[Senate Hearing 107-550]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 107-550
 
                      SECURING OUR INFRASTRUCTURE:
                   PRIVATE/PUBLIC INFORMATION SHARING
=======================================================================


                                HEARING

                               before the


                              COMMITTEE ON
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE

                      ONE HUNDRED SEVENTH CONGRESS

                             SECOND SESSION


                               __________

                              MAY 8, 2002

                               __________

      Printed for the use of the Committee on Governmental Affairs








                           U.S. GOVERNMENT PRINTING OFFICE
80-597                            WASHINGTON : 2003
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512-1800  
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001








                   COMMITTEE ON GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 FRED THOMPSON, Tennessee
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
RICHARD J. DURBIN, Illinois          SUSAN M. COLLINS, Maine
ROBERT G. TORRICELLI, New Jersey     GEORGE V. VOINOVICH, Ohio
MAX CLELAND, Georgia                 THAD COCHRAN, Mississippi
THOMAS R. CARPER, Delaware           ROBERT F. BENNETT, Utah
JEAN CARNAHAN, Missouri              JIM BUNNING, Kentucky
MARK DAYTON, Minnesota               PETER G. FITZGERALD, Illinois
           Joyce A. Rechtschaffen, Staff Director and Counsel
                        Larry B. Novey, Counsel
             Kiersten Todt Coon, Professional Staff Member
              Richard A. Hertling, Minority Staff Director
                Ellen B. Brown, Minority Senior Counsel
               Elizabeth A. VanDersarl, Minority Counsel
         Morgan P. Muchnick, Minority Professional Staff Member
                     Darla D. Cassell, Chief Clerk







                            C O N T E N T S

                                 ------                                
Opening statements:
                                                                   Page
    Senator Lieberman............................................     1
    Senator Thompson.............................................     2
    Senator Bennett..............................................     4
    Senator Akaka................................................     7
    Senator Carper...............................................    19
Prepared statement:
    Senator Bunning..............................................    53

                               WITNESSES
                         Wednesday, May 8, 2002

Ronald L. Dick, Director, National Infrastructure Protection 
  Center, Federal Bureau of Investigation........................     8
John G. Malcolm, Deputy Assistant Attorney General, Criminal 
  Division, U.S. Department of Justice...........................    10
John S. Tritak, Director, Critical Infrastructure Assurance 
  Office, U.S. Department of Commerce............................    12
Michehl R. Gent, President and Chief Executive Officer, North 
  American Electric Reliability Council..........................    28
Harris N. Miller, President, Information Technology Association 
  of America.....................................................    30
Alan Paller, Director of Research, The SANS Institute............    32
Ty R. Sagalow, Board Member, Financial Services Information 
  Sharing and Analysis Center (FS ISAC) and Chief Operating 
  Officer, AIG eBusiness Risk Solutions..........................    34
David L. Sobel, General Counsel, Electronic Privacy Information 
  Center.........................................................    36
Rena I. Steinzor, Academic Fellow, Natural Resources Defense 
  Council and Professor, University of Maryland School of Law....    38

                     Alphabetical List of Witnesses

Dick, Ronald L.:
    Testimony....................................................     8
    Prepared statement...........................................    54
Gent, Michehl R.:
    Testimony....................................................    28
    Prepared statement...........................................    81
Malcolm, John G.:
    Testimony....................................................    10
    Prepared statement...........................................    64
Miller, Harris N.:
    Testimony....................................................    30
    Prepared statement with attachments..........................    94
Paller, Alan:
    Testimony....................................................    32
    Prepared statement...........................................   112
Sagalow, Ty R.:
    Testimony....................................................    34
    Prepared statement with attachments..........................   123
Sobel, David L.:
    Testimony....................................................    36
    Prepared statement...........................................   166
Steinzor, Rena I.:
    Testimony....................................................    38
    Prepared statement with an attachment........................   172
Tritak, John S.:
    Testimony....................................................    12
    Prepared statement...........................................    77

                                Appendix

Chart with quote from Osama Bin Laden, December 27, 2001, 
  submitted by Senator Bennett...................................   190
Chart entitled ``Reporting and Dissemination of Information.'' 
  Source: The Report of the President's Commission on Critical 
  Infrastructure Protection, October 1997, submitted by Senator 
  Bennett........................................................   191
Chart entitled ``Coincidence or Attack?'' Source: The Report of 
  the President's Commission on Critical Infrastructure 
  Protection, October 1997, submitted by Senator Bennett.........   192
Chart entitled ``Critical Infrastructure Information Security 
  Act'' submitted by Senator Bennett.............................   193
Copy of S. 1456..................................................   194
Laura W. Murphy, Director, ACLU Washington National Office, and 
  Timothy H. Edgar, ACLU Legislative Counsel, American Civil 
  Liberties Union, prepared statement............................   214
John P. Connelly, Vice President, Security Team Leader, American 
  Chemistry Council, prepared statement..........................   222
Catherine A. Allen, CEO, BITS, The Technology Group for the 
  Financial Services Roundtable, prepared statement..............   228


                      SECURING OUR INFRASTRUCTURE:



                   PRIVATE/PUBLIC INFORMATION SHARING

                              ----------                              


                         WEDNESDAY, MAY 8, 2002

                                       U.S. Senate,
                         Committee on Governmental Affairs,
                                                    Washington, DC.
    The Committee met, pursuant to notice, at 9:33 a.m., in 
room SD-342, Dirksen Senate Office Building, Hon. Joseph I. 
Lieberman, Chairman of the Committee, presiding.
    Present: Senators Lieberman, Thompson, Bennett, Akaka, and 
Carper.

            OPENING STATEMENT OF CHAIRMAN LIEBERMAN

    Chairman Lieberman. The hearing will come to order. Good 
morning.
    Today the Governmental Affairs Committee takes up the issue 
of protecting our critical infrastructure from terrorist attack 
and the extent to which private industry should share sensitive 
information both within its own community and with the Federal 
Government.
    This is a matter of longstanding interest to Senator 
Bennett, who has introduced legislation with Senator Kyl 
regarding information sharing and our critical infrastructure. 
I would like to take this opportunity to thank him for his 
dedication to this matter of critical importance to our 
national security.
    Senator Bennett's legislation, which is called the Critical 
Infrastructure Information Security Act, would encourage 
companies to voluntarily share information about critical 
infrastructure threats and vulnerabilities with the government 
and among themselves by granting exemptions from the Freedom of 
Information Act and the antitrust laws.
    Senator Thompson and I are working with Senators Bennett 
and Kyl to evaluate the principles and questions embodied in 
this bill, which raises important questions about how to better 
secure our critical infrastructure against what we now must 
conclude are very real terrorist threats and continuing 
criminal threats.
    Critical infrastructure is a term that I take to cover our 
financial, transportation, communications networks, our 
utilities, public health systems, law enforcement, and 
emergency services. Critical infrastructure has been described 
as our Nation's skeleton, but it seems to me that it might more 
aptly be described as our Nation's vital organs. The critical 
infrastructure is what keeps the country humming. It enables us 
to interact with one another. It enables us to continue the 
life of our economy which sustains all of us, and also makes it 
possible for us to have the highest quality of life on the 
planet. The critical infrastructure in that sense is what makes 
America work.
    Many of our critical infrastructures are privately owned, 
and in this information age are increasingly computer-dependent 
and interdependent with each other. For several years, the 
Federal Government has been working to develop a public/private 
partnership to secure critical infrastructure. Companies are 
encouraged to share information among themselves about 
vulnerabilities, threats, intrusions, solutions, and to share 
information also with the government, which can then, as 
appropriate, issue warnings and respond accordingly.
    Because of our oversight role, the Governmental Affairs 
Committee has closely participated in these efforts, although 
Senator Bennett's foresight is such that he was working on this 
proposal, this bill, before September 11. Our task took on 
renewed urgency after the events of September 11. We have held 
a series of hearings in our governmentwide evaluation about how 
best to protect Americans here at home as well as our 
infrastructure, and today's hearing builds on that record that 
this Committee has compiled.
    Let me say that if necessary information is not being 
adequately shared between private entities and the Federal 
Government, we must address that problem for the safety of all 
Americans, but we have also got to be concerned, obviously, 
about unintended consequences, and that would be unduly 
undermining, for instance, the public's right to know. So there 
is a balance here to be struck. It is, in that sense, the 
balance that this Nation has struck since the beginning of its 
existence between, if I may state it too simplistically, 
security and liberty. There is a natural tendency now to move 
along that spectrum towards security after September 11, and it 
is realistic and responsible to do so, but obviously we do not 
want to do it in a way that unduly compromises the blessings of 
liberty which define what it means to be an American and for 
which we are all grateful, and in that sense which we are 
fighting to protect in the war against terrorism itself.
    So those are the very important and difficult questions 
that the legislation before us deals with and we will be 
dealing with this morning.
    I look forward to hearing from today's witnesses to learn 
exactly what kind of private sector information they believe 
the government needs, to effectively protect the critical 
infrastructure and the American people; what the experience of 
industry and government have been regarding information sharing 
thus far; and, to the extent that there are those who believe 
that the proposed legislation would be harmful, or reaches too 
far, why they feel that is so.
    Senator Bennett and I certainly agree that the protection 
of our critical infrastructure is a priority, a national 
concern now, and I look forward to working with him as we go 
forward to achieve a good and reasonable solution.
    Senator Thompson.

             OPENING STATEMENT OF SENATOR THOMPSON

    Senator Thompson. Thank you, Mr. Chairman.
    We certainly are all redoubling our efforts to shore up our 
defenses after September 11. You point out most of the issues 
that we are confronted with. However, there are other issues. 
The role of the Federal Government, with regard to critical 
infrastructure, has never been fully defined. We are in need of 
proposals to define the Federal Government's role, as well as 
assigning specific responsibilities to the State, local and 
private sector entities. And while we want to encourage 
industry to share information with the Federal Government, we 
are still in need of a framework for dealing with that 
information, and assurances about what will be done with that 
information once it is received.
    Senators Bennett and Kyl have introduced legislation which 
is before this Committee, intended to reduce the threat of 
terrorism by encouraging private industry to share information 
with each other and with the Federal Government in order to 
help prevent, detect, warn of and respond to threats.
    Originally cast as a cyber terrorism bill, this bill is 
just as relevant to physical terrorist threats as well. It 
seems to me that instead of mandating requirements or issuing 
regulations for the private sector, we should be incentivizing 
private industry to protect themselves and share information 
with each other and the Federal Government. At this time I 
think the Bennett-Kyl bill is on the right track. There are 
issues and concerns the bill raises, but those are the things 
we will begin to try to work through today.
    One thing is certain, information is vital to this Nation. 
On September 11, despite great physical damage sustained, 
information continued to flow across the country. We learned 
that, for example, Verizon's switching office at 140 West 
Street in Manhattan, which supported 3.5 million circuits, 
sustained heavy damage. Verizon Wireless lost 10 cellular 
transmitter sites. WorldCom lost service on 200 high-speed 
circuits in the World Trade Center basement. Sprint PCS 
Wireless Network in New York City lost four cells. 
Notwithstanding these losses, the telecom infrastructure 
continued to bring the Nation sound and images of the events, 
summoned emergency vehicles and alerted the military. But the 
wireless disruptions we experienced here in DC, which were also 
experienced in New York, were localized and due to overload. 
Within 1 week after September 11, Verizon restored 1.4 million 
of the 3.5 million circuits it lost. The New York Stock 
Exchange had phone and data service to over 93 percent of its 
15,000 lines when it reopened. Information is vital.
    The L.A. Times recently reported that a new CIA report makes 
clear that U.S. intelligence analysts have become increasingly 
concerned that authorities in Beijing are actively planning to 
damage and disrupt U.S. computer systems through the use of 
Internet hacking and computer viruses. This was in the L.A. 
Times April 25.
    I do not know why this is a surprise to anyone. In 1998 the 
Director of Central Intelligence testified in open session 
before the Committee that several countries, including Russia 
and China, have government-sponsored information warfare 
programs with both offensive and defensive applications. So the 
stakes are very high.
    I look forward to hearing from our witnesses today about 
how we can better protect our Nation's critical infrastructure 
and its citizens. Thank you, Mr. Chairman.
    Chairman Lieberman. Thank you, Senator Thompson. Senator 
Bennett.

              OPENING STATEMENT OF SENATOR BENNETT

    Senator Bennett. Thank you very much, Mr. Chairman. I 
appreciate your courtesy and leadership in holding the hearing. 
We have been talking about this for some time, and I appreciate 
your willingness to raise it to this level.
    I would ask that the record be kept open for a week to 
allow interested parties to submit statements and comments.
    Chairman Lieberman. Without objection, it will be done.
    Senator Bennett. If I may, Mr. Chairman, I would like to 
take a little time to just set the scene, as I see it. And I 
will start out with a chart that shows an interesting quote 
that came on December 27, 2001.\1\ And the quote is being put 
up there, but you and Senator Thompson and Senator Akaka have a 
copy of it. Osama bin Laden says, ``It is very important to 
concentrate on hitting the U.S. economy through all possible 
means . . . look for the key pillars of the U.S. economy. The 
key pillars of the enemy should be struck. . . .'' Making it 
very clear that he is not just talking about bombing buildings 
or symbols. He wants to go after the economy. And, obviously, 
critical infrastructure represents by definition those parts of 
the economy that he would attack.
---------------------------------------------------------------------------
    \1\ Chart with quote from Osama Bin Laden appears in the Appendix 
on page 190.
---------------------------------------------------------------------------
    I am not quite sure of the number. I have used 85 percent. 
Some witnesses say 90 percent of the critical infrastructure in 
this country is owned by the private sector, so that this 
represents a vulnerability different than any we have ever 
faced in warfare before. Always before an enemy would 
concentrate on military targets or production targets that were 
tied to the military. In this case, as Osama bin Laden's quote 
indicates, they are going to go after any aspect of the economy 
that would shut us down. So let us use the more conservative 
number and say 85 percent of the future battlefield is in 
private, not public hands. So if the private sector and the 
government are both targets, they should be talking to each 
other, and they should be talking to each other in ways that 
make the most sense.
    Now, this is not a new issue. If I can go back to a pair of 
charts that were prepared 5 years ago during the Clinton 
Administration by the report of the President's Commission on 
Critical Infrastructure Protection. The first one \2\ has to do 
with this whole question of reporting and disseminating 
information, and the President's Commission, under President 
Clinton, produced this pyramid. And it is a little hard to 
read, so let me walk you through it, Mr. Chairman.
---------------------------------------------------------------------------
    \2\ Chart entitled ``Reporting and Dissemination of Information'' 
appears in the Appendix on page 191.
---------------------------------------------------------------------------
    At the very top of the pyramid are the publicized system 
failures or successful attacks. We would think of this in terms 
of the Nimda attack or the ``I Love You'' virus or other things 
that have caused economic damage, and the reporting and 
dissemination of information about things at the top of the 
pyramid, if you can follow the arrow on the side, is moderate. 
That is, there is a fairly sufficient amount of information. I 
cannot resist commenting something I was taught many years ago 
when it came to chart making, which is ``black on blue you 
never do.'' [Laughter.]
    And someone did not notice that when they drew that black 
arrow.
    Anyway, below that top point of the pyramid, there are 
threats to critical infrastructure that are less well known and 
less well reported, and beneath those there are system 
degradations, information about vulnerabilities that are even 
less well known and less discussed. And then below that where 
you talk about the vulnerabilities of particular systems, comes 
the question of interdependencies where one system may be in 
very good shape but threatened because it is tied to another 
that is not in good shape, and then finally, the area that is 
in the very lowest area of reporting and dissemination are 
those other sources of useful information that would apply to 
this.
    As I was saying, this chart was drawn up during the Clinton 
Administration and is now 5 years old. Neither we in the 
Congress nor the administration have done anything formally 
about this. There has been a great deal of effort put forward 
during the Clinton Administration being carried on almost 
frantically in the Bush Administration. But we in the Congress 
have not responded in any way to try to make the reporting and 
dissemination of information more widespread. We are still 
somewhat contented to concentrate entirely on the tip of the 
pyramid and not look at the things below that.
    Now, one of the reasons for the legislation that I have 
introduced along with Senator Kyl, and we have now picked up 
some other co-sponsors, is to encourage sharing of information 
voluntarily across the entire spectrum, that is the 85 percent 
that is in private hands as well as the 15 percent that is in 
government hands. And, yes, we do want to protect that 
information from a FOIA request, Freedom of Information Act. 
The Freedom of Information Act itself allows this to be done. 
That is, there are provisions in the act that say that 
information need not be shared. But the real focus of the 
legislation we have introduced is simply to sharpen the 
definitions of the areas that are already in the act. We are 
not trying to repeal the act or in any way damage or change its 
major thrust. We simply want to make the definitions that it 
already contains a little clearer with respect to this threat.
    Now, why would we want to protect information from a FOIA 
request? Because if we do not, we will not get it. There are 
private companies who simply will not give us the information 
if they think it is subject to a FOIA request, perhaps because 
they want to protect it from competitors. It is voluntarily 
given. Why should they voluntarily tell their competitors that 
they are under threat?
    Second, they do not want it to be a road map for 
terrorists. Many people do not realize that you do not have to 
be a U.S. citizen to submit a FOIA request. Osama bin Laden 
could find some third party willing to front for him who would 
submit a FOIA request, find out how successful he was being in 
one of his attacks, and the FOIA request therefore could become 
a road map for the terrorists as they seek to be effective in 
their attacks. Also, we want consistency from agency to agency 
and we believe that this legislation will allow that to happen.
    There is another reason why this information should come to 
the government, because the government needs to analyze it to 
determine whether or not the attacks that are coming are real 
attacks or simply coincidence. Once again, a chart \1\ that 
comes out of the Clinton Administration that is 5 years old, 
simply raises the question of whether or not a variety of 
attacks are a pattern coming from a common source or simply 
coincidence. Here on this map are a series of things that could 
happen in the Northwest--9-1-1 suddenly becomes unavailable. In 
my area of the country there is a threat to the water supply. 
In the Midwest there are bomb threats at two buildings. Some 
bridges go down. And FBI phones get jammed. An oil refinery has 
a fire. These things happen simultaneously. Is there a pattern 
that would indicate that they are being caused by some enemy, 
or is it simply coincidence that they are all happening on the 
same day? Without information sharing the government analysts 
who are looking for the possibility of attack simply will not 
know. They will have to guess. And guessing is never a very 
productive kind of thing when you are vulnerable.
---------------------------------------------------------------------------
    \1\ Chart entitled ``Coincidence or Attack?'' appears in the 
Appendix on page 192.
---------------------------------------------------------------------------
    So again this is a chart that is 5 years old, drawn up 
during the Clinton Administration to say we need information 
sharing so that we can determine whether or not this is a 
coincidence or an attack.
    Now, finally if I could put up a chart that I have produced 
that summarizes the position that we are taking with respect to 
this bill.\2\ We believe that there needs to be information 
sharing on the circle on the left of the chart. Within private 
industry people ought to be able to talk to each other. The 
telephone company that is under some kind of cyber attack ought 
to be able to check with somebody in the banking industry to 
see if they are experiencing similar sorts of problems.
---------------------------------------------------------------------------
    \2\ Chart entitled ``Critical Infrastructure Information Security 
Act'' appears in the Appendix on page 193.
---------------------------------------------------------------------------
    Senator Dodd and I introduced legislation with respect to 
the Y2K on exactly this point. And it was passed, and if I may 
say so, the world did not come to an end. There was not a 
shutdown of civil liberties or freedom of information. It was 
simply an opportunity for two industries that are seemingly 
different, but that have the same kinds of computer problems, 
to talk to each other. So we have that circle on the left side 
where people in private industry can talk to each other to say, 
``Gee, my facility is under this kind of cyber pressure. Is 
anything happening in yours that I might know about?'' Then 
comes the arrow at the bottom of the chart where that 
information is shared voluntarily with the U.S. Government. 
Perhaps the most important arrow is the one at the top of the 
chart where the U.S. Government shares back with industry their 
analysis. Harking back to the earlier chart, they can say, 
``No, we see no pattern here. If you have a problem, it is 
probably caused by a disgruntled employee or a private hacker 
that decided you are a target. There is no indication here of a 
major attack.'' Or the information comes back, ``Hey, we have 
analyzed this. What is happening to you in the banking industry 
is similar enough to what is happening in power or other 
utilities, that we think this is a concerted effort being 
mounted by somebody who wishes the entire economy ill.'' It is 
that kind of information sharing and analysis sharing that we 
think will make the entire Nation safer.
    So, Mr. Chairman, I appreciate your willingness to hold the 
hearing. I appreciate your indulgence in allowing me to go on a 
little longer than is normal for an opening statement to 
outline where we are. What I hope we can accomplish in this 
hearing is to determine the degree to which information sharing 
is needed, how the government can get the information that it 
needs from the private sector, how the private sector can get 
analysis and information that it needs from the government, and 
if there are additional barriers to the sharing of information 
that we have not addressed in this legislation that could cause 
us to make changes in it.
    With that, Mr. Chairman, I will participate, obviously, in 
the questioning of the panel, and again, thank you for the 
leadership you have shown in pursuing this issue.
    Chairman Lieberman. Thank you, Senator Bennett. Thanks for 
a thoughtful statement, and incidentally, by Senate standards, 
it was very brief. [Laughter.]
    Senator Akaka, do you have an opening statement?

               OPENING STATEMENT BY SENATOR AKAKA

    Senator Akaka. Thank you very much, Mr. Chairman for 
holding this hearing today on information sharing between the 
private sector and the Federal Government as a part of our 
national strategy to protect our critical infrastructure.
    Such cooperation should be encouraged in order to safeguard 
America's computer systems from devastating cyber attacks, and 
I have listened with interest through the Senator's 
presentation with the charts that shows it so well.
    The interdependency and inter-connectivity of government 
and industry computer networks increase the risks associated 
with cyber terrorism and cyber crimes. Any security weakness 
has the potential of being exploited through the Internet to 
gain unauthorized access to one or more of the connected 
systems. Information sharing can help protect our national 
security and critical infrastructure. The necessary exchange of 
information is furthered through President Clinton's 
presidential decision, Directive 683, which established ISACs, 
Information Sharing and Analysis Centers, to facilitate 
information sharing among private entities. The Directive 
fosters voluntary information sharing by various entities with 
the Federal Government to submit sensitive information that is 
normally not shared to enhance the prevention and detection of 
attacks on critical infrastructures.
    I believe the confidential sharing of information on 
vulnerabilities to the Nation's critical infrastructures is 
necessary. However, we must carefully examine legislation like 
S. 1456, which would make voluntary shared information about 
critical infrastructure security exempt from release under the 
Freedom of Information Act. Exempting this information from 
disclosure might mean that State and local governments would 
not have adequate access to information relating to 
environmental and public health laws like the Clean Air Act. We 
must not provide inadvertent safe harbors for those who violate 
Federal health and safety statutes. I have heard from a number 
of my constituents who believe that measures to ease 
information sharing through a FOIA exemption would bar the 
Federal Government from disclosing information regarding toxic 
spills, fires, explosions, and other accidents without 
obtaining written consent from the company that had the 
accident. States and localities are concerned that other 
proposals would provide companies with immunity from the civil 
consequences of violating, among other things, the Nation's 
environmental, consumer protection and health safety laws. We 
must be careful not to harm the environment inadvertently or 
bar communities from acquiring vital public health information 
by enacting overly broad legislation.
    I look forward, Mr. Chairman, to hearing from our witnesses 
on how to promote information sharing between the Federal 
Government and private sector in a manner that does not turn 
back existing laws and regulations that protect the environment 
or public health. Thank you very much, Mr. Chairman, for 
holding this hearing.
    Chairman Lieberman. Thank you, Senator Akaka.
    We will now go to the first panel which consists of 
representatives of the Executive Branch, the administration. 
Ronald Dick, who is Director of the National Infrastructure 
Protection Center at the FBI; John Malcolm, Deputy Assistant 
Attorney General in the Criminal Division of the Department of 
Justice; and John Tritak, Director of the Critical 
Infrastructure Assurance Office at the Department of Commerce. 
We welcome the three of you.
    There is a light system here. We ask you to try to keep 
your opening statements to 5 minutes. With 1 minute left it 
will go yellow. When it hits red, we are not going to 
physically remove you, but try to bring it to a conclusion.
    I would like to say for the record that the written 
statements that you have submitted to the Committee will be 
printed in full in our record. So we thank you for being here, 
for this very important discussion.
    And, Mr. Dick, why do you not begin?

      TESTIMONY OF RONALD L. DICK,\1\ DIRECTOR, NATIONAL 
      INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF 
                         INVESTIGATION

    Mr. Dick. Good morning Senator Lieberman, Senator Thompson, 
and other Members of the Committee. Thank you for the 
opportunity to discuss our government's important and 
continuing challenges with respect to critical infrastructure 
protection.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Dick appears in the Appendix on 
page 54.
---------------------------------------------------------------------------
    In your invitation to appear before this Committee, you 
asked me to address issues related to information sharing and 
critical infrastructure protection. Because the NIPC is located 
within the FBI, we have access to a great deal of information 
from intelligence sources as well as from criminal 
investigations.
    Only a week ago, our 24 by 7 NIPC watch began receiving 
calls from several of our private sector partners about the 
Klez.h worm. The worm had spread quickly and had the potential 
to affect a number of vulnerable systems by destroying critical 
operating system files. After consulting with our private 
sector partners and within a few hours of the official 
notification, we released an alert which was immediately 
disseminated via E-mail and teletype to a host of government, 
civilian and international agencies. The alert was also posted 
to the NIPC website. This is only the most recent example of 
two-way information sharing and how the private sector works 
with the NIPC.
    The NIPC's InfraGard is an initiative to promote trust and 
information sharing. We have developed InfraGard into the 
largest government-private sector joint partnership for 
infrastructure protection probably in the world. More than half 
of our 4,100 members have joined since I testified before this 
Committee 7 months ago. InfraGard expands direct contacts with 
the private sector infrastructure owners and operators and 
shares information about cyber intrusions and other critical 
infrastructure vulnerabilities through the formation of local 
InfraGard chapters within the jurisdiction of the FBI field 
offices.
    I have created a new unit within the center, whose mission 
includes building trusting relationships with the ISACs that 
had been mentioned earlier that represent critical 
infrastructures. We now have information sharing agreements 
with seven ISACs, including those representing energy, 
telecommunications, information technology, air transportation, 
water supply, food, and chemical sectors. Several more 
agreements are in the final stages. To better share 
information, NIPC officials have met with business, government 
and community leaders across the United States and around the 
world to build the trust required for information sharing. Most 
have been receptive to information sharing and the value of the 
information received from NIPC.
    However, many have expressed reservations due to lack of 
understanding or perhaps confidence in the strength of the 
exceptions found in the Freedom of Information Act. In 
addition, concerns about whether the Justice Department would 
pursue prosecutions at the expense of private sector business 
interests, and finally, simply reluctance to disclose 
proprietary information to any entity beyond their own control 
or beyond the direct control of NIPC.
    The annual Computer Security Institute/FBI Computer Crime 
and Security survey, which was released in April of this year, 
indicated that 90 percent of the respondents detected computer 
security breaches in the last 12 months. Only 34 percent 
reported the intrusions to law enforcement. On the positive 
side, that 34 percent is more than double the 16 percent that 
reported intrusions in 1996. The two primary reasons for not 
making a report were negative publicity and the recognition 
that competitors would or could use the information against 
them if it were released. At the NIPC we continue to seek 
partnerships which promote two-way information sharing. As 
Director Mueller stated in a speech on April 19, ``Our top 
priority is still prevention.'' We can only prevent acts on our 
critical infrastructures by building an intelligence base, 
analyzing that information and providing timely, actionable, 
threat-related products to our private and public sector 
partners.
    As for the Freedom of Information Act, many legal 
authorities have agreed that the Federal Government has the 
ability to protect information from mandatory disclosure under 
the current statutory framework. Indeed, in 1974 Federal courts 
began to hold that FOIA itself anticipates that Federal 
agencies do not have to release private sector commercial or 
financial information if doing so would, ``impair the 
government's ability to obtain necessary information in the 
future.'' And the FBI also has the ability to protect certain 
information provided by the private sector that is compiled for 
law enforcement purposes.
    Nonetheless, the government's ability to protect 
information is of little value if the private sector is 
unwilling to provide that information in the first place. 
Clearly there is room for increasing the private sector's 
confidence level in how we will protect their information from 
public disclosure. Stated more simply, if the private sector 
does not think the law is clear, then by definition it is not 
clear.
    Therefore, we welcome the efforts of your Committee in 
improving information sharing, and I look forward to addressing 
any questions that you may have. Thank you.
    Chairman Lieberman. Thank you, Mr. Dick. Now Mr. Malcolm.

  TESTIMONY OF JOHN G. MALCOLM,\1\ DEPUTY ASSISTANT ATTORNEY 
     GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE

    Mr. Malcolm. Thank you, Senator. Mr. Chairman, Members of 
the Committee, I would like to thank you for this opportunity 
to testify about the Department of Justice's efforts to protect 
our Nation's critical infrastructure and about information 
sharing that is needed and related to its protection. It is 
indeed a privilege for me to appear before you today on this 
extremely important topic and I would commend the Committee for 
holding this hearing.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Malcolm appears in the Appendix 
on page 64.
---------------------------------------------------------------------------
    Since the Committee already has my slightly more lengthy 
written testimony, I will use the brief time that I have in my 
oral statement to outline the nature of the critical 
infrastructure protection, the information sharing problems, 
and the Department's current efforts to combat that problem. It 
is clear to the Department of Justice, as it is to this 
Committee, that information sharing is a serious issue and that 
its complexity presents significant challenges to law 
enforcement.
    The safety of our Nation's critical infrastructure is of 
paramount concern to the Justice Department. As you know, the 
term ``critical infrastructure'' refers to both the physical 
and cyber-based resources that make up the backbone of our 
Nation's telecommunications, energy, transportation, water, 
emergency services, banking and finance, and information 
systems. The problem of ensuring delivery of critical 
infrastructure services is not new. Indeed owners and operators 
of critical infrastructure facilities have been managing risks 
associated with service disruptions for as long as they have 
had those facilities. However, the operational challenges of 
ensuring the delivery of the broad array of services that now 
depend upon the Internet and other information systems is a 
challenge that has grown exponentially in the last several 
years.
    The burgeoning dependence of the United States 
infrastructure on the Internet has exposed vulnerabilities that 
have required the U.S. Government to mount new initiatives, to 
create new Federal entities, to help manage critical 
infrastructure protection efforts, and to seek prevention, 
response, and reconstitution solutions. The safety of our 
Nation is of course our first and foremost overriding 
objective. The Justice Department has been working across 
government to address infrastructure issues for several years. 
However, the attacks of September 11 have heightened our 
awareness of these issues and created a new sense of urgency.
    U.S. infrastructure protection efforts are the shared 
responsibility of many entities, both public and private. Many 
of this joint effort is based upon the principle that a robust 
exchange of information about threats to and actual attacks on 
critical infrastructures is a critical element for successful 
infrastructure protection. The following, of course, are just a 
few of the entities that are dedicated to this principle: The 
National Infrastructure Protection Center, headed up by Mr. 
Dick; the Department of Justice's Computer Crime and 
Intellectual Property Section, which I oversee; the Information 
and Analysis Centers that have been referred to; the Critical 
Infrastructure Assurance Office, Mr. Tritak's shop; Office of 
Homeland Security; and the Federal Computer Incident Response 
Center.
    To better protect critical infrastructures government and 
private sector must work together to communicate risks and 
possible solutions. Acquiring information about potential 
vulnerabilities from the private sector is essential. Doing so 
better equips us to fix deficiencies before attackers can 
exploit them. For example, a vulnerability in an air traffic 
control communication system could allow a cyber attacker to 
crash airplanes. That example is not entirely hypothetical. A 
hacker did indeed bring down the communication system at the 
Worcester, Massachusetts airport in 1997. After he was caught 
and prosecuted, and thankfully no lives were lost, nonetheless 
this is a sobering example.
    If we concentrate our time and energy on remediation of 
terrorist attacks after they have occurred, we have already 
lost. Information is the best friend that we have for both 
prevention and response. And we recognize that we can protect 
the Nation only if the private sector feels free to share 
information with the government. However, industry often is 
reluctant to share information with the Federal Government. One 
reason that they give for not sharing this information is that 
the government may ultimately have to disclose that information 
under the Freedom of Information Act or FOIA. Industry is also 
concerned that sharing information among companies will lead to 
antitrust liability, or that sharing among companies or with 
the government will lead to other civil liabilities such as a 
product liability suit or shareholder suit.
    Without legal protections regarding information needed by 
the government and which they possess in order to safeguard our 
infrastructure, even the most responsible civil-minded 
companies and individuals may hesitate before sharing such 
critical information, fearing that competitors may share that 
information and use it to their advantage. With this in mind, 
both the Senate and the House of Representatives have actively 
considered addressing this issue through legislation, and the 
Department appreciates the efforts of, among others, Senator 
Bennett, a Member of this Committee, for sponsoring such 
legislation.
    Such a corporate good samaritan law would provide the 
necessary legal assurance to those parties willing to 
voluntarily provide sensitive information to the government 
that they would otherwise not provide. The Justice Department 
believes that the sharing of the private sector security 
information on critical infrastructure between the private 
sector entities and the Federal Government will help to avert 
acts that harm or threaten to harm our national security, and 
that this is of the utmost importance. We are prepared to work 
very closely with Congress to pass legislation that provides 
this important legal protection.
    Mr. Chairman, I would again like to thank you for this 
opportunity to testify about our efforts. Citizens are deeply 
concerned about their safety and security of our country, and 
by addressing information sharing Congress will enhance the 
ability of law enforcement to fight cyber crime, terrorism and 
protect our infrastructure. And again, the Department stands 
ready to work with this Committee and with Congress to achieve 
those goals.
    Thank you. That concludes my remarks and I look forward to 
answering your questions.
    Chairman Lieberman. Thanks, Mr. Malcolm. Mr. Tritak.

      TESTIMONY OF JOHN S. TRITAK,\1\ DIRECTOR, CRITICAL 
  INFRASTRUCTURE ASSURANCE OFFICE, U.S. DEPARTMENT OF COMMERCE

    Mr. Tritak. Thank you, Mr. Chairman, Senator Thompson, and 
Senator Bennett. It is an honor to be here today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Tritak appears in the Appendix on 
page 77.
---------------------------------------------------------------------------
    It was not too long ago that national security was 
something that the government did virtually on its own. The 
term ``national economic security'' used to mean largely free 
trade and access to markets and critical materials overseas. 
Now we are confronted with a unique challenge in which we have 
a national security problem the Federal Government cannot solve 
alone. National economic security now literally means defending 
our economy and critical infrastructures from direct attack. As 
Senator Bennett had indicated in his opening remarks, 
terrorists had indicated the economy is a target, and that 
followers have been urged to attack wherever vulnerabilities 
may exist with all means available, both conventional, 
nonconventional, and cyber means.
    Let us be clear what their goal is, too. Their goal is to 
force us to turn inward and to rethink our global commitments 
overseas, especially in the Persian Gulf and the Middle East. 
Securing our homeland today is really a shared responsibility. 
It is protecting our way of life and the core values that we 
cherish. It also is going to require a clarification and maybe, 
in some cases, a redefinition of the respective roles of 
responsibility of government and industry in light of that 
shared responsibility. This is going to require an 
unprecedented level of collaboration, whereby industry must be 
considered and treated as a real partner. Now, I will tell you 
as a government person, that is going to require a cultural 
adjustment on both sides. But we have made it very clear that 
information sharing is an essential element of fostering that 
kind of collaboration, not just for the self interest of the 
companies, but for the public interest. This actually 
constitutes a public good, which is why both the last 
administration and this one have encouraged information sharing 
within the respective infrastructure sectors, because availing 
themselves of that shared information helps them better manage 
the risk that they confront, and sharing between industry and 
government, because there are things that government can bring 
to this equation that industry alone cannot, and together they 
can help address common problems.
    Moreover, information sharing is in fact occurring. There 
have been ISACs, as Ron Dick has mentioned and Senator Bennett 
has mentioned, and information sharing is taking place with the 
Federal Government, but it is clear from everything we have 
heard so far that there is a reluctance on how far that 
information sharing is going to go.
    So I would submit to you that if I had to think through 
this issue in its clearest form, the question is whether the 
current statutory and regulatory environment is conducive to 
supporting a voluntary activity information sharing, which we 
all accept is in the public interest. And I acknowledge, and we 
all acknowledge, that this is not going to be easy because we 
may have public goods that come in conflict from time to time, 
i.e., FOIA exemption versus open government. I do not think we 
are going to solve this problem finally with a passage of 
legislation. Let us be clear, this is not a silver bullet. You 
cannot regulate or legislate trust, which is an essential 
ingredient to information sharing taking place, and you are 
going to hear in the second panel instances where that trust 
has evolved over time and the level of information sharing and 
the quality of that sharing has gone up.
    Some of the newer industries are taking baby steps into 
information sharing, and they may take a little bit of time 
before information sharing in those industries fully matures. 
But what is clear is that if we want to encourage this 
voluntary activity, we need to examine the public policy and 
statutory environment to determine whether or not we are doing 
everything necessary to incentivize and encourage that 
activity. In the absence of a certain level of predictability 
and certainty, there may be an impediment to that kind of 
sharing.
    I want to acknowledge Senator Bennett for the very good 
work that you have been doing, not just since September 11, but 
before September 11, and I think that the attempts at 
addressing the concerns expressed by industry are very 
seriously put forward and in fact are very seriously being 
considered by the administration. I look forward to working 
with you and the Committee, and I would welcome any questions 
you may have. Thank you.
    Chairman Lieberman. Thanks, Mr. Tritak. We will begin the 
questioning. We will have 7-minute rounds since we only have 
three of us here.
    Last September 26, President Bush wrote to Daniel Burnham, 
who is the CEO of Raytheon, but wrote to him in his capacity as 
a leader of the National Security Communications Advisory 
Committee. And in the letter, which was following up on a 
meeting, the President says, ``My administration is committed 
to working in partnership with the private sector to secure 
America's critical infrastructure, including protecting 
information the private sector provides voluntarily to the 
Federal Government in support of critical infrastructure 
protection. Accordingly, I support a narrowly-drafted 
exception to the Freedom of Information Act to protect 
information about corporations' and other organizations' 
vulnerabilities to information warfare and malicious hacking.''
    So I guess I will begin by directing it to you, Mr. 
Malcolm. What, if anything, has the administration done to 
develop the policy that the President stated in this letter, 
and more particularly, since the President said he supported a 
narrowly-drafted exception, what are the parameters, if you are 
at a point where you can say so, of what that narrowly-drafted 
exception might be?
    Mr. Malcolm. Sure. Senator, this is, of course, an evolving 
process, and there are several bills--Davis-Moran, Bennett-
Kyl--that are pending and that are being evaluated by the 
administration. The administration likes a number of ideas that 
are in both pieces of legislation, probably prefers some of the 
elements of Bennett-Kyl for reasons that I will be happy to 
discuss with you. Nonetheless, I think it is safe to say that 
the administration has some concerns with all of the bills that 
are pending and is working to try and massage those into what 
the Executive Branch would consider a best practices bill.
    A number of the elements that had been discussed in terms 
of crafting a definition of critical infrastructure information 
that is both large enough to get the information that the 
government needs to protect our critical infrastructure, while 
at the same token not being so large that it protects from 
public disclosure in the open government aspects of FOIA, 
protects being an over broad definition that just covers 
everything. The principle though of coming up with a FOIA 
exemption the administration believes to be a good one because, 
as Senator Bennett has pointed out, 85 to 90 percent of the 
critical infrastructure that is out there is owned and operated 
by the private sector. The government needs to have that 
information so that it can assess vulnerabilities and share 
appropriate information back, and they are not currently 
providing it. They are to InfraGard to some degree, but we need 
more, so there has to be a way to bridge that gap. And if a 
FOIA exemption, narrowly crafted, is the way to go, that is 
fine, whatever it takes to bridge that gap.
    Chairman Lieberman. Would you discuss, if you are prepared 
to, what some of the pluses and minuses are that you see in the 
various bills, which I suppose would help us understand, at 
this point, what ``narrow'' means here.
    Mr. Malcolm. I think that is fine. Again, without getting 
into the specifics of each legislation, I know that both pieces 
of legislation, for instance, have an antitrust exemption. The 
Executive Branch of the administration has traditionally taken 
the approach that an antitrust exemption is unnecessary, that a 
business review letter suffices.
    However, that having been said, we are still studying that 
aspect of these bills. There are provisions in both bills about 
the use to which the government can put voluntarily-obtained 
information. Davis-Moran, for instance, I believe, prohibits 
the use by the government, both direct use and indirect use, of 
that information. Bennett-Kyl, I believe, talks about a 
prohibition in terms of direct use without getting consent. The 
administration has some concerns about those provisions in 
terms of what it might do to hamper government criminal and 
civil enforcement efforts, some of the concerns that Senator 
Akaka addressed. For instance, the administration would want to 
make sure that any information provided to the United States 
could be used by the government for a criminal enforcement act.
    There are incentives that are in departmental policies of 
long standing that we believe provide adequate incentives to 
turn over that information, and we are afraid that anything 
that is broad could allow for a document dump. It could allow 
for industry to just turn over information and the government 
would not be able to enforce its criminal laws or its civil 
laws. It has a similar concern in terms of prohibitions on 
direct or indirect use in terms of civil enforcement actions. 
We would probably prefer something a little more narrowly 
crafted in the sense that it would not tie the government's 
hands in either civil or criminal enforcement actions with 
respect to the information that it obtains. That is an idea of 
the direction where we are going, so we have the same concerns 
that Senator Akaka has about not wanting to protect too much 
information while at the same time giving the government the 
ability to engage in criminal and civil enforcement actions 
where appropriate.
    Chairman Lieberman. OK. That is a helpful response. 
Obviously, there is a lot of detail to it, Mr. Tritak, as we go 
along. Do you have any sense of timing as to when the 
administration would be in a position to either propose 
specific legislation or comment in detail on the proposals that 
are before us?
    Mr. Tritak. I do not, Senator. I know that is a very 
pressing issue. We are aware that you want to act now on this 
matter. We want you to act on this issue, and we want to strike 
while the iron is hot, so I will certainly relay your concerns 
about the timing and get back to you.
    Chairman Lieberman. I appreciate that. Mr. Tritak, you 
talked about trust, which I agree with you, it is a very 
important element here in that the kind of exemption we are 
talking about could create a foundation of trust that sensitive 
information shared with the government will be secured. I want 
to ask you to talk for a moment about two aspects of that. The 
first is, just for the record, on what basis you conclude that 
a new FOIA exemption could actually make a significant 
contribution to information sharing. And as part of that, if 
you would consider what one of the witnesses, by submitted 
testimony, will say on the second panel, which is some 
skepticism that all information that the government would want 
to have will in fact be shared by the private sector, even with 
a FOIA exemption, because of concern about the proprietary, 
private, etc. nature of it.
    Mr. Tritak. I would be happy to. Senator, first I will talk 
to the first question--about what would it actually do. We have 
to take into account that, for example, with the FOIA laws, 
they predate this problem. They were on the books long before 
this issue of information sharing to advance critical 
infrastructure protection came up.
    Chairman Lieberman. Right.
    Mr. Tritak. We have been trying to encourage industry to 
take proactive voluntary steps to do things they are not 
required to do right now. The clarifying of FOIA, and I think 
what Senator Bennett said is exactly the right way, you could 
approach in one of two ways. You can say that the current 
environment, if you are very careful and you watch out, the 
existing exemptions will cover any concerns that may arise 
regarding FOIA, not to worry.
    The response we have usually heard in those instances was, 
``Well, but that makes us have to second guess our actions. 
That makes us have to second guess what we are trying to do 
here.'' And also to be clear, the kind of legislation we are 
looking at and the kind of trust we are trying to create must 
take place in a dynamic environment. It is not a set piece 
exchange where you take a piece of information, you hand it 
over, it gets considered, and it comes back. Information must 
flow all the time and at different levels. You cannot stop the 
process for every little bit of information to determine whether 
it is covered under FOIA. It is very interesting that you 
should mention the NSCAC as the letter for the President 
because in fact they have had 20 years of information sharing. 
And the idea here is, is that companies believe more can be 
done if this environment is more clear and predictable in terms 
of the complication of FOIA.
    Now, I think Ron would attest that when it comes to an 
actual event, an incident in real time, there is a lot of 
sharing that goes on. What we are trying to do here is 
encourage proactive sharing before incidents occur and in a 
dynamic setting so that companies will actually take preventive 
and proactive measures. And so I think that is what the trust, 
along with the right legislative framework, will foster.
    In terms of the skepticism, I want to make very clear, as I 
said before, that FOIA alone is not going to be the silver 
bullet to information sharing. You are not going to get an 
avalanche of information being shared with the government just 
because you have this bill piece. What it does, in my judgment, 
is create an environment that is conducive to that kind of 
sharing and send a signal to industry that, if you engage in 
this kind of activity, you will be protected against certain 
types of disclosures.
    Chairman Lieberman. Thanks, Mr. Tritak, I appreciate your 
answer.
    Senator Thompson and I are smiling because, I do not know 
whether it is the quality of your answer or staff deference to 
the Chairman, but the time available to me seems to be growing 
instead of shrinking. [Laughter.]
    Senator Thompson. It is the power of the Chair.
    Chairman Lieberman. Must be. But I am going to have to 
declare that my time is over, and yield to Senator Thompson.
    Senator Thompson. Thank you very much, Mr. Chairman.
    I think that a valid distinction to make here is that under 
FOIA as it exists, although the government may be able to 
withhold certain information that we are talking about here, it 
is discretionary with the government, and the distinction 
between that and this bill would be that it would be mandatory. 
Is that a valid distinction to make, it would be incumbent upon 
the government to withhold it and would have no discretion?
    Mr. Malcolm. My understanding, Senator, is that there is 
some discretion in FOIA as it currently exists except as it 
pertains to trade secrets.
    Senator Thompson. OK. I think that, Mr. Malcolm, it seems 
to me like you are on the right track and asking the right 
questions about this. Many of us are not as steeped in this 
subject as Senator Bennett and some others are. But in looking 
at it I would think that the first thing that you--although 
clearly we need to do something in this direction if it is 
going to help. One of the first things that you would want to 
look at is whether or not it would allow a company that perhaps 
is in a little trouble and sees some vulnerability, to protect 
itself just strictly for the purpose of protecting itself to do 
the document dump.
    Mr. Malcolm. Right.
    Senator Thompson. And the definitions, as they are 
currently drafted, provides protection of sharing of 
information concerning critical infrastructure which it defines 
as physical and cyber-based systems and services essential to 
the national defense, government or economy of the United 
States, including systems essential for telecommunications, 
electric, oil, gas, etc. It seems to me like this is very broad 
language and could cover anything from farming to automobile 
production. And the question would be whether or not if a 
company was doing a very poor job, deliberately doing a very 
poor job to save money and protecting its critical 
infrastructure, and it saw there were some rumblings out there 
concerning civil lawsuits or the government beginning to take a 
look at it, it could get a bunch of stuff to you in a hurry and 
totally protect itself, and keep you, for example, from 
conducting a civil action against them. I would think that 
would be something that nobody would want, and I am not sure 
how you address that, but I think you are asking the right 
questions, and that is something that should be addressed.
    In addition, we are operating under the assumption here--
and I assume we will get more of this from the next panel--that 
information is really being withheld. I think it is important 
to create a public record for a need for this bill. It stands 
to reason logically that if there is some vulnerability out 
there and sharing information, that it is less likely to be 
shared, but do you really hear instances from industry or 
others where they are saying that they are really restrained 
somewhat or afraid to share information for the reasons that we 
have discussed, any of you?
    Mr. Tritak. Well, I will just speak for myself. I have been 
told that precisely, particularly when you are talking about 
potential systemic problems and vulnerabilities--that there is 
a real reluctance to share information about those things 
without better understanding about whether or not you will be 
protected under FOIA. We are hearing this across a number of 
sectors.
    Mr. Dick. Where this comes into play, as was mentioned, 
when we get into a crisis like with Code Red or Nimda or any of 
those, the private sector comes forward very, very willingly.
    Where I think the enhancements need to occur is from the 
predictive and strategic components, wherein information is 
shared on a routine basis so that we can be out in front, if 
you will, of the vulnerabilities so as to share with the 
private sector what actionable things they can do to prevent 
them from becoming victims, and that is the kind of thing that 
needs to occur on a daily basis.
    For example, during the events of September 11, one of the 
things that we did very routinely with the Information Sharing 
and Analysis Center is share physical threat information. We 
did that for two reasons. One, obviously, is prevention and 
protection, but two, as we got threats, let us say to the oil 
and gas industry, only the oil and gas industry experts know 
that industry from an expert level so as to assess, well, is 
the threat as described even viable to the oil and gas 
industry, so as to determine is it a valid threat? So we have 
to have the ability to share at times even classified 
information to the private sector to assess that threat and 
then determine what are the right actions to be taken.
    Senator Thompson. Right.
    Mr. Malcolm. Senator, if I may, I just think it is fair to 
say that to some degree we do not know what we do not know. We 
need to know it and we need to know it now. Obviously, 85 to 90 
percent of the critical infrastructure is owned and operated by 
private sector. When threats happen or when incidents happen, 
all of a sudden information which the government did not know 
about comes forth. We need to have that information now so that 
we can deal with it prophylactically and have that information 
at hand if, God forbid, it does happen, to track down these 
perpetrators quickly before they repeat their act.
    Senator Thompson. One of the critical parts of all of this 
is private industry cooperation with each other. The bill 
addresses the antitrust aspect of it. And I am wondering 
whether or not, even if that is taken care of, that there will 
still be a concern from a competitive standpoint with regard to 
industry sharing information with each other, they would be 
allowed to do that. The government may not come down on them 
for that, but does that in any way--of course this bill, I do 
not think, addresses that and perhaps cannot. I am just 
thinking from a practical standpoint that we still have a 
problem. I think that was a part of the Presidential Directive 
63, trying to get industry to work with each other and the 
government working with industry, etc. It looks to me like this 
would still be a concern there in the private industry with 
sharing information one company with another strictly from a 
competitive standpoint. Do you have any thoughts on that at 
all?
    Mr. Dick. Senator, it is a valid concern. It is one we hear 
fairly routinely, particularly in the information technology 
arena. However, I think what is--as I talked about in my 
statement, you see with the number of Information Sharing and 
Analysis Centers that are being created, with the amount of 
information that is being shared internally within those 
organizations. There is a building of trust, as Mr. Malcolm 
talked about and I talked about too, amongst them. That does 
not happen overnight, and as was indicated earlier, you are not 
going to legislate that. Only with time and experience, and 
that there is value added to the bottom line of these companies 
through sharing information and reducing the threat is that 
going to come to fruition. But I think there are very positive 
first steps that we have made and this Committee can make, by 
providing the assurances to the private sector that we will 
minimize the harm that could occur.
    Mr. Malcolm. Senator, if I may answer your question 
briefly, I think that even if you had an antitrust exemption, 
that is not going to do away with antitrust lawsuits. I mean it 
is going to then be a question of did the competitors who sat 
down in the room together extend beyond the bounds of the 
information that they were supposed to discuss?
    Senator Thompson. If they only did the things that the 
exemption provides them with in this bill, they would not have 
had any antitrust problem anyway.
    Mr. Malcolm. That is right, and that is, again, when we 
talked about ways in which we are looking at this possibly 
narrowing it, again, these issues have been dealt with in the 
past. There is a business review letter once the government has 
issued a business review letter, which it can in particular 
circumstances actually do fairly quickly. There has never been 
an enforcement or antitrust action brought following the 
issuance of a business review letter, and I think that it might 
provide some protection on the margins in terms of people 
feeling comfortable walking into a room together, but in terms 
of whether they extend beyond the bounds of just talking about 
critical infrastructure information and getting to pricing and 
whatnot, that is still going to lead to allegations and 
possible lawsuits.
    Senator Thompson. Thank you very much.
    Chairman Lieberman. Thanks, Senator Thompson. Senator 
Carper.

              OPENING STATEMENT OF SENATOR CARPER

    Senator Carper. Thanks, Mr. Chairman. Good morning.
    Chairman Lieberman. Good morning.
    Senator Carper. To our witnesses and guests, thanks for 
coming this morning. It is my third Committee hearing I have 
been to, so I apologize for missing most of what you said. I 
just arrived when Senator Lieberman was questioning you during 
his first hour of questioning. [Laughter.]
    I think you have some comments on legislation that maybe 
Senator Bennett has introduced, and I am not aware of what you 
had to say about it. Do you have anything positive that you 
might share with us about the legislation that he has 
introduced, just each of you?
    Mr. Malcolm. Specifically about Senator Bennett's 
legislation, the fact that he has not charged across the desk 
and at me I think is indicative of the fact that we have said 
some very positive things about the legislation.
    Senator Carper. Just share a couple of thoughts you had 
with me.
    Mr. Malcolm. Certainly. It provides, for instance, with the 
government to be able to use independently obtained information 
without restriction, certainly in terms of not prohibiting the 
government's use of indirectly or derivatively obtained 
information in a criminal or civil enforcement action. That is 
a very good thing. I did take some issuance with Senator 
Bennett in terms of saying that perhaps even a direct 
preclusion by the government in terms of the use of information 
might not be in order, but nonetheless, in terms of a thrust of 
bridging the gap between private industry and the government in 
terms of getting that information, we are well down the road 
and in the right direction with Bennett-Kyl.
    Senator Carper. Anyone else? Mr. Dick, do you have any 
thoughts?
    Mr. Dick. We have had a number of discussions, my staff 
with Senator Bennett's staff, and are well aware of the 
legislation, and frankly, are supportive of many aspects of it. 
As I talked about in my opening statement, we believe that 
there are sufficient provisions in the FOIA now to protect 
information that is provided to us. But it really does not 
matter. If the private sector does not believe it, and does not 
feel comfortable with it, then we need to provide them those 
assurances that make them feel that a partnership with the 
government is worthwhile and is value added to them, and 
Senator Bennett's bill as a whole does that.
    Senator Carper. Any changes you would recommend that we 
might consider in his legislation? We are usually reluctant to 
try to amend his legislation, but maybe one or two.
    Mr. Dick. I would defer back to my esteemed colleague, Mr. 
Malcolm, with the Department of Justice in that regard.
    Mr. Malcolm. Well, one of them I have discussed already, 
Senator Carper, which has to do with direct use by the 
government in a civil enforcement action. I think that that 
ties the government's hands inappropriately, but I am pleased 
to see that it is a direct use prohibition and not an indirect 
use prohibition.
    Certainly if we are going to tie the government's hands at 
all, I would prefer seeing, say, a provision in there that 
allows an agency head to designate which section of an agency 
is to receive this voluntary information so that other branches 
of the government can pursue whatever leads it wants to, and 
use any information that it obtains in a full and unfettered 
measure. Again, independently obtained information is in there. 
I forget whether Bennett-Kyl has a requirement that the company 
said that it is voluntarily providing this information and 
intends for it to be confidential, but I think that is a good 
thing.
    As I recall, Bennett-Kyl, although I may be getting my 
bills confused, allows for oral submissions to get FOIA 
protection from the administration's perspective. Again, while 
we are still mulling this over, I think, to use a non-legal 
term, it is a little bit loosey-goosey in terms of it does not 
make clear what information we are talking about, how it is to 
be provided, and certainly the administration would prefer to 
see something in which any oral submission were reduced to 
writing. Those are just a few things.
    Senator Carper. All right, thanks.
    Mr. Tritak, tell us a little bit about your wife.
    Mr. Tritak. I am not sure she is here.
    Senator Carper. She is not. I do not see her. I do not know 
if my colleagues know this, but whenever----
    Chairman Lieberman. You have a right of privacy, Mr. 
Tritak. [Laughter.]
    Senator Carper. No, I think he surrendered that. When the 
roll is called, not up yonder but in the Senate, there are a 
couple of roll clerks who call the roll, and among the people 
who do that are Mr. Tritak's wife. Katie, right?
    Mr. Tritak. Katie.
    Senator Carper. And then while I was presiding yesterday, 
she mentioned to me, she says, ``My husband is going to''--I 
said, ``Is this your first husband, Katie?'' [Laughter.]
    She said, ``He is going to be testifying tomorrow before 
your Committee.'' And I said I would be sure to remember to 
thank you for sharing your wife with us. She does a great job. 
She keeps us all straight and on a very short leash. It is very 
nice to meet you.
    Let me just ask you a question, and I do not care who 
really jumps into this one, but take a minute and tell us how 
you work together, how do your agencies work together in the 
information sharing program?
    Mr. Tritak. I would like to actually restate that. We have 
very clear roles and responsibilities and I would say that our 
working relationship has actually been quite excellent over the 
last few years. Mr. Dick and I probably talk at least once a 
week.
    My own role generally, although not in particular detail, 
is to try to focus on the front end of getting industry to see 
this as a business case. We have been talking about this as a 
national security issue. I actually think there is a business 
case. I think it is a matter of corporate governance. I think 
this is something that is important for them in terms of their 
own self interest as well as the interest of the Nation. And 
the extent to which we can translate the homeland security 
proposition into a business case, I think we begin to advance 
greater corporate action. There is a lot of corporate 
citizenship that you are seeing now. There is a lot of 
``wanting to do the right thing,'' but it is also helpful to 
understand that this can actually affect the bottom line. This 
is actually something that advances and is in the interest of 
their shareholders, as well in their industry, in general.
    Having achieved that, my goal is frankly to find 
``clients'' for Ron Dick, who then picks up that case and 
develops the operational relationships in terms of the 
specifics of information sharing, working with the lead 
agencies, working with the ISACs who you will hear from in a 
few minutes. So I think that is how I certainly see the matter.
    Mr. Dick. Continuing on with that theme, with the recent 
Executive Order by President Bush and the creation of the 
President's Critical Infrastructure Protection Board under Dick 
Clark has even further solidified that spirit of cooperation 
within the government. The intent of the board creation, in my 
estimation, is to raise the level of security and insofar as 
the government systems are concerned from the CIO level 
actually to the heads of the agencies themselves. And the 
intent of the board is to make the government, if you will, if 
possible, a model to the private sector as to how information 
security should occur as well as information should be shared 
amongst agencies. We have created a number of committees. I am 
on the board and chair of a couple of them, insofar as working 
within the government and with the private sector to develop 
contingency plans as to how we will respond to an incident.
    Frankly, having been in this town for a number of years 
myself, the environment and the people that are heading up this 
effort are truly unique insofar as our willingness to move the 
ball forward, if you will. And the private sector, in my 
estimation, through Harris Miller and some of the others, Alan 
Paller, are frankly coming out front, too, to try and figure 
this out.
    Mr. Malcolm. I have nothing really to add, Senator, other 
than, for instance, the attorneys that I oversee in the 
Computer Crime and Intellectual Property Section have daily, 
sometimes hourly contact with the National Infrastructure 
Protection Center, and then also through dealing on various 
subcommittees with the President's Critical Infrastructure 
Protection Board we also have dealings with Mr. Tritak's shop 
among others. So it works well within government.
    Senator Carper. Well, that is encouraging. Thank you for 
sharing that with us.
    Mr. Chairman, if my time had not expired, I would ask Mr. 
Dick and Mr. Malcolm to report on their wives as well. 
[Laughter.]
    Chairman Lieberman. They and I are happy that your time has 
expired. [Laughter.]
    Senator Carper. I would say to Mr. Tritak, it is a 
privilege serving with your wife, and we are grateful for that 
opportunity and for the testimony of each of you today. Thank 
you.
    Chairman Lieberman. I think we can all agree on that. 
Thanks, Senator Carper. Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman. If I can just put 
a slight historical note here. Mr. Malcolm, considering the 
initial reaction of the Justice Department to my bill and your 
comments here, I can say to my colleagues that we have moved a 
long way. [Laughter.]
    Because the initial reaction was not only no, but no, on 
just about everything, and I am grateful to you and your 
colleagues at the Department, that you have been willing to 
enter into a dialog and we have been able to move to the point 
where you are able to make the statements that you have been 
making here. I think it demonstrates great progress. And I come 
back to a comment that Mr. Tritak made, which I think 
summarizes very clearly the problem we have here, when he says 
this is going to require a significant cultural adjustment on 
both sides. We have had grow up in this country the 
adversarial, if you will, relationship between government and 
industry. Maybe it comes from the legal world where everything 
is decided by advocates on two sides who fight it out and then 
presumably the truth comes as a result of this clash.
    This is not something that lends itself to the adversarial 
attitude. This is something that requires a complete cultural 
adjustment. Industry automatically assumes that anything they 
share with the government will be used against them. There is 
an unspoken Miranda attitude that anything I tell the Feds, 
they are going to turn around, even if it is totally benign, 
they are going to look for some way for some regulator to find 
me or damage me in some other way. And some regulators have the 
attitude, unfortunately, that anybody who goes into business in 
the first place is automatically morally suspect, that if they 
had real morals they would teach. [Laughter.]
    Or come to work for the government. And we have got to 
break down those cultural attitudes on both sides and 
recognize, as this hearing has, that our country is under 
threat here, and people who wish us ill will take advantage of 
the seams that are created by these cultural attitudes, and we 
have got to see to it that our protection of our critical 
infrastructure becomes truly seamless between government and 
industry, and there is an attitude of trust for sharing of 
information.
    Now, let me get directly to the issue that Senator Thompson 
raised with you, Mr. Malcolm. Do you see anything in my bill 
that would allow someone to deliberately break the law and then 
try to cover that by some kind of document dump?
    Mr. Malcolm. Well, I will answer your question this way, 
Senator--and I am not meaning to be evasive--I believe the 
intent of your bill, for instance, is not to preclude the 
government from using the information in terms of a criminal 
prosecution, although I believe that intent, assuming that is 
your intent, should be spelled out perhaps a little tighter. 
But assuming that is your intent, that any information provided 
voluntarily or otherwise to the government they can direct use 
of it, derivative use of it in terms of a criminal prosecution, 
then the answer to your question will be no.
    In terms of a civil enforcement action--and of course there 
are many elements that go into a criminal prosecution which may 
or may not be appropriate. Sometimes you want to take, say, 
environmental cleanup efforts or any civil enforcement action 
that is not a criminal prosecution, there is nothing in your 
bill that I see that prevents that action from going forward. 
There are things in the bill that make such an action more 
difficult in terms of precluding direct use of the information 
that is voluntarily submitted, and of course, that does leave 
it to a court to determine when you cross the line between 
direct use and indirect or derivative use. So there is some 
gray area on the margins of what the term ``direct use'' means, 
so it is possible that a company say could be negligent in its 
maintenance or manufacture of some component that deals with 
critical infrastructure could get some noise out there that 
something bad is about to happen that might subject the company 
to civil liability, could do a document dump on the government, 
and the government would be circumscribed to some degree in 
terms of its ability to use that information in a civil 
enforcement action.
    Senator Bennett. Not being a prosecutor and not being 
burdened with a legal education---- [Laughter.]
    My common sense reaction would be if we were getting--I put 
myself now in the position of the government. If we were 
getting a pattern of information from an industry, say a dozen 
different companies were saying, ``This is what is happening, 
this is what is happening, and so on,'' and one company does a 
document dump in which there is an indication that something is 
wrong with their maintenance, it would seem to me, if I were 
sitting in that situation, here is a red flag that these people 
are not giving us legitimate information for legitimate 
purposes. These people have something serious in mind that they 
are trying to protect and would make me examine their 
submission far more than I otherwise would. If I were the CEO 
of a company, and I have been, and somebody in my legal 
department were to come and say, ``Hey, we can cover this. This 
is what we would do.'' In the first place, I would not tolerate 
that in any company that I was running, but if someone were to 
come to me with that idea that this is how we are going to 
cover this, I would say, ``You are up in the night here, this 
is crazy. Fix the problem. Disclose what we need to disclose to 
help deal with the critical infrastructure thing, but do not 
think that the Feds are stupid enough to overlook what you are 
trying to cover here.''
    But that having been said, obviously we have the intention 
you are imputing to us. We do not want, under any circumstances 
to say that the sharing of information with the government will 
provide cover for illegal activity or that it will provide 
cover that somebody in a civil suit could not file a legitimate 
subpoena for that information.
    Mr. Malcolm. The only thing that I am saying, Senator, and 
we are not really disagreeing with each other, we are certainly 
four-square together with respect to a criminal prosecution. 
With respect to a civil enforcement action, if you assume you 
are in the perspective of the government and the evidence has 
been dumped upon you, if you have say a bad faith exclusion for 
dumping documents, that puts you into the difficult position of 
having an evidentiary hearing of sorts to determine what was in 
the minds of the people who dumped the documents. Were they 
doing this in bad faith because they realized that their 
vulnerabilities that were of their own making were about to 
come to light? Or were they dumping it because they realized 
that they had these vulnerabilities, whether they should have 
fixed them or not fixed them. That could harm the government 
and harm the citizenry. Those are evidentiary issues.
    All I am saying, in terms of impeding an effort, is if you 
are in the position of the government and you receive this 
information, and it is now not FOIA-able, because this now fits 
within an exemption, so you are largely relying on the 
government to take an appropriate civil remedial action, there 
are constraints within the bill that you drafted as to what you 
can do with that information and how far the direct use extends 
into information we get. I am not saying it is not doable, 
because for example, in the hypothetical that you used, you 
said, well, there are other companies out there that are making 
rumblings about what bad company is doing. Well, if you get the 
information from those other companies, it is independently 
derived, you are in the clear. But if the crux of the 
information that you have received is from a company that has 
done the document dump, you then are in the area of trying to 
figure out or have a judge figure out what motivated the 
company in terms of making that submission, and you are also in 
the area in terms of saying to what use can you put the 
information that has been provided, and again, it is our belief 
that there are already benefits that a company can get by 
providing the information. There is a policy that gives 
favorable consideration for voluntary disclosures in terms of 
criminal prosecution and civil enforcement actions. That should 
be enough, and that the government's hands should not be tied 
in terms of taking appropriate civil enforcement actions, 
particularly since that information is not going to be FOIA-
able and will probably be protected from other civil lawsuits 
by private organizations.
    Senator Bennett. If I can just very quickly, Mr. Chairman, 
on this whole question of a cultural attitude change, it may 
very well be that the very thing that the head of Homeland 
Security of the Department of Defense needs to know in the face 
of an attack is the particular vulnerability that this one 
company might otherwise not disclose. So I am very sympathetic 
to what you are saying about the need to see to it that people 
do not get off the hook, but let us not lose sight in our 
effort to hang onto that, of the possibility that a terrorist 
has discovered that this company is the most vulnerable because 
of bad maintenance or whatever, and is moving in that 
direction. And if the government does not get that information, 
we could all be sitting here looking at each other after an 
attack, saying, ``Gee, we wish we had paid equal attention.''
    Thank you very much.
    Chairman Lieberman. Thank you, Senator Bennett.
    This is an important line of questioning, and before we 
move on to the next panel, I want to just take it one step 
further, and in fairness give my colleagues an opportunity to 
ask another question also. And this is about the effect on the 
regulatory process--we have talked about civil and criminal 
actions--both the authority of the government and the 
responsibility of private entities under the regulatory 
process. So I would guess we will hear on the second panel a 
concern that has been expressed by the environmental community 
about what an exemption under FOIA as proposed by Senator 
Bennett's legislation would do to a company's obligations under 
the right-to-know laws, where they are providing information 
about environmental health or safety risks and problems, and 
then that information is made available by the government to 
the public. There are concerns that the exemptions granted here 
might give the companies a ground for withholding some of the 
information that otherwise would be public. Similarly, there is 
a concern that if a company voluntarily submits the 
information, receives a FOIA exemption, and then the government 
decides--perhaps the Justice Department--that the information 
should be considered for instance in deciding whether to grant 
a permit, an environmental permit or some other permit for the 
facility, whether the information has to continue to be kept 
secret.
    So my question would be whether you think that those fears 
are justified, and if so, is there a way to handle them in this 
legislation?
    Mr. Malcolm. That is an excellent question, Senator, and in 
part you are going beyond my ken of expertise, but I will 
answer it as best I can. And this goes back actually to the 
point that Senator Bennett just made at the end, which is that 
we are trying to come up with a fine balancing act that 
incentivizes companies to give over this information which is 
desperately and vitally needed by the United States, while at 
the same time not giving them an ability to, if you will, hide 
their misdeeds and to get away. And this is a balancing act.
    In terms of the first part of your question, which I took 
to mean that, gee, if we were to create such an exemption, that 
would give a company an excuse to withhold information that it 
otherwise----
    Chairman Lieberman. That they would otherwise have to make 
public under right-to-know laws.
    Mr. Malcolm. While I would like to give that matter more 
thought and perhaps my answer might change, I will say at the 
risk of shooting from the hip, that I think that concern is 
probably somewhat exaggerated for two reasons, which is, one 
any exemption that would be created here I do not believe would 
take precedence or in any way overrule any other requirements 
that the company might have. So if it is required under some 
other regulation to put forth information, I do not think that 
the company could all of a sudden come back and say, well, I do 
not have to comply with that regulation because of this FOIA 
exemption.
    As well, with respect to private parties' abilities to 
obtain information, I think we need to be clear, one, this is 
information nobody would have had but for the voluntary 
disclosure, and two, it only prevents private parties from one 
avenue of getting this information, and that is through a FOIA 
request. It is not taking precedence in any way of any other 
avenue that civil litigants or interested parties have at their 
disposal and use frequently to great effect to get information 
from private industry. It is just saying that among your 
arsenal of ways of obtaining information, this quiver is being 
taken out of your arsenal.
    Now, you had a second part to your question which dealt 
with any possible effects on, if a voluntary disclosure is made 
in terms of the government's ability to share that information 
in a regulatory environment, and I am afraid, Senator, that 
really is sort of beyond my expertise.
    Chairman Lieberman. I understand. I would ask you to think 
about that, and I appreciate your answer to the first part, and 
as the administration formulates its exact or detailed position 
on this question, I hope you will keep it in mind that it may 
be that we can handle this with a simple explicit reassurance 
in the legislation that there is no intention here to override 
any other responsibilities that anyone otherwise would have had 
under other laws.
    Do any of my colleagues wish to ask another question of 
this panel?
    Senator Thompson. Mr. Chairman, along that line, it would 
seem--I am looking at a summary of the bill here that says the 
voluntarily shared information can only be used for the 
purposes of this act. And so I would assume that the purposes 
of this act would not include environmental enforcement or 
anything like that. And without written consent, cannot be used 
by any Federal, State or local authority, or any third party in 
any civil action. So I think, as you indicated, there is 
nothing in here that would prohibit using the very information 
the company gives you to carry out a criminal action against 
the company. So you can use the information in a criminal 
proceeding, I would assume, although you have got to have some 
company lawyer assuring the boss that there is no criminal 
exposure when they turn that information over, a little 
practical matter there. But assuming they do, you can use it 
directly.
    And in a civil action you can use information derived from 
other sources. You just cannot use the information that the 
particular company sent you. But then you would have to carry 
the burden of proving that you are basing your enforcement 
action on that other material and not this particular 
information this company sent you. Somewhat like when a Federal 
prosecutor gets into sometimes when we have hearings, and he 
has to prove that he is building his case based on things other 
than what was on national television every night for a week, 
and he did not get any information there that he used. There is 
no fruit of the poisonous tree and all that. So there are some 
practical impediments there.
    But getting back to what Senator Bennett said we should not 
forget that what we are doing here is pretty important and 
there are some tradeoffs, it seems to me. There is no way that 
we can avoid some potentially, not the best kind of result. If 
you have got a company that is supposed to be running a nuclear 
reactor and they are doing a shoddy job of it, is it not best 
maybe that we know they are doing a shoddy job of it, even if 
nobody can sue them? [Laughter.]
    On the other hand, what if they persist in doing a shoddy 
job and refuse to do anything about it; what does that leave 
you?
    I think you are on the right track. You are asking the 
right questions, and I think that hopefully we will wisely make 
those tradeoffs. Thank you.
    Chairman Lieberman. Thanks, Senator Thompson.
    Senator Carper, do you have another question?
    Senator Carper. I think I have done enough damage with this 
panel. Thank you. [Laughter.]
    Chairman Lieberman. Senator Bennett.
    Senator Bennett. Well, I think this has been a very useful 
discussion, and certainly we stand ready to make the kinds of 
clarifications Mr. Malcolm is talking about, because it was 
never the intent and never should be, that this desire to get 
information should be used in any way to cover any illegal or 
improper activity. But the one thing that I want to stress one 
more time that has already been mentioned, but just to make 
sure we do not lose sight of it, without the passage of some 
legislation along the lines that I have proposed, in all 
probability the information that we are talking about will not 
be available to anybody anyway. We are not talking about 
something that is a new protection because the ultimate 
protection, absent our legislation, is the lawyer and the CEO 
sitting down and saying, ``We are not going to tell anybody 
about any of this, so that nobody knows. The government does 
not know. Competitors do not know. A potential litigant in the 
environmental community or anyplace else does not know because 
we are just not going to let anybody know about this.'' And if 
the legislation passes and then the CEO says, ``You know, this 
is potentially a serious problem, and we can let this out 
knowing that the effect on our business will be exactly the 
same as if we do not let it out.'' That strikes me as a 
positive good for the government to have. So let us keep 
understanding in all of this discussion that we are talking 
about information that would otherwise not be available to 
anybody.
    Chairman Lieberman. Thanks very much, Senator Bennett.
    Gentlemen, thank you. I agree with Senator Bennett, it has 
been a very helpful discussion, and we look forward, as soon as 
possible to the administration's recommendations to us. Thank 
you.
    We will call the second panel now. Michehl Gent, who is the 
President and Chief Executive Officer of North American 
Electric Reliability Council; Harris Miller, President of the 
Information Technology Association of America; Alan Paller, 
Director of Research at the SANS Institute; Ty R. Sagalow, a 
Board Member, Financial Services ISAC, and Executive Vice 
President of eBusiness Risk Solutions, American International 
Group; David L. Sobel, General Counsel, Electronic Privacy 
Information Center; and Rena I. Steinzor, Academic Fellow, 
Natural Resources Defense Council and also more particularly a 
Professor at the University of Maryland School of Law.
    We thank you all for being here. I know you have been here 
to hear the first panel, and we look forward to your help for 
us as we try to grapple with this serious matter and balance 
the national values that are involved.
    Again I will say to this panel, that your prepared written 
statements submitted to the Committee will be printed in full 
in the record, and we would ask you to now proceed for an 
opening 5-minute statement. Mr. Gent.

TESTIMONY OF MICHEHL R. GENT,\1\ PRESIDENT AND CHIEF EXECUTIVE 
      OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL

    Mr. Gent. Thank you Chairman Lieberman, Senator Thompson, 
and Committee Members for this opportunity to testify on 
information sharing in the electric utility industry, and 
information sharing between industry and government as it 
relates to critical infrastructure protection.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Gent appears in the Appendix on 
page 81.
---------------------------------------------------------------------------
    Because of electricity's unique physical properties and its 
uniquely important role in our lives, the electric utility 
industry operates in a constant state of readiness. The bulk 
electric system is comprised of three huge integrated 
synchronous networks that depend instantly and always on 
coordination, cooperation, and communication among electric 
system operators. We treat preparation for acts of terrorism 
the same way we deal with the potential loss of a power plant 
or transmission line. We have trained people, facilities and 
procedures in place to handle these contingencies. What we lack 
are security clearances for key electric industry personnel to 
be able to receive and evaluate classified threat 
information. We also lack the equipment that would allow us to 
communicate by voice over secure channels with people that have 
these clearances.
    In my written statement I have outlined our very good 
working relationship with the U.S. Government, the FBI, the 
National Infrastructure Protection Center, the Department of 
Energy, the Critical Infrastructure Assurance Office and 
others. We have successfully managed a number of very difficult 
challenges including Y2K and the terrible events of this past 
September. I commend the NIPC and the DOE specifically for the 
way they have conducted themselves and their programs.
    At the heart of our success is our commitment to working 
with the FBI. We made this commitment nearly 15 years ago, and 
the trust in each other that we have built over the years has 
carried over into the NIPC. The word ``trust'', as you have 
heard here earlier today is a very important word to us. 
Without trust none of these programs will work. We are proud of 
our relationship with the NIPC and the DOE. However, this 
strong relationship could be much better, could be stronger. 
Trust alone is not enough to allow us to do the additional 
things that are needed to prepare for future possible terrorist 
attacks. To be able to share specific information with the 
government we need to have some assurances that this critical 
information will be protected. To be able to share specific 
vulnerability information within our industry and with other 
industries to do joint assessments of inter-sector 
vulnerabilities, we need to have targeted protection from 
antitrust laws. We therefore support S. 1456 introduced by 
Senator Bennett.
    The electric utility industry is building on the trust of 
one another that we developed in its Y2K effort. We are 
approaching critical infrastructure protection similar to the 
way we dealt with Y2K. We have an all-industry organization 
called the Critical Infrastructure Protection Advisory Group. 
In my testimony I have outlined the scope and activities of 
that group. It is very active and we are very proud of the 
progress they are making.
    Our Information Sharing and Analysis Center, or ISAC, gets 
lots of acclaim. We have had a lot of practice and we have been 
doing this information gathering, analysis, and dissemination 
for decades. We did not get much attention before because most 
people have not given too much thought about what it really 
takes to keep the lights on. Adding cyber threat awareness to 
our physical threat analysis programs was a natural. Physical 
and cyber activities are becoming increasingly entwined.
    We believe that our electric industry's experience is a 
great formula for success and an example of how an industry 
organization can best serve the industry that supports it. To 
take the next steps and to deal in greater detail with the 
combined threats of physical and cyber terrorism, our industry 
needs an even greater ability to share information within the 
private sector and with the government.
    In summary here are my recommendations. We need to provide 
a way of sponsoring agencies such as the FBI and DOE, to 
increase the number of industry personnel with security 
clearances. Private industry input is needed for any credible 
vulnerability assessment. We need to provide inexpensive, 
effective, and secure communication tools for industry 
participants that participate in these infrastructure ISACs. We 
need to provide limited specific exemptions from Freedom of 
Information Act restrictions for certain sensitive information 
shared by the private sector with the Federal Government. We 
need to provide narrow antitrust exemptions for certain related 
information sharing activities within the industry. We believe 
that S. 1456 does achieve this result.
    And finally, we need to adopt the reliability legislation 
that has been passed by the Senate as part of the comprehensive 
energy bill.
    Again I thank you for this opportunity. I look forward to 
your questions at the end of the panel.
    Chairman Lieberman. Thanks, Mr. Gent. Mr. Miller, please 
proceed.

   TESTIMONY OF HARRIS N. MILLER,\1\ PRESIDENT, INFORMATION 
               TECHNOLOGY ASSOCIATION OF AMERICA

    Mr. Miller. Thank you very much, Mr. Chairman. On behalf of 
the more than 500 members of the Information Technology 
Association of America, I am very pleased to be here in front 
of you. I know my 5 minutes is going to go quickly, but I just 
want to say a couple of personal things.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Miller with attachments appears 
in the Appendix on page 94.
---------------------------------------------------------------------------
    First of all, Senator Thompson will be sorely missed when 
he retires at the end of this Congress. I am not sure I am 
going to have another opportunity to testify before this 
Committee, but his leadership on information technology issues 
and bringing information technology to the government has been 
quite remarkable and we really appreciate his leadership and 
that of the staff.
    Chairman Lieberman. I agree, and I will be sure to tell 
him. This is one of those rare cases in Washington where you 
say something nice about a person when he is not in the room. 
[Laughter.]
    So that is even more sincere.
    Mr. Miller. Thank you, Mr. Chairman. Second, it is once 
again a pleasure to work very closely with Senator Bennett, 
whose leadership on the Y2K has been continued on this issue 
and we appreciate it.
    And third, Mr. Chairman, one of my senior staff recently 
found a bestseller called ``The Power Broker'' authored by 
you----
    Chairman Lieberman. Your testimony is becoming more and 
more impressive as you go forward. [Laughter.]
    Mr. Miller. And my staffer asked if you would agree to sign 
this. We promise not to go out on the eBay auction site. So 
thank you, Mr. Chairman.
    Last, but not least, I did bring my general counsel, Joe 
Tasker with me. While you were studying at the law school at 
Yale, I was up the street at the political science department, 
so if this gets too technical I may turn to my general counsel 
to help.
    Basically, I want to make just a couple of important points 
today. First of all, we strongly endorse the Bennett-Kyl bill, 
and certainly none of the suggested changes made by Mr. Malcolm 
on behalf of the Justice Department would give us any heartburn 
if the primary sponsor feels that those are acceptable. So the 
kind of narrowing that the Justice Department is suggesting 
sounds quite reasonable if Senator Bennett, Senator Kyl, and 
the House sponsors also agree, so we can certainly go along 
with that.
    Basically three simple messages I want to leave you with. 
The cyber security threats are substantial and growing. Second, 
information sharing requires tremendous trust, and that was 
also discussed in the first panel. And third, we think that 
passage of this legislation is essential if we are going to 
move along that trust quotient that is necessary.
    In terms of the growing threat, I have a lot of data in my 
written submission, but let me just make one simple point. We 
now believe that a new virus or worm is being written and 
unleashed out there every 5 minutes, so just while I am 
testifying before your panel, we are going to have a new virus 
or worm out there. In the 2 hours of this hearing you are going 
to have a couple of dozen new viruses and worms out there. So the 
threat is enormous. It is growing, and the attention that this 
Congress can put on this issue is very important.
    We know that most citizens are much more scared of physical 
threats and biological threats than they are of cyber threats, 
but as Senator Bennett has so eloquently stated on many 
occasions, the worst-case scenario is really the combination of 
a physical threat or a bio threat with a cyber threat, and 
because our society, our government and our economy are so 
dependent on our cyber network, the attention this Committee 
and this Congress is paying to cyber threats and that the 
administration is paying is absolutely essential.
    Well, if the threat is so real, what is the problem about 
information sharing? Well, we all remember the old adage 
``Macy's doesn't tell Gimbel's.'' Well, it is particularly 
true, as Mr. Dick suggested in the previous panel in the 
information technology industry. We are a very competitive 
industry, and as the head of a trade association, I can tell 
you how difficult it is to get them to share information, and 
in particular, Macy's and Gimbel's do not go tell the cops. 
That just is not the way it is done. But yet as the first panel 
pointed out and you pointed out in your opening statement, Mr. 
Chairman, that is essential if we are going to deal with this 
threat. We need to get a situation where we are sharing the 
information. So how do we do it? How do we get beyond the 
business as usual mentality that these organizations have?
    Well, Senator Akaka mentioned that ``terrible'' acronym, 
ISAC, the Information Sharing Analysis Centers, but those are 
critical. Let me be clear what this is. These are closed 
communities. Now you may say, ``Why do you need a closed 
community?'' Because we are dealing with, by definition, 
sensitive and confidential information, just as the government 
has classified internal information that they do not want to 
share with the public or with potential terrorists or 
criminals, similarly the industry has those issues. And so we 
are creating with these Information Sharing Analysis Centers 
which are closed community environments.
    So the first challenge is to get the ISAC members 
themselves to share information. As one who was instrumental in 
setting up the IT ISAC, for example, I can tell you that is 
still difficult. We are still taking baby steps even though the 
organization was formally announced almost 14 months ago and 
has been in full operation for over 8 months. It is very tough 
to get people to share this kind of sensitive proprietary 
confidential information even though they know in some sense it 
is the right thing to do, because not only, as was pointed out 
in the previous panel, do you have to see the return on 
investment, you also have to be sure there is no enormous 
downside, and that downside of that public disclosure is 
perhaps one of the biggest threats to that.
    And then we have to move on, as Mr. Gent just said in his 
comments, to sharing across the ISACs, so we have that kind of 
sharing. There are institutions being created to do that. There 
are institutions that already exist such as the Partnership for 
Critical Infrastructure Security that encourage that, but we 
really need to advance that.
    And then of course the sharing with the government, which 
is really what Senator Kyl and Senator Bennett's bill is all 
about; how do we move beyond simply sharing within industry, 
again, sensitive information before events occur? And we 
believe that this information sharing will be accelerated if 
key executives, and particularly the lawyers who are the 
gatekeepers here, are willing to allow their companies to share 
information without the threat to FOIA.
    We certainly believe that the good faith provisions that 
Mr. Malcolm and you just discussed, Mr. Chairman, and Senator 
Bennett discussed, are exactly right. We are not trying to 
allow companies to hide bad faith actions, but to get companies 
to the appropriate level of care and trust, we believe this 
passage of this legislation is essential.
    Today, Mr. Chairman, criminals and terrorists are in the 
driver's seat. The bad actors have great advantages. There are 
hacker communities out there. They have conventions. They 
communicate on the Internet. They are not worried about FOIA 
provisions, but we have to get the good guys together in the 
same way. We have to get them to cooperate.
    One final point. Mr. Dick said quite correctly that the 
industry and government are trying to work together on a lot of 
good advances such as the InfraGard program. But we still 
believe, Mr. Chairman, the government perhaps can do a little 
bit more to share sensitive information in the other direction. 
Now, we understand again that is very difficult, and in some 
industries it is being done, but again, that is trust going the 
other way. That is the cultural change on both sides that Mr. 
Tritak referred to, but we would encourage this Committee to 
continue to dialog with industry and with government to make 
sure the information sharing is going in both directions.
    Thank you very much.
    Chairman Lieberman. Thanks, Mr. Miller. Mr. Paller.

  TESTIMONY OF ALAN PALLER,\1\ DIRECTOR OF RESEARCH, THE SANS 
                           INSTITUTE

    Mr. Paller. Thank you, Mr. Chairman.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Paller appears in the Appendix on 
page 112.
---------------------------------------------------------------------------
    Every day millions of attacks are launched across the 
Internet in an ongoing battle between----
    Chairman Lieberman. Mr. Paller, excuse me. Tell us what the 
SANS Institute is.
    Mr. Paller. SANS is the principal education organization in 
information security. We train about 16,000 people a year, the 
intrusion detection analysts, the firewall people, the guys on 
the front lines, and that is who I am representing in this 
discussion today.
    I will start by answering directly the four questions that 
were outlined in the letter that you sent. The government is 
not getting the data it needs from the private sector, either 
to provide adequate early warning or to give a good report to 
you or to the public about the real costs of cyber crime. On 
the other hand, specific elements of government are doing a 
wonderful job of responding very quickly to information the 
private sector provides. For example, the Office of Cyber 
Security in the White House and the FBI created a wonderful 
public/private technical partnership to fight specific worms. 
GSA inside the government is doing a great job of sharing data 
within the government, getting data reported to it and sharing 
it within the government. Private sector organizations are not 
doing very well in sharing attack data. I will give you 
specific information on that. Although they are making good use 
of data on unsuccessful attacks, and I will differentiate that 
in a minute.
    The fourth question is whether legislation is needed. I am 
not a lawyer. I do not have that training, but I believe a 
clarification of the FOIA exemption is not going to cause 
companies to share cyber attack data with the government. I 
fully agree that secrecy of that data is essential when that 
data is presented, to protect the victim from further damage. 
You have to keep it secret because if you do not, the bad guys, 
will pile on. If anybody is known to be attacked, everyone else 
comes in and goes and gets them, plus you have got all the 
problems with the business issues.
    But even if you provide a perfect FOIA exemption, the 
companies under attack are unlikely to share the data. There is 
ample evidence to prove this. Even when the technical trust 
relationship is established--I think of FOIA as a technical 
trust. Trust is a personal issue. FOIA is a technical way of 
trying to build it. Even when the technical trust relationship 
is perfect, the evidence comes from the members of one of the 
ISACs, not the oldest ISAC, but the most active old ISAC in 
this information sharing of cyber data, the Financial Services 
ISAC. They have a reporting system that is absolutely perfect. 
They cannot figure out who reported. And so you would think 
that would solve the problem. But if you go in and check the 
data, you will find that substantially none of them reported 
data on current attacks or reported data on other attacks with 
one single exception, and the exception is actually the reason 
you think there is data, and that is when they have actually 
hired the company that runs the ISAC to be their incident 
response team. So the company that is hired goes in as part of 
the victim's team, and because they know the data as the 
victims know it, they feed it into the database. But the idea 
that if you establish a perfect technical trust relationship, 
you are going to get the data--we have no proof of that.
    Chairman Lieberman. What do you mean by data here?
    Mr. Paller. I mean, ``I am being attacked right now. It is 
coming in through a new vulnerability in IIS. It has gone two 
steps. It has also taken over my database. They are extorting 
money from me.''
    And it is happening right now. Two people get it. One is 
the consultant that was called in, and if they call the law 
enforcement in, they will get it, too. But there is no sharing 
with other people.
    Chairman Lieberman. You mean the fact that it is happening?
    Mr. Paller. The fact that it is happening because it is a 
private event. They are being extorted.
    Chairman Lieberman. Understood. So that is what you mean by 
data here----
    Mr. Paller. Yes, exactly.
    Chairman Lieberman. Because they do not want to reveal it. 
They do not want it to be known----
    Mr. Paller. They do not want to reveal it, and they see no 
benefit in revealing it.
    Chairman Lieberman. And they see danger or vulnerability or 
loss.
    Mr. Paller. It is a bet-your-company loss. It is that big 
to them. So all the other stuff tends to pale.
    If the government--this is the line they do not like to 
say, but if the government wants substantially more people to 
report attack data, I think you are going to need to make 
reporting mandatory through changes in contract and grant 
regulations or through other action in legislation like the 
legislation you have that requires federally insured banks to 
report suspicious activities.
    I have a couple of charts. Is it all right if I show them 
to you?
    Chairman Lieberman. Sure, if you can stay within your time.
    Mr. Paller. Well, since we have 1 minute left, let us not 
do that.
    There are five areas that the data sharing comes in. One is 
vulnerability data. If a utility finds out it has a 
vulnerability in a SCADA system running its systems, it could 
do a lot of good if it shared that with the government and it 
could do a lot of good if it shared that with the other 
utilities right away, and getting that data is absolutely 
essential to the early warning.
    Two, unsuccessful attack data is being shared very well. 
This is the data that hits your system but you do not want. 
That data has found two worms and it has helped block one of 
them and helped capture the criminal that did the other one. So 
that is working. What is not working are the two sets of data 
that you want when the attack is taking place, when it is 
taking place and you are not getting it after the fact, and as 
I said before, you are not going to get it unless you require 
it.
    The last set of data is the one that actually can do the 
most good. There is a synthesis of data that companies will 
share. The synthesis is ``we have been attacked, so we know 
what we have to do to protect our systems,'' and those are 
called benchmarks. And when the Federal Government and 
commercial organizations share the benchmarks, you can actually 
have a radical impact on the effect of new worms. The NSA, the 
National Institute of Standards and Technology, SANS and the 
Center for Internet Security have just finished, with 
Microsoft's help, a standard for securing Windows 2000. There 
will be more coming shortly. If you want to do a lot of good, 
make sure the Federal Government uses some kinds of standards 
when they buy new equipment so that they are as safe as they 
can be when they are installed.
    Thank you.
    Chairman Lieberman. Thank you. Mr. Sagalow.

TESTIMONY OF TY R. SAGALOW,\1\ BOARD MEMBER, FINANCIAL SERVICES 
 ISAC AND CHIEF OPERATING OFFICER, AIG eBUSINESS RISK SOLUTIONS

    Mr. Sagalow. Mr. Chairman, thank you for this opportunity 
to testify about the importance of information sharing and the 
protection of this Nation's critical infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Sagalow with attachments appears 
in the Appendix on page 123.
---------------------------------------------------------------------------
    My name is Ty R. Sagalow, and I come to you in two 
capacities today. First as a Member of the Board of the 
Financial Services Information Sharing and Analysis Center, the 
FS ISAC. And second, as COO of American International Group's 
eBusiness Risk Solutions Division, the largest provider of 
network security insurance in the world. My full remarks have 
been entered into the record, but I'd like to summarize them 
for you if I can.
    Governor Tom Ridge recently remarked, ``Information 
technology pervades all aspects of our daily lives, of our 
national lives. Disrupt it, destroy it or shut down the 
information networks and you shut down America as we know it.''
    The sad fact is that our information technology systems are 
already under attack, and there is every reason to believe it 
will get worse before it gets better. U.S. companies spent 
$12.3 billion to clean up damages from computer viruses in 
2001. And Carnegie Mellon reported that in 2001 they received 
over 50,000 incident reports. Today it is easier for a cyber 
terrorist to shut down a dam by hacking into its control and 
command computer network than to obtain and deliver the tons of 
explosives needed to blow it up. More frightening, the 
destruction can be launched from the safety of the terrorist's 
living room couch, or cave as the case may be.
    Fortunately, we are not powerless. Ironically, as it is the 
information systems which are the subject of the attack, it is 
our ability to share information which provides our best 
foundation for defense.
    Today the financial institutions that are members of the FS 
ISAC represent more than 50 percent of all credit assets. The 
mission of the FS ISAC is straightforward: Through information 
sharing and analysis provide its members with early 
notification of computer vulnerabilities, computer attack 
subject matter expertise and relevant other information such as 
trending analysis. Unfortunately, I am here today to tell you 
that we have not been wholly successful in that effort, and we 
can not succeed without your help.
    We believe there are chiefly three obstacles that must be 
removed for effective information sharing to take place. The 
reason, as Senator Bennett has already said, companies will not 
disclose voluntarily if their general counsels tell them that 
there is a potential that disclosure will bring financial harm 
to their company. It is really that simple.
    With respect to sharing information with the public sector, the 
fear exists that competitors or terrorists or others will be 
able to obtain that information through the Freedom of 
Information Act. With respect to sharing of information within 
the private sector, there are two fears. First that the sharing 
will be deemed to be a violation of antitrust laws, as has been 
previously discussed; and second, that the act of sharing the 
information will lead to civil liability against a company or 
its directors and officers.
    Now, much has already been said of the first two points. 
Permit me to speak on the third for a moment. The chilling effect 
of the potential liability lawsuits on voluntary speech cannot 
be underestimated. Private lawsuits, or rather the fear of 
them, have always played an important role in fostering proper 
conduct. However, when applied inappropriately, they can have 
the opposite effect. Such is the situation here. Why disclose 
the potential inadequacy of a security technology of your 
vendors when that disclosure could lead to a defamation 
lawsuit. Why recommend the use of specific technology 
safeguards when such disclosures could lead to lawsuits 
alleging interference with the contractual rights of others? 
Why freely disclose the result of research and analysis and 
best practices, when that disclosure could lead to shareholder 
lawsuits alleging disclosing of company trade secrets?
    The risk is too great. Better safe than sorry. Better to 
keep your mouth shut. These statements represent the danger 
that we face today as they will be the advice given by general 
counsels throughout the Nation.
    Fortunately, this danger can be avoided through thoughtful 
and balanced legislation like the Senator Bennett-Kyl bill and 
similar to the great work done by Senator Bennett in Y2K.
    Putting on my other hat for a moment, I can tell you that 
information sharing is essential to the creation of a stable 
insurance market for network security. Insurance plays a 
critical role in protecting our national infrastructure, both 
through the spreading of risk as well as the influencing of 
standards of good security behavior through the incentives 
inherent in making insurance available and affordable.
    Today my company leads the way in this effort, and we have 
already provided billions of dollars of insurance protection 
for thousands of companies. However, there are very few 
insurance companies willing to provide network security 
insurance. The reason, insurance companies cannot underwrite if 
they do not have access to data on frequency and severity of 
loss or at least the hope of future access to that data. 
Effective and robust information sharing becomes the foundation 
of building the actuarial tables needed to create a stable 
insurance market.
    Therefore and in conclusion, we believe that for voluntary 
information sharing to be both robust and effective, the 
following needs to happen: An exemption from FOIA as stated in 
the Bennett-Kyl bill; an exemption from the Federal-State 
antitrust laws for information that is voluntarily shared in 
good faith, and finally, the creation of a reasonable safe 
harbor provision similar to that that was provided under Y2K, 
to protect disclosure of information within the private sector 
as long as that disclosure was made in good faith.
    Mr. Chairman, I would very much like to thank the Committee 
for permitting me to testify on this important subject. I will 
be pleased to answer any questions you might have.
    Chairman Lieberman. Thanks, Mr. Sagalow. Mr. Sobel.

  TESTIMONY OF DAVID L. SOBEL,\1\ GENERAL COUNSEL, ELECTRONIC 
                   PRIVACY INFORMATION CENTER

    Mr. Sobel. Mr. Chairman, thank you for providing me with 
the opportunity to appear before the Committee.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Sobel appears in the Appendix on 
page 166.
---------------------------------------------------------------------------
    The Electronic Privacy Information Center, EPIC, has a 
longstanding interest in computer security policy, emphasizing 
informed public debate on matters that are of critical 
importance in today's interconnected world.
    While my comments will focus primarily on proposals to 
create a new Freedom of Information Act exemption for 
information concerning infrastructure protection, I would like 
to share with the Committee some general observations that I 
have made as this debate has unfolded over the last few years.
    First, there appears to be a consensus that the government 
is not obtaining enough information from the private sector on 
cyber security risks. I would add that citizens, the ones who 
will suffer the direct consequences of infrastructure failures, 
are also receiving inadequate information on these risks.
    There has not yet been a clear vision articulated defining 
the government's proper role in securing the infrastructure. 
While there has been a lot of emphasis on finding ways to 
facilitate the government's receipt of information, it remains 
unclear just what the government will do with the information 
it receives. In fact, many in the private sector advocate an 
approach that would render the government powerless to correct 
even the most egregious security flaws.
    The private sector's lack of progress on security issues 
appears to be due to a lack of effective incentives. Congress 
should consider appropriate incentives to spur action, but 
secrecy and immunity, which some advocate, remove two of the 
most powerful incentives--openness and liability. Indeed, many 
security experts believe that disclosure and potential 
liability are essential components of any effort to encourage 
remedial action.
    Rather than seeking ways to hide information, Congress 
should consider approaches that would make as much information 
as possible available to the public consistent with the 
legitimate interests of the private sector.
    As indicated, I would like to focus my comments on 
proposals to limit public access to information concerning 
critical infrastructure protection. EPIC and other members of 
the FOIA requestor community have, for the past several years, 
voiced concerns about proposals to create a broad new FOIA 
exemption such as the one contained in S. 1456 for information 
relating to security flaws and other vulnerabilities in our 
critical infrastructure. Government activity in this area will 
be conducted in cooperation with industry, and accordingly, 
will involve extensive sharing of information between the 
private sector and government. To facilitate the exchange of 
information, some have advocated an automatic, wholesale 
exemption from the FOIA for any cyber security information 
provided to the government.
    Given the broad definitions of exempt information that have 
been proposed, I believe such an exemption would likely hide 
from the public essential information about critically 
important and potentially controversial government activities 
taken in partnership with the private sector.
    Critical infrastructure protection is an issue of concern 
not just for the government and industry, but also for the 
public, particularly the local communities in which affected 
facilities are located.
    I believe the proposed exemption is not needed. Established 
case law makes it clear that existing exemptions contained in 
the FOIA provide adequate protection against harmful 
disclosures of the type of information we are discussing. 
Exemption 4, which covers confidential private sector 
information, provides extensive protection. As my written 
statement explains in detail, I believe that exemption 4 
extends to virtually all of the critical infrastructure 
material that properly could be withheld from disclosure.
    In light of the substantial protections provided by FOIA 
Exemption 4 and the case law interpreting it, I believe that 
any claimed private sector reticence to share important data 
with the government grows out of, at best, a misperception of 
current law. The existing protections for confidential private 
sector information have been cited repeatedly over the past 2 
years by those of us who believe that a new exemption is 
unwarranted. Exemption proponents have not come forward with 
any response other than the claim that the FOIA provides a 
``perceived'' barrier to information sharing. They have not 
made any showing that Exemption 4 provides inadequate 
protection.
    Frankly, many in the FOIA requestor community believe that 
Exemption 4, as judicially construed, shields far too much 
important data from public disclosure. As such, it is troubling 
to hear some in the private sector argue for an even greater 
degree of secrecy for information concerning vulnerabilities in 
the critical infrastructure. Shrouding this information in 
absolute secrecy will remove a powerful incentive for remedial 
action and might actually exacerbate security problems. A 
blanket exemption for information revealing the existence of 
potentially dangerous vulnerabilities will protect the 
negligent as well as the diligent. It is difficult to see how 
such an approach advances our common goal of ensuring a robust 
and secure infrastructure.
    In summary, overly broad new exemptions could adversely 
impact the public's right to oversee important and far-reaching 
government functions and remove incentives for remedial private 
sector action.
    I thank the Committee for considering my views.
    Chairman Lieberman. Thanks, Mr. Sobel. And finally, 
Professor Steinzor.

  TESTIMONY OF RENA I. STEINZOR,\1\ ACADEMIC FELLOW, NATURAL 
RESOURCES DEFENSE COUNCIL AND PROFESSOR, UNIVERSITY OF MARYLAND 
                         SCHOOL OF LAW

    Ms. Steinzor. Mr. Chairman, thank you for the opportunity 
to appear before you today on behalf of the Natural Resources 
Defense Council.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Steinzor with an attachment 
appears in the Appendix on page 172.
---------------------------------------------------------------------------
    The issues before you are both significant and troubling, 
especially in the wake of the tragedies that began on September 
11. Obviously, all Americans recognize the importance of doing 
whatever we can to improve homeland security. At the same time, 
as Senator Lieberman said, this country was attacked because we 
are the most successful democracy the world has ever known. If 
we overreact to those who attacked us so viciously, and in the 
process undermine the principles and rule of law that have made 
us such a hopeful example for the world, terrorists will win 
the victory that has thus far eluded them.
    NRDC strongly opposes both the text and the underlying 
principles embodied in S. 1456, the Critical Infrastructure 
Information Act, and urges you to consider more effective 
alternatives to make Americans secure.
    We oppose the legislation for four reasons. The legislation 
has an impossibly broad scope. To the extent that the 
legislation focuses on cyber systems, and by these I mean 
systems that are connected to the Internet and therefore are 
vulnerable to outside disruption, NRDC as an institution has 
little to add to the debate. Computers are not our area of 
expertise. In fact some of us are still using the Windows 95 
operating system.
    Of course, as Senator Thompson has articulated, S. 1456 
extends much further than cyber systems, covering not just 
computers that are connected to the Internet, but also the 
physical infrastructure used to house these systems. The 
legislation covers not just physical infrastructure that has or 
is controlled by computers, but also any physical 
infrastructure that is essential to the economy and might be 
damaged by a physical attack. The legislation is not limited to 
the Freedom of Information Act, but extends to any use by 
anyone of the information in civil actions. Mr. Malcolm spoke 
about the government's use of disinformation. I would stress, 
however, that this applies not just to the government but to 
the use of the information in a civil action by any party.
    And the legislation covers information, not just copies of 
specific documents. It is a slender reed to rest on the 
adjective direct use when it covers information so broadly, and 
information in a different format could still be precluded from 
use in a civil action.
    NRDC is sensitive to the fears all Americans have about our 
vulnerability to terrorist attacks. We are active participants 
in the debate about whether information about the operation of 
facilities using acutely toxic chemicals should be accessible 
on the Internet. The Environmental Protection Agency is 
encountering many challenges as it works diligently to sort 
through these issues.
    But these difficult issues are not within the areas of 
expertise of the government agencies assigned a role in 
implementing S. 1456. Using legislation of this kind as a 
vehicle for stressing how information enhances or combats the 
terrorist threat to physical infrastructure is unwise and 
duplicative. As Senator Akaka stated so well, the legislation 
will have a series of disastrous unintended consequences, 
damaging existing statutory frameworks crafted with care over 
several decades.
    Let me draw in another thread of history. A few years ago 
major industry trade associations, which had members subject to 
environmental regulations, began to push the idea of giving 
companies immunity from liability if they performed self-audits, 
uncovered violations of the law, took steps to solve those 
problems and turned the self-audit over to the government 
voluntarily. The Department of Justice vigorously opposed such 
proposals and they never made it through Congress. Several 
States enacted versions of self-audit laws. In the most extreme 
cases, EPA responded by threatening to withdraw their authority 
to implement environmental programs and the laws were repealed.
    Self-audit bills defeat deterrence-based enforcement, 
creating a situation where amnesty is available even where a 
company has continued in violation for many years and then 
decided to come into compliance at the 11th hour.
    As drafted, S. 1456 is a comprehensive self-audit bill that 
extends not just to environmental violations but to violations 
of the Nation's tax, civil rights, health and safety, truth-in-
lending, fraud, environmental, and virtually every other civil 
statute with the exception of the Securities Act. The 
legislation does not even require that companies cure their 
violations in order to receive amnesty. Redrafting may help, 
but it will be very hard to solve the problems as long as the 
legislation covers physical infrastructure. Secrecy is not the 
best way to protect critical infrastructure, and this Committee 
should abandon that approach. Rather, actually requiring 
changes on the ground is a far preferable solution to the 
threats we face.
    One way to reduce the vulnerability of physical 
infrastructure is to ensure that employees have undergone 
background checks and that site security at the fence line of 
the facility and the area adjacent to vulnerable infrastructure 
is enhanced.
    Another way to protect the public and workers is to 
eliminate the need for the hazardous infrastructure, for 
example, a tank holding acutely toxic chemicals. This approach, 
called Inherently Safer Technologies, is the cornerstone of 
legislation, S. 1602, now under consideration by the Senate 
Environment and Public Works Committee.
    NRDC has also consulted with EPA officials responsible for 
coordinating their agency's contribution to strengthen homeland 
security. EPA has extensive legal authority to take actions 
against companies that fail to exercise due diligence in 
protecting against such attacks. The combination of the Corzine bill 
and administrative action will make great strides toward 
addressing these problems.
    As the Committee continues its consideration of these 
issues, we hope that you will continue to consult with a broad 
range of experts and stakeholders and allow us to participate 
in your deliberations. We appreciate the efforts of the 
Committee staff to undertake these discussions in order for all 
of us to better understand the policies, goals and implications 
of the legislation. Thank you.
    Chairman Lieberman. Thanks, Professor.
    Let me see if I can ask a few of you to give a little more 
detail, without disclosing exactly what you do not want to 
disclose, which is what are we talking about here with 
sensitive information? Mr. Paller, in your testimony you gave 
us a series of examples. I wonder if any of the rest of you, 
Mr. Sagalow or Mr. Gent, could give us a little more general 
information about what we are talking about that people you 
represent or you yourselves would not want to disclose without 
this kind of exemption from FOIA?
    Mr. Gent. Senator, you might remember back, I believe it 
was your freshman year this Committee held hearings, and not 
much has changed about the electric system vulnerability since 
then. And one of the problems back then was that they wanted us 
to build a list of critical facilities, ``they'' being the 
government, so that the government could analyze that and be 
prepared to help us defend at those facilities at that time 
from physical attack of nations or nation states or terrorists. 
Not much has changed. We now have the cyber element that goes 
into this.
    So government agencies are asking us to come forth with 
lists of critical facilities along with their degree of 
vulnerability and what would happen if this facility were taken 
out. And we have, for the last 20 years, said that we are not 
going to build such a list. As others have testified, we have 
no confidence that the government can keep that a secret.
    Chairman Lieberman. Got it. Mr. Miller, do you have an 
example that comes to mind, generally speaking?
    Mr. Miller. In the information technology industry there 
might be a product that is developed, a software product, which 
in most formats works fine, but in conjunction with a certain 
hardware, which a lot of these things are integrated with, 
different types of hardware, in fact there is a vulnerability. 
The software vendor may become aware of that, may decide that 
it wants to communicate with, however, a very limited audience, 
for example--just its immediate customers and clients because 
of that relationship, but would be totally unwilling to share 
that with the government because it does not want to face the 
possibility of broad public disclosure of that.
    Again, we are talking about limited cases, not a massive 
virus attack, where as was discussed in the previous panel, 
everyone wants to work together to get the word out about a 
Code Red or a Nimda. We are talking about a particular--the 
technical term is ``configuration'' of a particular software 
product, where the impetus is to keep it in a closed community 
unless otherwise they are incented to do so, and particularly 
to share it with the government would bring a lot of risk 
because of this possibility, or Senator Bennett, maybe it is 
just the paranoia business, the likelihood that if you share it 
with government it will end up being disclosed.
    Chairman Lieberman. Mr. Sagalow.
    Mr. Sagalow. Mr. Chairman, I will give you two examples of 
information, falling into the areas of best practices that 
might be shared if there was a FOIA exemption. When it comes to 
the Nimda virus, Code Red, those massive attacks, that 
information is being shared. What is not being shared is 
information on risk management techniques, best practices, 
corporate governance, and I will give you two examples.
    If a corporation becomes dissatisfied with their particular 
vendor, one anti-virus software works very poorly and they end 
up deciding to terminate that contract and instead incorporate 
another anti-virus software, you would want that information to 
be shared. A general counsel would be extremely reluctant to 
give their CEO or CTO permission to share that type of 
information, fearing potential defamation lawsuits from the 
vendor that you ended up dropping, as well as from other people 
for other causes of action like tortious interference with a 
contractual relationship.
    The second example I would give you is potential 
shareholder actions arising out of disclosure of company 
practices and technology use. There is a business issue of 
whether you want to disclose these things since some may regard 
them as trade secrets. However, if all the CEOs of the world 
were similar to Mr. Bennett, they would disclose a certain 
amount of what is arguably a trade secret if it is consistent 
with protecting our national infrastructure and the good of 
society, as long as it did not do undue harm to the company. A 
general counsel is not going to take that attitude. A general 
counsel is going to say even though it is the right thing to 
do, there are professional plaintiff attorneys out there that 
will start shareholder derivative actions alleging that the act 
of disclosure itself was a breach of fiduciary duty.
    Chairman Lieberman. Thank you.
    Mr. Paller made a statement which was very frank and 
sounded pretty realistic, that even with the exemption 
proposed, that there will be companies who will not share 
because they are still concerned in a voluntary system that it 
will not really be kept confidential, and therefore--not that 
he was recommending this, maybe he was--but that we may need a 
mandatory system.
    Now, I wonder whether, real quickly because I want to get 
on to another question, whether the three of you agree or 
disagree, if we had appropriate exemption from FOIA do you 
think companies would still withhold information?
    Mr. Gent. I think if you made it mandatory, they would not 
withhold.
    Chairman Lieberman. Right. [Laughter.]
    Mr. Miller. I would strongly disagree with Mr. Paller. 
First of all, I do not know what it would mean to be mandatory 
and I do not know how you would possibly enforce that, but I 
think the information sharing is growing. Again, I agree that 
the FOIA is not the silver bullet, Senator, but for the 
interest of the industry, yes, there is growing in the 
communities, electrical, financial services IT, that there is a 
broader community interest because these people are 
American citizens. They want to support the good of the Nation. 
But they have to be protected on the down side. That is clearly 
the establishment of the ISACs, the establishment of the 
partnerships, that sharing of information through InfraGard is 
a commitment the industry is making.
    Chairman Lieberman. Mr. Sagalow.
    Mr. Sagalow. Our members have told us that if these 
obstacles are removed, there will be a substantial increase in 
disclosure. Of course some people will never disclose no matter 
what, but there will be a substantial increase.
    Chairman Lieberman. Professor Steinzor, let me ask you your 
reaction to the conversation on the last panel, which was: Why 
would not your concerns about the effect of the passage of 
Senator Bennett's legislation on various environmental laws be 
eliminated by inserting language that said that nothing in this 
proposal should diminish any obligation that anyone has under 
any other system of law?
    Ms. Steinzor. That would go a long way to help, but we 
would still be required to fight over such issues as whether 
there was an obligation, there was no obligation, and whether 
the information was submitted before the government asked for 
it. The way this bill is drafted it says that information is 
voluntarily submitted in the absence of such agency's exercise 
of legal authority. So the agency would have to actually ask 
for the information in order for it to be submitted non-
voluntarily. At the moment, there is a lot of information kept 
in companies that the government may not have asked for yet, 
and if it was submitted voluntarily, the protection could be 
asserted. That is just one of the kinds of problems that we are 
concerned about.
    Another way to deal with what you are talking about is a 
savings clause. Such a clause should be something that is 
dynamic, not just for laws that are on the books today but laws 
that are added to the books in the future.
    And one last thing I would like to add, which is that to 
the extent that the information we are concerned about here is 
information that is time-sensitive, one way to approach it 
would be to say the protection only lasts for a certain limited 
period of time. We have heard a lot about an attack is ongoing 
and you need to share the information. Arguably, once you have 
shared it, once the problem is addressed, as we all assume it 
will be, you no longer need to make that information secret. 
Keeping it secret is only important to liability down the line. 
Again, there would be no liability if the problem was solved. 
So that is another way to approach this.
    Chairman Lieberman. Mr. Sobel, do you have a reaction to 
that discussion on the first panel? I know it is not directly 
responsive to your concerns.
    Mr. Sobel. Frankly, Senator, my concern is with this taken 
in combination, the fact that there would be no possibility of 
disclosure apparently at any time running into the future, as 
well as no real governmental ability to address any of the 
vulnerabilities that are made known to the government, and then 
there is this provision that I read as a very broad immunity 
that would also preclude any private actors from seeking 
corrective action. So what I see, taken as a whole, is this 
structure that provides information to the government, but then 
really ties the hands of the government or anyone else to 
direct and compel corrective action. As I said, I think this 
approach protects the negligent as well as the diligent, and 
that is really, I think, the main flaw. Yes, we can certainly 
assume that many, if not most, of the actors in the private 
sector are going to be good actors, but it seems to me that 
this just creates an incredibly large loophole for those 
companies that frankly are more inclined to be negligent than 
diligent.
    Chairman Lieberman. Thanks. Senator Bennett.
    Senator Bennett. Thank you, Mr. Chairman, and thanks to 
everyone on the panel including those who were not quite as 
supportive of my legislation as some of the others, because 
these are obviously the issues that have to be resolved, that 
have to be talked about.
    I sponsored a bill for a long time on the privacy of 
medical records, and ran into much the same kind of very firm 
opinions on all sides of the issue, and I kept saying year 
after year, this is not an ideological issue, this is not 
conservatives versus liberals or Republicans versus Democrats. 
This is a management issue. How do we solve the problem? And my 
staff got sick and tired of me saying it. I would say, if there 
is a management problem raised by this objection, let us solve 
the problem rather than put ourselves into ideological camps 
and then scream at each other. We do a great deal of that in 
the U.S. Senate, usually on the floor, less so in committee, 
but we have a serious challenge here. It is one for which there 
is, frankly, no historic predicate because the coming of the 
information age has changed the world as thoroughly and 
fundamentally as the coming of the Industrial Age did. And if 
you are going to talk about agricultural age warfare after the 
invention of the repeating rifle, you are going to be left 
behind. And the statement by Osama bin Laden is a chilling 
reminder of the fact that we live in an entirely different 
world, and we all, on all sides of this issue, need to view 
that world differently.
    Now, if I were someone who wished this country ill, and I 
have said this before so I am not giving out any secrets, if I 
were someone who wished this country ill, I would be 
concentrating on breaking into the telecommunications 
infrastructure over which the Fedwire functions. If I could 
shut down the Fedwire, I could bring all activity in the 
country to a complete stop. No checks would clear. No financial 
transactions would take place. There could be no clearing at 
the end of every day for the Federal Reserve system. The 
Fedwire is the absolute backbone of everything that goes on in 
the economy. And I have had conversations with Chairman 
Greenspan about protecting the Fedwire from cyber attack. That 
specter before us, how do we deal with the challenge of 
telephone companies, of power companies, of brokerage houses, 
banks, and the Federal Government itself, that are tied 
together in this absolutely intricate network of transactions 
and facilities, and protect the Fedwire from someone sitting in 
a cave somewhere coming after it?
    Now, Mr. Miller could share some information with us, which 
I have seen, that shows the graphs of the level of attacks that 
have come against the United States, cyber attacks, and it is a 
logarithmic scale. It is not just a quiet little incremental 
increase every year. It is almost Malthusian in terms of the 
predictions, and it is a hockey stick. And I have stood in the 
rooms where these attacks are being monitored in real time, 
second by second, in the Defense Department within the 
Pentagon. The interesting thing is that just as the number of 
attacks is going up logarithmically, the sophistication of the 
attacks is going up logarithmically, so that our ability to 
defend ourselves, which is also going up logarithmically, is 
just barely keeping up with the sophistication and volume of 
the challenge that we have.
    I first became aware of this with Y2K when I was talking 
with Dr. Hamre, the Deputy Secretary of Defense, as we were 
trying to find out in a hearing on S. 407, Mr. Chairman, over 
in the Capitol, where we can have classified briefings, about 
the degree of this country's vulnerability, and Dr. Hamre said 
to me, ``We are under attack every day.'' And this was 3 or 4 
years ago. And I said, ``Under attack, what are you talking 
about?''
    Well, the attack on the government facilities goes on. My 
fear, the thing that keeps me awake at night is that if those 
who are mounting those sophisticated attacks on government 
facilities--and they are primarily aimed at the Defense 
Department and the intelligence community, CIA, NSA and 
others--were to shift their focus onto the private sector and 
do so in a timing and a circumstance where no one in the 
government knew that that shift had taken place, how vulnerable 
are we, and how will we feel if we say, ``Well, we did not 
facilitate the opportunity for people who are the recipients of 
those attacks to share with the government what was 
happening.'' This is not questioning. I am just responding to 
the panel and sharing with you my deep, and I hope not 
paranoid, desire to see to it that we are prepared for this.
    So in the one minute left before we go back to the second 
round, do any of you, recognizing this is a management issue 
rather than an ideological issue, have any comments across the 
gap that has occurred within the panel, that are not just, oh, 
you are wrong, you do not understand. It is easy for you to say 
that back and forth to each other. Do any of you have any 
solutions that you could suggest across the divide that has 
been created here within this panel in the circumstance that I 
have framed?
    Mr. Miller. Just a brief comment. I thought that Mr. Sobel 
and Professor Steinzor said that with some of the limitations 
that Chairman Lieberman suggested, and Mr. Malcolm discussed it 
in the earlier panel with you as the primary sponsor, that they 
might see some possibility of bridging the gap. Again, these 
are technical legal issues beyond my exact area of expertise, 
but I was pleased to hear that both Mr. Sobel and Professor 
Steinzor indicated that they might--if the language of the bill 
was even more clear as not to allow the worst bad actors to use 
the Freedom of Information Act language to hide behind--that 
they might be open to some kind of compromise. And I thought 
that was a very positive statement by both of them from my 
perspective.
    Ms. Steinzor. Senator, I could not agree with you more that 
this is an enormous challenge and a grave threat, and I am not 
by any stretch of the imagination questioning your motives or 
your sense of urgency about all of this. What is troubling to 
us is that it would seem as if a more direct way to approach 
this would be to try and develop technologies like the one Mr. 
Paller was talking about, to erect firewalls and make cyber 
systems more secure, rather than simply allowing for a shroud 
of secrecy to go over them because of the difficulties of 
drawing lines in this area.
    You know the Freedom of Information Act, in our experience, 
is one of the most ponderous legal tools one can ever use. It 
takes months, years, to get a request answered. And so we are 
puzzled why the urgent exchange of information could not be 
protected in a short timeframe in a different way that does not 
implicate the Freedom of Information Act, which we do not see 
as a very grave threat to the immediate exchange of 
information. People are talking about perceptions on all sides, 
and we are puzzled by that.
    Mr. Sobel. Senator, if I could just follow up on that, on 
the FOIA point. I have a real concern that a new exemption 
approach could actually muddy the waters far more than they are 
right now. We have heard a lot of concern about the advice that 
a general counsel might give within a company in terms of 
whether or not there is adequate protection or not. It seems to 
me, as an attorney who looks at these issues, that 28 years 
worth of very clear case law would give me much more comfort in 
advising a client than a newly-enacted piece of legislation 
that contains some very broad language. I think if I was that 
general counsel and this legislation passed, I would say, 
``Well, you know, this has not yet been judicially construed. 
We do not know how much protection this is going to provide.'' 
I would feel much more comfortable looking at the Critical Mass 
decision from the D.C. Circuit, where the Supreme Court denied 
certiorari, and saying, ``This is a pretty good assurance that 
this information is not going to be disclosed.''
    So I do not think we are disagreeing about goals, but I 
think there is a real question in terms of what is the most 
effective way of providing the assurance that the private 
sector seems to want.
    Mr. Miller. Maybe that is what the hypothetical general 
counsel would believe, Senator Bennett. That is not what the 
real general counsels believe.
    Mr. Sagalow. Senator, let me follow up if I can.
    Chairman Lieberman. Mr. Sagalow, let me just interrupt.
    Senator Bennett, I do not have any other questions. I have 
a couple of colleagues waiting to see me. If you are able, I 
would like to ask you to continue the discussion, and then when 
you are through, to adjourn the hearing.
    Senator Bennett. That is very dangerous on your part. 
[Laughter.]
    Chairman Lieberman. I do not want you to get comfortable 
with the gavel though. [Laughter.]
    Senator Bennett. Thank you, Mr. Chairman.
    Chairman Lieberman. Not at all. Thank you for your 
leadership. It has been a very interesting, important, 
constructive hearing, and I look forward to continuing to work 
with you, Senator Bennett, and with those who have been before 
us to see if we can resolve this in the public interest. Thank 
you.
    Senator Bennett [presiding]. Thank you very much.
    Now, having no constraints upon me, I would like to pursue 
this a little further.
    Mr. Sagalow. Senator, if I could just respond to a couple 
of the comments that were mentioned earlier. My company created 
something called a Technology Alliance, which is a group of 
technology companies that advise us as underwriters on 
evaluating cyber risk, and we have been literally talking to 
dozens of technology companies over the last 2 years and we 
continue to talk to them.
    I can tell you, Senator, that without exception there is no 
technology company that believes that there is a technology 
silver bullet. There is no super firewall. There is no super 
anti-virus or intrusion detection system. There is no single 
technology or combination of technologies that will solve this 
problem.
    On the second issue of the theoretical versus practical 
general counsel, I agree with the comments of my colleague, Mr. 
Miller. I do not know what theoretical general counsels say, 
but I know what they say to me every day. And what they say to 
me every day is their view of current law and regulation 
including case law does not give them a sufficient basis to 
recommend to their CEOs to disclose. More legislation, more 
action is needed.
    Senator Bennett. Let me follow through on that one.
    We have always been under the impression that we were 
helping FOIA by focusing and defining the exemption which, Mr. 
Sobel, you indicated has been done by case law so as to make it 
clear that in this circumstance under these conditions the 
broad exemption that is already in FOIA would clearly apply and 
that we were not in any way repealing or destroying FOIA, we 
were simply focusing the definition.
    Now, Mr. Sagalow, let us go back to you--recognizing you 
have not had this discussion, but your perception of how a 
general counsel would react. Do you think that the passage of 
this legislation would be viewed in that regard and therefore 
make a general counsel more likely to say let us go ahead, or 
do you think they would react to the legislation somewhat in 
the way that Mr. Sobel is? You do not have to agree with his 
opinion of where they are in case law, as to try to say maybe 
he is right that they would say, ``Well, the legislation may 
sound good, but it is still not going to give me any comfort.''
    Mr. Sagalow. I do not know. It is a legitimate issue. I 
believe that, based upon the conversations that I have had so 
far, that the majority of general counsels would be looking at 
it in the first approach. They would be looking at this 
legislation clarifying existing case law in a way favorable 
toward disclosure as opposed to a de novo aspect of legislation 
that they would feel uncomfortable with until years of case law 
interpretation.
    Senator Bennett. Let us go back to Professor Steinzor's 
comment about time. I think that is a very legitimate issue 
that she has raised. I have used the example which, frankly, 
Professor, you shoot down, that Osama bin Laden would mount an 
attack and then file a FOIA request to find out how well it 
worked, and if indeed FOIA would require 4 years before he got 
the information, the technology would have been about five 
generations old by the time he got the information.
    She has raised an interesting question, gentlemen, about 
putting a time limit on this, where you say the FOIA request 
cannot be filed for 3 years, let us say, pick a number. She 
would probably pick 3 months, but let us pick a number and put 
a timeframe on this, and talk about what effect that might have 
in the real world. Mr. Gent.
    Mr. Gent. Senator Bennett, there is certain operational 
information that can be made available moments afterwards, some 
hours afterwards, some days afterwards, but when it comes down 
to the configuration and vulnerability of the electric system, 
this is something that evolves over decades. So having 
information, in fact, to be honest with you, some of the 
information that is now being released to the public is still 
very dangerous and could be considered as a terrorist handbook. 
So the configuration has not changed that much. The components 
that are vulnerable have not changed that much over the last 
decade. So if you talk about operational information, I would 
be willing to talk about a shorter timeframe, but physical 
configuration of a system is still important after decades.
    Senator Bennett. We need to remember, and you have reminded 
us, that the physical and the cyber are inextricably linked 
here.
    Mr. Gent. We believe that. In fact, Hoover Dam is not going 
anywhere.
    Senator Bennett. But the ability to break into the 
computers that are updated that control the sluice gates, 
somebody could open the sluice gates and drain Hoover Dam 
without blowing it up. Is that an accurate----
    Ms. Steinzor. But, Senator, that again is a cyber issue 
which presumably would be addressed by technology evolving 
within a certain period of time because cyber systems are 
changing all the time. I think the emphasis on the physical 
configuration is exactly what concerns us because a lot of the 
physical configuration, for example, at a chemical plant, is 
heavily scrutinized and regulated by the government. And again, 
this protection does not just apply to Freedom of Information 
Act, it always applies to use in a civil action which could be 
either enforcement or some other type of action that would not 
be able to proceed if the company was not continuing to do 
something wrong.
    So again, my suggestion about the temporal aspect is that 
the assumption must be that once we discover vulnerability, we 
are going to address it right away, whether it is in the 
physical context or the cyber context, that the Freedom of 
Information Act in civil actions would only be viable if those 
problems were not addressed, and therefore a temporal 
limitation might be just the ticket to solve the problem.
    If I could just add one more thing. As an educator of young 
lawyers, let me talk about the theoretical versus the actual 
general counsel. One of the things we always impress on our 
students is the need to zealously protect their clients' 
interests, and while I would sign up tomorrow to be your 
general counsel, you being the hypothetical CEO----
    Senator Bennett. You might not be in a financially 
successful institution. [Laughter.]
    Ms. Steinzor. Well, but you were articulating such good 
ethics and good sense, that I think I might do it. Maybe I 
could keep my university job.
    The problem is that if there is an opportunity to do a 
document dump, which of course would not be conceived in those 
pejorative terms, that it is both a theoretical and actual 
general counsel would be pushing the company to do exactly 
that. They would say, ``Look, CEO, we have vulnerabilities 
involving our physical infrastructure that are very serious, and 
we should go contact Governor Ridge about those and get into 
some conversation with him, and if any agency tries to pursue 
us through one of the more mundane daily laws, we can fend them 
off while we address our vulnerabilities.'' This kind of 
situation is our concern.
    I should have brought a lawyer joke for the occasion.
    Senator Bennett. I have plenty of those.
    Ms. Steinzor. Good.
    Senator Bennett. Anyone want to respond to that? Mr. 
Miller.
    Mr. Miller. Not so much to that, but your earlier question 
about time limitations. It is easy for me to say sure, why not 
in the information technology industry because 3 years is an 
eternity. But again, it is very much tied to physical issues.
    A certain governor of a certain large State just to the 
north of here, about 4 years ago was very proud to release a 
document on the Internet that showed where every 
telecommunications, electrical network, and critical asset in 
the Commonwealth of his State was located, and it was very 
public, it was very well known. I am sure Tom Ridge was very 
proud of that at the time he was governor, because everyone was 
into disclosure using the Internet. I am sure looking back from 
his current position, Tom Ridge wonders how he had that crazy 
idea 4 years ago to make that information public.
    So I would think, Senator, we need to consult with a lot 
more people who are, as Mr. Gent was suggesting, involved in 
these long-term fixed positions that may or may not be 
controlled by cyber relationships before we would say that the 
time limit idea intrinsically is a good idea.
    Again, in principle, I do not think the IT industry would 
be too much concerned about that, but I think a lot of our 
customers might be because those physical assets do not change 
and those physical vulnerabilities do not change for long 
periods of time.
    Senator Bennett. Without treading into classified 
territory, because in this whole process I have spent an awful 
lot of time in places that deny that they exist after I leave 
them, as a general principle, someone who is looking over 
critical infrastructure needs to know key points. And the key 
point in the critical infrastructure can be taken out with a 
kinetic weapon many times more efficiently than it can be taken 
out with a cyber attack. The interesting thing that comes from 
those who analyze this--and I must be careful about this--the 
interesting thing that comes from those who analyze this for a 
living is that the key points in a critical infrastructure are 
very often not obvious. There might be a particular switch in a 
particular pipeline or a particular telecommunications switch, 
or a substation that for some reason is far more critical than 
any other in terms of possibly shutting down the power grid. A 
terrorist would give a tremendous amount to know where those 
key points are. And I am not sure the people who are giving 
information to the government, if my bill was to pass, would 
themselves know how key they are or where they are.
    And the question becomes--the government could put that 
together. The government says, ``OK, we have got this from this 
source. We have got this from this source. Uh-oh.'' Back to my 
original analysis if I am going to mix metaphors here. If this 
particular facility goes down, that is what shuts down the 
Fedwire. And the people who manage that facility do not know 
that. If that information--that is the pieces of information 
that allowed the government to discover that are individually 
made available with FOIA, and an analyst working for a hostile 
nation state comes to the same conclusion that our analyst came 
to, and said, ``Aha, this is the one thing which if we shoot 
down, cuts down the Fedwire.'' And that becomes very valuable 
information, and maybe they make the decision, ``We are not 
going to go after it in a cyber way. We are going to get 
somebody with a truck full of fertilizer to pull up to the 
front door of that particular facility and lo and behold 
everybody is going to be surprised because they think they have 
all of these technological firewalls everywhere else to protect 
the Fedwire, and bingo, we can take it out with a fertilizer 
bomb.''
    Now, that is obviously a hypothetical and obviously that 
kind of analysis is going on. But that is the kind of concern 
that I have about sharing information. And it may well be that 
we could find a division here between some things that could be 
disclosed after a 3-year period and some things that could not. 
I can anticipate some of you are going to say, ``Well, you are 
not going to know that in advance,'' but let us at least have a 
quick round on that concern.
    Mr. Paller. I think you go back to the bigger question that 
your staff got mad at you about, about understanding it is a 
management problem. And what I see happening here is what 
happens in lots of security conversations, which is different 
people looking at different parts of the animal. (1) If that is 
what you are going to disclose, it is terrible, and (2) if that 
(other thing) is what you are going to disclose, it is fine. I 
think maybe this is one of those really hard slogging jobs 
where you have to go systematically through every specific type 
of data in every specific type of environment and get the 
answers to the questions of which are going to be disclosed and 
which are not going to be disclosed if you want to get 
consensus in the room. I am not sure that the effort is going 
to be worth the trouble, but I do not see a way, as long as you 
keep a very broad view of what the ``it'' is, to get them to 
agree how long or when or whether to disclose it.
    Mr. Miller. Senator, I do not know whether it has to do 
directly with FOIA legislation. I mean clearly the issue of 
saying we do not know what we do not know is a real problem. 
Let me give you an obvious lesson that was learned on September 
11, and that is redundancy in telecommunication systems. A lot 
of companies had learned over time, as part of business 
continuity planning, to have redundancy in their 
telecommunication systems, which meant having two carriers, two 
switches, and two sets of pipes. But a lot of companies put 
those switches and those pipes in exactly the same building, 
the World Trade Center. So when the World Trade Center went 
down they really did not have redundancy. They ended up not 
having complete telecommunication systems left. And so that was 
a lesson that was learned, or at least it was put out there. I 
am not sure whether it has been completely learned. We are 
still having this debate with the Federal Government as you 
know, and there is legislation in Congress to require Federal 
agencies to begin to think about having true physical 
redundancy as opposed to assumed physical redundancy in 
telecommunication systems.
    So frequently we do not know what we do not know, and we 
have to have a tragedy or a direct experience to learn that 
lesson.
    Would the FOIA exemption you are suggesting help that to 
come together? Perhaps because who, other than the government, 
does exactly what you say, which is to look at all of the 
pieces of the puzzle. At the end of the day, his companies look 
at the electricity industry, I look at the IT industry, Mr. 
Sagalow and financial ISAC members look at the ISAC industry. 
Mr. Paller kind of looks across industries because he has got 
experts in all of these. But at the end of the day it is only 
the government that looks at the overall view of how these 
interdependencies really work in ways that nobody else really 
can.
    Mr. Sobel. Senator, I just wanted to make the observation 
that it seems to me that there is a little bit of a disconnect 
in terms of industry's attitude here. I mean on the one hand we 
are being told that the agencies that would receive the 
information are somehow so incompetent that they would be 
releasing highly sensitive information in response to a FOIA 
request despite very strong case law supporting withholding, 
and yet on the other hand industry seems to believe that there 
is something valuable that the government has to tell them or 
something valuable the government has to do in the form of 
coordinating response activity. So I am not getting a clear 
picture from industry in terms of how they see government. Is 
government a competent, useful player here or is it something 
else, an entity that is going to receive information and very 
haphazardly release it to the detriment of all of us?
    So I really am hearing two things here.
    Senator Bennett. My answer to that question would be yes. 
[Laughter.]
    Mr. Sobel. Well, then I think it raises----
    Senator Bennett. There is no such thing as industry and 
there is no such thing as the government. There are a variety 
of companies in a variety of industries. It is enormously 
complex, and as you have indicated, the vast majority of them 
would be very disciplined and act in a responsible way. And 
there are few, in your opinion, that would not, that would be 
irresponsible and would try to use this in an improper fashion. 
There are a variety of people in government who are enormously 
competent and who would provide the analysis that we need, and 
there are a variety of people who have demonstrated a 
regulatory mentality to which I referred earlier, that would 
use the information in a way just to prove their regulatory 
muscle that would be irresponsible. You only have to sit in a 
Senator's office to discover that there is no, ``the 
Government.'' There are a variety of human beings, some of 
whom, most of whom, act responsibly and intelligently, and 
every once in a while there are some regulators who just defy 
common sense in the way they do their jobs and hang on to the 
regulations that they have.
    So my answer to your question, without being facetious, is 
yes to both sides of it.
    Mr. Sobel. I think that is very true, but as Mr. Tritak 
said, if this is a question of trust and establishing trust, I 
do not understand why that same regulator is suddenly going to 
be trusted by the industry submitter to comply with your new 
FOIA exemption if he is not trusted to comply with the existing 
protections. In other words, if this is an incompetent or 
malicious bureaucrat, why would this new legislation create any 
greater trust on the part of the submitter? That is what I am 
really missing here.
    Senator Bennett. All you can hope for is that you nudge him 
in the right way.
    Mr. Sagalow. Senator, if I could just emphasize on that 
last point you mentioned, because that is exactly what is 
happening. In the real world everything is a gray area and what 
you need to do is nudge the general counsel in the right way. 
What I am hoping that you are hearing from at least the 
majority of people that are speaking on this area is a desire 
not to throw the baby out with the bath water, that this is a 
very essential piece of legislation, very important to the 
national infrastructure and our war against terrorism, and that 
the people on both sides of the aisle, so to speak, are willing 
to look at language in the bill consistent with the 
fundamentals: That data is received through independent use 
would be exempted, that under certain circumstances criminal 
prosecution if documented through that independent use would be 
permitted, that certainly it is not the intention of the 
legislation, and none of my members are indicating they expect 
it to be the intention of the legislation, that the legislation 
will somehow allow a company not to disclose what they would 
otherwise be obligated to disclose, whether in the criminal 
area, the environmental area, or the financial area.
    Two other quick comments. My personal belief is that the 
fear of data dumping or the bad general counsel while not 
unrealistic, is perhaps overstated. General counsels have a 
firm belief in the law of unintended consequences. That is why 
they are hesitating to permit disclosure in the first place. 
And part of the law of unintended consequences is if you do a 
data dump thinking that you are going to fool the other side, 
something is going to go wrong. Very few general counsels take 
that risk unless it is a matter of utter desperation.
    And then finally on this issue of the temporal solution to 
the problem, I can only echo the point that was made earlier, 
that this issue of ``we do not know what we do not know'' is 
quite important. We really do not know in any set of documents 
or data what are the fundamental issues that may be completely 
applicable 5, 6, or 10 years from now.
    Senator Bennett. Well, the audience is voting with their 
feet in saying that the hearing is over. May I thank all of you 
for your contribution. This has been a serious discussion 
rather than a simple venting of opinions, and I am grateful to 
all of you for your willingness to enter into it in that 
spirit.
    If I were to summarize my attitude, and speaking solely for 
myself, obviously, and not for any other Member of the 
Committee, I wish we had the time to go through all of the 
issues and ultimately come, as has been suggested here, to a 
final consensus where everybody buys off and agrees, because I 
think people of goodwill at all aspects of this probably could 
arrive there.
    I must share with you once again, I feel a sense of urgency 
here which is very powerful, and the more time I spend with the 
intelligence community, the more time I spend in the Defense 
Department, the more times I visit that room in the Pentagon, 
where the attacks on our military infrastructure come in in 
real time and I see them on the screen, the more sense of 
urgency I have.
    I think we err on the side of exposing our country and 
really with exposing the American economy, exposing the world 
to serious damage if we delay too long. And I would rather take 
steps as quickly as we can that start us down the road and 
maintain a perfect willingness to change the legislation as we 
get examples of serious violations of environmental or other 
circumstances by the small minority of companies that might try 
to take advantage of that, than delay the legislation until we 
can theoretically iron out all of the problems.
    I do not wish to be an alarmist. I try not to be an 
alarmist, but I think this is an issue that requires early 
action. And that is why I am grateful to the Chairman for his 
willingness to schedule the hearing, and I am grateful to all 
of you for your willingness to participate.
    With that, the hearing is adjourned.
    [Whereupon, at 12:30 p.m., the Committee was adjourned.]
                            A P P E N D I X

                              ----------                              


                 PREPARED STATEMENT OF SENATOR BUNNING
    Thank you, Mr. Chairman.
    During the past 7 months community leaders, government officials 
and average Americans have been re-evaluating the level of security 
needed to protect ourselves.
    We have seen dramatic changes in the airline industry, and we have 
become very concerned about the safety of our ports and other 
transportation systems.
    Local, State and Federal emergency personnel have been on a high 
state of alert. And, we are increasing staffing at our borders. 
However, protecting our critical infrastructure is one of the most 
important steps we can take to ensure a safe future, and it should not 
be overlooked.
    The government needs to do everything it can to encourage companies 
to share information with each other and Federal officials in an effort 
to stop those who are attacking our country.
    I understand that some companies are concerned about sharing 
sensitive information because they are afraid it may be released to the 
public.
    If we are serious about protecting our critical infrastructure, 
then we have got to be serious about finding a solution to this 
problem.
    If businesses are afraid their non-public information can make its 
way into the public domain, we will never get the kind of open and 
productive relationship that we need between the government and 
business community.
    I am looking forward to hearing more about the legislation 
introduced by Senators Bennett and Kyl that begins to address this 
problem, and I appreciate the time our witnesses have taken to testify 
today.
    Thank you.
    [GRAPHIC] [TIFF OMITTED] 80597.001 through 80597.176 (176 appendix 
pages reproduced only as images in the printed hearing; not available in 
this text version)