gone two
steps. It has also taken over my database. They are extorting
money from me.''
And it is happening right now. Two people get it. One is
the consultant that was called in, and if they call the law
enforcement in, they will get it, too. But there is no sharing
with other people.
Chairman Lieberman. You mean the fact that it is happening?
Mr. Paller. The fact that it is happening because it is a
private event. They are being extorted.
Chairman Lieberman. Understood. So that is what you mean by
data here----
Mr. Paller. Yes, exactly.
Chairman Lieberman. Because they do not want to reveal it.
They do not want it to be known----
Mr. Paller. They do not want to reveal it, and they see no
benefit in revealing it.
Chairman Lieberman. And they see danger or vulnerability or
loss.
Mr. Paller. It is a bet-your-company loss. It is that big
to them. So all the other stuff tends to pale.
If the government--this is the line they do not like to
say, but if the government wants substantially more people to
report attack data, I think you are going to need to make
reporting mandatory through changes in contract and grant
regulations or through other action in legislation like the
legislation you have that requires federally insured banks to
report suspicious activities.
I have a couple of charts. Is it all right if I show them
to you?
Chairman Lieberman. Sure, if you can stay within your time.
Mr. Paller. Well, since we have 1 minute left, let us not
do that.
There are five areas that the data sharing comes in. One is
vulnerability data. If a utility finds out it has a
vulnerability in a SCADA system, running its systems, it could
do a lot of good if it shared that with the government and it
could do a lot of good if it shared that with the other
utilities right away, and getting that data is absolutely
essential to the early warning.
Two, unsuccessful attack data is being shared very well.
This is the data that hits your system but you do not want.
That data has found two worms and it has helped block one of
them and helped capture the criminal that did the other one. So
that is working. What is not working are the two sets of data
that you want when the attack is taking place, when it is
taking place and you are not getting it after the fact, and as
I said before, you are not going to get it unless you require
it.
The last set of data is the one that actually can do the
most good. There is a synthesis of data that companies will
share. The synthesis is ``we have been attacked, so we know
what we have to do to protect our systems,'' and those are
called benchmarks. And when the Federal Government and
commercial organizations share the benchmarks, you can actually
have a radical impact on the effect of new worms. The NSA, the
National Institute of Standards and Technology, SANS and the
Center for Internet Security have just finished, with
Microsoft's help, a standard for securing Windows 2000. There
will be more coming shortly. If you want to do a lot of good,
make sure the Federal Government uses some kinds of standards
when they buy new equipment so that they are as safe as they
can be when they are installed.
Thank you.
Chairman Lieberman. Thank you. Mr. Sagalow.
TESTIMONY OF TY R. SAGALOW,\1\ BOARD MEMBER, FINANCIAL SERVICES
ISAC AND CHIEF OPERATING OFFICER, AIG eBUSINESS RISK SOLUTIONS
Mr. Sagalow. Mr. Chairman, thank you for this opportunity
to testify about the importance of information sharing and the
protection of this Nation's critical infrastructure.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Sagalow with attachments appears
in the Appendix on page 123.
---------------------------------------------------------------------------
My name is Ty R. Sagalow, and I come to you in two
capacities today. First as a Member of the Board of the
Financial Services Information Sharing and Analysis Center, the
FS ISAC. And second, as COO of American International Group's
eBusiness Risk Solutions Division, the largest provider of
network security insurance in the world. My full remarks have
been entered into the record, but I'd like to summarize them
for you if I can.
Governor Tom Ridge recently remarked, ``Information
technology pervades all aspects of our daily lives, of our
national lives. Disrupt it, destroy it or shut down the
information networks and you shut down America as we know it.''
The sad fact is that our information technology systems are
already under attack, and there is every reason to believe it
will get worse before it gets better. U.S. companies spent
$12.3 billion to clean up damages from computer viruses in
2001. And Carnegie Mellon reported that in 2001 they received
over 50,000 incident reports. Today it is easier for a cyber
terrorist to shut down a dam by hacking into its control and
command computer network than to obtain and deliver the tons of
explosives needed to blow it up. More frightening, the
destruction can be launched from the safety of the terrorist's
living room couch, or cave as the case may be.
Fortunately, we are not powerless. Ironically, as it is the
information systems which are the subject of the attack, it is
our ability to share information which provides our best
foundation for defense.
Today the financial institutions that are members of the FS
ISAC represent more than 50 percent of all credit assets. The
mission of the FS ISAC is straightforward: Through information
sharing and analysis provide its members with early
notification of computer vulnerabilities, computer attack
subject matter expertise and relevant other information such as
trending analysis. Unfortunately, I am here today to tell you
that we have not been wholly successful in that effort, and we
cannot succeed without your help.
We believe there are chiefly three obstacles that must be
removed for effective information sharing to take place. The
reason, as Senator Bennett has already said, is that companies
will not disclose voluntarily if their general counsels tell them that
there is a potential that disclosure will bring financial harm
to their company. It is really that simple.
With respect to sharing information with the public sector, the
fear exists that competitors or terrorists or others will be
able to obtain that information through the Freedom of
Information Act. With respect to sharing of information within
the private sector, there are two fears. First that the sharing
will be deemed to be a violation of antitrust laws, as has been
previously discussed; and second, that the act of sharing the
information will lead to civil liability against a company or
its directors and officers.
Now, much has already been said of the first two points.
Permit me to speak on the third for a moment. The chilling effect
of the potential liability lawsuits on voluntary speech cannot
be underestimated. Private lawsuits, or rather the fear of
them, have always played an important role in fostering proper
conduct. However, when applied inappropriately, they can have
the opposite effect. Such is the situation here. Why disclose
the potential inadequacy of a security technology of your
vendors when that disclosure could lead to a defamation
lawsuit? Why recommend the use of specific technology
safeguards when such disclosures could lead to lawsuits
alleging interference with the contractual rights of others?
Why freely disclose the result of research and analysis and
best practices, when that disclosure could lead to shareholder
lawsuits alleging disclosure of company trade secrets?
The risk is too great. Better safe than sorry. Better to
keep your mouth shut. These statements represent the danger
that we face today as they will be the advice given by general
counsels throughout the Nation.
Fortunately, this danger can be avoided through thoughtful
and balanced legislation like the Senator Bennett-Kyl bill and
similar to the great work done by Senator Bennett in Y2K.
Putting on my other hat for a moment, I can tell you that
information sharing is essential to the creation of a stable
insurance market for network security. Insurance plays a
critical role in protecting our national infrastructure, both
through the spreading of risk as well as the influencing of
standards of good security behavior through the incentives
inherent in making insurance available and affordable.
Today my company leads the way in this effort, and we have
already provided billions of dollars of insurance protection
for thousands of companies. However, there are very few
insurance companies willing to provide network security
insurance. The reason: insurance companies cannot underwrite if
they do not have access to data on frequency and severity of
loss or at least the hope of future access to that data.
Effective and robust information sharing becomes the foundation
of building the actuarial tables needed to create a stable
insurance market.
Therefore and in conclusion, we believe that for voluntary
information sharing to be both robust and effective, the
following needs to happen: an exemption from FOIA as stated in
the Bennett-Kyl bill; an exemption from the Federal-State
antitrust laws for information that is voluntarily shared in
good faith, and finally, the creation of a reasonable safe
harbor provision similar to that which was provided under Y2K,
to protect disclosure of information within the private sector
as long as that disclosure was made in good faith.
Mr. Chairman, I would very much like to thank the Committee
for permitting me to testify on this important subject. I will
be pleased to answer any questions you might have.
Chairman Lieberman. Thanks, Mr. Sagalow. Mr. Sobel.
TESTIMONY OF DAVID L. SOBEL,\1\ GENERAL COUNSEL, ELECTRONIC
PRIVACY INFORMATION CENTER
Mr. Sobel. Mr. Chairman, thank you for providing me with
the opportunity to appear before the Committee.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Sobel appears in the Appendix on
page 166.
---------------------------------------------------------------------------
The Electronic Privacy Information Center, EPIC, has a
longstanding interest in computer security policy, emphasizing
informed public debate on matters that are of critical
importance in today's interconnected world.
While my comments will focus primarily on proposals to
create a new Freedom of Information Act exemption for
information concerning infrastructure protection, I would like
to share with the Committee some general observations that I
have made as this debate has unfolded over the last few years.
First, there appears to be a consensus that the government
is not obtaining enough information from the private sector on
cyber security risks. I would add that citizens, the ones who
will suffer the direct consequences of infrastructure failures,
are also receiving inadequate information on these risks.
There has not yet been a clear vision articulated defining
the government's proper role in securing the infrastructure.
While there has been a lot of emphasis on finding ways to
facilitate the government's receipt of information, it remains
unclear just what the government will do with the information
it receives. In fact, many in the private sector advocate an
approach that would render the government powerless to correct
even the most egregious security flaws.
The private sector's lack of progress on security issues
appears to be due to a lack of effective incentives. Congress
should consider appropriate incentives to spur action, but
secrecy and immunity, which some advocate, remove two of the
most powerful incentives--openness and liability. Indeed, many
security experts believe that disclosure and potential
liability are essential components of any effort to encourage
remedial action.
Rather than seeking ways to hide information, Congress
should consider approaches that would make as much information
as possible available to the public consistent with the
legitimate interests of the private sector.
As indicated, I would like to focus my comments on
proposals to limit public access to information concerning
critical infrastructure protection. EPIC and other members of
the FOIA requestor community have, for the past several years,
voiced concerns about proposals to create a broad new FOIA
exemption such as the one contained in S. 1456 for information
relating to security flaws and other vulnerabilities in our
critical infrastructure. Government activity in this area will
be conducted in cooperation with industry, and accordingly,
will involve extensive sharing of information between the
private sector and government. To facilitate the exchange of
information, some have advocated an automatic, wholesale
exemption from the FOIA for any cyber security information
provided to the government.
Given the broad definitions of exempt information that have
been proposed, I believe such an exemption would likely hide
from the public essential information about critically
important and potentially controversial government activities
taken in partnership with the private sector.
Critical infrastructure protection is an issue of concern
not just for the government and industry, but also for the
public, particularly the local communities in which affected
facilities are located.
I believe the proposed exemption is not needed. Established
case law makes it clear that existing exemptions contained in
the FOIA provide adequate protection against harmful
disclosures of the type of information we are discussing.
Exemption 4, which covers confidential private sector
information, provides extensive protection. As my written
statement explains in detail, I believe that Exemption 4
extends to virtually all of the critical infrastructure
material that properly could be withheld from disclosure.
In light of the substantial protections provided by FOIA
Exemption 4 and the case law interpreting it, I believe that
any claimed private sector reticence to share important data
with the government grows out of, at best, a misperception of
current law. The existing protections for confidential private
sector information have been cited repeatedly over the past 2
years by those of us who believe that a new exemption is
unwarranted. Exemption proponents have not come forward with
any response other than the claim that the FOIA provides a
``perceived'' barrier to information sharing. They have not
made any showing that Exemption 4 provides inadequate
protection.
Frankly, many in the FOIA requestor community believe that
Exemption 4, as judicially construed, shields far too much
important data from public disclosure. As such, it is troubling
to hear some in the private sector argue for an even greater
degree of secrecy for information concerning vulnerabilities in
the critical infrastructure. Shrouding this information in
absolute secrecy will remove a powerful incentive for remedial
action and might actually exacerbate security problems. A
blanket exemption for information revealing the existence of
potentially dangerous vulnerabilities will protect the
negligent as well as the diligent. It is difficult to see how
such an approach advances our common goal of ensuring a robust
and secure infrastructure.
In summary, overly broad new exemptions could adversely
impact the public's right to oversee important and far-reaching
government functions and remove incentives for remedial private
sector action.
I thank the Committee for considering my views.
Chairman Lieberman. Thanks, Mr. Sobel. And finally,
Professor Steinzor.
TESTIMONY OF RENA I. STEINZOR,\1\ ACADEMIC FELLOW, NATURAL
RESOURCES DEFENSE COUNCIL AND PROFESSOR, UNIVERSITY OF MARYLAND
SCHOOL OF LAW
Ms. Steinzor. Mr. Chairman, thank you for the opportunity
to appear before you today on behalf of the Natural Resources
Defense Council.
---------------------------------------------------------------------------
\1\ The prepared statement of Ms. Steinzor with an attachment
appears in the Appendix on page 172.
---------------------------------------------------------------------------
The issues before you are both significant and troubling,
especially in the wake of the tragedies that began on September
11. Obviously, all Americans recognize the importance of doing
whatever we can to improve homeland security. At the same time,
as Senator Lieberman said, this country was attacked because we
are the most successful democracy the world has ever known. If
we overreact to those who attacked us so viciously, and in the
process undermine the principles and rule of law that have made
us such a hopeful example for the world, terrorists will win
the victory that has thus far eluded them.
NRDC strongly opposes both the text and the underlying
principles embodied in S. 1456, the Critical Infrastructure
Information Act, and urges you to consider more effective
alternatives to make Americans secure.
We oppose the legislation for four reasons. The legislation
has an impossibly broad scope. To the extent that the
legislation focuses on cyber systems, and by these I mean
systems that are connected to the Internet and therefore are
vulnerable to outside disruption, NRDC as an institution has
little to add to the debate. Computers are not our area of
expertise. In fact some of us are still using the Windows 95
operating system.
Of course, as Senator Thompson has articulated, S. 1456
extends much further than cyber systems, covering not just
computers that are connected to the Internet, but also the
physical infrastructure used to house these systems. The
legislation covers not just physical infrastructure that has or
is controlled by computers, but also any physical
infrastructure that is essential to the economy and might be
damaged by a physical attack. The legislation is not limited to
the Freedom of Information Act, but extends to any use by
anyone of the information in civil actions. Mr. Malcolm spoke
about the government's use of disinformation. I would stress,
however, that this applies not just to the government but to
the use of the information in a civil action by any party.
And the legislation covers information, not just copies of
specific documents. It is a slender reed to rest on the
adjective direct use when it covers information so broadly, and
information in a different format could still be precluded from
use in a civil action.
NRDC is sensitive to the fears all Americans have about our
vulnerability to terrorist attacks. We are active participants
in the debate about whether information about the operation of
facilities using acutely toxic chemicals should be accessible
on the Internet. The Environmental Protection Agency is
encountering many challenges as it works diligently to sort
through these issues.
But these difficult issues are not within the areas of
expertise of the government agencies assigned a role in
implementing S. 1456. Using legislation of this kind as a
vehicle for stressing how information enhances or combats the
terrorist threat to physical infrastructure is unwise and
duplicative. As Senator Akaka stated so well, the legislation
will have a series of disastrous unintended consequences,
damaging existing statutory frameworks crafted with care over
several decades.
Let me draw in another thread of history. A few years ago
major industry trade associations, which had members subject to
environmental regulations, began to push the idea of giving
companies immunity from liability if they performed self-audits,
uncovered violations of the law, took steps to solve those
problems and turned the self-audit over to the government
voluntarily. The Department of Justice vigorously opposed such
proposals and they never made it through Congress. Several
States enacted versions of self-audit laws. In the most extreme
cases, EPA responded by threatening to withdraw their authority
to implement environmental programs and the laws were repealed.
Self-audit bills defeat deterrence-based enforcement,
creating a situation where amnesty is available even where a
company has continued in violation for many years and then
decided to come into compliance at the 11th hour.
As drafted, S. 1456 is a comprehensive self-audit bill that
extends not just to environmental violations but to violations
of the Nation's tax, civil rights, health and safety, truth-in-
lending, fraud, environmental, and virtually every other civil
statute with the exception of the Securities Act. The
legislation does not even require that companies cure their
violations in order to receive amnesty. Redrafting may help,
but it will be very hard to solve the problems as long as the
legislation covers physical infrastructure. Secrecy is not the
best way to protect critical infrastructure, and this Committee
should abandon that approach. Rather, actually requiring
changes on the ground is a far preferable solution to the
threats we face.
One way to reduce the vulnerability of physical
infrastructure is to ensure that employees have undergone
background checks and that site security at the fence line of
the facility and the area adjacent to vulnerable infrastructure
is enhanced.
Another way to protect the public and workers is to
eliminate the need for the hazardous infrastructure, for
example, a tank holding acutely toxic chemicals. This approach,
called Inherently Safer Technologies, is the cornerstone of
legislation, S. 1602, now under consideration by the Senate
Environment and Public Works Committee.
NRDC has also consulted with EPA officials responsible for
coordinating their agency's contribution to strengthen homeland
security. EPA has extensive legal authority to take actions
against companies that fail to exercise due diligence in
protecting against such attacks. The combination of the Corzine bill
and administrative action will make great strides toward
addressing these problems.
As the Committee continues its consideration of these
issues, we hope that you will continue to consult with a broad
range of experts and stakeholders and allow us to participate
in your deliberations. We appreciate the efforts of the
Committee staff to undertake these discussions in order for all
of us to better understand the policies, goals and implications
of the legislation. Thank you.
Chairman Lieberman. Thanks, Professor.
Let me see if I can ask a few of you to give a little more
detail, without disclosing exactly what you do not want to
disclose, which is what are we talking about here with
sensitive information? Mr. Paller, in your testimony you gave
us a series of examples. I wonder if any of the rest of you,
Mr. Sagalow or Mr. Gent, could give us a little more general
information about what we are talking about that people you
represent or you yourselves would not want to disclose without
this kind of exemption from FOIA?
Mr. Gent. Senator, you might remember back, I believe it
was your freshman year this Committee held hearings, and not
much has changed about the electric system vulnerability since
then. And one of the problems back then was that they wanted us
to build a list of critical facilities, ``they'' being the
government, so that the government could analyze that and be
prepared to help us defend at those facilities at that time
from physical attack of nations or nation states or terrorists.
Not much has changed. We now have the cyber element that goes
into this.
So government agencies are asking us to come forth with
lists of critical facilities along with their degree of
vulnerability and what would happen if this facility were taken
out. And we have, for the last 20 years, said that we are not
going to build such a list. As others have testified, we have
no confidence that the government can keep that a secret.
Chairman Lieberman. Got it. Mr. Miller, do you have an
example that comes to mind, generally speaking?
Mr. Miller. In the information technology industry there
might be a product that is developed, a software product, which
in most formats works fine, but in conjunction with a certain
hardware, which a lot of these things are integrated with,
different types of hardware, in fact there is a vulnerability.
The software vendor may become aware of that, may decide that
it wants to communicate with, however, a very limited audience,
for example--just its immediate customers and clients because
of that relationship, but would be totally unwilling to share
that with the government because it does not want to face the
possibility of broad public disclosure of that.
Again, we are talking about limited cases, not a massive
virus attack, where as was discussed in the previous panel,
everyone wants to work together to get the word out about a
Code Red or a Nimda. We are talking about a particular--the
technical term is ``configuration'' of a particular software
product, where the impetus is to keep it in a closed community
unless otherwise they are incented to do so, and particularly
to share it with the government would bring a lot of risk
because of this possibility, or Senator Bennett, maybe it is
just the paranoia business, the likelihood that if you share it
with government it will end up being disclosed.
Chairman Lieberman. Mr. Sagalow.
Mr. Sagalow. Mr. Chairman, I will give you two examples of
information, falling into the areas of best practices that
might be shared if there was a FOIA exemption. When it comes to
the Nimda virus, Code Red, those massive attacks, that
information is being shared. What is not being shared is
information on risk management techniques, best practices,
corporate governance, and I will give you two examples.
If a corporation becomes dissatisfied with their particular
vendor, one anti-virus software works very poorly and they end
up deciding to terminate that contract and instead incorporate
another anti-virus software, you would want that information to
be shared. A general counsel would be extremely reluctant to
give their CEO or CTO permission to share that type of
information, fearing potential defamation lawsuits from the
vendor that you ended up dropping, as well as from other people
for other causes of action like tortious interference with a
contractual relationship.
The second example I would give you is potential
shareholder actions arising out of disclosure of company
practices and technology use. There is a business issue of
whether you want to disclose these things since some may regard
them as trade secrets. However, if all the CEOs of the world
were similar to Mr. Bennett, they would disclose a certain
amount of what is arguably a trade secret if it is consistent
with protecting our national infrastructure and the good of
society, as long as it did not do undue harm to the company. A
general counsel is not going to take that attitude. A general
counsel is going to say even though it is the right thing to
do, there are professional plaintiff attorneys out there that
will start shareholder derivative actions alleging that the act
of disclosure itself was a breach of fiduciary duty.
Chairman Lieberman. Thank you.
Mr. Paller made a statement which was very frank and
sounded pretty realistic, that even with the exemption
proposed, that there will be companies who will not share
because they are still concerned in a voluntary system that it
will not really be kept confidential, and therefore--not that
he was recommending this, maybe he was--but that we may need a
mandatory system.
Now, I wonder whether, real quickly because I want to get
on to another question, whether the three of you agree or
disagree, if we had appropriate exemption from FOIA do you
think companies would still withhold information?
Mr. Gent. I think if you made it mandatory, they would not
withhold.
Chairman Lieberman. Right. [Laughter.]
Mr. Miller. I would strongly disagree with Mr. Paller.
First of all, I do not know what it would mean to be mandatory
and I do not know how you would possibly enforce that, but I
think the information sharing is growing. Again, I agree that
the FOIA is not the silver bullet, Senator, but for the
interest of the industry, yes, there is growing, in the
communities, electrical, financial services, IT, a broader
community interest because these people are American citizens.
They want to support the good of the Nation.
But they have to be protected on the down side. That is clearly
the establishment of the ISACs, the establishment of the
partnerships, that sharing of information through InfraGard is
a commitment the industry is making.
Chairman Lieberman. Mr. Sagalow.
Mr. Sagalow. Our members have told us that if these
obstacles are removed, there will be a substantial increase in
disclosure. Of course some people will never disclose no matter
what, but there will be a substantial increase.
Chairman Lieberman. Professor Steinzor, let me ask you your
reaction to the conversation on the last panel, which was: Why
would not your concerns about the effect of the passage of
Senator Bennett's legislation on various environmental laws be
eliminated by inserting language that said that nothing in this
proposal should diminish any obligation that anyone has under
any other system of law?
Ms. Steinzor. That would go a long way to help, but we
would still be required to fight over such issues as whether
there was an obligation, there was no obligation, and whether
the information was submitted before the government asked for
it. The way this bill is drafted it says that information is
voluntarily submitted in the absence of such agency's exercise
of legal authority. So the agency would have to actually ask
for the information in order for it to be submitted non-
voluntarily. At the moment, there is a lot of information kept
in companies that the government may not have asked for yet,
and if it was submitted voluntarily, the protection could be
asserted. That is just one of the kinds of problems that we are
concerned about.
Another way to deal with what you are talking about is a
savings clause. Such a clause should be something that is
dynamic, not just for laws that are on the books today but laws
that are added to the books in the future.
And one last thing I would like to add, which is that to
the extent that the information we are concerned about here is
information that is time-sensitive, one way to approach it
would be to say the protection only lasts for a certain limited
period of time. We have heard a lot about an attack is ongoing
and you need to share the information. Arguably, once you have
shared it, once the problem is addressed, as we all assume it
will be, you no longer need to make that information secret.
Keeping it secret is only important to liability down the line.
Again, there would be no liability if the problem was solved.
So that is another way to approach this.
Chairman Lieberman. Mr. Sobel, do you have a reaction to
that discussion on the first panel? I know it is not directly
responsive to your concerns.
Mr. Sobel. Frankly, Senator, my concern is with this taken
in combination, the fact that there would be no possibility of
disclosure apparently at any time running into the future, as
well as no real governmental ability to address any of the
vulnerabilities that are made known to the government, and then
there is this provision that I read as a very broad immunity
that would also preclude any private actors from seeking
corrective action. So what I see, taken as a whole, is this
structure that provides information to the government, but then
really ties the hands of the government or anyone else to
direct and compel corrective action. As I said, I think this
approach protects the negligent as well as the diligent, and
that is really, I think, the main flaw. Yes, we can certainly
assume that many, if not most, of the actors in the private
sector are going to be good actors, but it seems to me that
this just creates an incredibly large loophole for those
companies that frankly are more inclined to be negligent than
diligent.
Chairman Lieberman. Thanks. Senator Bennett.
Senator Bennett. Thank you, Mr. Chairman, and thanks to
everyone on the panel including those who were not quite as
supportive of my legislation as some of the others, because
these are obviously the issues that have to be resolved, that
have to be talked about.
I sponsored a bill for a long time on the privacy of
medical records, and ran into much the same kind of very firm
opinions on all sides of the issue, and I kept saying year
after year, this is not an ideological issue, this is not
conservatives versus liberals or Republicans versus Democrats.
This is a management issue. How do we solve the problem? And my
staff got sick and tired of me saying it. I would say, if there
is a management problem raised by this objection, let us solve
the problem rather than put ourselves into ideological camps
and then scream at each other? We do a great deal of that in
the U.S. Senate, usually on the floor, less so in committee,
but we have a serious challenge here. It is one for which there
is, frankly, no historic predicate because the coming of the
information age has changed the world as thoroughly and
fundamentally as the coming of the Industrial Age did. And if
you are going to talk about agricultural age warfare after the
invention of the repeating rifle, you are going to be left
behind. And the statement by Osama bin Laden is a chilling
reminder of the fact that we live in an entirely different
world, and we all, on all sides of this issue, need to view
that world differently.
Now, if I were someone who wished this country ill, and I
have said this before so I am not giving out any secrets, if I
were someone who wished this country ill, I would be
concentrating on breaking into the telecommunications
infrastructure over which the Fedwire functions. If I could
shut down the Fedwire, I could bring all activity in the
country to a complete stop. No checks would clear. No financial
transactions would take place. There could be no clearing at
the end of every day for the Federal Reserve system. The
Fedwire is the absolute backbone of everything that goes on in
the economy. And I have had conversations with Chairman
Greenspan about protecting the Fedwire from cyber attack. That
specter before us, how do we deal with the challenge of
telephone companies, of power companies, of brokerage houses,
banks, and the Federal Government itself, that are tied
together in this absolutely intricate network of transactions
and facilities, and protect the Fedwire from someone sitting in
a cave somewhere coming after it?
Now, Mr. Miller could share some information with us, which
I have seen, that shows the graphs of the level of attacks that
have come against the United States, cyber attacks, and it is a
logarithmic scale. It is not just a quiet little incremental
increase every year. It is almost Malthusian in terms of the
predictions, and it is a hockey stick. And I have stood in the
rooms where these attacks are being monitored in real time,
second by second, in the Defense Department within the
Pentagon. The interesting thing is that just as the number of
attacks is going up logarithmically, the sophistication of the
attacks is going up logarithmically, so that our ability to
defend ourselves, which is also going up logarithmically, is
just barely keeping up with the sophistication and volume of
the challenge that we have.
I first became aware of this with Y2K when I was talking
with Dr. Hamre, the Deputy Secretary of Defense, as we were
trying to find out in a hearing on S. 407, Mr. Chairman, over
in the Capitol, where we can have classified briefings, about
the degree of this country's vulnerability, and Dr. Hamre said
to me, ``We are under attack every day.'' And this was 3 or 4
years ago. And I said, ``Under attack, what are you talking
about?''
Well, the attack on the government facilities goes on. My
fear, the thing that keeps me awake at night is that if those
who are mounting those sophisticated attacks on government
facilities--and they are primarily aimed at the Defense
Department and the intelligence community, CIA, NSA and
others--were to shift their focus onto the private sector and
do so in a timing and a circumstance where no one in the
government knew that that shift had taken place, how vulnerable
are we, and how will we feel if we say, ``Well, we did not
facilitate the opportunity for people who are the recipients of
those attacks to share with the government what was
happening.'' This is not questioning. I am just responding to
the panel and sharing with you my deep, and I hope not
paranoid, desire to see to it that we are prepared for this.
So in the one minute left before we go back to the second
round, do any of you, recognizing this is a management issue
rather than an ideological issue, have any comments across the
gap that has occurred within the panel, that are not just, oh,
you are wrong, you do not understand. It is easy for you to say
that back and forth to each other. Do any of you have any
solutions that you could suggest across the divide that has
been created here within this panel in the circumstance that I
have framed?
Mr. Miller. Just a brief comment. I thought that Mr. Sobel
and Professor Steinzor said that with some of the limitations
that Chairman Lieberman suggested, and Mr. Malcolm discussed it
in the earlier panel with you as the primary sponsor, that they
might see some possibility of bridging the gap. Again, these
are technical legal issues beyond my exact area of expertise,
but I was pleased to hear that both Mr. Sobel and Professor
Steinzor indicated that they might--if the language of the bill
was even more clear as not to allow the worst bad actors to use
the Freedom of Information Act language to hide behind--that
they might be open to some kind of compromise. And I thought
that was a very positive statement by both of them from my
perspective.
Ms. Steinzor. Senator, I could not agree with you more that
this is an enormous challenge and a grave threat, and I am not
by any stretch of the imagination questioning your motives or
your sense of urgency about all of this. What is troubling to
us is that it would seem as if a more direct way to approach
this would be to try and develop technologies like the one Mr.
Paller was talking about, to erect firewalls and make cyber
systems more secure, rather than simply allowing for a shroud
of secrecy to go over them because of the difficulties of
drawing lines in this area.
You know the Freedom of Information Act, in our experience,
is one of the most ponderous legal tools one can ever use. It
takes months, years, to get a request answered. And so we are
puzzled why the urgent exchange of information could not be
protected in a short timeframe in a different way that does not
implicate the Freedom of Information Act, which we do not see
as a very grave threat to the immediate exchange of
information. People are talking about perceptions on all sides,
and we are puzzled by that.
Mr. Sobel. Senator, if I could just follow up on that, on
the FOIA point. I have a real concern that a new exemption
approach could actually muddy the waters far more than they are
right now. We have heard a lot of concern about the advice that
a general counsel might give within a company in terms of
whether or not there is adequate protection or not. It seems to
me, as an attorney who looks at these issues, that 28 years
worth of very clear case law would give me much more comfort in
advising a client than a newly-enacted piece of legislation
that contains some very broad language. I think if I was that
general counsel and this legislation passed, I would say,
``Well, you know, this has not yet been judicially construed.
We do not know how much protection this is going to provide.''
I would feel much more comfortable looking at the Critical Mass
decision from the D.C. Circuit, where the Supreme Court denied
certiorari, and saying, ``This is a pretty good assurance that
this information is not going to be disclosed.''
So I do not think we are disagreeing about goals, but I
think there is a real question in terms of what is the most
effective way of providing the assurance that the private
sector seems to want.
Mr. Miller. Maybe that is what the hypothetical general
counsel would believe, Senator Bennett. That is not what the
real general counsels believe.
Mr. Sagalow. Senator, let me follow up if I can.
Chairman Lieberman. Mr. Sagalow, let me just interrupt.
Senator Bennett, I do not have any other questions. I have
a couple of colleagues waiting to see me. If you are able, I
would like to ask you to continue the discussion, and then when
you are through, to adjourn the hearing.
Senator Bennett. That is very dangerous on your part.
[Laughter.]
Chairman Lieberman. I do not want you to get comfortable
with the gavel though. [Laughter.]
Senator Bennett. Thank you, Mr. Chairman.
Chairman Lieberman. Not at all. Thank you for your
leadership. It has been a very interesting, important,
constructive hearing, and I look forward to continuing to work
with you, Senator Bennett, and with those who have been before
us to see if we can resolve this in the public interest. Thank
you.
Senator Bennett [presiding]. Thank you very much.
Now, having no constraints upon me, I would like to pursue
this a little further.
Mr. Sagalow. Senator, if I could just respond to a couple
of the comments that were mentioned earlier. My company created
something called a Technology Alliance, which is a group of
technology companies that advise us as underwriters on
evaluating cyber risk, and we have been literally talking to
dozens of technology companies over the last 2 years and we
continue to talk to them.
I can tell you, Senator, that without exception there is no
technology company that believes that there is a technology
silver bullet. There is no super firewall. There is no super
anti-virus or intrusion detection system. There is no single
technology or combination of technologies that will solve this
problem.
On the second issue of the theoretical versus practical
general counsel, I agree with the comments of my colleague, Mr.
Miller. I do not know what theoretical general counsels say,
but I know what they say to me every day. And what they say to
me every day is their view of current law and regulation
including case law does not give them a sufficient basis to
recommend to their CEOs to disclose. More legislation, more
action is needed.
Senator Bennett. Let me follow through on that one.
We have always been under the impression that we were
helping FOIA by focusing and defining the exemption which, Mr.
Sobel, you indicated has been done by case law so as to make it
clear that in this circumstance under these conditions the
broad exemption that is already in FOIA would clearly apply and
that we were not in any way repealing or destroying FOIA, we
were simply focusing the definition.
Now, Mr. Sagalow, let us go back to you--recognizing you
have not had this discussion, but your perception of how a
general counsel would react. Do you think that the passage of
this legislation would be viewed in that regard and therefore
make a general counsel more likely to say let us go ahead, or
do you think they would react to the legislation somewhat in
the way that Mr. Sobel is? You do not have to agree with his
opinion of where they are in case law, as to try to say maybe
he is right that they would say, ``Well, the legislation may
sound good, but it is still not going to give me any comfort.''
Mr. Sagalow. I do not know. It is a legitimate issue. I
believe that, based upon the conversations that I have had so
far, that the majority of general counsels would be looking at
it in the first approach. They would be looking at this
legislation clarifying existing case law in a way favorable
toward disclosure as opposed to a de novo aspect of legislation
that they would feel uncomfortable with until years of case law
interpretation.
Senator Bennett. Let us go back to Professor Steinzor's
comment about time. I think that is a very legitimate issue
that she has raised. I have used the example which, frankly,
Professor, you shoot down, that Osama bin Laden would mount an
attack and then file a FOIA request to find out how well it
worked, and if indeed FOIA would require 4 years before he got
the information, the technology would have been about five
generations old by the time he got the information.
She has raised an interesting question, gentlemen, about
putting a time limit on this, where you say the FOIA request
cannot be filed for 3 years, let us say, pick a number. She
would probably pick 3 months, but let us pick a number and put
a timeframe on this, and talk about what effect that might have
in the real world. Mr. Gent.
Mr. Gent. Senator Bennett, there is certain operational
information that can be made available moments afterwards, some
hours afterwards, some days afterwards, but when it comes down
to the configuration and vulnerability of the electric system,
this is something that evolves over decades. So having
information, in fact, to be honest with you, some of the
information that is now being released to the public is still
very dangerous and could be considered as a terrorist handbook.
So the configuration has not changed that much. The components
that are vulnerable have not changed that much over the last
decade. So if you talk about operational information, I would
be willing to talk about a shorter timeframe, but physical
configuration of a system is still important after decades.
Senator Bennett. We need to remember, and you have reminded
us, that the physical and the cyber are inextricably linked
here.
Mr. Gent. We believe that. In fact, Hoover Dam is not going
anywhere.
Senator Bennett. But the ability to break into the
computers that are updated that control the sluice gates,
somebody could open the sluice gates and drain Hoover Dam
without blowing it up. Is that an accurate----
Ms. Steinzor. But, Senator, that again is a cyber issue
which presumably would be addressed by technology evolving
within a certain period of time because cyber systems are
changing all the time. I think the emphasis on the physical
configuration is exactly what concerns us because a lot of the
physical configuration, for example, at a chemical plant, is
heavily scrutinized and regulated by the government. And again,
this protection does not just apply to Freedom of Information
Act, it also applies to use in a civil action which could be
either enforcement or some other type of action that would not
be able to proceed if the company was not continuing to do
something wrong.
So again, my suggestion about the temporal aspect is that
the assumption must be that once we discover a vulnerability, we
are going to address it right away, whether it is in the
physical context or the cyber context, that the Freedom of
Information Act in civil actions would only be viable if those
problems were not addressed, and therefore a temporal
limitation might be just the ticket to solve the problem.
If I could just add one more thing. As an educator of young
lawyers, let me talk about the theoretical versus the actual
general counsel. One of the things we always impress on our
students is the need to zealously protect their clients'
interests, and while I would sign up tomorrow to be your
general counsel, you being the hypothetical CEO----
Senator Bennett. You might not be in a financially
successful institution. [Laughter.]
Ms. Steinzor. Well, but you were articulating such good
ethics and good sense, that I think I might do it. Maybe I
could keep my university job.
The problem is that if there is an opportunity to do a
document dump, which of course would not be conceived in those
pejorative terms, both a theoretical and an actual
general counsel would be pushing the company to do exactly
that. They would say, ``Look, CEO, we have vulnerabilities
involing our physical infrastructure that are very serious, and
we should go contact Governor Ridge about those and get into
some conversation with him, and if any agency tries to pursue
us through one of the more mundane daily laws, we can fend them
off while we address our vulnerabilities.'' This kind of
situation is our concern.
I should have brought a lawyer joke for the occasion.
Senator Bennett. I have plenty of those.
Ms. Steinzor. Good.
Senator Bennett. Anyone want to respond to that? Mr.
Miller.
Mr. Miller. Not so much to that, but your earlier question
about time limitations. It is easy for me to say sure, why not
in the information technology industry because 3 years is an
eternity. But again, it is very much tied to physical issues.
A certain governor of a certain large State just to the
north of here, about 4 years ago was very proud to release a
document on the Internet that showed where every
telecommunications, electrical network, and critical asset in
the Commonwealth of his State was located, and it was very
public, it was very well known. I am sure Tom Ridge was very
proud of that at the time he was governor, because everyone was
into disclosure using the Internet. I am sure looking back from
his current position, Tom Ridge wonders how he had that crazy
idea 4 years ago to make that information public.
So I would think, Senator, we need to consult with a lot
more people who are, as Mr. Gent was suggesting, involved in
these long-term fixed positions that may or may not be
controlled by cyber relationships before we would say that the
time limit idea intrinsically is a good idea.
Again, in principle, I do not think the IT industry would
be too much concerned about that, but I think a lot of our
customers might be because those physical assets do not change
and those physical vulnerabilities do not change for long
periods of time.
Senator Bennett. Without treading into classified
territory, because in this whole process I have spent an awful
lot of time in places that deny that they exist after I leave
them, as a general principle, someone who is looking over
critical infrastructure needs to know key points. And the key
point in the critical infrastructure can be taken out with a
kinetic weapon many times more efficiently than it can be taken
out with a cyber attack. The interesting thing that comes from
those who analyze this--and I must be careful about this--the
interesting thing that comes from those who analyze this for a
living is that the key points in a critical infrastructure are
very often not obvious. There might be a particular switch in a
particular pipeline or a particular telecommunications switch,
or a substation that for some reason is far more critical than
any other in terms of possibly shutting down the power grid. A
terrorist would give a tremendous amount to know where those
key points are. And I am not sure the people who are giving
information to the government, if my bill was to pass, would
themselves know how key they are or where they are.
And the question becomes--the government could put that
together. The government says, ``OK, we have got this from this
source. We have got this from this source. Uh-oh.'' Back to my
original analysis if I am going to mix metaphors here. If this
particular facility goes down, that is what shuts down the
Fedwire. And the people who manage that facility do not know
that. If that information--that is the pieces of information
that allowed the government to discover that are individually
made available with FOIA, and an analyst working for a hostile
nation state comes to the same conclusion that our analyst came
to, and said, ``Aha, this is the one thing which if we shoot
down, cuts down the Fedwire.'' And that becomes very valuable
information, and maybe they make the decision, ``We are not
going to go after it in a cyber way. We are going to get
somebody with a truck full of fertilizer to pull up to the
front door of that particular facility and lo and behold
everybody is going to be surprised because they think they have
all of these technological firewalls everywhere else to protect
the Fedwire, and bingo, we can take it out with a fertilizer
bomb.''
Now, that is obviously a hypothetical and obviously that
kind of analysis is going on. But that is the kind of concern
that I have about sharing information. And it may well be that
we could find a division here between some things that could be
disclosed after a 3-year period and some things that could not.
I can anticipate some of you are going to say, ``Well, you are
not going to know that in advance,'' but let us at least have a
quick round on that concern.
Mr. Paller. I think you go back to the bigger question that
your staff got mad at you about, about understanding it is a
management problem. And what I see happening here is what
happens in lots of security conversations, which is different
people looking at different parts of the animal. (1) If that is
what you are going to disclose, it is terrible, and (2) if that
(other thing) is what you are going to disclose, it is fine. I
think maybe this is one of those really hard slogging jobs
where you have to go systematically through every specific type
of data in every specific type of environment and get the
answers to the questions of which are going to be disclosed and
which are not going to be disclosed if you want to get
consensus in the room. I am not sure that the effort is going
to be worth the trouble, but I do not see a way, as long as you
keep a very broad view of what the ``it'' is, to get them to
agree how long or when or whether to disclose it.
Mr. Miller. Senator, I do not know whether it has to do
directly with FOIA legislation. I mean clearly the issue of
saying we do not know what we do not know is a real problem.
Let me give you an obvious lesson that was learned on September
11, and that is redundancy in telecommunication systems. A lot
of companies had learned over time, as part of business
continuity planning, to have redundancy in their
telecommunication systems, which meant having two carriers, two
switches, and two sets of pipes. But a lot of companies put
those switches and those pipes in exactly the same building,
the World Trade Center. So when the World Trade Center went
down they really did not have redundancy. They ended up not
having complete telecommunication systems left. And so that was
a lesson that was learned, or at least it was put out there. I
am not sure whether it has been completely learned. We are
still having this debate with the Federal Government as you
know, and there is legislation in Congress to require Federal
agencies to begin to think about having true physical
redundancy as opposed to assumed physical redundancy in
telecommunication systems.
So frequently we do not know what we do not know, and we
have to have a tragedy or a direct experience to learn that
lesson.
Would the FOIA exemption you are suggesting help that to
come together? Perhaps because who, other than the government,
does exactly what you say, which is to look at all of the
pieces of the puzzle. At the end of the day, his companies look
at the electricity industry, I look at the IT industry, Mr.
Sagalow and financial ISAC members look at the ISAC industry.
Mr. Paller kind of looks across industries because he has got
experts in all of these. But at the end of the day it is only
the government that looks at the overall view of how these
interdependencies really work in ways that nobody else really
can.
Mr. Sobel. Senator, I just wanted to make the observation
that it seems to me that there is a little bit of a disconnect
in terms of industry's attitude here. I mean on the one hand we
are being told that the agencies that would receive the
information are somehow so incompetent that they would be
releasing highly sensitive information in response to a FOIA
request despite very strong case law supporting withholding,
and yet on the other hand industry seems to believe that there
is something valuable that the government has to tell them or
something valuable the government has to do in the form of
coordinating response activity. So I am not getting a clear
picture from industry in terms of how they see government. Is
government a competent, useful player here or is it something
else, an entity that is going to receive information and very
haphazardly release it to the detriment of all of us?
So I really am hearing two things here.
Senator Bennett. My answer to that question would be yes.
[Laughter.]
Mr. Sobel. Well, then I think it raises----
Senator Bennett. There is no such thing as industry and
there is no such thing as the government. There are a variety
of companies in a variety of industries. It is enormously
complex, and as you have indicated, the vast majority of them
would be very disciplined and act in a responsible way. And
there are few, in your opinion, that would not, that would be
irresponsible and would try to use this in an improper fashion.
There are a variety of people in government who are enormously
competent and who would provide the analysis that we need, and
there are a variety of people who have demonstrated a
regulatory mentality to which I referred earlier, that would
use the information in a way just to prove their regulatory
muscle that would be irresponsible. You only have to sit in a
Senator's office to discover that there is no, ``the
Government.'' There are a variety of human beings, some of
whom, most of whom, act responsibly and intelligently, and
every once in a while there are some regulators who just defy
common sense in the way they do their jobs and hang on to the
regulations that they have.
So my answer to your question, without being facetious, is
yes to both sides of it.
Mr. Sobel. I think that is very true, but as Mr. Tritak
said, if this is a question of trust and establishing trust, I
do not understand why that same regulator is suddenly going to
be trusted by the industry submitter to comply with your new
FOIA exemption if he is not trusted to comply with the existing
protections. In other words, if this is an incompetent or
malicious bureaucrat, why would this new legislation create any
greater trust on the part of the submitter? That is what I am
really missing here.
Senator Bennett. All you can hope for is that you nudge him
in the right way.
Mr. Sagalow. Senator, if I could just emphasize on that
last point you mentioned, because that is exactly what is
happening. In the real world everything is a gray area and what
you need to do is nudge the general counsel in the right way.
What I am hoping that you are hearing from at least the
majority of people that are speaking on this area is a desire
not to throw the baby out with the bath water, that this is a
very essential piece of legislation, very important to the
national infrastructure and our war against terrorism, and that
the people on both sides of the aisle, so to speak, are willing
to look at language in the bill consistent with the
fundamentals: That data is received through independent use
would be exempted, that under certain circumstances criminal
prosecution if documented through that independent use would be
permitted, that certainly it is not the intention of the
legislation, and none of my members are indicating they expect
it to be the intention of the legislation, that the legislation
will somehow allow a company not to disclose what they would
otherwise be obligated to disclose, whether in the criminal
area, the environmental area, or the financial area.
Two other quick comments. My personal belief is that the
fear of data dumping or the bad general counsel, while not
unrealistic, is perhaps overstated. General counsels have a
firm belief in the law of unintended consequences. That is why
they are hesitating to permit disclosure in the first place.
And part of the law of unintended consequences is if you do a
data dump thinking that you are going to fool the other side,
something is going to go wrong. Very few general counsels take
that risk unless it is a matter of utter desperation.
And then finally on this issue of the temporal solution to
the problem, I can only echo the point that was made earlier,
that this issue of ``we do not know what we do not know'' is
quite important. We really do not know in any set of documents
or data what are the fundamental issues that may be completely
applicable 5, 6, or 10 years from now.
Senator Bennett. Well, the audience is voting with their
feet in saying that the hearing is over. May I thank all of you
for your contribution. This has been a serious discussion
rather than a simple venting of opinions, and I am grateful to
all of you for your willingness to enter into it in that
spirit.
If I were to summarize my attitude, and speaking solely for
myself, obviously, and not for any other Member of the
Committee, I wish we had the time to go through all of the
issues and ultimately come, as has been suggested here, to a
final consensus where everybody buys off and agrees, because I
think people of goodwill at all aspects of this probably could
arrive there.
I must share with you once again, I feel a sense of urgency
here which is very powerful, and the more time I spend with the
intelligence community, the more time I spend in the Defense
Department, the more times I visit that room in the Pentagon,
where the attacks on our military infrastructure come in in
real time and I see them on the screen, the more sense of
urgency I have.
I think we err on the side of exposing our country and
really with exposing the American economy, exposing the world
to serious damage if we delay too long. And I would rather take
steps as quickly as we can that start us down the road and
maintain a perfect willingness to change the legislation as we
get examples of serious violations of environmental or other
circumstances by the small minority of companies that might try
to take advantage of that, than delay the legislation until we
can theoretically iron out all of the problems.
I do not wish to be an alarmist. I try not to be an
alarmist, but I think this is an issue that requires early
action. And that is why I am grateful to the Chairman for his
willingness to schedule the hearing, and I am grateful to all
of you for your willingness to participate.
With that, the hearing is adjourned.
[Whereupon, at 12:30 p.m., the Committee was adjourned.]
A P P E N D I X
----------
PREPARED STATEMENT OF SENATOR BUNNING
Thank you, Mr. Chairman.
During the past 7 months community leaders, government officials
and average Americans have been re-evaluating the level of security
needed to protect ourselves.
We have seen dramatic changes in the airline industry, and we have
become very concerned about the safety of our ports and other
transportation systems.
Local, State and Federal emergency personnel have been on a high
state of alert. And, we are increasing staffing at our borders.
However, protecting our critical infrastructure is one of the most
important steps we can take to ensure a safe future, and it should not
be overlooked.
The government needs to do everything it can to encourage companies
to share information with each other and Federal officials in an effort
to stop those who are attacking our country.
I understand that some companies are concerned about sharing
sensitive information because they are afraid it may be released to the
public.
If we are serious about protecting our critical infrastructure,
then we have got to be serious about finding a solution to this
problem.
If businesses are afraid their non-public information can make its
way into the public domain, we will never get the kind of open and
productive relationship that we need between the government and
business community.
I am looking forward to hearing more about the legislation
introduced by Senators Bennett and Kyl that begins to address this
problem, and I appreciate the time our witnesses have taken to testify
today.
Thank you.
[GRAPHIC] [TIFF OMITTED] 80597.001 through 80597.176