[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]



 
                  IMPLICATIONS OF POWER BLACKOUTS FOR
                THE NATION'S CYBERSECURITY AND CRITICAL
                       INFRASTRUCTURE PROTECTION

=======================================================================

                             JOINT HEARING

                                 of the

        SUBCOMMITTEE ON CYBERSECURITY, SCIENCE, AND RESEARCH AND
                              DEVELOPMENT

                                and the

           SUBCOMMITTEE ON INFRASTRUCTURE AND BORDER SECURITY

                                 of the

                 SELECT COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                      ONE HUNDRED EIGHTH CONGRESS

                             FIRST SESSION

                               __________

                SEPTEMBER 4, 2003 and SEPTEMBER 23, 2003

                               __________

                           Serial No. 108-23

                               __________

    Printed for the use of the Select Committee on Homeland Security


 Available via the World Wide Web: http://www.access.gpo.gov/congress/
                                 house


                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
99-793                      WASHINGTON : 2005
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½0900012005


                 SELECT COMMITTEE ON HOMELAND SECURITY

                 CHRISTOPHER COX, California, Chairman

JENNIFER DUNN, Washington            JIM TURNER, Texas, Ranking Member
C.W. BILL YOUNG, Florida             BENNIE G. THOMPSON, Mississippi
DON YOUNG, Alaska                    LORETTA SANCHEZ, California
F. JAMES SENSENBRENNER, JR.,         EDWARD J. MARKEY, Massachusetts
Wisconsin                            NORMAN D. DICKS, Washington
W.J. (BILLY) TAUZIN, Louisiana       BARNEY FRANK, Massachusetts
DAVID DREIER, California             JANE HARMAN, California
DUNCAN HUNTER, California            BENJAMIN L. CARDIN, Maryland
HAROLD ROGERS, Kentucky              LOUISE McINTOSH SLAUGHTER,
SHERWOOD BOEHLERT, New York            New York
LAMAR S. SMITH, Texas                PETER A. DeFAZIO, Oregon
CURT WELDON, Pennsylvania            NITA M. LOWEY, New York
CHRISTOPHER SHAYS, Connecticut       ROBERT E. ANDREWS, New Jersey
PORTER J. GOSS, Florida              ELEANOR HOLMES NORTON,
DAVE CAMP, Michigan                    District of Columbia
LINCOLN DIAZ-BALART, Florida         ZOE LOFGREN, California
BOB GOODLATTE, Virginia              KAREN McCARTHY, Missouri
ERNEST J. ISTOOK, Jr., Oklahoma      SHEILA JACKSON-LEE, Texas
PETER T. KING, New York              BILL PASCRELL, JR., New Jersey
JOHN LINDER, Georgia                 DONNA M. CHRISTENSEN,
JOHN B. SHADEGG, Arizona               U.S. Virgin Islands
MARK E. SOUDER, Indiana              BOB ETHERIDGE, North Carolina
MAC THORNBERRY, Texas                CHARLES GONZALEZ, Texas
JIM GIBBONS, Nevada                  KEN LUCAS, Kentucky
KAY GRANGER, Texas                   JAMES R. LANGEVIN, Rhode Island
PETE SESSIONS, Texas                 KENDRICK B. MEEK, Florida
JOHN E. SWEENEY, New York

                      JOHN GANNON, Chief of Staff

         UTTAM DHILLON, Chief Counsel and Deputy Staff Director

               DAVID H. SCHANZER, Democrat Staff Director

                    MICHAEL S. TWINCHEK, Chief Clerk

                                  (ii)


           SUBCOMMITTEE ON INFRASTRUCTURE AND BORDER SECURITY

                     DAVE CAMP, Michigan, Chairman

KAY GRANGER, Texas, Vice Chairwoman  LORETTA SANCHEZ, California
JENNIFER DUNN, Washington            EDWARD J. MARKEY, Massachusetts
DON YOUNG, Alaska                    NORMAN D. DICKS, Washington
DUNCAN HUNTER, California            BARNEY FRANK, Massachusetts
LAMAR SMITH, Texas                   BENJAMIN L. CARDIN, Maryland
LINCOLN DIAZ-BALART, Florida         LOUISE McINTOSH SLAUGHTER,
ROBERT W. GOODLATTE, Virginia          New York
ERNEST ISTOOK, Oklahoma              PETER A. DeFAZIO, Oregon
JOHN SHADEGG, Arizona                SHEILA JACKSON-LEE, Texas
MARK SOUDER, Indiana                 BILL PASCRELL, JR., New Jersey
JOHN SWEENEY, New York               CHARLES GONZALEZ, Texas
CHRISTOPHER COX, California, ex      JIM TURNER, Texas, ex officio
officio

  Subcommittee on Cybersecurity, Science, and Research and Development

                    MAC THORNBERRY, Texas, Chairman

PETE SESSIONS, Texas, Vice Chairman  ZOE LOFGREN, California
SHERWOOD BOEHLERT, New York          LORETTA SANCHEZ, California
LAMAR SMITH, Texas                   ROBERT E. ANDREWS, New Jersey
CURT WELDON, Pennsylvania            SHEILA JACKSON-LEE, Texas
DAVE CAMP, Michigan                  DONNA M. CHRISTENSEN,
ROBERT W. GOODLATTE, Virginia          U.S. Virgin Islands
PETER KING, New York                 BOB ETHERIDGE, North Carolina
JOHN LINDER, Georgia                 KEN LUCAS, KENTUCKY
MARK SOUDER, Indiana                 JAMES R. LANGEVIN, Rhode Island
JIM GIBBONS, Nevada                  KENDRICK B. MEEK, Florida
KAY GRANGER, Texas                   CHARLES GONZALEZ, Texas
CHRISTOPHER COX, California, ex      JIM TURNER, TEXAS, ex officio
officio

                                 (iii)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Dave Camp, a Representative in Congress From the 
  State of Michigan, and Chairman, Subcommittee on Infrastructure 
  and Border Security............................................     1
The Honorable Mac Thornberry, a Representative in Congress From 
  the State of Texas, and Chairman, Cybersecurity, Science, and 
  Research and Development.......................................    13
The Honorable Christopher Cox, a Representative in Congress From 
  the State of California, and Chairman, Select Committee on 
  Homeland Security
  Prepared Statement.............................................    13
  Oral Statement.................................................    18
  Prepared Statement.............................................   116
The Honorable Jim Turner, a Representative in Congress From the 
  State of Texas, and Ranking Member, Select Committee on 
  Homeland Security
  Prepared Statement.............................................    16
  Oral Statement.................................................    19
  Prepared Statement.............................................   114
The Honorable Robert E. Andrews, a Representatives in Congress 
  From the State of New Jersey...................................    54
The Honorable Donna M. Christensen, a Delegate From the U.S. 
  Virgin Islands.................................................    48
The Honorable Peter A. DeFazio, a Representative in Congress From 
  the State of Oregon............................................    51
The Honorable Norman D. Dicks, a Representative in Congress From 
  the State of Washington........................................    52
The Honorable Jennifer Dunn, a Representative in Congress From 
  the State of Washington........................................    46
The Honorable Bob Etheridge, a Representative in Congress From 
  the State of North Carolina....................................    49
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island
  Prepared Statement.............................................    16
  Prepared Statement.............................................   116
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas
  Oral Statement.................................................    57
  Prepared Statement.............................................   115
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California
  Prepared Statement.............................................    44
The Honoralbe Ken Lucas, a Representative in Congress From the 
  State of Kentucky..............................................   138
The Honorable Edward J. Markey, a Representative in Congress From 
  the State of Massachusetts.....................................   106
The Honorable Kendrick B. Meek, a Representative in Congress From 
  the State of Florida...........................................   134
The Honorable Bill Pascrell, a Representative in Congress From 
  the State of New Jersey........................................    44
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California........................................    17
The Honorable Pete Sessions, a Representative in Congress From 
  the State of Texas.............................................   129
The Honorable John B. Shadegg, a Representative in Congress From 
  the States Arizona.............................................   103
The Honorable Louise McIntosh Slaughter, a Representative in 
  Congress From the State New York...............................    55
The Honorable Curt Weldon, a Representative in Congress From the 
  State of Pennsylvania..........................................    20

                               WITNESSES
                           September 4, 2003

The Honorable J. Cofer Black, Coordinator, Office of the 
  Coordinator for Counterterrorism, Department of State
  Oral Statement.................................................     2
  Prepared Statement.............................................     5
Mr. Paul H. Gilbert, Former Panel Chair, Energy Facilities, 
  Cities, and Fixed Infrastructure, National Research Council
  Oral Statement.................................................    58
  Prepared Statement.............................................    60
Mr. John A. McCarthy, Executive Director, Critical Infrastructure 
  Protection Project, George Mason University
  Oral Statement.................................................    72
  Prepared Statement.............................................    74
Mr. Larry A. Mefford, Executive Assistant Director, 
  Counterterrorism and Counterintelligence, Federal Bureau of 
  Investigation
  Oral Statement.................................................     9
  Prepared Statement.............................................    11
Peter R. Orszag, Ph.D., Joseph A. Pechman Senior Fellow, 
  Brookings Institution
  Oral Statement.................................................    62
  Prepared Statement.............................................    64
Mr. Karl F. Rauscher, Founder and President, Wireless Emergency 
  Response Team
  Oral Statement.................................................    76
  Prepared Statement.............................................    78
Mr Kenneth C. Watson, President and Chair, Partnership for 
  Critical Infrastructure Security
  Oral Statement.................................................    81
  Prepared Statement.............................................    83

                           September 17, 2003

Mr. Robert F. Dacey, Director, Information Security, General 
  Accounting Office
  Oral Statement.................................................   153
  Prepared Statement.............................................   155
The Honorable Robert Liscouski, Assistant Secretary, 
  Infrastructure Protection, Directorate, Department of Homeland 
  Security
  Oral Statement.................................................   117
  Prepared Statement.............................................   119
Colonel Michael McDaniel, Assistant Adjutant General, Homeland 
  Security, State of Michigan
  Oral Statement.................................................   148
  Prepared Statement.............................................   150
Ms. Denise Swink, Acting Director, Office of Energy Assurance, 
  Department of Energy
  Oral Statement.................................................   121
  Prepared Statement.............................................   123

                                APPENDIX
                   Materials Submitted for the Record

Questions and Responses Submitted for the Record by Mr. Robert F. 
  Dacey..........................................................   232
Questions and Responses Submitted for the Record by The Honorable 
  James R. Langevin..............................................   207
Questions and Responses Submitted for the Record by The Honorable 
  Robert Liscouski...............................................   223
Questions and Responses Submitted for the Record by Ms. Denise 
  Swink..........................................................   222
Questions and Responses Submitted for the Record by The Honorable 
  Jim Turner.....................................................   211


                THE ELECTRIC GRID, CRITICAL INTERDEPEN-
                DENCIES, VULNERABILITIES, AND READINESS

                              ----------                              


                      THURSDAY, SEPTEMBER 4, 2003

                    Subcommittee on Cybersecurity, Science,
                              and Research and Development,

                                                and

                             Subcommittee on Infrastructure
                                       and Border Security,
                             Select Committee on Homeland Security,
                                                     Washington, DC
     The subcommittees met, pursuant to call, at 1:00 p.m., in 
Room 2237, Rayburn House Office Building, Hon. Dave Camp, 
[chairman of the Subcommittee on Infrastructure and Border 
Security] presiding.
    Present for the Subcommittee on Infrastructure and Border 
Security: Representatives Camp, Dunn, Smith, Shadegg, Gibbons, 
Sanchez, Markey, Dicks, Cardin, Slaughter, DeFazio, Jackson-
Lee, and Pascrell.
    Present for the Subcommittee on Cybersecurity, Science and 
Research and Development Subcommittee: Representatives 
Thornberry, Smith, Weldon, Camp, Linder, Lofgren, Sanchez, 
Andrews, Jackson-Lee, Christensen and Etheridge.
    Also present: Representatives Cox and Turner.
    Mr. Camp. The joint hearing of the Subcommittee on 
Infrastructure and Border Security and Subcommittee on 
Cybersecurity, Science and Research and Development of the 
Select Committee on Homeland Security will come to order. The 
title of today's hearing is Implications of Power Blackouts for 
the Nation's Cybersecurity and Critical Infrastructure 
Protection: The Electric Grid, Critical Interdependencies, 
Vulnerabilities and Readiness.
    Good afternoon. Chairman Thornberry and I would like to 
welcome and thank you for attending today's hearing on 
infrastructure interdependencies.
    The two subcommittees will hear from a panel of experts 
representing academia, industry and the national security 
community. We have the Honorable J. Cofer Black, Coordinator of 
the Office of the Coordinator for Counterterrorism, Department 
of State; Larry Mefford, Executive Assistant Director of 
Counterterrorism and Counterintelligence, Federal Bureau of 
Investigation.
    Later, we will have Paul Gilbert, Former Panel Chair of 
Energy Facilities, Cities and Fixed Infrastructure from the 
National Research Council; Peter Orszag, Senior Fellow of the 
Brookings Institution; John McCarthy, Executive Director of the 
Critical Infrastructure Protection Project, George Mason 
University; Karl Rauscher, Founder and President, Wireless 
Emergency Response Team; and Ken Watson, President and Chair, 
Partnership for Critical Infrastructure Security.
    Thank you all for your participation. Your experience in 
critical infrastructure security and interdependencies make 
your testimony very valuable as the Homeland Security Committee 
continues to look at ways to strengthen America's critical 
infrastructure.
    The Chair would like to inform members that several 
witnesses have precise departure times, particularly those from 
across the country who have flights to catch; and considering 
the expertise of our two panels and the importance of having 
sufficient time to hear their statements and ask questions, the 
Chair requests that members agree to a unanimous consent 
request to waive opening statements.
    Seeing no objection, we will proceed.
    Today's hearing will examine our Nation's complex critical 
infrastructure and the computers and networks that operate and 
sustain them. There has never been a more compelling time for 
our Nation to be educated on the threats and vulnerabilities 
that terrorists pose to the Nation through attacks on our 
critical infrastructure.
    I would again like to thank our witnesses for being here. 
We will hear testimony from our government panel first, and we 
will begin with Ambassador Black. We have received your written 
testimony and ask that you briefly summarize in 5 minutes your 
statement. Thank you. You may begin.

STATEMENT OF THE HONORABLE J. COFER BLACK, COORDINATOR, OFFICE 
  OF THE COORDINATOR FOR COUNTERTERRORISM, DEPARTMENT OF STATE

     Mr. Black. Mr. Chairman, committee members, thank you for 
giving me the opportunity to speak here today. I look forward 
to discussing some of the key challenges we face in our global 
war on terrorism and how protecting critical infrastructure 
fits into the broader scope of our efforts in this area.
    I have a longer formal statement which, with your 
permission, I would like to submit for the record.
    Mr. Camp. Without objection.
    Mr. Black. Mr. Chairman, the phrase ``critical 
infrastructure'' covers many elements of the modern world. To 
cite a few examples: the computers we use to transfer financial 
information from New York to Hong Kong and other cities, the 
air traffic control systems for international and domestic 
flights and, of course, the electric grid systems.
    The global critical infrastructure is both a contributor 
to, and a result of, the interdependence that exists among 
nations today. Critical infrastructure essentially means all 
the physical and virtual ties that bind us together, not only 
as a society but as a world. Terrorists know this, and they see 
attacking the very bonds that hold us together as one more way 
to drive us apart.
    We have made significant progress in the war on terrorism, 
but the recent blackouts in this country serve as an urgent 
reminder of vulnerabilities that terrorists can possibly 
exploit. We continue to believe that these blackouts were not 
the result of terrorist attacks. We know, however, that 
terrorists have plotted more devastating ways to bring massive 
disruption to our society.
    My role in international cooperation: responsibility for 
protecting critical infrastructure has been assigned to the 
Secretary for Homeland Security. In my role as a coordinator 
for counterterrorism, I am responsible for managing the 
international effort to counter the terrorist threat through 
effective integration and coordination of the efforts of our 
allies and partners with our own.
    The State Department plays an essential role in 
coordinating our government's response to matters surrounding 
critical infrastructure as those issues arise abroad. We are 
working closely on this with regional and global sorganizations 
including APEC, the OAS and the OECD and will convene a 
Southeast Europe cybersecurity conference next week in Sofia, 
Bulgaria, to raise awareness of this issue in that region. In 
addition, we have made this topic a priority of our global 
agenda by drafting three U.N. general Assembly resolutions on 
these issues. All these resolutions were adopted unanimously. 
The U.N.-sponsored World Summit on the Information Society will 
provide yet another forum where we can advance our goals on 
cybersecurity.
    Antiterrorism assistance training. Bilaterally, the State 
Department is also working with countries across the globe. We 
are working with 16 nations on issues of critical 
infrastructure protection, countries ranging from Canada to 
India and Australia. Through the State Department's 
Antiterrorism Assistance Program, known as ATA, we offer three 
separate courses on cyberterrorism that address varying but 
equally important facets of the problem.
    Additionally, ATA offers vital installation security 
courses to foreign law enforcement and security organizations. 
Sixteen countries on four continents have received the ATA 
vital installations course in the past two years and at least 
four more are planned for fiscal year 2004. Our recently 
developed cybersecurity course already has been provided to 
three countries. We plan to engage two more in fiscal year 
2004.
    Budget requests. Our planned courses for fiscal year 2004 
reflect the administration's requested level of ATA funding. 
The Senate foreign operations appropriations bill provides the 
requested level, but the House mark is short by $16 million 
from the administration's $106 million request. These 
reductions could result in cutting at least several 
cybersecurity and vital installation courses during fiscal year 
2004.
    I must also add that funding was cut from our Terrorist 
Interdiction Program (TIP) that helps countries better control 
their borders and from our senior policy workshop program. I 
hope the distinguished members of this committee will encourage 
their colleagues on appropriations committees to support the 
full funding of these critical counterterrorist programs when 
the fiscal year 04 foreign operations appropriation bill goes 
to conference.
    Mr. Chairman, the State Department also plays a role in 
helping to develop technology to counter threats to the 
critical infrastructure. My office co-chairs, with the 
Department of Defense, the Technical Support Working Group 
which conducts the national, interagency combatting terrorism 
technology research and development program. Within the TSWG, 
an interagency working group on infrastructure protection, 
chaired by the Department of Defense with the FBI, focuses on 
meeting interagency requirements for technology development in 
the areas of cybersecurity, information analysis and physical 
protection.
    The TSWG's cybersecurity projects focus on preventing or 
mitigating threats to computer networks vital to defense, 
transportation and critical infrastructure. Our projects are 
aimed at enhancing detection, prevention, response and alert 
capabilities to counter cyberattacks and harden computer 
systems.
    For fiscal year 2004 the TSWG program has allotted 
approximately $10 million to fund rapid prototyping and 
development work on 25 projects in the infrastructure 
protection area based on requirements identified by the 
interagency community.
    In other areas of activity, the Department also has 
provided some 18 key counterterrorist partner countries 
overseas with an intensive senior policy workshop. This helps 
them develop plans and procedures to mitigate any use by 
terrorists of weapons of mass destruction. We are also 
providing a series of workshops to improve energy security in 
the Caspian Basin, focusing on Kazakhstan.
    I would like to put the issue of critical infrastructure 
into the context of our global efforts in the war on terrorism 
by discussing another type of critical infrastructure: the 
alliances, partnerships and friendships that we have worked so 
hard to build. These networks of diplomatic exchange and 
communication serve as the foundation on which our national 
security often rests.
    I just returned this morning from a week in Colombia and 
Barbados where I worked to strengthen our partnerships on 
counterterrorism. In Colombia, kidnapping and drugs are primary 
sources of terrorist funding in that country. While in 
Colombia, I inaugurated a new $25 million anti-kidnapping 
initiative funded by the State Department that will provide 
training and equipment for Colombia's special police and 
military anti-kidnapping units.
    In Barbados, I met with prime ministers from across the 
Eastern Caribbean. Important progress is being made in that 
region. Several Caribbean states are developing national and 
regional immigration alert systems so that they can better 
track and capture terrorists who cross their borders and are 
drafting counterterrorist legislation.
    We have also built new relationships with the countries in 
the tri-border region--Brazil, Argentina and Paraguay. We have 
also initiated new counterterrorism partnerships with China, 
Russia and the central Asian republics.
    Our success in this struggle depends heavily on those 
nations around the world that are working with us to defeat 
terrorism within their own borders. Pakistan has taken more 
than 500 terrorist suspects into custody. Morocco has arrested 
al Qaeda operatives planning attacks against our shipping. Many 
other nations around the world are helping us to uncover 
terrorist networks.
    Since 9/11, the United States and its partners have 
detained more than 3,000 terrorists in over 100 countries. Also 
since 9/11, more than 30 nations have signed on to all 12 of 
the international antiterrorism conventions and protocols, and 
many more have become parties to them. There has been an 
upsurge in the number of laws, both domestic and international, 
that deal with terrorism-related issues.
    Regarding counterterrorism funding, a key part of our 
counterterrorism effort is the designation of terrorists and 
foreign terrorist organizations. The State Department, together 
with the Departments of Justice, Treasury and Homeland Security 
and the Intelligence Community, has been developing legal cases 
for the designation of terrorists and terrorist organizations 
so that we can block funding.
    Since 9/11, over 170 countries and jurisdictions have 
issued orders to freeze terrorist assets. So far, we have 
frozen more than $136 million in terrorist funding and 
designated more than 290 terrorist groups and individuals, 
working hard to help other countries become more effective in 
stopping terrorists from raising and moving funds.
    It is essential that we continue to work relentlessly to 
ensure that terrorists, whatever their ideology, religion or 
ethnicity, do not receive safe haven, funding or any other kind 
of support, both inside and outside our own borders. But with 
each of these victories, new challenges emerge. As the chains 
of commands in these organizations are stressed and broken, it 
becomes more difficult for terrorists to confer with their 
leaders and coordinate large-scale attacks. That is why we are 
seeing an increasing number of small-scale operations against 
softer targets.
    One of the lessons our Nation learned a new on that tragic 
morning nearly 2 years ago was that the fates of all nations 
are linked. This lesson takes on new meaning when considered in 
the context of protecting our national and international 
critical infrastructures because, in the last analysis, it is 
precisely those global systems, structures and networks that 
serve as the foundation for all our efforts to bring freedom, 
prosperity and security to people around the world.
    I thank you, Mr. Chairman; and I would be happy to take 
your questions when you so choose.
    Mr. Camp. Thank you, Ambassador.
    [The statement of Mr. Black follows:]

               PREPARED STATEMENT OF THE HON. COFER BLACK

    Mr. Chairman, Committee Members:
    Thank you for giving me the opportunity to speak here today. I look 
forward to discussing some of the key challenges we face in our global 
war on terrorism. It is a privilege to speak to you on the crucial 
issue of counterterrorism, and how protecting critical infrastructure 
fits into the broader scope of our efforts in this area.
    Critical infrastructure means many different things. It means the 
computers we use to transfer financial data from New York to Hong Kong. 
It means the production facilities that distribute our food across the 
country and the sanitation systems that make our water safe to drink. 
It means the electronic signals that keep our planes in the air and our 
trains on proper course. At the most fundamental level, it means the 
very interconnectedness on which our society so heavily depends. But it 
also means something more.
    We must remain mindful that global critical infrastructure is both 
a contributor to--and a result of--the interdependence that exists 
among nations today. It is because our ties to Europe and Asia are so 
strong that an attack on the banking systems in either of those places 
would have a powerful impact on our country. It is because we rely so 
much on our extensive trade relationships with nations around the globe 
that we must ensure that those products reaching our shores are safe to 
sell in this country. It is because we depend on global partnerships 
for our power that a blackout in one country can trigger a blackout in 
another. Critical infrastructure essentially means all the physical and 
virtual ties that bind us together--not only as a society, but as a 
world. Terrorists know this, and they see attacking the very bonds that 
hold us together as one more way to drive us apart.
    We have made significant progress in the war on terrorism, but the 
recent blackouts in this country serve as an urgent reminder that there 
remain vulnerabilities for terrorists to exploit. We continue to 
believe that these blackouts were not the result of terrorist acts. We 
know that terrorists have plotted more devastating ways to bring 
massive disruption to our society.
    We know, for example, that terrorists have assessed the possibility 
of attacking our nuclear plants and our transportation systems. But, in 
the end, it does not matter to terrorists whether the target is an 
Embassy or a nightclub, a power grid, a hotel, or an unguarded 
building. The targets terrorists attack will no doubt vary widely, but 
the goal toward which they strive remains the same: to undermine the 
security and stability that Americans seek for themselves, their 
country, and the world.

                STATE'S ROLE, INTERNATIONAL COOPERATION

    In the United States, the responsibility for protecting critical 
infrastructure has been assigned to the Secretary for Homeland 
Security. In my role as the State Department's Coordinator for Counter-
Terrorism, I am responsible for managing the international effort to 
counter the terrorist threat through the effective integration and 
coordination of the efforts of our allies and partners with our own.
    The State Department plays an essential role in coordinating our 
government's response to issues surrounding critical infrastructure, as 
those issues arise abroad. We are working closely with regional and 
global organizations from APEC, the OAS, and the OECD, and will convene 
a Southeast Europe cyber security conference next week in Sofia, 
Bulgaria, to raise awareness of this issue in that region. In addition, 
we have made this topic a priority on our global agenda by drafting 
three UN General Assembly resolutions on issues related to information 
technology and cyber security--and all these resolutions were adopted 
unanimously. The UN-sponsored World Summit on the Information Society, 
which will be held in Geneva in December, will provide yet another 
forum where we can advance our goals on cyber security.

                              ATA TRAINING

    The State Department is also engaged bilaterally on this issue with 
countries across the globe. We are working with sixteen nations on the 
issue of critical infrastructure protection--countries ranging from 
Canada to India and Australia. And through the State Department's 
Antiterrorism Assistance program (ATA), we offer three separate courses 
on Cyber Terrorism that address varying but equally important facets of 
the problem; preventive measures, techniques in responding to and 
investigating cyber attacks, and familiarizing senior level officials 
on dealing with the problems of a cyber incident.
    Additionally, ATA offers Vital Installations Security courses to 
foreign law enforcement and security organizations. Sixteen countries 
on four continents have received the ATA Vital Installations course in 
the past two years and at least four more are planned for Fiscal Year 
2004. Our recently developed Cyber Security course already has been 
provided to three countries, and we plan to engage two more in FY 2004.
    Our planned courses for FY 2004 reflect the Administration's 
requested level of ATA funding. The Senate Foreign Operations 
Appropriation bill provides the requested level, but the House mark is 
short by $16 million from the Administration's $106 million request.
    These reductions, if not restored in the Senate-House conference 
committee, would result in cutting at least several Cyber Security and 
Vital Installations courses during FY 2004. I might also add that 
funding was cut from our Terrorist Interdiction Program, which helps 
countries better control their borders, and from our Senior Policy 
Workshop program.
    I hope the distinguished members of this Committee will encourage 
their colleagues on the Appropriations Committee to support the full 
funding of these critical counterterrorism programs when the FY 2004 
foreign operations appropriations bill goes to the conference committee 
in the near future.

                        RESEARCH AND DEVELOPMENT

    Mr. Chairman, the State Department plays a role in helping to 
develop technology to counter threats to the critical infrastructure. 
My office co-chairs, with the Department of Defense, the Technical 
Support Working Group (TSWG) which conducts the national, interagency 
combating terrorism technology research and development program. Within 
the TSWG, an interagency working group on Infrastructure Protection, 
chaired by DOD and the FBI, focuses on meeting interagency requirements 
for technology development in the areas of Cyber Security, Information 
Analysis, and Physical Protection. Other Departments and Agencies 
represented on the Infrastructure Protection Subgroup include the 
Departments of Homeland Security, Energy, Defense, Justice, 
Agriculture, Commerce, Treasury, and Transportation, as well as the 
Federal Emergency Management Agency, the Environmental Protection 
Agency, and the Nuclear Regulatory Commission.
    The TSWG's Cyber Security projects focus on preventing/mitigating 
threats to computer networks vital to defense, transportation, and 
critical infrastructure. Our projects are aimed at enhancing detection, 
prevention, response, and alert capabilities to counter cyber attacks 
and harden computer systems. Our Information Analysis projects focus on 
enabling analysis and understanding of the information space. 
Specifically, we are working on technologies to enhance information 
storage, protection, and analysis. The TSWG's Physical Protection 
projects seek to develop standardized methodologies and decision aids 
for vulnerability analysis and enhanced protection of critical elements 
of the nation's infrastructure with particular emphasis on meeting the 
needs of Supervisory Control and Data Acquisition (SCADA) users and 
systems.
    For FY 2004, the TSWG Program has allotted approximately $10M to 
fund rapid prototyping and development work on 25 projects in the 
Infrastructure Protection area based on requirements identified by the 
interagency community. A number of the Departments and Agencies 
included in the Infrastructure Protection Subgroup are contributing 
funds to support the work of the TSWG in this vital area.
    In another area of activity, the Department also has provided some 
18 key counterterrorist partners with an intensive Senior Policy 
Workshop to help them develop plans and procedures to mitigate any use 
by terrorists of weapons of mass destruction. We are also providing a 
series of workshops to improve energy security in the Caspian Basin, 
focusing on Kazakhstan. These are all part of the important effort to 
strengthen the ability of countries worldwide to counter the variety of 
terrorist threats that face us today.

                             GLOBAL CONTEXT

    I would like to use my remaining time to put the issue of critical 
infrastructure into the context of our global efforts in the war on 
terrorism--by talking with you about another type of critical 
infrastructure: the alliances, partnerships, and friendships that we 
have worked so hard to build. Like other types of critical 
infrastructure, these networks of diplomatic exchange and communication 
serve as the foundation on which our national security often rests.
    I just returned from a week of travel to Colombia and Barbados, 
where I worked to strengthen our partnerships on counterterrorism. In 
Colombia, I saw firsthand the powerful impact of our cooperation 
against kidnapping and drugs--both primary sources of terrorist funding 
in that country. While in Colombia, I had the pleasure of inaugurating 
a new $25 million Anti-kidnapping initiative--funded by the State 
Department--that will provide training and equipment for Colombia's 
special police and military anti-kidnapping units to enhance their 
ability to deal with the estimated 3,000 kidnapping incidents each 
year.
    In Barbados, I met with Prime Ministers from across the Eastern 
Caribbean, and I am pleased to report that important progress is being 
made throughout that region. Several Caribbean states are developing 
national and regional immigration alert systems so that they can better 
track and capture terrorists who cross their borders. Some Caribbean 
countries are also making strides against money laundering and drug 
trafficking--and some are working to develop common laws to achieve 
common goals in the campaign against terrorism. I was pleased to see--
in both Colombia and Barbados--that our partnerships are aimed at 
combating terrorism in a number of different ways.
    In the fight against terrorism--triumph will not come solely, or 
even primarily, through military might. Rather, it will come through 
success on a variety of different fronts with a variety of different 
tools. We need better regional and global methods of collecting and 
exchanging intelligence and information, and better military 
coordination. We need more vigorous cooperation to sever the sources of 
terrorist funding. Our actions must help to win the trust not only of 
governments, but of the people they represent. And success on each of 
these requires effective diplomacy.

                               DIPLOMACY

    Diplomacy is the backbone of our campaign--for one simple reason: 
terrorism has no citizenship. The list of passports that terrorists--
and their victims--carry is long indeed. Those 19 extremists who 
hijacked our planes on September 11, killed the innocent sons and 
daughters of more than 90 countries that day. Those men and women of 
the United Nations whom terrorists attacked in Baghdad last month, had 
come together from across the globe. Terrorism affects all corners of 
the world and we must be united, as a world, in fighting it.
    Secretary of State Colin Powell has worked hard to forge new 
friendships and strengthen existing ones. Through our Smart Border 
Accords with Canada, we held the TOPOFF II exercises last May. This 
five-day, full-scale exercise involved top officials and response 
personnel and gave us a clearer picture of how our country would 
respond to attacks with weapons of mass destruction on major 
metropolitan areas. This exercise is just one example of the success 
old partnerships can produce in facing the new challenges that lie 
ahead.
    On a global and regional level, we continue to work closely with 
organizations, ranging from NATO, the G-7, and the United Nations, to 
ASEAN, the OAS, and the OSCE. We have built new relationships on 
counterterrorism with countries like Brazil, Argentina, and Paraguay 
through the young ``3+1'' Counterterrorism Dialogue. We have also 
initiated new counterterrorism partnerships with China, Russia, and the 
Central Asian Republics. And many more nations hold promise for 
deepened engagement in the future.
    Our success in this struggle largely rests with those nations 
around the world who are working with us to defeat terrorism within 
their own borders. Pakistan has taken more than 500 terrorist suspects 
into custody, including Ramzi bin al Shibh and Khalid Sheikh Mohammed. 
With Jordan's help, two individuals were arrested, both of whom we 
believe are responsible for the murder of USAID employee Laurence Foley 
in October, 2002. Morocco has arrested Al Qaida operatives planning 
attacks against our shipping interests. And Saudi Arabia has helped in 
many ways to capture terrorists and disrupt their activities. Many 
other nations around the world are helping us to uncover the extent of 
terrorist networks; chart the movements of their members; and master 
the means of their demise.
    Just a few weeks ago, we accomplished a key goal in the war by 
capturing Hambali, the mastermind behind Bali bombing in October, 2002. 
Working together with the governments of Thailand and the Philippines, 
we added Hambali to the list of nearly two-thirds of the top Al Qaida 
leaders, key facilitators and operational managers whom we have either 
killed or captured in the past two years. And since 9/11, the United 
States and its partners and allies have detained more than 3,000 
terrorists in over 100 countries.
    And we are making measurable progress on many other fronts, as 
well.

                      COUNTERING TERRORISM FUNDING

    Since 9/11, over 170 countries and jurisdictions have issued orders 
to freeze terrorists' assets--and so far, the international community 
has frozen more than $136 million in terrorist funding and designated 
over 290 terrorist groups and individuals. We are working hard to build 
capacity in those states that are on the front lines of the war on 
terrorism, so that they can better stop terrorists from raising and 
moving funds. Thanks to UN Security Council Resolution 1373, we now 
have specific criteria by which to measure national progress in 
blocking terrorist fundraising. And we are developing international 
standards and best practices, through both the Security Council's 
Counterterrorism Committee and the Financial Action Task Force.
    Since 9/11, more than 30 nations have signed onto all 12 of the 
international antiterrorism conventions and protocols, and many more 
have become parties to them. There has been an upsurge in the number of 
laws--both domestic and international--that deal with terrorism-related 
issues. There are now more laws limiting terrorists' actions in more 
countries than ever before, and more governments are willing to enforce 
those laws. Our country has been involved in helping other nations 
strengthen their counterterrorism legislation and then, enforce it.
    But with each of these victories, new challenges emerge. As the 
chains of command in these organizations are stressed and broken, as 
they were when we captured Hambali, it becomes more difficult for 
terrorists to confer with their leaders and coordinate large-scale 
attacks. That is why we are seeing an increasing number of small-scale 
operations against softer targets.
    The more successful we are, the more likely it is that terrorists 
will act independently against unguarded targets. As a result, we will 
need to exercise heightened vigilance even as we continue making 
measurable progress on many fronts.
    Another key part of our counterterrorism effort is the designation 
of terrorists and terrorist organizations. The State Department--
together with the Departments of Justice, Treasury, and Homeland 
Security, and the Intelligence Community--has been developing legal 
cases for designating terrorists and terrorist organizations so that we 
can freeze funds and prevent attacks.
    To do this, we rely primarily on two legal authorities. The first 
is the Antiterrorism and Effective Death Penalty Act of 1996 which 
amended the Immigration and Nationality Act, to authorize the Secretary 
of State to formally designate foreign terrorist organizations. The 
second one is the Executive Order on Terrorist Financing, which the 
President signed on September 23, 2001. These authorities block the 
property of designated terrorists and make it illegal to provide 
financing and other forms of material support to designated groups. 
Designating terrorists and their organizations is an important tool in 
the war on terrorism because it helps us curb their funding and invoke 
other sanctions. It is essential that we continue to work relentlessly 
to ensure that terrorists--whatever their ideology, religion, or 
ethnicity--do not receive safe haven, funding, or any other kind of 
support both inside and outside our own borders.
    One of the lessons our nation learned anew on that tragic morning 
nearly two years ago was that the fates of all nations are linked--and 
that we deny this at our own peril. This lesson takes on new meaning 
when considered in the context of protecting our national and 
international critical infrastructures. Because, in the last analysis, 
it is precisely those global systems, structures, and networks that 
serve as the foundation for all our efforts to bring freedom, 
prosperity, and security to people around the world.
    Thank you. I would be happy to take your questions

    Mr. Camp. Mr. Mefford.

 STATEMENT OF LARRY A. MEFFORD, EXECUTIVE ASSISTANT DIRECTOR, 
   COUNTERRORISM AND COUNTERINTELLIGENCE, FEDERAL BUREAU OF 
                         INVESTIGATION

    Mr. Mefford. Mr. Chairman, members of the committee, thank 
you very much for the opportunity to speak about this very 
important topic.
    The FBI, in cooperation with the Department of Energy, 
Department of Homeland Security, the North American Electrical 
Reliability Council and Canadian authorities, has aggressively 
investigated the August 14 power outages. To date, we have not 
discovered any evidence indicating that the outages were the 
result of activity by international or domestic terrorists or 
other criminal activity. The FBI Cyber Division, working with 
DHS, meanwhile has found no indication that the blackout was 
the result of a malicious computer-related intrusion.
    This is a preliminary assessment only, and our 
investigative efforts continue today. The FBI has received no 
specific, credible threats to electronic power grids in the 
United States in the recent past; and the claim of the Abu Hafs 
al-Masri Brigade to have caused the blackout appears to be no 
more than wishful thinking at this stage. We have no 
information confirming the actual existence of this group, 
which has also claimed on the Internet responsibility for the 
August 5 bombing of the Marriott Hotel in Jakarta and the July 
19 crash of an airplane in Kenya.
    We remain very alert, however, to the possibility 
terrorists may target the electrical power grid and other 
infrastructure facilities of our country. They are clearly 
aware of the importance of electrical power to the national 
economy and livelihood.
    For instance, al Qaeda and other terrorist groups are known 
to have considered energy facilities and other infrastructure 
facilities as possible targets.
    Guerrillas and extremist groups around the world have 
attacked power lines--.
    Mr. Camp. You may continue.
    Mr. Mefford. --as standard targets in the past.
    Domestic terrorists have also targeted energy facilities in 
the United States. In 1986, the FBI disrupted a plan by a 
radical splinter group connected to an environmental 
organization to attack power plants in Arizona, California and 
Colorado.
    The FBI has developed a multilayered approach to 
investigating potential threats to infrastructure facilities 
that brings together the strengths of law enforcement, the 
Intelligence Community, DHS, Department of Energy and private 
industry. This approach incorporates many new changes the FBI 
implemented since September 11 of 2001. They include:
    The formation of a Counterterrorism Watch, which is a 24/7 
operation center based at FBI headquarters which is responsible 
for collecting and coordinating all FBI threat-related 
activities in the United States, including all terrorist 
threats to the electric power grid of the country.
    The creation of the National Joint Terrorism Task Force at 
FBI headquarters. This entity today incorporates over 35 
Federal agencies and acts as a fusion point for the FBI and 
allows us to share information and coordinate activities 
quickly and efficiently. We have expanded the Joint Terrorism 
Task Forces in the country from 35 prior to September 11 of 
2001 to almost 84 today. These task forces are now located in 
every major metropolitan area of the country and include major 
law enforcement agencies at the local, State and Federal level. 
All of these task forces have opened lines of communications 
with the electric power industry to share information and 
enhance preventive efforts.
    The U.S. intelligence Community is also a key component of 
these task forces.
    We have also enhanced our capabilities in the FBI's 
Counterterrorism Division by significantly increasing 
personnel, including about a five-fold increase in personnel, 
which includes a major increase in analytical personnel as well 
as FBI special agents.
    We have formed the FBI Cyber Division to improve the FBI's 
ability to address Internet crime and computer intrusions and 
threats to our computer networks. This includes potential 
terrorist threats to our utility computer networks and power 
grids.
    We have formed the Office of Intelligence to rapidly 
improve our ability to manage our databases effectively and to 
analyze threats and other related intelligence data.
    We have also joined forces with many different agencies, 
including DHS in establishing and operating the Foreign 
Terrorism Tracking Task Force, the Terrorism Threat Integration 
Center and the Terrorism Financing Operations Section. All of 
these entities are designed to improve information exchange, 
enhance coordination and help us do a better job of preventing 
terrorism in the United States, which is our number one 
priority in the FBI.
    In close coordination with DHS, the FBI works with the 
Information Sharing and Analysis Centers, the ISACs, that have 
been established around the country and members of the FBI's 
InfraGard program. Both the ISACs and InfraGard were 
established to facilitate information sharing between industry 
and law enforcement and to alert industry to potential threats 
and capitalize on private industry knowledge to assess threat 
information. Today, the FBI's InfraGard program consists of 
over 8,000 companies located in all 50 States and serves as an 
important link between the FBI and the private sector. This 
link is used by the FBI to exchange information to help us 
defend against terrorist attacks and is a vital part of the 
FBI's national strategy to prevent and disrupt terrorist 
activities in the U.S. .
    In summary, we have developed a comprehensive and robust 
mechanism to deter and disrupt potential terrorist attacks, 
including attacks on the electrical power grids of the country; 
and we are working on a 24/7 basis with our partners in law 
enforcement and the Intelligence Community to constantly 
improve our preventive capabilities. Understanding that the 
number of critical infrastructure targets is so vast and 
facilities spread so widely that no system can be perfect, the 
structure of private and government entities acting in 
coordination will also provide an effective response in the 
unfortunate event of an attack.
    I thank you, and I look forward to questions.
    [The statement of Mr. Mefford follows:]

                 PREPARED STATEMENT OF LARRY A. MEFFORD

    The FBI, in cooperation with the Department of Energy (DOE), the 
Department of Homeland Security (DHS), the North American Electrical 
Reliability Council (NERC), and Canadian authorities aggressively 
investigated the 14 August 2003 power outages. To date, we have not 
discovered any evidence indicating that the outages were the result of 
activity by international or domestic terrorists or other criminal 
activity. The FBI Cyber Division, working with DHS, meanwhile, has 
found no indication to date that the blackout was the result of a 
malicious computer-related intrusion, or any sort of computer worm or 
virus attack.
    The FBI has received no specific, credible threats to electronic 
power grids in the United States in the recent past, and the claim of 
the Abu Hafs al-Masri Brigade to have caused the blackout appears to be 
no more than wishful thinking. We have no information confirming the 
actual existence of this group, which has also claimed on the Internet 
responsibility for the 5 August bombing of the Marriott Hotel in 
Jakarta and the 19 July crash of an airplane in Kenya.
    We remain very alert, however, to the possibility terrorists may 
target the electrical power grid and other infrastructure facilities. 
They are clearly aware of the importance of electrical power to the 
national economy and livelihood.
         Al-Qa'ida and other terrorist groups are known to have 
        considered energy facilities--and other infrastructure 
        facilities--as possible targets.
         Guerillas and extremist groups around the world have 
        attacked power lines as standard targets.
         Domestic extremists have also targeted energy 
        facilities. In 1986, the FBI disrupted a plan by a radical 
        splinter element of an environmental group to attack power 
        plants in Arizona, California, and Colorado.
    Terrorists could choose a variety of means to attack the electrical 
power grids if they choose to do so, ranging from blowing up power wire 
pylons to major attacks against conventional or nuclear power plants. 
We defer to DHS, however, for an assessment of the vulnerabilities of 
the electrical power system and the necessary responses to damage to 
various types of power facilities.
    The FBI has developed a multilayered approach to investigating 
potential threats to infrastructure facilities that brings together the 
strengths of law enforcement, the Intelligence Community, DHS, DOE, and 
Industry.

         CT Watch is the FBI's 24/7 ``threat central'' for 
        counterterrorism threat information. CT Watch is located within 
        the Strategic Information and Operations Center (SIOC) at FBI 
        Headquarters, and is the primary point of notification for all 
        potential terrorism threats. Upon notification of a potential 
        threat, CT Watch immediately passes the threat information to 
        the DHS Homeland Security Operations Center (HSOC) through DHS 
        representatives detailed to CT Watch. CT Watch then notifies 
        each FBI field office Joint Terrorism Task Force (JTTF) that 
        may be affected by the threat. CT Watch also notifies the 
        National Joint Terrorism Task Force (NJTTF) and the appropriate 
        FBI counterterrorism operational sections. This interagency 
        coordination not only ensures that relevant government agencies 
        are notified of the threats, but also that involved JTTFs take 
        timely action and appropriate remedial action. This is 
        especially noteworthy given that the 84 JTTFs in existence 
        today incorporate all major law enforcement agencies in the 
        country.
         The NJTTF is comprised of representatives from 35 
        government agencies, representing the intelligence, law 
        enforcement, diplomatic, defense, public safety and homeland 
        security communities, co-located at SIOC. The NJTTF acts as a 
        point of fusion for terrorism threat information and manages 
        the FBI's national JTTF program. The NJTTF coordinates closely 
        with CT Watch, the JTTFs, DHS representatives assigned to the 
        CT Watch and NJTTF, and the appropriate FBI sections to ensure 
        threat information has been received by all appropriate 
        entities across federal, state and local levels, as well as 
        other JTTFs. The NJTTF accomplishes this by distributing threat 
        information vertically to the JTTFs, and horizontally to other 
        government agencies that are members of the NJTTF.
         Working with the state departments of homeland 
        security and watch centers, the JTTFs across the country 
        combine local law enforcement, Intelligence Community, and DHS 
        representatives to fuse threat information and coordinate the 
        local response to threats.
         Information from the JTTFs also flows up to the NJTTF, 
        which ensures that it is received by all entities across the 
        federal and pertinent local governments, as well as other 
        JTTFs.
         In close coordination with DHS, the FBI works with the 
        Information Sharing and Analysis Centers (ISACs) and members of 
        the FBI's InfraGard program. Both the ISACs and InfraGard were 
        established to facilitate information sharing between industry 
        and law enforcement and to alert industry to potential threats 
        and capitalize on private industry knowledge to assess threat 
        information. Today, the InfraGard Program consists of over 
        8,000 companies located in all 50 states, and serves as an 
        important link between the FBI and the private sector. This 
        link is used by the FBI to exchange information to help us 
        defend against terrorist attacks, including cyber threats from 
        home and abroad. It is a vital part of the FBI's national 
        strategy to prevent and disrupt terrorist activities in the US.
         The FBI Cyber Division investigates malicious computer 
        intrusions and attacks on computers and networks, including 
        attacks on networks that help control critical infrastructure. 
        We are working with DHS and the electrical power ISAC to 
        preserve and analyze computer logs from electrical companies in 
        connection with the recent blackout.

    The expansion of the FBI's Counterterrorism Division has 
significantly enhanced our ability to uncover threats to infrastructure 
facilities. In addition to CT WATCH, the FBI has established new 
sections to analyze terrorist communications and financial transactions 
for threat-related information, and we have more than quadrupled the 
number of analysts working on terrorism since September 11, 2001.
    The increase in the FBI's resources devoted to terrorism, combined 
with the partnerships with other federal agencies, state and local law 
enforcement, and industry, provides a defense in depth that brings 
together the strengths of law enforcement and intelligence to respond 
efficiently and quickly to threats. Since September 11, 2001, the FBI 
has investigated more than 4,000 terrorist threats to the U.S. and the 
number of active FBI investigations into potential terrorist activity 
has quadrupled since 9/11.
    No threat or investigative lead goes unanswered today. At 
Headquarters, in our field offices, and through our offices overseas, 
we run every lead to ground until we either find evidence of terrorist 
activity, which we pursue, or determine that the information is not 
substantiated. While we have disrupted terrorist plots since 9/11, we 
remain constantly vigilant as a result of the ongoing nature of the 
threat.
    The Patriot Act is another change enhancing our ability to disrupt 
terrorist plots. The provisions of the Patriot Act allowing the freer 
flow of information between intelligence and law enforcement are 
essential to uncovering and foiling terrorist plots, and have allowed 
the FBI to fuse our law enforcement and intelligence missions so as to 
enhance our preventive capabilities. These improved capabilities are 
conducted pursuant to constitutional standards and relevant guidelines, 
and, in my view, have made the country safer for all. For example, the 
ability to share intelligence and law enforcement information was 
essential to the success of the recent indictment of a suspected member 
of the Palestinian Islamic Jihad for conspiracy.
         Given the potential to disrupt critical infrastructure 
        via computer intrusion, the provision of the Act that allows 
        law enforcement, with the permission of the system owner, to 
        monitor computer trespassers is of particular note. This 
        provision puts cyber intruders on the same footing as physical 
        intruders, and means that hacking victims can seek law 
        enforcement assistance in much the same way as burglary victims 
        can invite police officers into their homes to monitor and 
        catch burglars.
         The Patriot Act also bolsters the ban on providing 
        material support to terrorists by clearly making it a crime to 
        provide terrorists with ``expert advice or assistance'' and 
        clarifies that material support includes all forms of money. 
        These provisions have made possible the arrest and prosecution 
        of extremists across the country and have enabled the US 
        Government to cut terrorist organizations off at the source.
    In summary, we have developed a comprehensive and robust mechanism 
to deter and disrupt potential terrorist attacks, including attacks on 
the electrical power grids of the country, and we are working on a 24/7 
basis with our partners in law enforcement and the Intelligence 
Community to improve our preventive capabilities. Understanding that 
the number of critical infrastructure targets is so vast and facilities 
spread so widely that no system can be perfect, the structure of 
private and government entities acting in coordination will also 
provide an effective response in the unfortunate event an attack 
occurs.

    Mr. Thornberry. [Presiding.] The Chair thanks both 
witnesses for their testimony.
    I might mention to members that Mr. Camp and I intend to 
keep the testimony going and trade off going back and forth to 
vote. We are going to try to do the best we can as far as 
calling on members generally in the order they came to the 
hearing but also asking your patience as we try to figure it 
out as people come and go during this series of procedural 
votes.
    I am going to submit any questions I have for this panel 
for the record and will not ask any questions at this time.
    [The information follows:]

 PREPARED STATEMENT OF THE HONORABLE CHRISTOPHER COX, A REPRESENTATIVE 
    IN CONGRESS FROM THE STATE OF CALIFORNIA, AND CHAIRMAN, SELECT 
                    COMMITTEE ON HOMELAND SECURITY,

    Good afternoon. I would like to thank the subcommittee chairmen and 
ranking members for taking the lead on this important examination of 
the lessons learned as a result of the recent power outages, and the 
effects the blackout had to related critical infrastructure around the 
country.
    I am especially pleased to welcome Ambassador Cofer Black, and FBI 
Executive Assistant Director Larry Mefford. Many of us know them as 
friends, colleagues, and dedicated public servants. I am particularly 
eager to hear from all of our witnesses their thoughts on the state of 
affairs for the protection of our national critical infrastructure. 
This is not the first hearing on these matters, and I am certain we 
will continue to explore the subject for years to come. The recent 
power outages on August 14, however, have given us a timely opportunity 
to revisit those things we already know, to ask ourselves if we are as 
prepared as we can be for similar events, and to further examine what 
we would do in the event that something worse occurred.
    Initial review of the blackout tells us that it was not a terrorist 
event. Still, the Department of Energy and the North American Electric 
Reliability Council (NERC) have not completed their analysis of exactly 
what went wrong, and why. In our second part of this hearing on Sept. 
17, hopefully the Department of Energy will have an answer for us. 
Until then, we can assume that our enemies took notice of the massive 
social and economic disruption the blackout caused. The blackout 
shutdown over 100 power plants, including 22 nuclear reactors, cutoff 
power for 50 million people in eight states and Canada, including much 
of the Northeast corridor and the core of the American financial 
network, and showed just how vulnerable our tightly knit network of 
generators, transmission lines, and other critical infrastructure is.
    Today, we seek to learn as much as possible about the interrelated 
nature of our critical infrastructure, the potential risks of physical 
as well as cyber-attacks on the infrastructure, and, quite literally, 
what happens when the lights go out. We are especially interested in 
the capabilities of our enemies to do us harm whether it be by blowing 
up a transformer station or by using the internet to disable our power 
grids.
    Cyber attacks are a real and growing threat. The problem of cyber-
security is unique in its complexity and in its rapidly evolving 
character. Cyber attacks are different from physical attacks since they 
can be launched from anywhere in the world and be routed through 
numerous intermediate computers. Cyber attacks require a different 
skill set to detect and counter, and are not limited to the risks posed 
from al-Quaida. They include threats posed by those criminals and 
hackers who are already attacking our infrastructure for their own 
amusement or using it to steal information and money. As the most 
information technology-dependent country in history, we remain uniquely 
vulnerable to cyber attacks that can disrupt our economy or undermine 
our national security.
    The dependence of major infrastructural systems on the continued 
supply of electrical energy, and of oil and gas, is well recognized. 
Telecommunications, information technology, and the Internet, as well 
as food and water supplies, homes and worksites, are dependent on 
electricity; numerous commercial and transportation facilities are also 
dependant on natural gas and refined oil products. Physical or cyber 
attacks can amplify the impact of physical attacks on this critical 
infrastructure, and diminish the effectiveness of emergency responses.
    We have all heard the reports that the 911 emergency systems in New 
York and Detroit failed during the blackout. New York City's computer-
aided dispatch system for its fire department and rescue squad crashed. 
Reportedly, the New York City Fire Department had to monitor its 12,000 
plus fire fighters, EMTs, and fire marshals manually because its 
computer tracking system couldn't boot up. Harlem's sewage treatment 
plant shut down without power for its pump. Water systems in Cleveland 
and Detroit could not handle the drop in power. Ohio Governor Bob Taft 
declared a state of emergency in Cleveland after all four pumping 
stations that lift water out of Lake Erie went out and residents were 
ordered to boil their water for days. The beaches were off limits for 
swimming after a sewage discharge into Lake Erie and the Cuyahoga River 
sent bacteria levels soaring.
    As a group, the critical infrastructure sectors are backbone 
services for our nation's economic engine and produced approximately 
31% of the Gross Domestic Product (GDP) in the year 2000. The blackout 
rippled through the economy. Nearly all manufacturers in southeast 
Michigan ground to a halt with the blackout. More than 50 assembly and 
other plants operated by General Motors Corp., Ford Motor Co., 
DaimlerChrysler, and Honda Motor Co. were idled by the cascading 
blackout. NOVA Chemicals shutdown plants in Pennsylvania, Ohio, and 
Ontario, Canada. Wallmart closed 200 stores in Canada and the United 
States. Marriott International saw 175 of its hotels in the Northeast 
lose power at the height of the blackout, and seven oil refineries in 
the U.S. and Canada temporarily shut down, worsening an already tight 
gasoline supply situation.
    Hundreds of airline flights were cancelled. For many airports 
throughout the U.S. and Canada, the power failure has exposed the risk 
of fuel supply interruptions from electricity outages, since most hubs 
in North America are fed by pipeline systems. Many airports were not 
closed because of air traffic problems but due to inoperable systems on 
the ground. Tightened security measures established after 9-11 could 
not be maintained as power was not available for baggage screening 
machines. Refueling of aircraft stopped as hydrant systems and fuel 
farms lacked power.
    The examples are endless, and experience shows us that the blackout 
is not alone in its capacity to disrupt the economy. The information 
super highway of the Internet has become a fast lane for computer 
viruses. A computer virus launched one morning can infect computers 
around the world in one day. The Slammer virus, launched in January of 
this year, reportedly infected 100,000 computers in its first ten 
minutes alone. Because of the SoBig computer virus, some rail routes of 
CSX were recently shut down on August 20, until a manual backup system 
started the trains running again. Without railroads to deliver coal, 
the nation loses 60 percent of the fuel used to generate electricity. 
Without electricity, fueling stations cannot pump fuel. Without diesel, 
the railroads will eventually stop running. When the railroads stopped 
running after 9/11 in order to guard hazardous materials, it only took 
the city of Los Angeles two days to demand chlorine or face the threat 
of no drinking water--the railroads began operating again on the third 
day.
    We know that terrorists have assessed the possibility of attacking 
our nuclear power plants and our transportation system. Al-Qaida 
computers seized in Afghanistan in 2001 had logged on to sites offering 
that offer software and programming instructions for the distributed 
control systems (DCS) and Supervisory-control and Data-acquisition 
(SCADA) systems that run power, water, transport and communications 
grids. All critical infrastructure industries are becoming increasingly 
dependent on information management and internal telecommunications 
systems to control and maintain their operations. The U.S. Dept. of 
Commerce's National Telecommunications & Information Administration 
(NTIA) published a study in January 2002 that detailed the myriad of 
uses the internal wireless communications systems to meet essential 
operational, management and control functions including two-way 
emergency restoration and field communications, monitoring power 
transmission lines and oil and natural gas pipeline functions to 
instantaneously respond to downed transmission lines or changes in 
pipeline pressure; sending commands to various remote control switches; 
inspecting 230,000 miles of rail track; managing wastewater, processing 
drinking water, and protective relaying.
    SCADA systems could be attacked simply by overloading a system 
that, upon failure, causes other systems operations to malfunction as 
well. While there is some debate about the ability of a terrorist to 
successfully launch a cyber attack against a SCADA system, there are 
several examples of people or groups who have tried.
    In March 2000 a disgruntled former municipal employee used the 
Internet, a wireless radio and stolen control software to release up to 
1 million liters of sewage into the river and coastal waters of 
Queensland, Australia.
    Similarly, NERC reports that over the past two years, there have 
been a number of ``cyber incidents that have or could have directly 
impacted the reliable operation of the bulk electric system,'' 
including:

         In January 2003, When the SQL/Slammer worm caused an 
        electric utility company to lose control of their SCADA system 
        for several hours, forcing the company operations staff to 
        resort to manual operation of their transmission and generation 
        assets until control could be restored.
         In September 2001, the Nimda worm compromised the 
        SCADA system of an electric utility, and then propagated itself 
        to the internal project network of a major SCADA vendor via the 
        vendor's support communications circuit, devastating the 
        vendor's internal network and launching further attacks against 
        the SCADA networks of the vendor's other customers.

    More telling, perhaps, is a report issued in May 2002 by the 
Defense Department's Critical Infrastructure Assurance Program (CIAP) 
claiming that there was evidence of a coordinated cyber reconnaissance 
effort directed against the critical assets of at least two electric 
utilities participating in the Defense Department sponsored program. 
The report revealed that the probing appeared to come from the People's 
Republic of China, Hong Kong, and South Korea, with each probe building 
upon information previously garnered.
    The blackout is yet another wake-up call to our nation. It 
demonstrated the fragility of our electric transmission system, and 
reminds us of the interdependent nature of our infrastructure. Clearly, 
we need to encourage private industry and government to raise the 
standards of cyber security, and to further enhance our infrastructure 
security against attack.
    We can take heart, however, from the system's durability and our 
society's resilience. The blackout caused major disruption and much 
inconvenience, but it did not cause terror. Our training and 
preparations since 9-11 are beginning to show positive results. Keep in 
mind that power was restored within 48 hours to most of the effected 
areas.
    It is too soon to identify specific equipment, measures, and 
procedures that did or did not work as intended on August 14, but it is 
important to note that large parts of the Eastern Interconnection power 
grid did not suffer the blackout. Protective relays within the 
distressed area operated to remove transmission lines, transformers, 
and generating units from service before they suffered physical damage, 
as designed. It was the action of those individual relays, operating to 
protect individual pieces of equipment, which eventually isolated the 
portion of the grid that collapsed from the remainder of the Eastern 
Interconnection. The fact that the equipment did not suffer physical 
damage is what made it possible to restore the system and service to 
customers as quickly as happened.
    Another factor in the successful restoration of power was the 
restoration plans themselves. Restoring a system from a blackout 
requires a very careful choreography of re-energizing transmission 
lines from generators that were still on line inside the blacked-out 
area as well as from systems from outside the blacked-out area, 
restoring station power to the off-line generating units so that they 
can be restarted, synchronizing those generators to the 
interconnection, and then constantly balancing generation and demand as 
additional generating units and additional customer demands are 
restored to service. Many may not realize it takes days to bring 
nuclear and coal fired power plants back on-line. With those plants 
down, gas-fired plants normally used for peak periods were being used 
to cover baseload needs. The diversity of our energy systems proved 
invaluable.
    Can we do better? Of course we can. We must. It is the job of this 
Committee to help ensure that we do.
    I thank all our witnesses for being with us and look forward to 
your testimony.

PREPARED STATEMENT OF THE HONORABLE JAMES LANGEVIN, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF RHODE ISLAND

    Thank you, Mr. Chairman.
    I would like to welcome our witnesses, and express my appreciation 
for your willingness to come here for what I hope will be a very 
enlightening and productive hearing. I look forward to hearing from 
these distinguished experts on our infrastructure and how we regard it.
    Mr. Chairman, it was with great expectation that we created the 
Department of Homeland Security and charged it with protecting us from 
terrorist threats and responding to emergencies here at home. This 
means not just controlling the border or patrolling airports, but 
making sure that the infrastructure that is vital to the daily 
operation of the United States is protected. Our early fears focused on 
our water supplies, but as we have seen in the last two weeks, 
weaknesses in our electrical grid and our communications systems may 
hold even greater potential for terrorist exploitation.
    My concern is that we have not seen meaningful plans or progress 
from DHS in identifying critical infrastructure and existing risks. 
That step is critical before we can talk about how to protect it. This 
is a task DHS needs to be working on closely with local and state 
governments, though several states have decided to identify their 
critical infrastructure even without DHS support. I would like to hear 
from our panel what they believe the first steps should be for our 
national effort of infrastructure identification and protection and how 
they see DHS either leading or supporting the endeavor.
    Again, I greatly appreciate all of our guests taking time to be 
here to discuss this vital issue.

  PREPARED STATEMENT OF THE HONORABLE JIM TURNER, A REPRESENTATIVE IN 
                    CONGRESS FROM THE STATE OF TEXAS

    Thank you, Mr. Chairman.
    The August 14, 2003, blackout left nearly 50 million people from 
the Midwest to the Northeast without power. Our relief that the massive 
blackout of 2003 does not appear to have been the work of terrorists 
should not divert our attention from the core question raised by the 
blackout: Have we done enough since September 11th, 2001 to protect our 
nation's critical infrastructures from potential terrorist attack?
    Although there is no evidence that the blackout was caused by 
terrorism, this incident demonstrated that there are literally hundreds 
of thousands of potential targets that terrorists could choose to 
strike. These include power systems, chemical and nuclear plants, 
commercial transportation and mass transit, skyscrapers, and sports and 
concert venues. In addition to physical assets, we also need to protect 
cyber assets. Recent computer disruptions have had unexpected 
consequences on nuclear plants and other utilities.
    Eighty-five percent of our critical infrastructure assets are 
privately owned. We must, therefore, work in partnership with the 
private sector to improve our national security. But we can not rely 
too heavily on voluntary private action. Companies seeking to maximize 
profits simply are unlikely to have the economic incentives to 
voluntarily make the investments necessary to raise security levels to 
where they need to be.
    While there are many potential targets for terrorists, is there 
enough protection? Are our policies and initiatives equal to the 
urgency and gravity of the threats we face? I note that, with the two-
year anniversary of September 11th approaching, we have not yet 
produced a comprehensive national threat and vulnerability assessment 
for our nation's critical infrastructure, which is the starting point 
for a serious effort to improve homeland security.
    In the absence of sufficient action by critical infrastructure 
owners, we have a duty to take the initiative to protect the American 
people. The federal government need not do so through the heavy hand of 
direct regulation. We must fully explore all the tools at our disposal. 
These can include targeted incentives or other assistance to owners of 
vulnerable critical infrastructure; higher standards for accountability 
when it comes to protecting assets that are at risk; faster timelines 
for implementing better security measures; and only when it is 
absolutely necessary, mandates and regulation.
    Displaying stronger federal leadership to better protect critical 
infrastructure should not be viewed as undue interference, but rather 
the exercise of our constitutional duty to provide for the common 
defense of our nation.
    Today, we face many threats to our country and our way of life. Our 
reaction to the blackout cannot be limited to seeking improvements in 
our electricity grid. This episode should be a wake-up call that we 
remain extremely vulnerable as a nation and that our governments at all 
levels, together with the private sector, must do more to increase the 
security of our critical infrastructures against potential terrorist 
attacks.
    I want to thank the distinguished panel for appearing before us 
today. I look forward to your testimony as we seek to understand what 
progress we have made--and need to make--in increasing the security of 
all of our critical infrastructures.

    Mr. Thornberry. I would yield to the gentlelady from 
California, ranking member of the Border Subcommittee, if she 
has any questions for this panel.
    Ms. Sanchez. Thank you, Mr. Chairman.
    I actually just had one question of Mr. Black, and that is 
the whole issue--one of the reasons we have called this with 
respect to the power blackouts that we had obviously in the 
metropolitan area of the Northeast. I know that you spoke 
broadly to us about the tri-state area and South America and 
other issues. In particular, have you had any particular 
instances where you have actually heard of terrorist groups or 
cells really--from the outside really taking a look at 
penetrating our grids here in the United States?
    Mr. Black. We do know from intelligence collection 
activities of the U.S. Intelligence Community as well as great 
work done by law enforcement to give the FBI--these efforts 
have resulted in the identification of the objectives of a lot 
of these terrorist groups, particularly like the al Qaeda 
organization; and the essence of it is to attempt to stage 
large-scale attacks and, ideally, multiple attacks at the same 
time to create a lot of damage.
    We do know that they look aggressively across the spectrum 
of potential targets to select those targets that they think 
they can work towards and achieve successfully as well as keep 
in mind that there is an active effort to identify their 
operatives and their operational activity.
    Essentially, so far most of their effort has been to 
attempt to kill lots of people; and that is sort of the 
established modus operandi of terrorist groups, primarily using 
explosives, but we do know that some terrorist groups are 
branching out and looking at other potential target sets. This 
would include electrical systems of countries and potential 
targets.
    But I am unaware at this point of a significant emphasis at 
this time on the electrical grid although they are always 
looking for vulnerabilities and they certainly will be aware if 
this event happened in the United States and see if there are 
any potential lessons learned that they can employ in potential 
future attack scenarios.
    Ms. Sanchez. Because of the interest of time and because I 
still have to go over and vote, I have one last question. You 
may not know the answer to this. I might have to go and ask 
somebody else. But I notice in the blackout that we had with 
respect to the Northwest that, in fact, Canada was included in 
some of those outages. I am from California. During our 
problems in California we were looking towards Mexico to see if 
we could get electricity up to our grid up from that area. The 
fact of the matter was that we are not connected with respect 
to our infrastructure grid down into Mexico. My question would 
be--if either one of you would be able to answer it and if not 
I will go look for another source--does that make us more 
vulnerable if in fact we are tied into an infrastructure that 
crosses a sovereign line?
    Mr. Black. Well, I would be prepared fully to defer to my 
close FBI colleague on this. I think that question perhaps more 
appropriately should be addressed to the Department of Homeland 
Security officials and other people in the industry. It is a 
little technical I think at this stage, certainly for me.
    Mr. Mefford. I would concur with that.
    Ms. Sanchez. Okay. Thank you both, gentlemen.
    Thank you, Mr. Chairman.
    Mr. Thornberry. Thank the gentlelady.
    Does Chairman Cox have questions for this panel?
    Mr. Cox. Thank you, Mr. Chairman.
    Mr. Mefford, first, thank you for being here. Mr. Black as 
well. Thank you very much for helping us with these difficult 
issues today.
    In your past career, Mr. Mefford, you have been involved 
with setting up the FBI's cyberefforts. Let me ask both of 
you--and direct my question first to you because you might have 
come across this in your previous work--in the blackouts that 
we experienced in August, tripping mechanisms, at least to the 
extent that the system functioned as we expected, shut down 
generating capacity. Is it possible for those tripping 
mechanisms which are automated to be triggered intentionally 
from the outside through cyber means?
    Mr. Mefford. That is a good question. I, unfortunately, 
would have to defer to the experts on that because I am not 
educated to the degree that I think I could give you a serious 
answer.
    Mr. Cox. Mr. Black, do you happen to know?
    Mr. Black. Unfortunately, sir, I am unable to answer that 
also. I would have to refer that to an expert.
    Mr. Cox. Second, according to the Congressional Research 
Service, one of the means of protection that we have in our 
industrial utilities, in particular the electrical power 
generating industry, and transmission is, ironically, the wide 
variety of legacy codes that are employed, a lot of different 
instructions, a lot of different systems that are unfamiliar to 
modern day hackers. Do we run the risk inevitably when we 
modernize these facilities to make sure that we have the 
capacity that we need of updating everything for the 
convenience of hackers?
    Mr. Mefford. Again, that is another excellent question; and 
I don't have the technical expertise personally to answer that. 
I mean, clearly that is a danger.
    Mr. Cox. Mr. Black, anything?
    Mr. Black. Unfortunately, nor do I, sir.
    Mr. Cox. Well, I think that at least embedded in the 
problem is the potential solution, which is, if we are 
unwittingly the beneficiaries of a wide variety of different 
command instruction protocols, possibly when we update this 
critical infrastructure we can take care not to make it all 
homogenous but to make sure there is a wide variety in there 
that will serve as another means of foiling attacks.
    Mr. Chairman, since there is a vote on the floor, I yield 
back.
    Mr. Thornberry. Thank the chairman. Does the Gentleman from 
Texas, Ranking Member, wish to ask questions of this panel?
    Mr. Turner. Thank you, Mr. Chairman.
    The main subject, of course, that you have addressed here 
today is the issue of the blackouts that we saw in August. To 
me, the main message for this committee flowing from that 
incident was to remind us once again how vulnerable we are; and 
the vulnerabilities of the power grid seems to me to be one of 
many potential vulnerabilities in our critical infrastructure. 
I don't know if, Mr. Mefford, you can answer this or not, or 
Mr. Black, but have either of you ever seen produced by the 
Department of Homeland Security or any other agency of the 
Federal Government a list in terms of priorities of protecting 
our critical infrastructure?
    Mr. Mefford. I have not. I understand that there is 
something in process--in progress at this point, but I have not 
personally seen that.
    Mr. Black. I have not seen it either, Congressman, but I 
understand that was one of the key reasons for the 
establishment of the Department of Homeland Security, to 
identify these vulnerabilities, so I am confident they are 
working on it. But, again, I think that question should be 
addressed to their representative, sir.
    Mr. Turner. Ambassador, you are correct. That is one of the 
principal responsibilities of the new Department of Homeland 
Security: to survey and assess our critical infrastructure, to 
determine our vulnerabilities, to assess the threats, and to 
match those threats, against those vulnerabilities and come up 
with a list of priorities for hardening our critical assets and 
making our country more secure and safer. In the absence of 
that, it seems that we will have a very difficult time knowing 
what our priorities should be and knowing where we should spend 
our limited dollars.
    I know from your perspective, Ambassador, you, of course, 
are looking at the issue of terrorism from the international 
perspective. Do you feel that we are sufficiently providing 
information to the various agencies of the government regarding 
the intelligence that is available out there worldwide that we 
collect to allow the Department or the FBI or any other agency 
to really understand clearly what the current state of threats 
is at any given time?
    Mr. Black. I think that is always a challenge, but I will 
say, Congressman, that certainly in the period since 9/11 there 
has been a tremendous intensification on this exact issue, with 
the United States playing a very key role in the constellation 
of nations that includes virtually every nation in the world 
except for a handful. And the objective is the effective and 
timely exchange of threat information and intelligence 
information. Both the American Intelligence Community and the 
U.S. law enforcement--I will turn to my colleague from the 
Bureau--are key in this.
    The State Department's role would be referred to as the 
first among equals. It is our duty and our responsibility to 
facilitate this process, to enable the Intelligence Community 
and law enforcement, the military and the economic units in the 
United States to exchange information effectively with their 
foreign counterparts. Our job is to facilitate that process. I 
think we have made tremendous strides, truly. It may even be in 
sort of historical proportions. But I think there is a lot left 
to do. I think that everyone in the United States involved in 
this, as well as our foreign counterparts sees this as the 
objective, to have transparency and a timely exchange of 
intelligence and threat information. And I think the progress 
to date has been exceptionally good.
    Mr. Mefford. I concur with that view. From the FBI's 
perspective we have made very significant progress in 
information sharing and analysis; and while it is not perfect, 
we are clearly headed in the right direction.
    Mr. Turner. Mr. Mefford, from your vantage point, do you 
have a sense for what is the most critical need for protecting 
critical infrastructure? We saw the failure of the power grid, 
as you said, not resulting from terrorism. But do you have any 
opinions regarding what portion of our infrastructure--in the 
absence of a clear delineation of vulnerabilities by the 
Department of Homeland Security--do you see any particular 
sector that, from your experience in observing the 
intelligence, would be most critical for us to be concerned 
about currently?
    Mr. Mefford. I think if you look at the comprehensive 
intelligence environment, unfortunately, al Qaeda and groups 
such as al Qaeda have looked at and considered a variety of 
potential targets. We know that based on the analysis of 
information available to us, and it is across the board in a 
variety of infrastructures. So I am really not in a position to 
say that one is more than the other.
    But, obviously, based on what we saw in 2001, the aviation 
and transportation industry is something of concern. We know 
that the Ambassador has mentioned previously in his remarks 
that certain terrorist groups like al Qaeda have talked about 
and focused on electrical power grids, for instance. But we 
haven't seen any specific or credible threats to date. So it is 
difficult for us at this point. Some of that is based on the 
nature of intelligence work inherently, that it is very 
difficult to get clear, precise pictures at various times and 
space. But I think we are making progress. Working with 
Homeland Security I think we will be able to fine-tune our 
efforts and improve efficiencies in the future.
    Mr. Turner. Thanks to both of you for being here with us 
today, and thank you for your service to our country.
    Mr. Black. Thank you, sir.
    Mr. Camp. [Presiding.] Thank you.
    Mr. Weldon, any inquiry?
    Mr. Weldon. Thank you, Mr. Chairman. Thank you both for 
being here. Two questions.
    Number one, last week, the Canadian news reported that 
there had been arrests of individuals with suspected terrorist 
ties who were flying planes and casing out a nuclear power 
plant in Canada; and my concern is that several months ago I 
shared some information with the Intelligence Community 
relative to an alleged threat on a nuclear site in America with 
the first three letters of SEA which could be the Hanford site 
in Seattle or the Seabrook site in New Hampshire. These arrests 
troubled me greatly last week, and so I would ask the question, 
are we aware of any intelligence that has been brought forward 
indicating that perhaps a site--a nuclear site in America may 
in fact be the target of either al Qaeda or other terrorist 
networks and are you aware of the arrests in Canada?
    Mr. Mefford. Yes, sir, we are aware of the arrests in 
Canada. We are working with our counterparts in Canada to 
address those issues. We are told, frankly, that there are no 
links to al Qaeda that have been uncovered to date and there 
are no specific threats against nuclear power plants, 
particularly no threats to power plants in the United States. 
But we continue to work with our allies north of us on a 
constant basis.
    Mr. Weldon. Thank you.
    Second line of questioning is, I happen to think, as a 17-
year-member of the Armed Services Committee, now vice chairman, 
that the greatest threat to our Homeland Security in terms of 
both our energy supply and our electronics would be from a 
deliberate laydown of electromagnetic pulse. There wasn't much 
attention given to this certainly in this book. It is mentioned 
in one page and by people in my opinion who are responsible for 
protecting our infrastructure to the vulnerability of America 
to electromagnetic pulse. We on the Armed Services Committee 
put together a task force which is chaired by an ambassador 
that has been looking at our vulnerability to EMP.
    One, have either of your agencies had any interaction and, 
if so, to what extent with the EMP Commission that has now been 
in force for about year?
    And, Mr. Chairman, I would like to ask this question of 
every other witness before us. My feeling is that perhaps the 
answer will be for most of the witnesses they have had no 
interaction with the EMP Commission. But I will ask these two 
gentlemen. Have you had any direction interaction with the EMP 
Commission?
    Mr. Black. I personally have not. That is not to say that 
others in the State Department may have. I just do not know, 
sir.
    Mr. Mefford. I think my answer would be the same to that.
    Mr. Weldon. Mr. Chairman, this to me is the greatest 
threat. Because, as you well know, all you would need would be 
a low-yield nuclear weapon, which we now know that North Korea 
has and Iran is trying to obtain, and the ability to put it up 
into the atmosphere, which we know that both Iran and North 
Korea have, a low-complexity missile; and by detonating that 
low-yield nuclear weapon off of the coast in the atmosphere the 
EMP laydown would fry all the electronic components within a 
given range within the U.S. In fact, our military has tested 
this type of capability in the past.
    In testimony before the Armed Services Committee, we have 
not hardened our systems. Only our ICBM system is hardened, and 
almost the entirety of our energy complex in America would be 
vulnerable to any EMP laydown. I would ask each of you to 
comment whether or not you have had contact with the 
Commission. What is your assessment of the EMP threat to 
America and to our infrastructure?
    Mr. Mefford. I would have to defer to the technical experts 
in the FBI. I don't have that knowledge personally.
    Mr. Black. I would have to share that answer, sir.
    Mr. Weldon. Mr. Chairman, I would also suggest that at some 
point in time we invite the board of the EMP Commission in 
before this committee; and I would hope that every witness 
before us here--because these are the utility companies, all of 
which would be rendered useless if any EMP laydown occurred, 
none of which I will tell you right now before they testify are 
hardened to deal with an electromagnetic pulse attack.
    [The information follows:]

    [GRAPHIC] [TIFF OMITTED] T9793.017
    
     [GRAPHIC] [TIFF OMITTED] T9793.018
    
     [GRAPHIC] [TIFF OMITTED] T9793.019
    
     [GRAPHIC] [TIFF OMITTED] T9793.020
    
     [GRAPHIC] [TIFF OMITTED] T9793.021
    
     [GRAPHIC] [TIFF OMITTED] T9793.022
    
     [GRAPHIC] [TIFF OMITTED] T9793.023
    
     [GRAPHIC] [TIFF OMITTED] T9793.024
    
     [GRAPHIC] [TIFF OMITTED] T9793.025
    
     [GRAPHIC] [TIFF OMITTED] T9793.026
    
     [GRAPHIC] [TIFF OMITTED] T9793.027
    
     [GRAPHIC] [TIFF OMITTED] T9793.028
    
     [GRAPHIC] [TIFF OMITTED] T9793.029
    
     [GRAPHIC] [TIFF OMITTED] T9793.030
    
     [GRAPHIC] [TIFF OMITTED] T9793.031
    
     [GRAPHIC] [TIFF OMITTED] T9793.032
    
     [GRAPHIC] [TIFF OMITTED] T9793.033
    
     [GRAPHIC] [TIFF OMITTED] T9793.034
    
     [GRAPHIC] [TIFF OMITTED] T9793.035
    
     [GRAPHIC] [TIFF OMITTED] T9793.036
    
     [GRAPHIC] [TIFF OMITTED] T9793.037
    
    Thank you.
    Mr. Camp. Thank you.
    Miss Lofgren may inquire.

 PREPARED STATEMENT OF THE HONORABLE ZOE LOFGREN, A REPRESENTATIVE IN 
                 CONGRESS FROM THE STATE OF CALIFORNIA

 Thank you Chairman Thornberry. It is always a pleasure to work 
with you. It is also a pleasure to be holding this joint hearing with 
the Subcommittee on Infrastructure and Boarder Security. This 
subcommittee is led by my good friend and California colleague, 
Congresswoman Loretta Sanchez, and Chairman Dave Camp of Michigan.
 The blackout on August 14, 2003 left nearly 50 million people 
in 8 states and Canada without power. When the lights went out that 
afternoon, there was widespread concern that this incident might have 
been another major terrorist attack on the United States. The video of 
pedestrians streaming out of Manhattan was eerily reminiscent of the 
events September 11, 2001.
 Thankfully, we quickly determined that terrorism played no 
role in this event. The regional power grid simply was overwhelmed and 
broke down.
 While we can express some relief that the blackout was not a 
terrorist attack, this event does highlight our continuing need for 
better protection of our critical infrastructure.
 Too many of our nation' infrastructure assets remain extremely 
vulnerable to terrorist attack. Power plants, airports, bridges, water 
treatment facilities, and public and private sector computer networks 
are just not sufficiently prepared for an incident of terrorism. There 
are simply hundreds of thousands of assets in our country that must 
better secured.
 I remain greatly concerned the Bush Administration is not up 
to the task of preparing for future terrorist attacks.
 Almost 2 years have passed since the events of September 11th. 
Yet we do not have any comprehensive list of national critical 
infrastructure assets that assesses risks and vulnerabilities. To my 
knowledge, the Department of Homeland Security is not giving advice to 
or sharing information with states and cities on how best to secure 
important facilities.
 I am particularly concerned about the threat of some sort of 
cyber attack. A recent study by the Pew Internet and American Life 
Project found that nearly half of all Americans surveyed say they are 
worried that terrorists could launch attacks through the networks 
connecting home computers and powerful utilities.
 In the past month, several computer worms have struck computer 
networks and systems around the world. There are reports that these 
worms are swamping network systems with traffic, causing denial of 
service to critical servers within organizations, and adversely 
affecting government and emergency response operations.
 As long as worms such as Blaster, Welchia, and SoBig.F can 
adversely affect our computer networks, then our weakest links are 
insecure and the entirety of our infrastructures and communications 
systems is at risk.
 I return to Silicon Valley every weekend. I am constantly 
approached by people in the tech industry--from CEO's to programmers--
who wonder what the Department of Homeland Security is doing to prevent 
cyber attacks. I am frustrated because I can't give them an answer.
 The DHS announced almost 3 months ago the creation of a 
National Cyber Security Division within the Information Analysis and 
Infrastructure Protection Directorate (June 6). On August 3, Secretary 
Ridge said that a director for the cyber division would be chosen soon. 
I have heard countless rumors for over a month about personnel 
announcements, and yet as of today, no one has been chosen to lead this 
division.
 Three months is just too long to wait. Either the Department 
is in complete disarray, or it does not consider cybersecurity to be a 
priority. Perhaps it is both, and that is very troubling.
 I want to thank our witnesses for appearing before us today. I 
look forward to hearing your testimony. I hope you will focus in 
particular on your personal dealings with DHS. I also hope you can 
persuade me that there is some good work being done within the 
Department to protect our nation's critical infrastructures.

    Ms. Lofgren. I will submit my questions for the record.
    Mr. Camp. Mr. Pascrell.
    Mr. Pascrell. Thank you. Thank you, Mr. Chairman. I have a 
few questions.
    First, to Mr. Mefford, who has been before our committee--
subcommittee a few times and appreciate his candidness and his 
forthrightness. You are a credit to the FBI and to this country 
for the service that you have presented. I mean that. If you 
know me, if I didn't feel that way, I would say nothing or to 
the contrary.
    Mr. Mefford. Thank you.
    Mr. Pascrell. But I want to congratulate you for what you 
have done.
    I want to ask you a question. Has the creation of the DHS 
and all of the apparatus of Homeland Security clarified, in 
your estimation, or confused Federal leadership on security? 
What is your estimate of that? And then I am going to ask Mr. 
Black that question, also.
    Mr. Mefford. In the area of critical infrastructure 
protection, in my view it has clarified the role. Historically, 
prior to the formation of that Department, the FBI was 
involved, as you know, investigating terrorism threats and in 
working with our counterparts in private industry to the degree 
that we were able to identify vulnerabilities and assess 
threats to the vulnerabilities. Today, that is the role of the 
Department of Homeland Security; and, frankly, it frees us up 
to focus on the operational end of counterterrorism, being the 
investigative phase so that we can run down every threat and 
that we can use our personnel, frankly, in a way that they are 
trained and focus them in a greater degree.
    So, in my view, in the area of critical infrastructure 
protection, it has helped. It is a new department, but I think 
that they have made tremendous progress, and I look forward to 
working closely with them to achieve their goals. But, having 
said that, I understand that it is very challenging to form a 
large organization quickly.
    Mr. Pascrell. Would you say that you have anticipated any 
confusion in the formation of this apparatus, Homeland Security 
apparatus, in terms of Federal leadership? What do you 
anticipate that could be confusing or perceived as confusing so 
that the message is not clear as to who is working on this and 
who is trying to resolve the problems?
    Mr. Mefford. Well, in the FBI I think, if we are talking 
about critical infrastructure protection, it is very clear to 
us and we have no doubt about the role of the FBI and the role 
of Homeland Security and we see our role as being complementary 
and to assist them as we can. Clearly, if we focus on 
identifying terrorism threats and we focus on prevention and 
disruption of terrorist activities in the country, our role is 
to pass that information rapidly to DHS to allow them to 
improve their evaluation process and their analysis of 
vulnerabilities. But it really is a complementary arrangement; 
and in that area, in the area of critical infrastructure 
protection, I think we are making progress.
    Mr. Pascrell. This was the largest that I know of--I will 
stand corrected--the largest, the most widespread blackout we 
have had in many moons, right? Mr. Chairman, were you prepared? 
Was the FBI's apparatus prepared to deal with it just in case 
there was sabotage involved and did it work? I mean, you went 
into action immediately. What did you do?
    Mr. Mefford. We immediately convened a conference call with 
all of the special agents in charge of the eight field offices 
that were affected by the power outage and based on backup 
energy sources were able to communicate and use the telephone 
and other devices. And we laid out what we knew, what we didn't 
know. We strategized and prioritized, and then we brought in 
the Joint Terrorism Task Forces which I referred to in my 
opening comments. They are really the bedrock of all of our 
counterterrorism efforts, and that brings in the State and 
local law enforcement piece and the Federal law enforcement and 
intelligence piece. So working hand in glove, we immediately 
went out to the private industry folks involved, coordinated 
and started our efforts basically to investigate, looking 
backwards to see if we could assist in identifying the cause of 
the outbreak.
    Mr. Pascrell. Mr. Black, if I may, Mr. Chairman, we know 
that this is a vulnerable area. In fact, we have been warned 
that this could happen again, this blackout; and we have 
responded to--what measures have you taken, specifically in 
concrete, since this time, since the time of the blackout which 
caused devastating losses throughout the Northeast and central 
United States? What have you done in the Department of State to 
avoid this in the future or being better able to respond to it 
if it happens again?
    Mr. Black. First of all, the contributions that we can make 
is from an international standpoint. We--.
    Mr. Pascrell. I didn't hear you. I am sorry.
    Mr. Black. Is from an international standpoint. We support 
other agencies in their work.
    I think you asked for a clarification on Department of 
Homeland Security. I think its mission from a State Department 
standpoint is absolutely critical. Because it is that entity 
that rationalizes the threat information, things that can 
happen to us. Match that up with the potential vulnerabilities 
and do that key work from an international standpoint, from an 
information processing standpoint. That is the most important 
to us.
    We do not see an element of confusion here. We see an 
element of adjustment. When you have such a new department that 
is playing such a key role, the other agencies that are 
supporting this homeland defense adjust.
    As an example, my job is contacts with foreign countries in 
terms of policy formulation and coordination from 
counterterrorism. The Department of Homeland Security has an 
international unit. We have personnel assigned to that, and our 
job is to facilitate their interaction in the protection of the 
homeland.
    So our contribution in this is the facilitation of contacts 
with foreign countries that are affected, whether it is close 
allies like the Canadians or British or others, depending upon 
the threat that materializes here in the United States.
    Mr. Pascrell. Thank you, Mr. Chairman.
    Mr. Camp. Thank you.
    Ms. Dunn may inquire.
    Ms. Dunn. Thank you. Thank you very much, Mr. Chairman.
    Ambassador Black, I wanted to ask a you question based on 
what you were just saying. I gave a speech last month on 
cyberterrorism in London. We were meeting with members of 
Parliament, and I was amazed at how much attention they are 
paying to the very same things that we are dealing with. I had 
used as an example of potentials for cyberterrorism the power 
grid in the United States, and 2 Yays later we saw that happen.
    I guess, first of all, I would like to know, briefly, how 
did you know it wasn't terrorism at the beginning? And, 
secondly, I would like you to expand on what we have learned 
from people in other nations. Are there things that they have 
accomplished that we can learn from and are we doing our work 
in cooperation with them as the experience I had in London last 
month told me we were?
    Mr. Black. Yes, ma'am. I do understand that you are very 
interested in this, as are a number of our allies. The reason 
that I knew it wasn't terrorism was because my colleagues in 
the FBI and the U.S. Intelligence Community advised us of that 
fact. We were the recipients of their good works. So that was a 
very comforting thing, and I think they were able to determine 
that pretty early on in this process.
    I think there has been great interest in cyberterrorism. It 
has been going on for years. And this is something that the 
State Department--our role is to facilitate contacts to make 
sure that the links are there and that our colleagues in the 
FBI and the American Intelligence Community are matched up with 
their foreign counterparts. In this area of expertise we are 
primarily facilitators, and we also provide training to 
countries that have the will to work against this problem but 
not the capacity. So we facilitate the making of contacts as 
well as provide training programs to appropriate foreign 
recipients overseas.
    Ms. Dunn. Mr. Mefford, how did you know it wasn't 
terrorism?
    Mr. Mefford. Our Joint Terrorism Task Forces are looking at 
this issue from various perspectives. One is the external 
threat, to see if there is physical damage, to see if we have 
actual signs of sabotage. We have not found any. And we 
determined that fairly quickly, although I indicated in my 
opening comments our inquiry is ongoing, and so I am not giving 
you a definitive answer at this point. But preliminarily we 
have not found any evidence of that.
    We also looked at the Intelligence Community for input 
regarding their knowledge of plots and efforts on behalf of our 
adversaries around the world that may want to do something like 
this, and we haven't found that.
    In addition, we are very concerned about the insider 
threats, somebody that would have access to critical systems, 
both from a physical standpoint, the sabotage standpoint and a 
computer intrusion. And that applies also for somebody clearly 
on the computer intrusion side, on degrading capabilities and 
attacks through the computer networks. That applies on the 
external threat, also. We have not yet seen evidence of that.
    But this very preliminary assessment that I am giving you, 
because we are working with the Department of Energy, 
Department of Homeland Security and NERC to review the computer 
logs for evidence of that type of malicious activity. We have 
not seen that to date but it is still ongoing.
    Ms. Dunn. Now the threat of insider action of terrorism is 
becoming a very broad theme as we investigate what could be 
harmful to us in the United States. Let me ask you another 
question. You acknowledged in your testimony that terrorists 
could choose a variety of means to attack the Nation's power 
grids. In your opinion, what should we as a committee be 
focusing on? Where should we be directing the Department of 
Homeland Security's oversight, and what should the Department 
of Homeland Security to be focusing on? What are the means that 
are most concerning to you?
    Mr. Mefford. I think in our view you look historically at 
what--when we see our number one threat today remains al Qaeda. 
There are other terrorist groups and members that concern us, 
also. But the number one threat remains al Qaeda today. And if 
you look at their historical activities you have to look at 
things such as what occurred on September 11; the attacks in 
Riyadh, Saudi Arabia, on May 12; the attacks in Casablanca, 
Morocco, I think on May 16 of this year; and other various 
attacks overseas where we are seeing basically truck bombs and 
assaults of individuals.
    We have not seen any indication that al Qaeda possesses a 
sophisticated computer intrusion capability. While potentially 
they may have expressed an interest, we have seen no evidence 
that they possess this capability today. Clearly, it is of 
concern to us, because at some point in the future we are going 
to have to address those types of issues. But at this stage it 
is our view that we have seen very, very basic computer 
functionality on the part of identified terrorists in the 
world. We have not seen sophisticated capabilities if you talk 
about the attacks to networks.
    But we have seen sophisticated capabilities on the physical 
side, sabotage and the traditional terrorist attacks using 
explosives and what we saw on 9/11. So I think we would 
recommend priority to physical, to protect against physical 
sabotage at this point, including the insider threats with 
individuals that have access to your most sensitive 
components--potentially are vetted to ensure that we don't have 
the wrong person in the wrong place.
    Ms. Dunn. Is--just a follow-up on that. Is there an area 
with we ought to be sending more resources?
    Mr. Mefford. I am not educated to the degree that I think I 
can answer that appropriately today.
    Ms. Dunn. Thank you, Mr. Chairman.
    Mr. Camp. Thank you.
    Ms. Christensen may inquire.
    Mrs. Christensen. I thank you, Mr. Chairman.
    Let me see. Let me follow up with a question to Mr. Mefford 
following up on the Ranking Member's question. I think he asked 
a general question on critical infrastructures which pose the 
greatest security concerns and whether or not there had been 
assessment of vulnerabilities. In your testimony, you say that 
you are clearly aware that the terrorists are clearly aware of 
the importance of electrical power; that al Qaeda and other 
terrorist groups have considered energy facilities, et cetera, 
et cetera. Have you received an assessment of vulnerabilities 
specifically related to the electrical power grid?
    Mr. Mefford. No, we have not.
    Mrs. Christensen. You need that to be able--in your 
collaboration with the Department of Homeland Security, that is 
their role in that partnership; is it not?
    Mr. Mefford. Yes. And I understand that it is in progress 
at this point, and that they are working towards that end, and 
we are cooperating in assisting to whatever degree we are 
capable.
    Mrs. Christensen. Another question occurs to me, because, 
for example, in the instance of the blackouts, there is a need 
to immediately restore and repair the break. Does the need for 
immediate repair in any way compromise our ability to determine 
the cause or to investigate where the breakdown may have 
occurred or whether or not it may have been caused by 
international or domestic terrorism?
    Mr. Mefford. In reality it does not impede our ability 
because we have ample experience now, unfortunately, in 
responding to terrorist bombings where clearly the priority is 
protecting and saving human life. At the same time, while that 
process is ongoing, we have devised the capability inside the 
FBI to conduct forensic efforts and crime scene--traditional 
scientific efforts at the crime scene in a way not to impede 
the priority of saving human lives. And I think that same 
principle would apply in the case that you outlined.
    Mrs. Christensen. The CT Watch that you outline seems to be 
a very coordinated way of disseminating information. Is the 
response as coordinated, and has that ever been exercised?
    Mr. Mefford. I guess I am not sure exactly what you are 
referring to. The response to a blackout?
    Mrs. Christensen. Under the CT Watch the information, the 
notification of potential threats are immediately disseminated 
to all the relevant agencies, which evokes the need to respond.
    Mr. Mefford. We think--
    Mrs. Christensen. Has that been exercised? Are the 
responses as coordinated as the dissemination of information 
seems to be?
    Mr. Mefford. I think there is room for improvement, but we 
are definitely making progress, and we are getting better each 
and every day. And based on the volume of threats--and, as you 
know, the vast majority of all these threats overwhelmingly are 
unfounded. The unfortunate part is we have to expend the 
resources because we can't take a chance. We have to follow up 
on each and every threat. We have had over 4,000 in the 
Intelligence Community since September 11. So it is keeping us 
very busy. But we have had ample opportunity to exercise the 
coordination, and I think we are getting much, much better at 
it.
    Mrs. Christensen. I have one last question. The InfraGard 
program, you say, serves as an important link of over 8,000 
companies located in all 50 States. Did you mean States and 
territories, or territories not included in that; and where are 
you in making sure we are included?
    Mr. Mefford. Let me check on that real quick.
    Yes, ma'am. They include territories also.
    Mr. Camp. Thank you.
    Mr. Etheridge may inquire.
    Mr. Etheridge. Mr. Mefford, let me ask you a question on 
the testimony you forwarded as it relates to the role of TTIC, 
Terrorism Threat Integration Center, as you mentioned earlier 
about the critical infrastructure, and here I am expanding 
beyond the blackout because they have that, and you talk about 
potential impact, and you are looking at banking and a whole 
host of things. What role does that play in the analysis of 
threat information against our critical infrastructure?
    Mr. Mefford. The FBI furnishes TTIC with all of our threat 
information, all types, whether it impacts the power grid or 
banking systems or water systems and whatnot, because they are 
the single entity that not only has possession of all this 
information, I think it enhances our capability, as I say, to 
connect the dots and make sense of the information that we 
possess.
    Mr. Etheridge. That being said then, as we look at the 
blackout that we just went through, and whether it was that or 
many others for that matter, whether they be terrorist-
instigated or whether they be mechanical or something else has 
the same devastating economic impact as if we look at a 
situation where there is a hurricane or tornado or terrorists 
initiated it. At the end of the day it has the same impact. My 
question deals with the blackout. How will you characterize the 
FBI's communication with local and State authorities due to 
this last blackout; what did you learn from that situation that 
hopefully in the future, not only for the FBI, but other 
agencies, that will allow us better to deal with something of 
this nature in the future?
    Mr. Mefford. I mean, the Bureau's role is basically twofold 
in this case: Number one, on the preventive side, to collect 
intelligence information and to do so within the confines of 
our Constitution and rules and policies and laws, and to do 
that in conjunction with State and local agencies that are 
members of our joint terrorism task forces. Right there at the 
very basic level it enhances our coordination from the 
beginning. Secondly, if there is an incident, and to respond 
efficiently and to integrate into a broader U.S. Government 
response, the FBI has a very specialized role to play. We are 
not in the driver's seat. We are not directing the response to 
a significant incident like the blackout. We have a very 
specialized role, and to focus our individuals in the FBI and 
our terrorism task forces in that very specialized role is that 
we see the value we can add.
    Clearly there is always room for improvement. We think we 
mustered our investigative capabilities quickly. We responded 
with our partners in State and local law enforcement. We always 
look to ways to improve communication, but overall I think we 
did a very successful job of that. It is still ongoing, and it 
is premature for me to give you any definitive report on 
exactly what we found from a criminal or terrorist standpoint. 
Preliminarily, as I indicated, at this stage we don't have any 
indication of that type of activity.
    Mr. Etheridge. Finally, let me ask a question of both of 
you because you indicated in previous testimony you saw no 
evidence of al Qaeda or others being involved in something this 
sophisticated as attacking the power grid, banking or water or 
sewer, et cetera, or as it relates to our computers. However, 
we just heard of an 18Sec.  17 year-old youngster, pretty 
bright, probably smart enough that he should use his talents 
otherwise, but I would venture to say that it is not restricted 
to the United States. There are very bright youngsters around 
the world. If they can do it, then the potential for the future 
has to be there.
    So my question is this: As it relates to that, I hope you 
will comment on the whole issue of that tied to this final 
question. You might want to touch this one, but I think this is 
a critical piece, and this is a critical piece of our software 
development that has a lot of bugs and trap doors and other 
things linked into it of where it is developed, whether it is 
inside this country or outside this country--the security that 
was mentioned earlier with our current situation so dependent 
on software and computers to move and disseminate information.
    Mr. Mefford. In reference to your first point, the Director 
of the FBI created the FBI Cyber Division specifically to 
address the vulnerability that you outlined, and that is while 
we may not see indications of a sophisticated capability on the 
part of our terrorist adversaries today, it would be foolish 
and unprofessional of us to neglect that area of concern, and 
therefore we are rapidly moving to increase and improve our 
internal capabilities in the FBI. We are working very closely 
with Homeland Security and other agencies for a coordinated 
approach because we see that not only long term, but see that--
if the training continues on these tracks, it is probably an 
inevitable vulnerability.
    In response to your second issue, that is a very, very 
complicated issue, and I will have to refer it to the technical 
experts, and I don't have the education to respond 
appropriately.
    Mr. Black. The issue is for us to facilitate a positive 
process. We seek to make sure that the right contacts are in 
place, that the communication is robust and is sustainable over 
time. I want to make sure that our military is hooked up with 
militaries overseas, and the law enforcement of the United 
States, the FBI, is in contact with the right people overseas, 
and this exchange is working out.
    Cyberterrorism is a threat. We see more of it every day. I 
think the experts involved with this certainly are looking at 
it from the State Department perspective. Our job is to make 
sure they have the right contacts and the velocity of 
communication interaction meets the needs of our country.
    Mr. Camp. Mr. DeFazio may inquire.
    Mr. DeFazio. Thank you, Mr. Chairman. I guess probably I 
will direct this to Mr. Mefford, or perhaps it will have to 
come from a later panel. I guess specifically on the issue of 
electricity and the transmission and the grid, we have had some 
cyberattacks on nuclear plant security that have been 
documented, but what progress have we made since it has been 
identified, as far as I know, for some time as a potential 
target of opportunity? I remember it being a target of 
opportunity. Back in my region of the country, it was thought 
at the time of the millennium both because of inadvertent 
failures, but also because of potential attacks. What progress 
have we made since 2000 or since 9/11 on hardening, 
safeguarding the backbone of the grid and our system of 
electric generation or transmission?
    Mr. Mefford. I am going to defer that to experts. I am not 
privy to the specifics of that.
    Mr. DeFazio. I guess even though the hearing is 
theoretically on that, is there someone in the FBI who 
specifically--
    Mr. Mefford. That is the type of question I think is beyond 
the purview of the FBI and is beyond our role in this.
    Mr. DeFazio. Since you monitor threats, you must have some 
contact with the industry and some idea of steps or suggestions 
that might be--
    Mr. Mefford. And my general impression is that it is 
improving, but there is significant work to be done. And one of 
the improvements relates to education regarding a problem, and 
there is an acknowledgment and understanding of the problem or 
potential problem far greater than what we have had 
historically. But as to actual physical improvements and 
software and improvements to the networks, I would have to 
defer to the experts.
    Mr. DeFazio. Thank you, Mr. Chairman.
    Mr. Camp. Thank you.
    Mr. Dicks may inquire.
    Mr. Dicks. Thank you.
    Mr. Mefford, let me ask you something. The vice chairman of 
our panel Ms. Dunn asked you about whether there was any 
indication of a terrorist involvement in the attacks on the 
power system. What kind of things would you look for if there 
was a criminal or a terrorist attack? What kind of things would 
you be trying to find out?
    Mr. Mefford. Obviously there was not an obvious sabotage 
here. We would have known it.
    Mr. Dicks. Like a bomb?
    Mr. Mefford. Number one, we look for those types of issues. 
Because the network is so widespread and components are in very 
remote areas, you can't ascertain that immediately, and it 
would take a number of hours or days to find the source of 
that. But we clearly didn't find any evidence of that.
    We then looked at the cyber piece, at the computer 
intrusion piece, to see if anybody has maliciously entered the 
networks that has some kind of access or control to the 
physical system. That is ongoing. To date we are working in a 
joint group with the agencies I have outlined, and my 
understanding that we have not found indications of that, but 
it is still ongoing. And then thirdly, it is a significant 
issue, and that is the insider threat. Did anybody do something 
that potentially has access to sensitive equipment and 
components that is not readily apparent on first review? That 
means potentially vetting employees and whatnot. We have not 
seen indications of that, but it is something we are concerned 
about.
    So it is a layered approach, and we start with the most 
obvious. If you look at al Qaeda, for instance, they have been 
involved in physical acts of terrorism. We have not seen 
anything other than that so far. Doesn't mean they won't shift 
gears, and we have to be attuned to that, but we would start 
from that premise and then work up.
    Mr. Dicks. Basically we have not seen al Qaeda launch 
cyberattacks against infrastructure in the United States or 
anywhere else.
    Mr. Mefford. They have not.
    Mr. Dicks. They are using cruder techniques, the car bombs 
and things that you mentioned.
    Mr. Mefford. Yes, sir.
    Mr. Dicks. We hear about the cyberattacks. Is it pretty 
much random, or are there any terrorist groups that have used 
cyberattacks or trying to test it against U.S. systems? I know 
the Defense Department, the State Department have been somewhat 
vulnerable.
    Mr. Mefford. There is a lot of misinformation out there 
today indicating that terrorists have launched attacks in 
attempting computer intrusions and whatnot. We have found no 
evidence of that. Now granted, there are very significant and 
often--we have seen in the last 30 days several significant 
attacks that have been a costly annoyance to U.S. governments 
and businesses, and we have seen various worms and viruses. And 
we have seen that impact on the private industry with the power 
grids and whatnot. We have not seen to date a very precise 
launched attack from a terrorist group. We are attuned to that, 
and we are careful to look for signs for that activity, and we 
have not seen that to date.
    Mr. Dicks. Ambassador Black, let me ask you, are we working 
with either--can you tell us what we are doing--I may have 
missed this in your statement, and forgive me. We had a lot of 
votes today. What are we doing with Canada and Mexico on these 
issues of international perspective in terms of the power grid? 
We know for a fact we are not investing enough money in the 
United States itself to keep our grid up to speed, but are we 
working and trying to cooperate with Canada and Mexico on these 
grid issues?
    Mr. Black. We have a very close relationship with both 
Canada and Mexico. As an example, we have a conference with my 
Canadian counterpart and his delegation in an interagency 
context. We exchange--we go there, and they come here. This is 
going to be here in DC.
    Mr. Dicks. Are there experts involved in this, or is it all 
policy?
    Mr. Black. There are all experts involved, but again, this 
is sort of a recurring theme with the State Department. Our job 
is to facilitate the process; to make sure that everyone is 
communicating correctly, and that the quality of the exchange 
is good. We do not get involved in the mechanics of 
infrastructure defense. It is a process by which we make sure 
the lines of communication between the right agencies and the 
right experts between our two countries is there, ongoing, 
healthy, and it is good. Where there is a problem, we can step 
in and make sure that the appropriate adjustments are made.
    We do a lot of work across the board, in the security 
field, in the law enforcement field, and in the immigration and 
naturalization. So we look to make sure that this relationship 
with these two countries is healthy and is across the board. 
And I think the quality of the exchange is very good. We 
participate in not only looking at the areas of common concern 
along the border, we look at ways we can assist each other in 
the common mission of counterterrorism elsewhere in the world, 
South America, with Canada, and other places in the world where 
they have a particular perspective or insight that is useful in 
the common defense of our respective homelands.
    Mr. Dicks. Mr. Mefford, you made a comment about how DHS 
was doing in terms of developing analysis of the vulnerability 
of our critical infrastructure. Do you have any idea--maybe 
others can speak to this, but how long it is going to take us 
to get a good handle on the major infrastructure of the 
country? I suspect that is going to take a few years to get 
done.
    Mr. Camp. If the witness could answer quickly. The 
gentleman's time has expired.
    Mr. Mefford. The time line, I do not know.
    Mr. Dicks. It is not done as of now.
    Mr. Mefford. That is correct.
    Mr. Camp. Mr. Andrews may inquire.
    Mr. Andrews. Thank you, Mr. Chairman. Thank the witnesses 
for their testimony.
    I wanted to follow up on Mr. Dick's line of questioning, 
sort of ask the first half of the question. Mr. Mefford, if a 
utility company that was involved in the power grid experienced 
what they believe was an intrusion into their networks or their 
database, under what legal circumstances are they required to 
contact the FBI, and under what circumstances are they 
permitted--or is it discretionary for them to contact the FBI?
    Mr. Mefford. That is a good question, and I would have to 
do some research to give you a specific answer from the legal 
context, because I do not think that I am aware of the 
mandatory requirement they contact us.
    Mr. Andrews. I am sure the Chairman is keeping the record 
of the hearing open, and I would be interested in hearing the 
answer to the question.
    Mr. Mefford. I am not sure if there is a specific 
requirement for somebody in that business, because I know in 
other lines of business there is not a mandated requirement.
    Mr. Andrews. Let us hypothesize chillingly that the next 
time something like this happens in the United States, a 
blackout like this, in fact, was intentional, that someone 
tried to get in and cause a blackout. To whom--let us say a 
utility company sees an intrusion into its database and 
believes it was an intentional attack and wants to let someone 
know. Who do they tell?
    Mr. Mefford. They can contact the nearest FBI office and 
relay that information. And the FBI Cyber Division would be 
assigned to look into that.
    Mr. Andrews. Does the FBI tell utility companies that?
    Mr. Mefford. Yes, I think so.
    As far as your earlier question about the potential 
mandated requirement, let me just ask an expert.
    I am informed that there is no mandated requirement.
    Mr. Andrews. I would be interested in the Agency's thoughts 
about what such requirement might look like, whether it is 
desirable or undesirable.
    Mr. Mefford. Also, I might add clearly the company that 
experiences this type of intrusion can contact the Department 
of Homeland Security, for instance, because we work with them 
in these cases, and if they notify the government, it would get 
to the right hands.
    Mr. Andrews. This, frankly, is one of my concerns, and I 
don't fault the FBI for this, or anyone. There is a lot of 
different people they could contact, and it seems to me that 
information can move awfully slowly in a situation where we are 
not sure what it means, as I think you testified. When you have 
4,000 reports you got to run down, you don't jump every time 
you hear one report.
    I think one of the things we ought to look at is some type 
of centralized protocol for the utility industry and for other 
critical infrastructure industries to report such an intrusion 
in one place in real time for the information to be shared with 
the relevant players in real time so there could be an 
assessment done to perhaps prevent such a problem.
    Secretary Black, let me ask you a question. Let us assume 
that such an intrusion originated from another country that was 
somehow linked to us through networks and through other 
computer systems for critical infrastructure. Is there any 
international treaty or international law that requires 
countries to notify us--the scenario would be there is an 
intrusion which is initiated in a European country, let us say, 
that manifests itself in the United States with a breakdown of 
the power grid. Is there any international legal obligation for 
the neighboring state to tell us that?
    Mr. Black. I would have to check, Congressman, and get back 
to you in writing, definitively, the legal aspects and 
requirements to do so. I will get back to you with that answer, 
sir.
    Mr. Black. Practically, an assault on the infrastructure, 
the cyber infrastructure, among most countries would be 
communicated in one fashion or the other as it had an impact 
for the United States. Either internationally or here 
domestically in the United States, the process would be started 
and led by the Department of Homeland Security.
    Mr. Andrews. I hear you say that is a matter of custom and 
not a matter of treaty or obligation.
    Mr. Black. I would have to check on the legal obligation. 
But in addition to that, in the interim, practically, 
information like this is exchanged in a security context.
    Mr. Andrews. As a secure communication among the foreign 
ministries or State Department?
    I thank both of you for your testimony, and I would be 
interested on your thoughts on the question I raised.
    Mr. Camp. Ms. Slaughter may inquire.
    Ms. Slaughter. Thank you, Mr. Chairman.
    Gentlemen, it is nice to have you here today. It was really 
one of the most beautiful days. I was about a mile away from 
the Niagara power facility when the lights went out. First 
thing I heard was Niagara Falls, it is their fault; a lightning 
strike. It was probably the best day we had all summer, and you 
can count those on two hands. And the big trouble was--you 
know, is what has happened. I think our first thought was we 
were perfectly content in our minds that that would never 
happen again; that after the last blackout, that all kinds of 
fail-safe measures were put in place. I don't really believe up 
in my part of the area--we were so worried about the terrorists 
that might have done something, we weren't sure what we were 
doing to ourselves. So we do what we often do: We blame the 
Canadians. And then the mayor of Toronto comes. And he has had 
a perfectly awful year--SARS--and he throws up his hands and 
says, have you ever known the Americans to take the blame for 
anything? Then we say we would all collectively blame 
Cleveland, and then it got over to Detroit.
    As far as I know today, we are really not able to pinpoint 
what in the world happened there. This is probably the most 
frightening part of it to me, that we don't even know after 2 
weeks what happened. And you have to ask yourself, if such a 
benign factor as somebody made a mistake somewhere could 
trigger the largest blackout in the history of North America, 
what in the world could we ever do to prevent something that is 
more malignant against us? And that is probably the thing that 
bothers me the most today. We not only don't know what happened 
then, we certainly don't know that we have anything in the 
world to stop anything in the future.
    Couple of things we have been trying to do since September 
11 is get a northern border coordinator. Since I have been in 
Congress now 17 years, we concentrate on the troubles of the 
southern border with Mexico. We have always had a great 
relationship. But a billion and a half dollars' worth of trade 
crosses that border every single day, and it is critical that 
we do everything we can not only to protect it, but to keep it 
open for trade. And we need a northern coordinator there 
because there are questions my colleagues have asked that are 
terribly important. Nobody knew who to call. All they knew is 
the lights are out, and they were working very hard to get them 
on. I assume they were talking to each other, but it was very, 
very difficult for any of us to know who to call. And I am 
afraid that we are going to get off balance like that again.
    My major concern, and I don't know whether either of you 
have anything to do with it, but why we can't get answers as to 
precisely what happened, where we broke down? And the 
deregulation of electricity has been a terrible thing. We 
forced utilities to divest themselves of generation capacity 
for electricity. The transmission lines have been neglected. 
The prices have gone sky high. The history of Montana is 
replete with it. They had the lowest rates in the country until 
they deregulated. We are about to make some more mistakes here 
in Congress on an energy bill in throwing something in that we 
think might try to solve the problem of the blackout.
    My biggest disappointment is the inability to really have 
any confidence at all in what happened there. While I am sure 
that it was benign, I really believe that, that it could not 
happen again in any given time, and it might give us a sense 
that we will not be able to--whether it was something we had 
done ourselves--unless they came in with bombs or blow up the 
place. But we can really destabilize the harm to this country 
by having this power grid that works well. And I am so 
impressed by this picture that is making the rounds of the 
United States with the blackout part in the New England and the 
Northeast, just dropped off the face of the Earth. And while 
we--I have a little municipal power plant in the town I live 
in, and we had one old coal-fired plant that went right along 
producing power like it was supposed to do all the time.
    But I think we have come not too far in agreements 
concerning the possibilities. I am more worried about nuclear 
power, the vulnerability of nuclear plants than I am of the 
power grid itself. But I am not going to be happy first until I 
know what happened here and to have the will in this Congress 
to fix it, because that is really important. There is no import 
in me asking--you have good contact. We appreciate what you are 
doing very much. And if I could ask a personal favor, Mr. 
Mefford, before you leave, I would like to ask you to talk 
about an incident that happened in my district last week.
    Mr. Camp. The gentlewoman's time has expired. Ms. Jackson-
Lee may inquire.
    Ms. Jackson-Lee. Thank you very much, Mr. Chairman, and I 
will make a comment. I know that we have--if I might inquire, 
because as I am reading it, it is not listed on the front cover 
as two panels, but I assume we have two panels.
    Let me--I hope I will be able to hear. Let me thank the 
witnesses for their presentations and just simply make the 
point, my delay was because we were having hearings on the 
Columbia 7 tragedy, and we decided that the important 
responsibility of Congress is, one, the accountability 
question, and then the what happened question so we would hope 
we wouldn't travel the same journey again.
    I also made a comment that is associated with the Homeland 
Security Committee when the Columbia 7 incident happened on 
February 1, the fact that it happened post-9/11, you can 
imagine the thoughts that occurred as related to that incident, 
whether it was an act of terror. The same, I think, came to a 
lot of our minds with this incident dealing with the blackout. 
So I would hope that this committee would proceed with that 
focus, accountability, without shame, because without saying 
who did it, we can't help those in the future not to do it; and 
then a pathway, if you will, of how we should correct this 
issue.
    So I would just offer to say to Mr. Black if I could, and 
maybe he could give me this brief answer, is that the approach 
being taken by the government agencies? Will we have a sense of 
accountability? And will we also have a pathway as it relates 
to homeland security, the question that we determined--I assume 
we have completed that, and maybe I am premature, that that was 
not an act of terror. Then how do we stand in the way of that?
    Mr. Black. In terms of the blackout and terms of 
accountability, I know from the State Department perspective 
that we all--all of us Americans are looking to--seeking to get 
a full determination in the causes of what happened so this 
cannot happen again. And for additional information I turn it 
over to Mr. Mefford.
    Mr. Mefford. The FBI is participating with a number of 
agencies in an integrated approach to find out what occurred, 
and clearly our perspective is the terrorist or criminal 
perspective; in other words, was somebody involved in criminal 
activity, were there terrorists involved? That is the scope and 
extent of our inquiry. To the degree we can contribute to the 
interagency understanding of what occurred, we are doing so in 
that regard.
    Ms. Jackson Lee. I thank you.
    So the accountability and what happened partnership you 
think is a fair one?
    Mr. Mefford. From my perspective, yes.
    Ms. Jackson Lee. I yield back.
    Mr. Camp. Thank you very much. I want to thank our panel.
    Mr. Pascrell. Could I ask just one more question?
    Mr. Camp. Briefly.
    Mr. Pascrell. I wanted to ask this before, but time ran 
out. Were there any intelligence operations or communications 
affected by the blackout?
    Mr. Mefford. No, sir, not in the environment in which we 
are active. I can't speak for the broader Intelligence 
Community, but from the FBI standpoint, no.
    Mr. Pascrell. Your systems operated 100 percent during that 
blackout even in the areas affected?
    Mr. Mefford. To my knowledge, yes.
    Mr. Camp. Again, I want to thank our panel. I appreciate 
you being here and your testimony. And this is a joint hearing, 
and I will turn the gavel over to Mr. Thornberry, who will 
chair the second part of this hearing.
    Mr. Thornberry. [Presiding.] These witnesses are excused, 
and we would ask the second panel to come up and take your 
places.
    First let me thank these witnesses for your patience, and I 
appreciate very much each of you taking the time to be with us 
today. As with the previous witnesses, we are going to make 
your full statement a part of the record. We are going to ask 
each of you to summarize in 5 minutes your statement and then 
turn to questions. We are going to start with Paul Gilbert, 
former panel Chair on Energy Facilities, Cities and Fixed 
Infrastructure, for the National Research Council.
    Mr. Gilbert, thank you for being here. You are recognized 
for 5 minutes.

   STATEMENT OF PAUL H. GILBERT, FORMER PANEL CHAIR, ENERGY 
FACILITIES, CITIES, AND FIXED INFRASTRUCTURE, NATIONAL RESEARCH 
                            COUNCIL

    Mr. Gilbert. Thank you, sir. Good afternoon, and thank you, 
Chairmen, and all the members of the committee.
    I am Paul Gilbert. I am a senior officer of Parsons 
Brinckerhoff as well as a member of the National Academy of 
Engineering, and was Chair of the National Research Council 
panel responsible for the chapter on energy systems in the NRC 
report, Making the Nation Safer: The Role of Science and 
Technology in Countering Terrorism. Copies of that report have 
been submitted to the subcommittee.
    It is a pleasure to come before you today to assist in 
focusing attention on the vulnerabilities of our electric power 
system, including the cyber subsystems and the enormous 
dependency of our critical infrastructure on the electric 
supply. Over the past decade our electric supply system has 
been tasked to carry ever-increasing loads. It has also 
undergone a makeover from being a highly regulated, vertically 
integrated utility to one that is partially deregulated, far 
less unified, not so robust and resilient as it was. The 
generation side is essentially deregulated and operating under 
an open market set of conditions. At the same time the 
transmission sector remains fully regulated, but under 
voluntary compliance reliability rules, resulting in diminished 
investments in maintenance and spare parts and lower 
reliability.
    Another concern is that in seeking to reduce operating 
costs, the operating companies have installed automated 
cybercontrollers, or SCADA systems, to perform functions that 
people previously performed. These open architecture cyber 
units are an invitation for those who would seek to use 
computer technology to attack the grid.
    The in-place electrical utility assets today are typically 
being operated at close to the limit of available capacity. In 
this mode another characteristic of such complex systems 
appears. When operated near their capacity, these systems are 
fragile, having little reserve within which to handle power or 
load fluctuations. When load and capacity are out of balance, 
shutting down becomes the only way a system element has to 
protect itself from severe damage. However, the loss of a piece 
of the grid, let us say a transmission line, does not end the 
problem. A line down takes down with it the power that it was 
transmitting. The connected power plant that was producing that 
power, having no connected load, must also shut down. In these 
highly integrated grids, more lines have imbalance problems, 
and more plants sense the capacity limitations and they all 
shut down. The cascading effect spreads rapidly in many 
directions, and in seconds an entire sector of the North 
American grid can be down. And this is what we experienced a 
few weeks ago from an accident, not from an attack.
    The exact same consequences could, however, too easily be 
produced by a terrorist attack from a small, trained team. This 
was the scenario assumed in the Making the Nation Safer report, 
where several critical nodes in the grid were taken out in a 
well planned and executed terrorist attack. The cascading 
system failures resulted in regionwide catastrophic 
consequences. Recovery, in the case cited, was estimated to 
take weeks or months, not hours or days, and the damage done to 
our people and our economy was estimated to be enormous.
    Now, while the report does not speculate in any detail on 
the extended consequences of such an event. I have been asked 
to do so here, and so I offer the following as a personal 
opinion. Based on the critical infrastructure, and because that 
critical infrastructure is so extensively integrated, with 
power out beyond a day or two in our cities, both food and 
water supplies would soon fail. Transportation systems would 
come to a standstill. Wastewater could not be pumped. And so we 
would soon have public health problems. Natural gas pressure 
would decline, and some would lose gas altogether, very bad 
news in the winter. Nights would become very dark with no 
lighting, and communications would be spotty or nonexistent. 
Storage batteries would have been long gone from the stores, if 
any stores were still open. Work, jobs, employment, business 
and economic activity would be stopped. Our economy would take 
a major hit. All in all our cities would not be very nice 
places to be. Some local power generators such as at hospitals 
would get back up, and so there would be islands of light in 
the darkness. Haves and have-nots would get involved. It would 
not be a very safe place to be either. Martial law would likely 
follow, along with emergency food and water supply relief.
    At our core we would rally and find ways to get by while 
the systems are being repaired. In time the power would start 
to come back, tentatively at first, with rolling blackouts, and 
then in all its glory. Several weeks to months would have 
passed, and the enormous recovery and clean-up would begin. 
This is simply one person's view, but based upon a fairly in-
depth understanding of the critical interdependency of our 
infrastructure.
    Chapter 6 of the Making the Nation Safer report addresses 
actions that are designed to minimize or control the 
vulnerabilities that exist in the electric power system. Those 
recommendations that were made some 15 months ago are as on 
point today as they were then. In some cases actions have been 
initiated. The blackout last month drew attention to the areas 
of critical infrastructure need and to the frightening 
dependence we have on power supplies.
    We at the Academies are committed to continue to contribute 
our efforts to effectively resolve these issues. Thank you for 
inviting me today and for your leadership in holding these 
hearings, and I will be happy to answer any questions.
    Mr. Thornberry. Thank you.
    [The statement of Mr. Gilbert follows:]

                 PREPARED STATEMENT OF PAUL H. GILBERT

    Good afternoon, Chairman Thornberry, Chairman Camp, and members of 
the Subcommittees. My name is Paul Gilbert. I am an officer and 
director emeritus of Parsons Brinckerhoff, Inc. I am also a member of 
the National Academy of Engineering and was Chair of the National 
Research Council Panel responsible for the Chapter on Energy Systems 
for the NRC Branscomb-Klausner Report, Making the Nation Safer: The 
Role of Science and Technology in Countering Terrorism. Copies of this 
report have been submitted to the subcommittees. As you know, the NRC 
is the operating arm of the National Academy of Sciences, National 
Academy of Engineering and the Institute of Medicine, chartered in 
1863, to advise the government on matters of science and technology. 
The subject report was the product of the mobilized academies following 
the 9/11 attacks. Some 130 volunteers from every branch of science, 
engineering and medicine assembled to undertake this work on an urgent 
basis with the report production financed entirely with private funds 
of the Academies. The report was first presented in June of 2002. It is 
a pleasure to come before you today to assist in focusing attention on 
the vulnerabilities of our Electric Power Systems, including their 
cyber sub systems, and the enormous dependence of other critical 
infrastructure on the electric supply.
    Our basic infrastructure systems include our electric power, food, 
and water supplies, waste disposal, natural gas, communications, 
transportation, petroleum products, shelter, employment, medical 
support and emergency services, and facilities to meet all our basic 
needs. These are a highly integrated, mutually dependent, heavily 
utilized mix of components that provide us with vitally needed services 
and life support. While all these elements are essential to our economy 
and our well being, only one has the unique impact, if lost, of causing 
all the others to either be seriously degraded or completely lost. And 
that, of course, is electric power. Our technically advanced society is 
literally hard wired to a firm, reliable electric supply.
    Over the past decade, that electric supply system has been tasked 
to carry ever-greater loads (power demands). It has also undergone a 
makeover from being a highly regulated, vertically integrated utility 
industry to one that is partially deregulated, far less unified, and 
not so robust and resilient as it was. The generation side is 
essentially deregulated and operating under an open market set of 
conditions where competitive price, low operating costs and return on 
investment are rewarded with profits and bonuses. Applicable 
regulations are broad and not consistent state to state. At the same 
time the transmission sector remains fully regulated but under 
voluntary compliance reliability rules. Reported uneven voluntary 
compliance with reliability rules and diminishing investments in 
maintenance and spare parts by the transmission companies have pointed 
to the need for the legislation pending which intends to make mandatory 
the rules for transmission operations. This result is clearly a 
necessity for our national safety.
    Another concern is that in seeking to reduce operating costs, 
operating companies have installed SCADA units and LANs, automated 
cyber controllers, to perform functions that people previously 
performed. These open architecture cyber units are an invitation for 
those who would seek to use computer technology to attack the grid.
    The dramatic changes described have played out with the result that 
the in-place electrical system assets today are, of necessity, 
typically being operated very efficiently at close to the limit of 
available capacity. In this mode, another characteristic of such 
complex systems appears. When operated near their capacity, these 
systems are fragile, having little reserve within which to handle power 
or load fluctuations. When load and capacity are out of balance, 
shutting down becomes the only way a system element has to protect 
itself from severe damage. However, the loss of a piece of the grid, a 
section of transmission line, does not end the problem. The line down 
takes with it the power it was transmitting. A connected power plant 
that was producing that power, having no connected load, must also shut 
down. In these highly integrated grids, more lines have imbalance 
problems and more plants sense capacity limitations and so they also 
shut down. This cascading failure spreads rapidly in many directions 
and in seconds, an entire sector of the North American grid can be 
down. We had a living example of this event, last month, caused by an 
accident. We were fortunate to see the power return in so short a time.
    The exact same consequences could too easily be reproduced by a 
terrorist attack from a small trained team. This was the scenario 
assumed in the Making the Nation Safer report where several critical 
nodes in the grid were taken out in a well planned and executed 
terrorist attack. The cascading system failures resulted in region-wide 
catastrophic consequences. Recovery, in the case cited, was estimated 
to take weeks or months, not hours or days, and the damage done to our 
people and our economy was estimated to be enormous.
    While the report does not speculate in any detail on the extended 
consequences of such an event, I have been asked to do so here, and so 
offer the following as a personal opinion. Because our critical 
infrastructure is so very integrated, with power out beyond a day or 
two, both food and water supply would soon fail. Transportation systems 
would be at a standstill with no power to pump the fuels. Wastewater 
could not be pumped away and so would become a health problem. In time 
natural gas pressure would decline and some would lose gas altogether. 
Nights would be very dark, and communications would be spotty or non-
existent. Storage batteries would have been long gone from the stores, 
if any stores were open. Work, jobs, employment, business and economic 
activity would be stopped. Our economy would take a major hit. All in 
all, our cities would not be very nice places to be. Some local power 
generators and grids would get back up and so there would be islands of 
light in the darkness. ``Haves'' and ``have-nots'' would get involved. 
It would not be a very safe place to be either. Marshal law would 
likely follow along with emergency food and water supply relief. At our 
core, we would rally and find ways to get by while the system is being 
repaired. In time, the power would start to come back, tentatively at 
first, with rolling blackouts, and then in all its glory. Several weeks 
to months would have passed, and the enormous clean up and recovery 
would begin. This is one person's opinion, based on an understanding of 
this highly dependent infrastructure system.
    We have the means to limit the kind of disaster that has been 
speculated upon above. The recommendations provided in Chapter 6 of the 
report address actions that are designed to minimize or control the 
immediate vulnerabilities that exist in the electric power systems and 
then to seek longer-term, more permanent solutions. Those 
recommendations are as on-point today as they were when published 15 
months ago. In some cases actions have been initiated along the lines 
recommended. To paraphrase key points:
         Immediate attention is needed to mobilize the 
        leadership, and then the resources of people and organizations 
        to first determine the proper roles for each interested party, 
        and then to come together, meet and develop needed plans. Some 
        of this recommendation has been achieved.
         Issues that deter open discussions among the private 
        and governmental parties need to be quickly resolved. These 
        include matters of antitrust, liability and FOIA.
         Review by government of the institutional and market 
        settings for the industry (regulated, deregulated, and open 
        free market) need attention to refocus the included incentives 
        on what the nation needs to live safely.
         Tools now employed by the military to analyze facility 
        vulnerabilities should be mobilized for use on the grids, 
        perhaps by transferring them to DHS.
         Coordinated studies are indicated to identify the most 
        critical equipment in the respective power systems and to 
        describe the protective measures to be taken with each. Some 
        progress has been reported here.
         For these highly complex grids, simulation models that 
        are capable of identifying points of greatest vulnerability and 
        transmission reserves remaining in critical sections of the 
        grid are needed.
         Statutory action is indicated to allow recovery crews 
        to immediately enter what would then be a crime scene following 
        an attack to quickly commence the work of repair, recovery, and 
        restoration of service.
         Regulatory bodies must be encouraged to find the means 
        for transmission organizations to define costs for counter 
        terrorism improvements and for recovering those costs from 
        their operations or from other sources.
         The use of SCADA systems in unprotected configurations 
        should be addressed, and expert advice obtained regarding the 
        options available to correct the vulnerabilities now present.
         Research is indicated that addresses particular 
        critical system equipment needs. First among the list is the 
        potential value of modular universal EHV transformers to 
        support rapid grid recovery.
         For the longer term, research is needed to determine 
        the equipment, technology and processes required for transition 
        our grid systems to become smart grids, intelligent, adaptive 
        power grids.
    There is more substance and detail in Chapter 6 of the referenced 
report. The unfortunate black out last month has drawn important 
attention to this area of critical infrastructure need and to the 
frightening dependence we have on our power supplies. We at the 
Academies are committed to continue to contribute to the efforts to 
effectively resolve these issues.
    Thank you for inviting me today and for your leadership in holding 
these hearings. I will be happy to respond to your questions.

    Mr. Thornberry. And a copy of that report from the National 
Research Council has already been made available to each member 
of the subcommittee. So we thank you.
    Our next witness is Peter Orszag, senior fellow from the 
Brookings Institution. You are recognized for 5 minutes.

 STATEMENT OF PETER R. ORSZAG, Ph.D., JOSEPH A. PECHMAN SENIOR 
                 FELLOW, BROOKINGS INSTITUTION

    Mr. Orszag. Thank you very much for the opportunity to 
appear before you this afternoon.
    The blackout of 2003 has underscored concerns about the 
vulnerability of our Nation's critical infrastructure to both 
accidents and deliberate attack, providing an immediate 
connection to the Nation's homeland security efforts. But the 
blackout may offer a deeper lesson. A common explanation for 
the problems facing the electricity system is that private 
firms have had inadequate incentives to invest in distribution 
lines.
    An important point is that market incentives are extremely 
powerful, but for that very reason it is essential that they be 
structured properly. As the FERC Chairman has put it, we cannot 
simply let markets works, we must make markets work.
    In the context of homeland security, we simply can't let 
markets work either. They won't. So we have to make them work. 
We have to change the structure of incentives facing private 
firms so market forces are directed towards reducing the cost 
of achieving a given level of security instead of providing a 
lower level of security than is warranted. Given the 
significance of the private sector in homeland security 
settings, this task is critical.
    To be sure, private firms do have some incentive to avoid 
the direct financial losses associated with a terrorist attack 
on their facilities or operations. In general, however, and 
despite claims to the contrary made by many homeland security 
officials, that incentive is not compelling enough to encourage 
the appropriate level of security and therefore must be 
supplemented with stronger market-based incentives to increase 
the level of security.
    My written testimony provides several reasons for why 
private markets by themselves do not generate sufficient 
incentives for investments in homeland security. As just one 
example, consider the effect of bankruptcy laws. Such 
bankruptcy laws limit the corporate and individual financial 
exposure to the losses from an attack and can thereby attenuate 
the incentives to protect against attacks, especially in the 
context of catastrophic failures of network systems that can 
cause losses that far exceed the net worth of any individual 
company.
    The general conclusion is that we just can't leave it up to 
the market in protecting ourselves against terrorist attacks. 
The market has an important role to play. Government 
intervention in some form and in some markets will be necessary 
to fashion the appropriate response to the threat of terrorism.
    Now, the need for government intervention in some cases and 
some markets doesn't tell you how the government should 
intervene or precisely when. And in my written testimony I do 
provide some guidelines for when intervention is appropriate, 
and also point to a model that I think is the most auspicious 
in terms of being cost-effective, at least over the longer 
term, which combines some minimal level of regulation and an 
insurance requirement and third-party inspections. Under this 
system, the government would set some level of security 
regulations for private firms and then mandate the purchase of 
antiterrorism insurance. Private insurance firms would then 
provide incentives for safer behavior by offering premium 
reductions to firms that improve their security. And third-
party auditors would help insurance firms make sure that the 
insured firms are actually doing what they are saying they are 
doing, and also helping ensure that the minimum level of 
government regulations are being met without a huge government 
bureaucracy.
    A mixed regulatory insurance system similar to this is 
already applied in many other sectors, such as owning a car or 
a house. Consider your house. There are local building codes 
that regulate the structure of that house. That is a regulatory 
approach. But in general, when you go to get a mortgage, you 
also have to have insurance, and insurance firms provide 
incentives for going beyond the minimum level of the building 
code. If you put in a security system, you will get a premium 
break for doing so. So the insurance firm is providing you an 
incentive to have a safer house than the minimum regulatory 
standard would suggest.
    And I offer other examples that already exist. This sort of 
mixed system of minimum standards coupled with an insurance 
mandate can not only encourage private firms to act more 
safely, but can also provide incentives for innovation to 
reduce the cost of achieving a given level of security over 
time, and I think that is particularly important in the 
homeland security context. It also has the advantage of being 
flexible also, an important attribute in an environment in 
which threats are evolving.
    Studies have shown how such a program could be implemented 
in practice. In Delaware and Pennsylvania, the State 
departments of environmental protection have worked closely 
with the insurance industry to test-pilot this type of approach 
with regard to making chemical facilities safer not against 
terrorist attacks, but safer against accidents, and I think 
that this basic model could be applied in many homeland 
security settings.
    In conclusion, this typed of mixed system of minimum 
regulatory standards, insurance and third-party inspections 
could harness market forces to provide homeland security in a 
cost-effective way. Of course, this approach can and should be 
supplemented or replaced when there is evidence that other 
approaches would be more efficient.
    But my important bottom line is that we cannot simply 
assume that the market will ensure that we are adequately--and 
by ``we,'' I mean our private facilities and operations which 
are so critical to our economy--are adequately protected 
against attack. They won't. We have to make markets work better 
than they would in the absence of government intervention.
    Thank you very much, Mr. Chairman.
    Mr. Thornberry. Thank you very much. I appreciate it.
    [The statement of Mr. Orszag follows:]

  PREPARED STATEMENT OF PETER R. ORSZAG\1\, Ph.D., JOSEPH A. PECHMAN 
      SENIOR FELLOW IN ECONOMIC STUDIES, THE BROOKINGS INSTITUTION

    The blackout of 2003 has underscored concerns about the 
vulnerability of our nation's critical infrastructure to both accidents 
and deliberate attack, providing an immediate connection to the 
nation's homeland security efforts. But the blackout may offer a deeper 
lesson beyond the vulnerability of the nation's electricity grid to 
terrorist attack. In particular, a common explanation for the problems 
facing the electricity system is that private firms have had inadequate 
incentives to invest in distribution lines.
---------------------------------------------------------------------------
    \1\ The views expressed here do not necessarily represent those of 
the staff, officers, or board of the Brookings Institution. I thank 
Michael O'Hanlon, Ivo Daalder, I.M. Destler, David Gunter, Robert 
Litan, and Jim Steinberg for the joint work upon which this testimony 
draws, Emil Apostolov for excellent research assistance, and Howard 
Kunreuther for helpful comments. For related details, see Protecting 
the American Homeland: One Year On (Brookings Institution Press: 2003). 
Also see Howard Kunreuther, Geoffrey Heal, and Peter Orszag, 
``Interdependent Security: Implications for Homeland Security Policy 
and Other Areas,'' Policy Brief #108, Brookings Institution, October 
2002, and Howard Kunreuther and Geoffrey Heal, ``Interdependent 
Security,'' Journal of Risk and Uncertainty 26: 231-249 (March/May 
2003).
---------------------------------------------------------------------------
    The important point is that market incentives are extremely 
powerful. For that very reason, however, it is essential that they be 
structured properly. As Patrick Wood, chairman of the Federal Energy 
Regulatory Commission, has put it: ``We cannot simply let markets work. 
We must make markets work.''\2\
---------------------------------------------------------------------------
    \2\ Quoted in David Wessel, ``A Lesson from the Blackout: Free 
Markets Also Need Rules,'' Wall Street Journal, August 28, 2003.
---------------------------------------------------------------------------
    In homeland security, private markets do not automatically produce 
the best result. We must therefore alter the structure of incentives so 
that market forces are directed toward reducing the costs of providing 
a given level of security for the nation, instead of providing a lower 
level of security than is warranted. Given the significance of the 
private sector in homeland security settings, structuring incentives 
properly is critical.
    To be sure, private firms currently have some incentive to avoid 
the direct financial losses associated with a terrorist attack on their 
facilities or operations. In general, however, that incentive is not 
compelling enough to encourage the appropriate level of security--and 
should therefore be supplemented with stronger market-based incentives 
in several sectors.
        My testimony argues that:
         Private markets, by themselves, do not provide 
        adequate incentives to invest in homeland security, and
         A mixed system of minimum regulatory standards, 
        insurance, and third-party inspections would better harness the 
        power of private markets to invest in homeland security in a 
        cost-effective manner.

Incentives for homeland security in private markets
    Private markets by themselves do not generate sufficient incentives 
for homeland security for seven reasons:
         Most broadly, a significant terrorist attack 
        undermines the nation's sovereignty, just as an invasion of the 
        nation's territory by enemy armed forces would. The costs 
        associated with a reduction in the nation's sovereignty or 
        standing in the world may be difficult to quantify, but are 
        nonetheless real. In other words, the costs of the terrorist 
        attack extend well beyond the immediate areas and people 
        affected; the attack imposes costs on the entire nation. In the 
        terminology of economists, such an attack imposes a ``negative 
        externality.'' The presence of this negative externality means 
        that private markets will undertake less investment in security 
        than would be socially desirable: Individuals or firms deciding 
        how best to protect themselves against terrorism are unlikely 
        to take the external costs of an attack fully into account, and 
        therefore will generally provide an inefficiently low level of 
        security against terrorism on their own.\3\ Without government 
        involvement, private markets will thus typically under-invest 
        in anti-terrorism measures.\4\
         Second, a more specific negative externality exists 
        with regard to inputs into terrorist activity. For example, 
        loose security at a chemical facility can provide terrorists 
        with the materials they need for an attack. Similarly, poor 
        security at a biological laboratory can provide terrorists with 
        access to dangerous pathogens. The costs of allowing terrorists 
        to obtain access to such materials are generally not borne by 
        the facilities themselves: the attacks that use the materials 
        could occur elsewhere. Such a specific negative externality 
        provides a compelling rationale for government intervention to 
        protect highly explosive materials, chemicals, and biological 
        pathogens even if they are stored in private facilities. In 
        particular, preventing access to such materials is likely to 
        reduce the overall risk of catastrophic terrorism, as opposed 
        to merely displacing it from one venue to another.
---------------------------------------------------------------------------
    \3\ It is also possible, at least in theory, for private firms to 
invest too much in anti-terrorism security. In particular, visible 
security measures (such as more uniformed guards) undertaken by one 
firm may merely displace terrorist attacks onto other firms, without 
significantly affecting the overall probability of an attack. In such a 
scenario, the total security precautions undertaken can escalate beyond 
the socially desirable levels--and government intervention could 
theoretically improve matters by placing limits on how much security 
firms would undertake. Unobservable security precautions (which are 
difficult for potential terrorists to detect), on the other hand, do 
not displace vulnerabilities from one firm to another and can at least 
theoretically reduce the overall level of terrorism activity. For an 
interesting application of these ideas to the Lojack automobile 
security system, see Ian Ayres and Steven Levitt, ``Measuring Positive 
Externalities from Unobservable Victim Precaution: An Empirical 
Analysis of Lojack,'' Quarterly Journal of Economics, Vol. 108, no. 1 
(February 1998). For further analysis of evaluating public policy in 
the presence of externalities, see Peter Orszag and Joseph Stiglitz, 
``Optimal Fire Departments: Evaluating Public Policy in the Face of 
Externalities,'' Brookings Institution Working Paper, January 2002.
    \4\ The Coase theorem shows that under very restrictive conditions, 
the negative externality can be corrected by voluntary private actions 
even if the role of government is limited to enforcing property rights. 
But the Coase theorem requires that all affected parties are able to 
negotiate at sufficiently low cost with each other. Since virtually the 
entire nation could be affected indirectly by a terrorist attack, the 
costs of negotiation are prohibitive, making the Coase theorem 
essentially irrelevant in the terrorism context.
---------------------------------------------------------------------------
         Third, a related type of externality involves 
        ``contamination effects.'' Contamination effects arise when a 
        catastrophic risk faced by one firm is determined in part by 
        the behavior of others, and the behavior of these others 
        affects the incentives of the first firm to reduce its exposure 
        to the risk. Such interdependent security problems can arise, 
        for example, in network settings. The problem in these settings 
        is that the risk to any member of a network depends not only on 
        its own security precautions but also on those taken by others. 
        Poor security at one establishment can affect security at 
        others. The result can often be weakened incentives for 
        security precautions.\5\ For example, once a hacker or virus 
        reaches one computer on a network, the remaining computers can 
        more easily be contaminated. This possibility reduces the 
        incentive for any individual computer operator to protect 
        against outside hackers. Even stringent cyber-security may not 
        be particularly helpful if a hacker has already entered the 
        network through a ``weak link.''
---------------------------------------------------------------------------
    \5\ See Howard Kunreuther and Geoffrey Heal, ``Interdependent 
Security,'' Journal of Risk and Uncertainty 26: 231-249 (March/May 
2003), and Howard Kunreuther, Geoffrey Heal, and Peter Orszag, 
``Interdependent Security: Implications for Homeland Security Policy 
and Other Areas,'' Policy Brief #108, Brookings Institution, October 
2002.
---------------------------------------------------------------------------
         A fourth potential motivation for government 
        intervention involves information--in particular, the cost and 
        difficulty of accurately evaluating security measures. For 
        example, one reason that governments promulgate building codes 
        is that it would be too difficult for each individual entering 
        a building to evaluate its structural soundness. Since it would 
        also be difficult for the individual to evaluate how well the 
        building's air intake system could filter out potential bio-
        terrorist attacks, the same logic would suggest that the 
        government should set minimum anti-terrorism standards for 
        buildings if there were some reasonable threat of a terrorist 
        attack on the relevant type of buildings (so that the 
        individual would have some interest in ensuring that the 
        building were protected against biological attack). Similarly, 
        it would be possible, but inefficient, for each individual to 
        conduct extensive biological anti-terrorism safety tests on the 
        food that he or she was about to consume. The information costs 
        associated with that type of system, however, make it much less 
        attractive than a system of government regulation of food 
        safety.
         The fifth justification for government intervention is 
        that corporate and individual financial exposures to the losses 
        from a major terrorist attack are inherently limited by the 
        bankruptcy laws. For example, assume that there are two types 
        of possible terrorist attacks on a specific firm: A very severe 
        attack and a somewhat more modest one. Under either type of 
        attack, the losses imposed would exceed the firm's net assets, 
        and the firm would declare bankruptcy--and therefore the extent 
        of the losses beyond that which would bankrupt the firm would 
        be irrelevant to the firm's owners. Since the outcome for the 
        firm's owners would not depend on the severity of the attack, 
        the firm would have little or no incentive to reduce the 
        likelihood of the more severe version of the attack even if the 
        required preventive steps were relatively inexpensive. From 
        society's perspective, however, such security measures may be 
        beneficial--and government intervention can therefore be 
        justified to address catastrophic possibilities in the presence 
        of the bankruptcy laws.
         The sixth justification for government intervention is 
        that the private sector may expect the government to bail it 
        out should a terrorist attack occur. The financial assistance 
        to the airline industry provided by the government following 
        the September 11th attacks provides just one example of such 
        bailouts. Such expectations create a ``moral hazard'' problem: 
        private firms, expecting the government to bail them out should 
        an attack occur, do not undertake as much security as they 
        otherwise would. If the government cannot credibly convince the 
        private sector that no bailouts will occur after an attack, it 
        may have to intervene before an attack to offset the adverse 
        incentives created by the expectation of a bailout.
         The final justification for government intervention 
        involves incomplete markets. The most relevant examples involve 
        imperfections in capital and insurance markets. For example, if 
        insurance firms are unable to obtain reinsurance coverage for 
        terrorism risks (that is, if primary insurers are not able to 
        transfer some of the risk from terrorism costs to other 
        insurance firms in the reinsurance market), some government 
        involvement may be warranted. In addition, certain types of 
        activities may require large-scale coordination, which may be 
        possible but difficult to achieve without governmental 
        intervention.
    The relative strength of these potential justifications for 
government intervention varies from case to case. Furthermore, the 
benefits of any government intervention must be weighed against the 
costs of ineffective or excessively costly interventions--that is, that 
the government intervention may do more harm than good. Even if an 
omniscient government could theoretically improve homeland security in 
a manner that provides larger benefits than costs, it is not clear that 
real-world governments--suffering from political pressures, imperfect 
information, and skewed bureaucratic incentives--would. The potential 
for government failure depends on the characteristics of the particular 
government agency and the sector involved. For example, it seems 
plausible that government failure is a particular danger in innovative 
and rapidly evolving markets.\6\
---------------------------------------------------------------------------
    \6\ As the great British economist Alfred Marshall emphasized, ``A 
Government could print a good edition of Shakespeare's works, but it 
could not get them written. . .Every new extension of Governmental work 
in branches of production which need ceaseless creation and initiative 
is to be regarded as prima facie anti-social, because it retards the 
growth of that knowledge and those ideas which are incomparably the 
most important form of collective wealth.'' Alfred Marshall, ``The 
Social Possibilities of Economic Chivalry,'' Economic Journal, 1907, 
pages 7-29.
---------------------------------------------------------------------------
    Both the need for government intervention and the potential costs 
associated with it thus vary from sector to sector, as should the 
policy response. Government intervention will generally only be 
warranted in situations in which a terrorist attack could have 
catastrophic consequences. Nonetheless, the general conclusion is that 
we can't just ``leave it up to the market'' in protecting ourselves 
against terrorist attacks. The market has an important role to play, 
but government intervention in some form and in some markets will be 
necessary to fashion the appropriate response to the threat of 
terrorism.

Modifying incentives for the private sector to invest in homeland 
security
    The need for some sort of government intervention to protect 
private property and activities against terrorism does not determine 
how or in which situations the government should intervene. The various 
tools that the government could employ, furthermore, will likely 
determine how costly the intervention will be, as well as who will bear 
those costs. For example, to improve safety in commercial buildings, 
the government could:
         Impose direct regulation: The Federal government could 
        require that certain anti-terrorist features be included in any 
        commercial or public building.\7\
---------------------------------------------------------------------------
    \7\ Although building codes traditionally fall within the 
jurisdiction of local governments, the Americans with Disabilities Act 
(ADA) mandated changes in buildings. A precedent therefore exists for 
Federal pre-emption of local building codes. It should be noted that 
the ADA does not directly affect existing building codes. But the 
legislation requires changes in building access and permits the 
Attorney General to certify that a State law, local building code, or 
similar ordinance ``meets or exceeds the minimum accessibility 
requirements'' for public accommodations and commercial facilities 
under the ADA. Such certification is considered ``rebuttable evidence'' 
that the state law or local ordinance meets or exceeds the minimum 
requirements of the ADA.
---------------------------------------------------------------------------
         Require insurance: The Federal government could 
        require every commercial or public building to carry insurance 
        against terrorism, much as state governments now typically 
        require motorists to carry some form of auto liability 
        insurance.\8\ The logic of such a requirement is that insurance 
        companies would then provide incentives for buildings to be 
        safer.
---------------------------------------------------------------------------
    \8\ The McCarren-Ferguson Act delegates insurance regulation to the 
states. The Federal government could nonetheless effectively impose an 
insurance mandate either by providing strong incentives to the states 
to adopt such a mandate, or perhaps by mandating that all commercial 
loans from a federally related financial institution require the 
borrower to hold such insurance.
---------------------------------------------------------------------------
         Provide a subsidy for anti-terrorism measures: The 
        Federal government could provide a subsidy--through direct 
        government spending or through a tax incentive--for investing 
        in anti-terrorism building features or for other steps to 
        protect buildings against attacks.
    More broadly, each of the various approaches for minimizing the 
dangers and potential damages related to terrorism likely entails a 
different level of aggregate costs, and also a different distribution 
of those costs across sectors and individuals.\9\
---------------------------------------------------------------------------
    \9\ In theory, the different approaches to implementing a security 
measure could be separated from how the costs of the measure were 
financed--for example, firms adhering to regulatory standards could be 
reimbursed by the Federal budget for their costs. In practice, however, 
the method of implementation often implies a method of financing: the 
cost of regulations will be borne by the producers and users of a 
service, and the cost of a general subsidy will be borne by taxpayers 
as a whole. In evaluating different implementation strategies, 
financing implications must therefore be taken into account.
---------------------------------------------------------------------------
Direct regulation
    The principal benefit of a direct regulatory approach is that the 
regulatory standard provides a minimum guarantee regarding anti-
terrorism protection, assuming the regulations are enforced.\10\ For 
example, if skyscrapers are natural targets for terrorists, requiring 
security measures in such buildings accomplishes two goals:
---------------------------------------------------------------------------
    \10\ Fines could be adopted as part of the regulatory system to 
ensure compliance with minimum standards for preventative measures.
---------------------------------------------------------------------------
         First, it ensures that the buildings are better 
        protected against attack.
         Second, it raises the costs of living in skyscrapers 
        and therefore discourages people from living there--which may 
        be appropriate as a means of diminishing the nation's exposure 
        to catastrophic attack, given the buildings' assumed 
        attractiveness to terrorists.
    There are, however, also downsides to direct regulation:
         First, the minimum regulatory threshold may be set at 
        an inappropriate level.\11\
---------------------------------------------------------------------------
    \11\ In other words, an anti-terrorism standard for, say, athletic 
arenas could impose an excessively tight standard (which would involve 
unnecessary costs) or an excessively loose standard (which would 
involve insufficient protection against terrorist threats).
---------------------------------------------------------------------------
         Second, a regulatory approach, especially one that 
        reflects a ``command and control'' system rather than market-
        like incentives, can be an unnecessarily expensive mechanism 
        for achieving a given level of security.\12\ Such an approach 
        may be particularly inefficient because of the substantial 
        resources required to enforce the regulations.
---------------------------------------------------------------------------
    \12\ For example, in the environmental context, placing the same 
limit on emissions of harmful substances by all firms or individuals 
ignores the differences in costs of preventing pollution. That is why 
economists have long advocated market-based approaches to emission 
reductions, such as a permit trading system (which is currently in 
place for sulfur dioxide emissions) or a tax on emissions. Either 
market-based approach to regulation can achieve the same level of 
environmental protection at lower overall cost than a regulatory 
approach because it encourages those who can most cheaply control 
pollution do so (to avoid paying for the permit or the tax). A key 
requirement for a permit trading system or a tax, however, is some 
system for measuring ``outcomes,'' such as the monitoring of pollution 
emitted by parties subject to the tax or participating in the system. 
In the context of anti-terrorism measures, the appropriate metric would 
be related to the expected loss from a terrorist attack. Yet it is 
difficult to see how such expected losses could be quantified and thus 
provide the basis for a permit trading system or a tax.
---------------------------------------------------------------------------
         Third, the regulatory approach does not generally 
        provide incentives for innovation. Firms would have an 
        incentive to meet the minimum regulatory standard, but little 
        incentive to exceed it. Indeed, depending on how it is written, 
        regulation may impede innovation in finding new (and less 
        costly) approaches to improving protection against terrorism, 
        especially if the rules are of the standard ``command and 
        control'' variety.
    These costs of regulation can be reduced, although not eliminated, 
through careful attention to the design of the regulations. In 
particular, the more regulations focus on outcomes and performance, 
rather than specific inputs, the better. For example, a regulation 
affecting an indoor athletic arena could state that the arena's air 
ventilation system must be able to contain a given type of bio-
terrorist attack within a specific amount of time, rather than that the 
system must include specific devices. Compliance with the performance-
based regulation can then be tested regularly by government inspectors 
or third-party auditors. Such a performance-oriented set of regulations 
provides at least some incentive for firms to design and implement less 
expensive mechanisms for achieving any given level of security.

Insurance requirement
    An insurance requirement is a possible alternative to direct 
government regulation.\13\ At first glance, an insurance requirement 
may seem counterproductive: Firms and individuals who have insurance 
against terrorism would appear to lack incentives to take appropriate 
precautions against an attack. However, where such insurance is 
available, it typically comes with provisions (such as a deductible) to 
ensure that the insured bear at least some of the cost of an attack, 
and thus have an economic incentive to avoid such attacks or minimize 
their consequences. Furthermore, and perhaps more importantly, the 
insurance companies themselves have an incentive to encourage risk-
reducing activities.\14\ Insurance firms could provide incentives for 
measures that reduce the exposure of buildings to terrorist attack 
(such as protecting or moving the air intake), or that reduce the 
likelihood of a successful cyber-attack on a computer system or 
intranet (such as improved firewalls and more advanced encryption).
---------------------------------------------------------------------------
    \13\ The insurance requirement would complement the use of the 
liability system to encourage protective measures: Insurance coverage 
would be relatively more important in the context of large liability 
exposures.
    \14\ By similar reasoning, insurers should not be able to use 
genetic information to discriminate in rates charged for health 
coverage since individuals cannot control their genetic makeup.
---------------------------------------------------------------------------
    An insurance requirement is clearly not a panacea, however. One 
issue is the degree to which the insurance market would discriminate 
among terrorism risks (or would be allowed to do so by regulators). For 
example, consider the higher risks for such ``iconic'' structures as 
the World Trade Center, the Empire State building, and other tall 
structures elsewhere in the country. If insurers are not restricted by 
government policy from charging appropriately risk-related premiums, 
insurance markets will discourage the construction of such potential 
terrorist targets in the future. Such an outcome may be efficient in 
the sense of reducing potential exposure to terrorist attacks, but it 
may have other social costs.
    In evaluating the effects of variation in insurance premiums, a 
distinction should be drawn between existing buildings and new 
construction. The owners of existing buildings likely did not 
anticipate the terrorist threat when the buildings were constructed. 
Any additional costs on such existing buildings would reduce their 
market values, imposing capital losses on their owners. Some may not 
view this outcome as fair: it effectively imposes higher costs on the 
owners (or occupants) of an existing building to address a threat that 
was largely unexpected when the buildings were constructed. Others may 
view the outcome as eminently fair, since the alternative would be to 
have the population as a whole effectively provide a subsidy to the 
owners of prominent buildings.\15\ For new construction, the case for 
differentiated insurance premiums is stronger, since the prospective 
owners are now aware of the threat of attack and since differentiated 
premiums could play an important role in encouraging safer designs of 
prominent buildings.
---------------------------------------------------------------------------
    \15\ Failing to allow insurance firms to discriminate across risks 
in pricing policies could also induce ``cherry-picking'' of the lowest 
risks by the insurance firms and make it difficult for the higher risks 
to obtain the insurance from any firm. It is worth noting that in the 
United Kingdom, a government-sponsored mutual insurance organization, 
Pool Re, provides anti-terrorism insurance. The rates vary by location, 
with the highest in Central London and the lowest in rural parts of 
Scotland and Wales. See Howard Kunreuther, ``The Role of Insurance in 
Managing Extreme Events: Implications for Terrorism Coverage'' Business 
Economics April 2002 For further analysis of the Pool Re and other 
programs abroad, see General Accounting Office, ``Terrorism Insurance: 
Alternative Programs for Protecting Insurance Consumers,'' GAO-02-199T, 
October 24, 2001, and Congressional Budget Office, ``Federal 
Reinsurance for Terrorism Risks,'' October 2001.
---------------------------------------------------------------------------
    Another potential problem with an insurance approach involves the 
capacity of insurers to price the insurance and provide incentives for 
specific anti-terrorism steps. If government regulators find it 
difficult to undertake comparative benefit analysis in fighting 
terrorism, it is likely that private insurers would face similar 
challenges--especially in the face of network effects. The problem is 
exacerbated by the absence of solid actuarial information on the risks 
involved, which in turn reflects the nation's good fortune thus far in 
not being exposed to a large number of terrorist attacks. Nonetheless, 
as the Congressional Budget Office has noted, ``Not every new risk has 
proved to be uninsurable. For example, the changing legal environment 
for product liability, which makes predicting losses difficult, has 
affected how insurers manage such risks, but it has not resulted in 
insurers' dropping all product liability coverage. Rather it has 
produced a combination of more restricted coverage, shared 
responsibility, and modifications in producers' behavior.''\16\
---------------------------------------------------------------------------
    \16\ CBO also notes that private insurers in Israel provide some 
anti-terrorism coverage (involving indirect losses such as the costs of 
business interruptions from terrorist attacks). Congressional Budget 
Office, ``Federal Reinsurance for Terrorism Risks,' October 2001.
---------------------------------------------------------------------------
    Perhaps most fundamentally, an insurance system won't work if 
insurers won't offer the insurance or offer it only at extremely high 
prices relative to their underlying actuarial models, or if firms are 
not required to purchase the insurance and don't see a need for it. 
Some economists and market observers have raised important questions 
about whether capital market imperfections impede the ability of 
insurers to provide coverage against catastrophic risks, such as those 
involved in terrorist activities.\17\ A particular concern involves 
reinsurance: the transfer of risk from the primary insurance company to 
another entity. Rather than maintaining high reserves to meet the 
potential costs of extreme events, primary insurance firms buy 
reinsurance from other firms. The reinsurance covers at least part of a 
severe loss, attenuating the risks faced by the primary insurers. To 
ensure that primary insurers continue to cover terrorism risks, the 
Federal government has provided terrorism reinsurance. A temporary 
Federal program makes sense; over time, as new approaches to spreading 
the financial risks associated with anti-terrorism insurance develop, 
the need for any government reinsurance program could be reduced.\18\ A 
substantial flaw with the current reinsurance program, though, is that 
no fee is imposed. A better approach to federal reinsurance would have 
the government share the risk, but also the premiums, from primary 
terrorism insurance.\19\
---------------------------------------------------------------------------
    \17\ See, for example, Kenneth Froot, ``The Market for Catastrophic 
Risk: A Clinical Examination,'' NBER Working Paper 8110, February 2001.
    \18\ For alternatives to a federal reinsurance program, see J. 
Robert Hunter, ``How the Lack of Federal Back Up for Terrorism 
Insurance Affected Insurers and Consumers: An Analysis of Market 
Conditions and Policy Implications,'' Consumer Federation of America, 
January 23, 2002.
    \19\ See, for example, David Moss, Testimony before the U.S. Senate 
Committee on Commerce, Science, and Transportation, October 30, 2001.
---------------------------------------------------------------------------
    Despite these potential problems, it is plausible that a broader 
system of anti-terrorism insurance could develop over the medium to 
long term, and thereby play a crucial role in providing incentives to 
private-sector firms to undertake additional security measures when 
such steps are warranted given the risk of a terrorist attack (at least 
as viewed by the insurance firm).
Subsidies for anti-terrorism measures
    A third form of government intervention would take the form of 
subsidies for anti-terrorism measures undertaken by private actors. 
Subsidies could affect firm behavior, and (if appropriately designed) 
provide some protection against terrorist threats. Subsidies, however, 
carry four dangers:
         First, they can encourage unnecessarily expensive 
        investments in security measures (or ``gold plating'').\20\
---------------------------------------------------------------------------
    \20\ Consider, for example, a tax credit equal to 50 percent of the 
cost of building improvements that protect against terrorism. Such a 
high subsidy rate may encourage firms to undertake too much investment 
in security against terrorism--in the sense that the costs of the 
investment are not fully justified by the protections they provide 
against terrorism. For example, reinforced windows may provide 
protection against shattering in the event of a terrorist attack. Even 
if the protection provided is minimal, the firm may find it worthwhile 
to undertake the investment since so much of the cost is borne by 
others, and since the reinforced windows may provide other benefits 
(such as reduced heating and cooling costs because of the added 
insulation). Relatedly, a subsidy provides a strong incentive for firms 
to classify changes that would have otherwise been undertaken as 
``anti-terrorism'' measures in order to qualify for the subsidy.
---------------------------------------------------------------------------
         Second, a subsidy approach would likely spark 
        intensive lobbying efforts by firms to capture the subsidies--
        which not only dissipates resources that could have been used 
        more productively elsewhere, but may skew the definition of 
        what qualifies for the subsidy toward inappropriate items.\21\
---------------------------------------------------------------------------
    \21\ Lobbying would undoubtedly occur in the context of a 
regulatory approach, but since regulations are made on the basis of 
some kind of evidentiary record and are subject to judicial review, the 
room for lobbying is restricted. In contrast, subsidies are 
expenditures of the government and handed out by Congress, which is 
inherently much more amenable to lobbying.
---------------------------------------------------------------------------
         Third, subsidies could provide benefits to firms that 
        would have undertaken the activities even in the absence of the 
        subsidy--raising the budget cost without providing any 
        additional security.
         Finally, subsidies financed from general revenue are 
        effectively paid for by the entire population. The fairness and 
        feasibility of that approach is debatable, especially in face 
        of the dramatic deterioration in the Federal budget outlook 
        over the past several years and the recognition that other 
        pressing needs will put increased pressure on the budget even 
        without subsidizing private-sector protective measures.
Toward a mixed system: Minimum regulatory standards, insurance, and 
third-party inspections
    As the discussion above has highlighted, all of the various 
approaches to government intervention have shortcomings, and the 
relative importance of these drawbacks is likely to vary from sector to 
sector. Nonetheless, in many cases that require government 
intervention, one longer-term approach appears to be the least 
undesirable and most cost-effective: a combination of regulatory 
standards, insurance requirements, and third-party inspections.
    A mixed regulatory/insurance system is already applied in many 
other areas, such as owning a home or driving a car. Local building 
codes specify minimum standards that homes must meet. But mortgages 
generally require that homes also carry home insurance, and insurance 
companies provide incentives for improvements beyond the building code 
level--for example, by providing a reduction in the premiums they 
charge if the homeowner installs a security system. Similarly, 
governments specify minimum standards that drivers must meet in order 
to operate a motor vehicle. But they also require drivers to carry 
liability insurance for accidents arising out of the operation of their 
vehicles. Meanwhile, insurance companies provide incentives for safer 
driving by charging higher premiums to those with poorer driving 
records.\22\
---------------------------------------------------------------------------
    \22\ To be sure, crucial differences exist between the terrorist 
case and these other examples. For example, stable actuarial data exist 
for home and auto accidents, but not for terrorist attacks. 
Nonetheless, it may be possible for insurers to distinguish risks of 
loss based on differences in damage exposures, given a terrorist 
incident. Some financial firms are already trying to devise basic 
frameworks for evaluating such risks. See, for example, Moody's 
Investors Service, ``Moody's Approach to Terrorism Insurance for U.S. 
Commercial Real Estate,'' March 1, 2002.
---------------------------------------------------------------------------
    A mixed system of minimum standards coupled with an insurance 
mandate not only can encourage actors to act safely, but also can 
provide incentives for innovation to reduce the costs of achieving any 
given level of safety.\23\ The presence of minimum regulatory standards 
also helps to attenuate the moral hazard effect from insurance, and can 
provide guidance to courts in determining negligence under the 
liability laws.\24\
---------------------------------------------------------------------------
    \23\ Moreover, an insurance requirement (as opposed to an insurance 
option) avoids the adverse selection problem that can occur in 
voluntary insurance settings. In particular, if anti-terrorism 
insurance were not mandatory, firms with the most severe terrorism 
exposure would be the most likely to demand insurance against terrorist 
acts. The insurance companies, which may have less information about 
the exposure to terrorism than the firms themselves, may therefore be 
hesitant to offer insurance against terrorist attacks, since the worst 
risks would disproportionately want such insurance. The outcome could 
be either that the insurance companies do not offer the insurance, or 
that they charge such a high price for it that many firms (with lower 
exposure to terrorism but nonetheless some need to purchase insurance 
against it) find it unattractive. This preference for mandatory 
insurance assumes no constraints or imperfections on the supply side of 
the insurance market.
    \24\ For a discussion of the potential benefits of a mixed system 
of building code regulations and mandatory catastrophic risk insurance 
in the context of natural disasters, see Peter Diamond, ``Comment on 
Catastrophic Risk Management,'' in Kenneth Froot, ed., The Financing of 
Catastrophe Risk (University of Chicago Press: Chicago, 1999), pages 
85-88.
---------------------------------------------------------------------------
    A mixed system also has the advantage of being flexible, a key 
virtue in an arena where new threats will be ``discovered'' on an 
ongoing basis. In situations in which insurance firms are particularly 
unlikely to provide proper incentives to the private sector for 
efficient risk reduction (for example, because insurers lack experience 
in these areas), regulation can play a larger role.
    Third-party inspections can be coupled with insurance protection to 
encourage companies to reduce the risk of accidents and disasters. 
Under such schemes, insurance corporations would hire third-party 
inspectors to evaluate the safety and security of plants seeking 
insurance cover. Passing the inspection would indicate to the community 
and government that a firm complies with safety and security 
regulations. The firm would also benefit from reduced insurance 
premiums, since the insurer would have more confidence in the safety 
and security of the firm.
    This system takes advantage of two potent market mechanisms to make 
firms safer, while freeing government resources to focus on the largest 
risks. Insurance firms have a strong incentive to make sure that the 
inspections are rigorous and that the inspected firms are safe, since 
they bear the costs of an accident or terrorist attack. Private sector 
inspections also reduce the number of audits the regulatory agency 
itself must undertake, allowing the government to focus its resources 
more effectively on those companies that it perceives to pose the 
highest risks. The more firms decide to take advantage of private 
third-party inspections, the greater the chances that high-risk firms 
will be audited by the regulatory agency.
    Studies have shown how such a program could be implemented in 
practice. In Delaware and Pennsylvania, the State Departments of 
Environmental Protection have worked closely with the insurance 
industry and chemical plants to test this approach.\25\
---------------------------------------------------------------------------
    \25\ For further information, see Howard Kunreuther, Patrick 
McNulty, and Yong Kang, ``Improving Environmental Safety Through Third 
Party Inspection,'' Risk Analysis. 22: 309-18, 2002.
---------------------------------------------------------------------------
Applying the mixed system
    Three examples of homeland security issues seem relatively well-
suited to a mixed system of regulatory standards, anti-terrorism 
insurance, and third-party inspections:
         Security at chemical and biological plants. Such 
        plants contain materials that could be used as part of a 
        catastrophic terrorist attack, and should therefore be 
        subjected to more stringent security requirements than other 
        commercial facilities. The regulatory standards could be 
        supplemented by an insurance requirement, which would then 
        allow insurance firms to provide incentives for more innovative 
        security measures.
         Building security for buildings that house thousands 
        of people. The Federal government could supplement existing 
        building codes for large commercial buildings with minimum 
        performance-based anti-terrorism standards. Those regulations 
        could then be supplemented by requiring the owners of buildings 
        to obtain anti-terrorism insurance covering some multiple of 
        the value of their property. Adjustments to the basic premium 
        could encourage building improvements that reduce the 
        probability or severity of an attack (such as protecting the 
        air intake system or reinforcing the building structure).
         Cyber-security. Since the steps involved in protecting 
        a computer system against terrorist attack are similar to those 
        involved in protecting it against more conventional hacking, 
        the case for Federal financing is relatively weak. Federal 
        subsidies of anti-terrorism cyber-security measures at private 
        firms would likely induce excessive ``investment,'' since the 
        firms would not bear the full costs but would capture many of 
        the benefits (through improved security against hacking 
        attempts). Nonetheless, a successful terrorist cyber-attack 
        could cripple the nation's infrastructure, at least 
        temporarily. Some performance-oriented regulatory steps may 
        therefore be warranted. For example, the government could 
        require critical computer systems to be able to withstand mock 
        cyber-attacks, with the nature of the cyber-attack varying from 
        firm to firm. Given the ease with which mock attacks and tests 
        could be conducted--which could provide a basis for pricing the 
        insurance--an insurance requirement may be feasible and 
        beneficial. One could even imagine insurance firms hiring 
        cyber-experts to advise insured firms on how to reduce their 
        exposure to cyber-attacks. To be consistent with reasonable 
        thresholds for government intervention, any regulatory or 
        insurance requirements could be imposed only on larger firms or 
        those that have direct access to critical computer 
        infrastructure components.

Conclusion
    This testimony argues that a mixed system of minimum standards, 
insurance, and third-party inspections could harness market forces to 
provide homeland security at minimum cost. This approach can and should 
be supplemented or replaced when there is evidence that other 
approaches would be more efficient or when there are significant 
externalities associated with a given type of terrorism. For example, 
in some cases, the insurance requirement may not be necessary because 
lenders already require terrorism insurance to be carried before 
extending loans--and a government mandate is thus effectively 
superfluous. Furthermore, it will undoubtedly take time for the 
insurance industry to develop appropriate ways of pricing policies 
covering potentially catastrophic attacks.
    The degree of government intervention should clearly vary by 
circumstance. For example, consider the difference between security at 
a mall and security at a chemical facility. Poor security at a mall 
does not endanger remote areas in the nation to nearly the same degree 
as poor security at a chemical facility. The products of chemical 
plants could be used as inputs in a terrorist attack, and therefore the 
facilities warrant more aggressive government intervention than 
shopping malls. Thus security regulations for chemical plants may make 
sense, even if they don't for shopping malls.
    A critical challenge is deciding how extensive government 
regulation should be. It is one thing to set standards for commercial 
facilities such as chemical and biological plants. But should the 
government attempt to provide anti-terrorism regulations for all 
commercial buildings? For hospitals? For universities? Where does the 
regulatory process stop? One answer to this question is provided in 
Protecting the American Homeland, which focuses on reducing the risk of 
large-scale terrorist attacks.
    A final issue is who should pay for improved security in the 
private sector. My general answer is that the costs should be imposed 
on the users and providers of a particular service. Such a 
``stakeholder pays'' approach ensures that those who engage in the most 
dangerous activities (in terms of their exposure to terrorist attacks) 
pay for the costs associated with those risks.

    Mr. Thornberry. Next is John McCarthy, who is executive 
director of the Critical Infrastructure Protection Project at 
George Mason University. Thank you for being here. You are 
recognized for 5 minutes.

  STATEMENT OF JOHN A. McCARTHY, EXECUTIVE DIRECTOR, CRITICAL 
   INFRASTRUCTURE PROTECTION PROJECT, GEORGE MASON UNIVERSITY

    Mr. McCarthy. Thank you, Mr. Chairman, and thank you, 
distinguished members of the committee, for the honor of 
appearing before you today.
    As a preliminary matter I would like to introduce the 
Critical Infrastructure Project within George Mason 
University's School of Law, where I serve as the executive 
director. The CIP Project has a unique role in building an 
interdisciplinary research program that fully integrates the 
disciplines of law, policy and technology. We are developing 
practical solutions for enhancing the security of 
cybernetworks, physical structures and economic processes 
underlying the Nation's critical infrastructures. The project 
is specifically charged with supporting research that informs 
needs and requirements outlined by the various national 
homeland security strategy documents.
    Since its inception a little over a year ago, we have 
sponsored more than 70 substantive research projects touching 
leading scholars at 20 universities, with James Madison 
University as a lead partner, and focusing more than 200 
graduate and undergraduate students on security-related 
studies. The CIP Project-sponsored research ranges from highly 
technical efforts designing new security protocols for 
cybersystems to mapping infrastructure vulnerabilities, to 
exploring legal and business government implications of 
information-sharing, to experimental economic analysis by the 
most recent Nobel Laureate in economics. In addition, GMU leads 
an academic consortium of regional scholars supporting CIP 
vulnerability analysis and interdependency identification for 
homeland security planning efforts here in the National Capital 
region. We are working closely with the Department of Homeland 
Security to ensure vulnerability assessments and modeling tools 
built locally that could be deployed nationally.
    The Northeast blackout provides a clear example of 
disruption to our vital infrastructures. I will focus my 
comments today on those issues I believe are key areas of 
critical infrastructure protection that require continued 
emphasis, these being the need to develop a comprehensive 
understanding of infrastructure vulnerabilities and tools to 
assess those vulnerabilities; the need to better understand the 
complex interdependencies between infrastructure sectors; and 
the need to develop effective systems of public/private 
partnership that afford true information-sharing.
    The blackout and its consequences serve as an effective 
yardstick by which to measure critical infrastructure 
protection since 9/11. On a positive note, most areas that were 
affected by the blackout had power restored within 24 hours. 
Considering the large geographic area, the number of 
jurisdictions involved and the international aspect of the 
blackout, this was a sound response. Particularly noteworthy 
were the cross-sector public-private communications that took 
place away from the eyes of the media. These communications 
involved industry, State, local and national decision-makers. I 
believe these relationships were not ad hoc responses to the 
blackout, but the results of efforts of the past decade in 
developing a means for enhancing information exchange between 
the public and private sector.
    First, the blackout experience highlights our Nation's 
serious problems with infrastructure, including poor 
comprehension of our vulnerabilities and lack of awareness or 
preparedness for the interdependencies of those 
infrastructures. The blackout stresses the need to further 
identify, map, define our critical assets and properly assess 
their vulnerabilities, as 9/11, the first bombing of the World 
Trade Center, Y2K and numerous debilitating cyberattacks have 
shown us also. Comprehensive infrastructure mapping allows us 
to assess exactly where vulnerabilities are, what redundancies 
are needed, and how to recover quickly from a disruption by 
physical or cyber means.
    It is important to map out each of the critical 
infrastructures and how they work with each other and study the 
possible effects that losses on one infrastructure will have on 
another. This type of mapping is vital in addressing and 
managing future infrastructure disruptions. These analyses must 
also include evaluation of myriad possible scenarios that may 
pose threats to critical systems and provide identification of 
physical and process actions, as well as economic incentives to 
industry that afford greater resiliency and security of key 
infrastructure assets. For example, in the short term, the use 
of redundant electrical generation at hospitals in New York 
resulted in virtually no loss of service delivery capability 
for emergency and health care providers.
    Next, the blackout also highlights infrastructure 
interdependencies, which underscore the need to develop a 
comprehensive understanding of how these infrastructures work 
together. The loss of power to the energy grid implicated more 
than just our energy infrastructure and cascaded into other 
infrastructures. For instance, as sewage piled up in Harlem 
because there was no power to pump it through the facility, a 
diver had to be sent in through 40 feet of liquid sewage to get 
the pump working again. GMU, as well as other research 
universities, have particular technical expertise to bear in 
both risk assessment of critical assets and advancing the 
understanding of infrastructure interdependencies.
    Finally, the interconnectivity of modern infrastructures 
goes beyond the technical systems themselves. The human element 
of critical infrastructure protection is equally, if not more, 
important. People must communicate in order to prevent and 
respond to critical infrastructure failures. This high-level 
communication process is complex and involves many layers of 
connectivity. It is perhaps the most vital piece of effective 
infrastructure protection that we can provide because we cannot 
anticipate every contingency.
    Robust information-sharing must afford sufficient levels of 
detail at both the executive and the operational levels. As a 
former first responder and trained incident commander, I 
believe management of these complex social response networks at 
all levels of the Federal structure will be increasingly 
important in the successful resolution of future incidents of 
national significance relative to our infrastructure.
    The CIP project has the primary goal of research with the 
real-world issues and problems faced by industry and government 
leaders that face the important--face us at this important time 
in our history. We thank the committee for its support of 
academia in this area, and I look forward to your questions.
    Mr. Thornberry. Thank you, sir.
    [The statement of Mr. McCarthy follows:]

                 PREPARED STATEMENT OF JOHN A. McCARTHY

    Thank you, Mr. Chairman and distinguished members of the Committees 
for the honor of appearing before you today. I am here to testify about 
issues and challenges in providing for critical infrastructure 
protection in the context of the recent blackout and how George Mason 
University is assisting in this agenda.
    As a preliminary matter, I'd like to introduce the Critical 
Infrastructure Protection (CIP) Project, within the George Mason 
University School of Law, where I serve as Executive Director. The CIP 
Project has a unique role in building an inter-disciplinary research 
program that fully integrates the disciplines of law, policy, and 
technology. We are developing practical solutions for enhancing the 
security of cyber networks, physical structures, and economic processes 
underlying our nation's critical infrastructures. The CIP Project is 
specifically charged with supporting research that informs needs and 
requirements outlined in the various National Homeland Security 
Strategy documents. Since its inception a little over a year ago, we 
have sponsored more than 70 substantive research projects, touching 
leading scholars at 20 universities and focusing more than 200 graduate 
and undergraduate students on security related studies. CIP Project 
sponsored research ranges from highly technical efforts to design new 
security protocols for cyber systems, to mapping the vulnerabilities of 
various infrastructures, to exploring the legal and business governance 
implications of information sharing, to experimental economic analysis 
of the energy sector under the direction of Dr. Vernon Smith--the most 
recent Nobel Laureate in economics. In addition, GMU leads an academic 
consortium of regional scholars, supporting CIP vulnerability analysis 
and interdependency identification for homeland security planning 
efforts here in the National Capital Region. We are working closely 
with the Department of Homeland Security to ensure vulnerability 
assessment and modeling tools are developed locally that can be 
deployed nationally.
    The Northeast Blackout provides a clear example of disruption to 
our vital infrastructures. I will focus my comments today on those 
issues I believe are key areas of critical infrastructure protection 
that require continued emphasis. These are:
        - The need to develop a comprehensive understanding of 
        infrastructure vulnerabilities and tools to assess these 
        vulnerabilities;
        - The need to better understand the complex interdependencies 
        between infrastructure sectors; and
        - The need to develop effective systems of public-private 
        partnerships that afford true information sharing.
    The Blackout and its consequences serve as an effective yardstick 
by which to measure critical infrastructure protection development 
since 9/11. On a positive note, most areas that were affected by the 
blackout had power restored within 24 hours. Considering the large 
geographic area, the number of jurisdictions involved, and the 
international aspects of the Blackout, this was a sound response. 
Particularly noteworthy were the cross-sector public-private 
communications that took place away from the eyes of the media. These 
communications involved industry, state, local and national decision-
makers. I believe these relationships were not ad-hoc responses to the 
Blackout, but the result of the efforts of the past decade in 
developing a means for enhanced information exchange between the 
public-private sectors.
    First, the Blackout experience highlights our nation's serious 
problems with infrastructure, including poor comprehension of our 
vulnerabilities and lack of awareness or preparedness for the 
interdependencies of infrastructures. The Blackout stresses the need to 
further identify, map and define our critical assets and properly 
assess their vulnerabilities--as have 9/11, the first bombing at the 
World Trade Center, Y2K, and numerous debilitating cyber attacks. 
Comprehensive infrastructure mapping allows us to assess exactly where 
vulnerabilities are, what redundancies are needed, and how to recover 
quickly from a disruption by physical or cyber means. It is important 
to map out each of the critical infrastructures, how they work with 
each other, and study the possible effects that the loss of one 
infrastructure will have on others. This type of network and 
vulnerability mapping is vital in addressing and managing future 
infrastructure disruptions. In addition, this will afford the insurance 
and reinsurance industries the opportunity to gather sufficient 
information so they can determine their appropriate role in the 
terrorism risk insurance arena.
    These analyses must also include evaluation of myriad possible 
scenarios that may pose threats to critical systems and provide 
identification of physical and process actions, as well as economic 
incentives to industry that afford greater resiliency and security of 
key infrastructure assets. For example, in the short term, the use of 
redundant electrical generation at hospitals in New York City resulted 
in virtually no loss in service delivery capability for emergency 
responders and health care providers during the Blackout.
    Next, the Blackout also highlights infrastructure 
interdependencies, which underscore the need to develop a comprehensive 
understanding of how these infrastructures work together. The loss of 
power to the energy grid implicated more than just our energy 
infrastructure; it cascaded into several other infrastructures. For 
instance, sewage piled up at a Harlem treatment plant because there was 
no power to pump it through the facility. A diver had to be sent in 
through 40 feet of liquid sewage in order to get the pumps working 
again. GMU, as well as other research universities, have particular 
technical expertise to bring to bear in both the risk assessment of our 
critical assets and the advanced understanding of infrastructure 
interdependencies. We are fully supporting DHS's efforts to accelerate 
understanding in these key areas.
    Finally, the interconnectivity of modern infrastructures goes 
beyond the technical systems themselves. The human element of critical 
infrastructure protection is equally, if not more important. People 
must communicate in order to prevent and respond to critical 
infrastructure failures. This high-level communication process is 
complex and involves many layers of connectivity. It is perhaps the 
most vital piece of effective infrastructure protection we can provide 
because we cannot anticipate every contingency. Robust information 
sharing must afford sufficient levels of detail at both the executive 
and operational levels. It should candidly identify vulnerabilities, 
prioritize key infrastructure assets, and allow public and private 
officials to prevent, respond to, and recover from potential 
disruptions. By the same token, sufficient safeguards and incentives 
must be structured for all stakeholders to fully participate in the 
process. As a former first responder and trained incident commander, I 
believe management of these complex social response networks at all 
levels of the federal response structure will be increasingly important 
in the successful resolution of infrastructure incidences of national 
significance, be they physical, cyber, or both. The establishment of a 
public-private liaison as a senior advisor to Secretary Ridge is an 
important and needed step in developing and advancing this emerging 
need.
    The Committee has chosen to address these issues at the right time, 
and I commend you in holding this hearing. The CIP Project's primary 
goal is to match scholarly research with the real-world issues and 
problems faced by industry and government leaders at this important 
time in our Nation's history. With your continued support, the academic 
community can continue to provide unique fora to assist decision-makers 
in discussing and developing solutions to these pressing issues.
    Thank you. I look forward to answering any questions you may have.

    Mr. Thornberry. Our next witness is Karl Rauscher, founder 
and president of the Wireless Emergency Response Team. 
Appreciate you being with us, and you are recognized for 5 
minutes.

STATEMENT OF KARL F. RAUSCHER, FOUNDER AND PRESIDENT, WIRELESS 
                    EMERGENCY RESPONSE TEAM

    Mr. Rauscher. Chairman Thornberry, Chairman Camp and other 
distinguished Members, thank you for the opportunity to speak 
today and provide a perspective from the communications 
infrastructure.
    My name is Karl Frederick Rauscher. I am the founder and 
president of the Wireless Emergency Response Team, a nonprofit 
organization supported by expert volunteers from the private 
sector and government. The mission of WERT is to provide vital 
help by using advanced wireless technology to support search 
and rescue in a national crisis, by conducting focused 
research, and by providing emergency guidance for 911 centers, 
law enforcement, and family members. My experience related to 
today's subject matter includes 18 years of experience at Bell 
Labs and Bell Communications Research. As the vice chair of the 
industry's Network Reliability Steering Committee, I oversee 
deep dive cause analyses for major network outages. These 
analyses are conducted voluntarily by the industry for the 
purpose of determining if existing best practices are 
sufficient to prevent similar future events. The ATIS NRSC 
publishes an annual report on the health of the Nation's public 
networks.
    As a member of the Telecom-Information Sharing and Analysis 
Center, I am routinely involved in industry mutual aid 
responses, including the activities for the recent power 
blackout. I have led combined government and industry efforts 
to produce over 500 best practices for network reliability and 
homeland security. These FCC NRIC best practices are the most 
comprehensive and authoritative guidance in the world for 
public communications networks. These best practices, while 
totally voluntary, are implemented at a high level throughout 
the industry and are consistently credited for preventing 
network service disruptions.
    My perspectives include very human aspects of this 
discussion. My experiences have made a lasting impression on 
the vital need to connect the best minds of the industry with 
the most vital needs of its subscribers in an emergency.
    Wireless communications are vital in disaster response. On 
the morning of September 11, wireless communications were used 
by countless Americans in their usual ways. And then evil 
terrorists emerged to make their dark mark on human history. 
During those same moments, wireless devices such as cell phones 
and PDAs were used by brave hostages in the skies to report the 
hijacking of their planes, and then by expectant victims to 
speak their last ``good-bye'' and ``I love you'', and then by 
rescue teams as they rushed to bring aid. Instruments routinely 
used for conducting business and nurturing relationships were 
then, in their final mission, being used to secure the safety 
of the United States of America, or bring two individuals 
together for a final, treasured moment. In the following hours, 
an unprecedented wireless industry effort sprang into action to 
support search and rescue efforts at the World Trade Center 
disaster site.
    WERT's final report documents its key lessons and 
recommendations. May God forbid that such a tragedy and horror 
would ever be visited on us again, but if it does, WERT will be 
ready to bring the best minds and resources of the wireless 
industry to work hand in hand with traditional first responders 
on the never-changing top priority after disaster-saving human 
life.
    Most of the characteristics of the recent power blackout 
were similar to crises already experienced by the 
communications industry. For example, the duration was similar 
to power outages caused by large ice storms. Other 
characteristics, while familiar, were turned up a few notches 
in intensity. And a third set of characteristics was mostly 
new; for example, the most notable being that, like September 
11, this event was unanticipated. Also there were multiple 
cyberthreats in play around this time.
    Concerning wireless networks, during the first half hour 
after the power was lost, enormous spikes in the number of call 
attempts were seen, up to 1,000 percent of normal traffic 
levels. During the next several hours, traffic hovered around 
100 percent above normal levels. Any service problems during 
the early time frame were likely due to congestion caused from 
this very unusual demand.
    For the most part, the wireless systems and networks were 
working as designed. When commercial power was lost, cell 
towers drew power from back-up batteries until power was 
restored or until the battery power was consumed. The wireless 
industry will factor new insights gleaned from this historic 
event into future risk assessments and emergency planning 
capabilities.
    During times of heavy congestion, a text message attempt is 
more likely to succeed than a voice call because there are 
lower requirements for bandwidth. It is encouraging that early 
reports indicate there was a marked increase in the use of 
``exting'' during the blackout.
    The national communications system's ISAC is now part of 
the Department of Homeland Security Information Analysis and 
Infrastructure Protection Directorate. This ISAC interacted 
effectively with the Electricity Sector ISAC during the 
blackout, an immense demonstration for the potential of what 
could be accomplished in the future with ISAC-to-ISAC 
coordination.
    Another lesson learned during the blackout is that homes 
should have a corded phone as an emergency back-up. As many 
learned, cordless phones depend on commercial power.
    Concerning government industry partnerships, make no 
mistake about it, the communications industry is a fiercely 
competitive battlefield, yet a remnant of something 
tremendously precious survives. An aspect of the culture of the 
traditional phone company lives on. It is one that ascribes to 
itself an obligation to the safety of society. As the head of a 
nonprofit volunteer organization, this is tremendously 
encouraging. WERT has captured some of that spirit in 
harnessing the expertise, will and compassion of so many 
volunteers along with their companies or agencies. 
Intergovernmental partnerships are supported by significant 
volunteer effort and are highly effective.
    I hope that my insights today will be useful to the 
committee. Thank you.
    Mr. Thornberry. Thank you. I appreciate your testimony.
    [The statement of Mr. Rauscher follows:]

                 PREPARED STATEMENT OF KARL F. RAUSCHER

Chairman Thornberry, Chairman Camp, Congresswoman Lofgren, 
Congresswoman Sanchez, Congressman Cox, Congressman Turner, and other 
Distinguished Members: thank you for the opportunity to speak today and 
provide a perspective from another critical infrastructure--the 
telecommunications and Internet services industry

Introduction
    My name is Karl Frederick Rauscher. I am the Founder and President 
of the Wireless Emergency Response Team, a non-profit organization 
supported by expert volunteers from the private sector and numerous 
government agencies. My experience related to today's subject matter 
includes . . .
         18 years of communications industry experience at Bell 
        Communications Research & Lucent Technologies Bell Labs
         I have led numerous highly successful improvement 
        programs in quality and reliability. With a background of 
        advanced concepts in software, systems, architectures and 
        networks, I have invented software testing techniques that have 
        delivered dramatic breakthrough quality improvements. I am a 
        recipient of the Bell Labs President's Award for bringing the 
        first telecommunications network switch to ``6 9's'' of 
        reliability, which means 99.9999% uptime, or less than 30 
        seconds of downtime per year (independently verified with pubic 
        data). In my 10 years at Bell Communications Research, I have 
        personally uncovered over 1000 software design errors in 
        programs running on live network systems. I have recently 
        conducted Homeland Security research at an offshore software 
        development outsourcing facility.
         As Vice Chair of the industry's Alliance for 
        Telecommunications Industry Solutions (ATIS) Network 
        Reliability Steering Committee (NRSC), I oversee the ``deep 
        dive'' cause analyses that occur for each major network outage. 
        These analyses are conducted voluntarily by the industry for 
        the purpose of determining if existing Best Practices are 
        sufficient to prevent similar, future events. The NRSC also 
        provides an annual report on the health of the nation's public 
        networks.
         As a member of the Telecommunications-Information 
        Sharing and Analysis Center (ISAC), I am routinely involved in 
        industry mutual-aid responses. I was directly involved in the 
        communications industry's coordination and response to the 
        recent Power Blackout--from the initial report assessments 
        through ongoing after-action reviews.
         I have led combined government and industry efforts to 
        produce over 500 Best Practices for network reliability and 
        Homeland Security. The Federal Communications Commission (FCC) 
        Network Reliability and Interoperability Council (NRIC) Best 
        Practices are the most comprehensive and authoritative guidance 
        in the world for public communications. Best Practices, while 
        totally voluntary, are implemented at a high level throughout 
        the industry, and are consistently credited with preventing 
        network service disruptions. In addition, I have led industry 
        discussions on blended physical and cyber attacks.
         I am the Chair-Elect of the international IEEE 
        Technical Committee on communications Quality and Reliability. 
        I oversaw Best Practice guidance on ultra-high reliability and 
        ultra-high security for world-class events, which benefited the 
        Olympics, among others.
         I am on the Board of Advisors for the Center for 
        Resilient Networks
         I have participated in the President's National 
        Security Telecommunications Advisory Committee (NSTAC)
         Most importantly, I have access to the right people--
        those who are world-class experts, who will tell it like it is, 
        and then take the necessary actions.
    My perspective includes very human aspects of this discussion. In 
pressure-heated crises, I have brainstormed with brave first responders 
and listened to family members--pleading for everything to be done with 
technologies that they do not understand--to save their loved ones. In 
moments of heavy telephone silence, I have connected on a personal 
level with strangers in distant places--this has made a lasting 
impression on the vital need to connect the best minds of the industry 
with the most vital needs of its subscribers in an emergency.

Role of Wireless Communications in Disaster Response
    On the morning of September 11, wireless communications were used 
by countless Americans in their usual ways.
    And then evil terrorists emerged to make their dark mark on human 
history.
    During those same moments, wireless communications were used by 
brave hostages in the skies to report the hijacking of their planes, 
then by expectant victims to speak their last ``GOOD BYE'' and ``I LOVE 
YOU'', and then by rescue teams as they rushed to bring aid.
    Wireless devices, such as cell phones and PDAs, played a vital role 
on September 11 because they are popular, easy to operate, one of the 
few items carried everywhere by their users, and can still function 
when severe damage is done to surrounding infrastructure. Instruments 
routinely used for conducting business and nurturing relationships were 
then, in their final mission, being used to secure the safety of the 
United States of America, or bring two individuals together for a 
final, treasured moment.
    That night, news reports stated that cell phones were being used to 
call for help from the rubble in New York City. At this point, the 
vision for a coordinated industry emergency response was conceived. In 
the following hours and days, an unprecedented wireless communications 
industry mutual-aid effort sprang into action to support Search and 
Rescue efforts at the World Trade Center disaster site. The Wireless 
Emergency Response Team was formed.
    Due to the nature of the building collapse, the team was not able 
to rescue victims from the rubble. However, value was realized in 
several ways: keeping rescue teams from danger by quickly discrediting 
false reports, confirming those thought to be missing as safe, and 
helping to bring closure for family members. WERT's Final Report 
documents the key lessons-learned and recommendations, so that this 
capability can be enhanced and optimized. May God forbid that such a 
tragedy and horror would ever be visited on us again. But if it does, 
WERT will be ready to bring the best minds and resources of the 
wireless industry together to work hand-in-hand with traditional first 
responders on the never changing top priority after a disaster--saving 
human life.

The August 2003 Power Blackout
    Observed Characteristics
    Most of the characteristics of the recent Power Blackout were 
similar to crises already experienced by the communications industry.
        1. The duration was similar to very large power outages, for 
        example the result of large ice storms
        2. The hot and humid seasonal climate was challenging for 
        electronic equipment
        3. There were rolling blackouts and requests for load shedding
Other characteristics, while familiar, were turned up a few notches in 
intensity and resulted in more pressure on our industry:
        4. While ice storms, heavy snowfalls and hurricanes have been 
        widespread, the August Blackout was even more widespread, 
        affecting multiple major U.S. cities.
        5. The cause was unknown
        6. Many people have cordless phones in their home that could 
        not function
        7. Because of the times we are living in, New Yorkers were more 
        jittery, intensifying their need for wireless communications
The third set of characteristics was mostly new, and their study will 
be the source of new lessons-learned from this event:
        8. The most notable being that, like September 11, this was a 
        widespread catastrophic event that was unanticipated (unlike 
        ice and snow storms, or hurricanes)
        9. Also, there were multiple cyber threats in play around this 
        time
        10. Air and other public transportation was halted
        11. There were new levels of pressure on fuel suppliers, who 
        are critical in supporting back-up power generators

Wireless Network Observations
    During the first half-hour after the power was lost, enormous 
spikes in the number of call attempts were seen--up to one thousand 
percent of normal traffic levels. During the next several hours, 
traffic hovered around one hundred percent above normal levels. Any 
service problems during the early timeframe were likely due to 
congestion caused from this very unusual demand.
For the most part, the wireless systems and networks were working as 
designed. When commercial power was lost, cell towers drew power from 
back-up batteries until power was restored or until the battery power 
was consumed. The wireless industry will factor new insights gleaned 
from this historic event into future risk assessments and emergency 
planning capabilities.

New Areas That Worked Well
Mobile Text Messaging

The WERT Final Report points out that during times of heavy congestion, 
a text message (e.g., SMS) attempt is more likely to succeed than a 
voice call because there are lower requirements for bandwidth. 
Interestingly, mobile text messaging also has consumes less power in 
both the network and the handset. It is encouraging that early reports 
indicate that there was marked increase in the use of text messaging 
during the Power Blackout.
Telecom--ISAC and Electricity Sector ISAC Interactions
Inter-ISAC interaction was effective. This was an immense demonstration 
for the potential of what could be accomplished with ISAC-to-ISAC 
coordination.

Other Lessons Learned
         It is better to have one national point of government-
        industry information sharing through the various sector's ISACs 
        for efficiency and accuracy
        Homes should have a corded phone as an emergency back-up, 
        because the batteries of cordless phones can run out
        Businesses should conduct risk assessment to determine the 
        criticality of back-up power capabilities to their operations

Government--Industry Partnerships
    Make no mistake about it: The communications industry is a fiercely 
competitive battlefield. Yet a remnant of something tremendously 
precious survives. Through the divestiture of the 1980s and the 
Telecommunications Act of 1996, a precious aspect of the culture of the 
traditional telephone company lives on--it is one that ascribes to 
itself an obligation to the safety of society.
    As the head of a non-profit volunteer organization, the spirit that 
was exhibited by thousands on September 11, and the recent Power 
Blackout, is tremendously encouraging. WERT has captured some of that 
spirit in harnessing the expertise, will and compassion of so many 
volunteers, along with their companies' or agencies' support. Two years 
ago, for 3 weeks, we knew that, if there were victims in the rubble 
with cell phones, we may be their only hope. WERT volunteers did 
everything possible to listen for any signal from a possible survivor. 
By continuing to fulfill the mission of WERT, the wireless industry 
shows itself good stewards of its powerful technologies.
    The President has called on the people to be volunteers. In 
addition to soup kitchens and mentoring programs, critical 
infrastructure technology experts have figured out what they can ``do 
for their country'' in these anxious times. There are countless 
individuals who give of their vacation time, evenings and weekends 
because of their sense of duty and love for this country. They develop 
Best Practices and standards, conduct research, provide explanations to 
government officials and are on call 24 by 7 for the next crisis.
Industry-Government partnerships are supported by significant volunteer 
effort and are highly effective.

Dependence on Cyber and Wireless Capabilities
    There are awesome advantages for a society connected by high-speed 
mobile communications. More information, in a variety of formats 
(voice, data, video) will be delivered. Wireless communications and the 
Internet play increasingly important roles in society, and particularly 
in emergency response. In the not-to-distant
future . . .
         A firefighter may have hands-free constant 
        communication with his team
         His vital signs may be monitored remotely from the 
        safety of a distant command center
         As he carefully walks from room to room, infrared 
        imaging data from the floors and walls may be combined with 
        that of other firefighters to alert those in harm's way to 
        possible danger.
    The possibilities are endless, for every aspect of society. On the 
horizon is a world where cell phones, household appliances and even 
vehicles are nodes on many interconnected networks.
    But with this increased connectedness, come inherent 
vulnerabilities and risks of an imperfect cyber world. The consequences 
of a software design error can have far reaching effects throughout 
society. Previous testimony has articulated numerous concerns related 
to cyber security vulnerabilities, threats, and proposed solutions. In 
the context of this testimony, I offer several points.
    In addition to strengthening reactionary measures--our cyber threat 
detection and response capabilities--the appropriate investment needs 
to be made for longer term fixes that address the root of all these 
problems. Those bailing water out of the boat tend to get a lot of 
attention because they can show results. We need the patience and 
resolve to plug the holes and/or build other boats. What are often 
referred to as ``vulnerabilities'' in the cyber community are usually 
the manifestation of a software design error. The kind of thinking that 
reserves the term ``vulnerability'' for those characteristics that are 
truly intrinsic weaknesses of the programming language and operational 
environments will provide a better grasp of how to get control of this 
situation. Following on this, I expect that those bold enough to 
develop new, robust paradigms for programming and those applying 
classical quality control principles will make major contributions in 
this area.

Conclusion
The next time you click your ``SEND'' button to send an email, I ask 
you to consider the previous effort of the message-bearing marathon 
runner of ancient Greece. We are now living what has only been dreamed 
of for centuries before us--and we are just about there--being able to 
communicate in any fashion, at any time, at any place.
    May it be that when a generation from now looks back on how we 
faced these cyber and physical challenges, that the scientists and 
engineers were found to be unimaginably innovative; may our leaders be 
found to have been enablers of life, liberty and the pursuit of 
happiness; and may the horrors of terrorism and cyberhackers . . . be 
only distant memories.
    I hope that my insights offered today on the recent power blackout, 
government-industry partnerships, and dependencies on wireless and 
cyber infrastructure will be useful to the committee.

    Mr. Thornberry. Finally, we have Mr. Kenneth C. Watson, 
president and chair of the Partnership for Critical 
Infrastructure Security. Thank you for being here. Mr. Watson, 
you are recognized for 5 minutes.

     STATEMENT OF KENNETH C. WATSON, PRESIDENT AND CHAIR, 
        PARTNERSHIP FOR CRITICAL INFRASTRUCTURE SECURITY

    Mr. Watson. Thank you very much, Mr. Chairman and 
distinguished Members. I appreciate the opportunity to testify 
today regarding the interdependence of critical 
infrastructures.
    I am president and chairman of the Partnership for Critical 
Infrastructure Security, the PCIS, launched in December of 1999 
as one of the industry responses to the Federal Government's 
call for public-private partnerships in critical infrastructure 
protection. The PCIS is the forum for cross-sector, public-
private dialogue on reducing vulnerabilities, mitigating risks, 
identifying strategic objectives, and sharing sound information 
security practices. Currently the PCIS is working on an 
interdependency risk assessment handbook, and the board meets 
monthly by teleconference to discuss cross-sector critical 
infrastructure protection issues.
    In 1998, the Federal Government recommended the appointment 
of industry sector coordinators in each critical industry to 
coordinate critical infrastructure protection efforts across 
each sector and with appropriate Federal lead agencies. The 
PCIS board of directors is structured so that the sector 
coordinators always comprise its majority.
    Mr. Watson. Across industry and government the role of the 
sector coordinator is growing in importance and needs to be 
better understood. The Department of Homeland Security is 
developing a best practices guideline for sector coordinators 
and working with lead agencies and industry leaders to organize 
the new sectors and identify appropriate coordinators.
    Initial interdependency research has only been sufficient 
to illuminate the importance of modeling analysis and 
exercises. Sandia and other national labs have studies of 
various sector intersections with energy.
    The National Security Telecommunications Advisory 
Committee, or NSTAC, has done similar work addressing 
intersections with telecommunications. The National 
Infrastructure Advisory Council, or NIAC, has a current effort 
to develop policy recommendations on interdependency risk 
assessments, and at the invitation of the NIAC working group, 
the sector coordinators are involved in that study which will 
become available after delivery to the President. The PCIS is 
coordinating with this working group so that the handbook we 
develop aligns with NIAC policy recommendations.
    Cross-sector vulnerability assessments must be built on 
high fidelity models of each sector. Each sector model must 
describe how the network elements work, their capacities, and 
how and where they connect to each other. Network owners 
already know their key assets and critical nodes. What they 
don't know is whether they are in the same geographic vicinity 
as those of their competitors or whether underlying 
infrastructure is truly diverse.
    Models must use up-to-date industry data, and 
infrastructure owners and operators must be the primary 
beneficiaries of results. A comprehensive infrastructure 
modeling project will require additional government funding, 
and the sectors are prepared to work with DHS to develop the 
best approach for each sector. Capabilities from various 
national labs and Federal departments will be needed to develop 
a model that can be built once, routinely refreshed by 
industry, and used by many to analyze vulnerabilities and 
develop mitigating strategies. Without higher funding levels, 
this may take a decade to accomplish and only marginally 
benefit the sectors.
    DHS has begun to sponsor regional exercises to identify 
vulnerabilities, dependencies, and cross-sector points of 
contact to develop contingency plans to respond to physical and 
cyber attacks. TOPOFF and TOPOFF II represented small steps 
toward addressing physical threats, but these included little 
private sector input or expertise. Livewire is an upcoming 
cyber exercise that will have some private-sector input.
    Feedback from the sectors to date is that these small-scale 
exercises do not benefit critical infrastructure owners and 
operators who have the responsibility of acting first during a 
crisis. To be effective, they must include private-sector 
experts to help build the exercises' design scenarios and 
participate as key stakeholders.
    The PCIS and sector coordinators would be happy to work 
with DHS and other government stakeholders to plan and execute 
such a series of interdependency exercises.
    I have three recommendations for Department of Homeland 
Security:
    First, coordinate with lead agencies and industry leaders 
to rapidly organize the newly named sectors, named by the 
national strategy for homeland security; identify appropriate 
sector coordinators and clarify sector coordinator roles; and 
actively promote the sector coordinator function to key 
industry and government executives.
    Second, improve coordination among all appropriate national 
labs and Federal departments to apply computer models and 
simulations to critical infrastructure mission areas; ensure 
that sector coordinators and their constituents are involved in 
establishing modeling objectives, peer reviews of model 
creation, data mining and results; and ensure the protection of 
this very sensitive data.
    Third, sponsor comprehensive regional and national 
exercises that cover the physical and cyber aspects of attacks 
on critical infrastructures as well as dependencies; ensure 
that sector coordinators and their constituents are involved in 
the exercise design, scenario creation, participation, and are 
the primary recipients of exercise lessons learned.
    DHS leadership has been very inclusive of industry as they 
organize to protect critical infrastructures. The department 
cannot be expected to protect critical infrastructures alone. 
Industry must be part of its organizational culture as our 
Nation's approaches to homeland security mature. The industry 
leaders I work with are willing to do their part to protect our 
national and economic security.
    Thank you for the time. I would be happy to answer any 
questions.
    [The statement of Mr. Watson follows:]

                PREPARED STATEMENT OF KENNETH C. WATSON

Chairman Thornberry, Chairman Camp, Congresswoman Lofgren, 
Congresswoman Sanchez, Congressman Cox, Congressman Turner, and other 
Distinguished Members: thank you for the opportunity to testify today 
regarding the interdependence of our critical infrastructures. The 
nearly universal dependence on privately owned and operated 
infrastructures, their dependence on computer networks, and their 
interdependence on each other, were the primary drivers prompting the 
creation of the President's Commission on Critical Infrastructure 
Protection (PCCIP, ``The Marsh Commission''), which reported its 
findings in October 1997. We have made a lot of progress in the six 
years since the Marsh Commission published its report, but there is 
still much to be done. The attacks of September 11, 2001, the northeast 
blackout of August 14, 2003, and the rapid sequence of Internet worms 
seen in the last three weeks highlight the need to maintain a sense of 
urgency as we continue to address these issues.

My background. I am President and Chairman of the Partnership for 
Critical Infrastructure Security (PCIS), launched in December 1999 as 
industry's response to the Federal government's call for public-private 
partnerships following the publication of the Marsh Commission report 
and the subsequent issuance of Presidential Decision Directive 63 (PDD-
63) in May 1998. I also manage Cisco Systems' involvement in critical 
infrastructure assurance activities. In 1997 I retired from the US 
Marine Corps after 23 years of service, the last eight of which were 
devoted to what is now known as Information Warfare or Information 
Operations. My last tour of duty in the Marines was as Marine Liaison 
Officer to the Air Force Information Warfare Center in San Antonio, 
Texas, where we advanced the art of defending against attacks against 
information and information systems. The thought processes behind the 
defensive planning, modeling, and exercises we conducted ten years ago 
apply directly to the problem of critical infrastructure protection 
today.

PCIS. Following the Marsh Commission recommendations, in 1998 the 
Federal government established several organizations and positions to 
coordinate critical infrastructure protection efforts, and recommended 
the creation of ``sector coordinators'' in each critical industry 
sector to coordinate across each industry and with appropriate Federal 
lead agencies. Working with industry leaders, lead agencies initially 
appointed eight individuals, most from industry trade associations, as 
sector coordinators. Some sectors have more than one coordinator 
because of their size and complexity.
    The PCIS is the forum for cross-sector and public-private dialog on 
reducing vulnerabilities, mitigating risks, identifying strategic 
objectives, and sharing sound information security practices. It is a 
public-private partnership that is also a non-profit organization run 
by companies and private-sector associations representing each of the 
critical infrastructure industries. When we created the PCIS, we 
structured the Board of Directors so that the sector coordinators would 
always be its majority. The number of Directors is flexible, 
anticipating the creation of additional sectors and naming of new 
sector coordinators. There are currently twelve sector coordinators, 
representing five of the thirteen sectors outlined in the National 
Strategy for Homeland Security. Ten of these are on the PCIS board. The 
current list, including the Federal lead agencies and representatives, 
is attached. The mission of the PCIS is to coordinate cross-sector 
initiatives and complement public-private efforts to promote the 
reliable provision of critical infrastructure services in the face of 
emerging risks to economic and national security.
    In the four years since its creation, the PCIS has accomplished a 
great deal. A PCIS public-policy white paper on barriers to information 
sharing got the attention of Congressmen Davis and Moran, who co-
sponsored the first bill to provide a narrowly written exemption to the 
Freedom of Information Act (FOIA) for critical infrastructure 
information. Senators Bennett and Kyl followed with a similar bill, and 
after conference committee work, the provision is now part of the law 
that created the Department of Homeland Security (DHS). PCIS also 
coordinated industry input to the National Strategy to Secure 
Cyberspace, offering each of the sectors' strategies and an overview 
document comparing commonalities and differences on the PCIS web site. 
The PCIS developed an information sharing taxonomy, including the terms 
commonly used by all industry Information Sharing and Analysis Centers 
(ISACs) and government agencies that share cyber vulnerability, threat, 
and solution information. Currently, the PCIS is working on an 
interdependency risk assessment handbook, and the board, including the 
sector coordinators, meets monthly by teleconference to discuss cross-
sector critical infrastructure protection issues.
    Interdependence Examples. We all depend on telecommunications--in 
fact, when recently asked to list their dependence on other sectors, 
the sector coordinators rated telecommunications as first or second on 
their list. Nearly equal to telecommunications was electric power. 
Without electricity, there is no ``e'' in e-commerce. However, without 
railroads to deliver coal, the nation loses 60 percent of the fuel used 
to generate electricity. Without diesel, the railroads will stop 
running. Without water, there is no firefighting, drinking water, or 
cracking towers to refine petroleum. Without financial services, 
transactions enabling all these commodity services cannot be cleared. 
Yet, these are not just one-way dependencies. When the railroads 
stopped running after 9/11 to guard hazardous material, it only took 
the city of Los Angeles two days to demand chlorine or face the threat 
of no drinking water--the railroads began operating again on the third 
day. Throughout the Northeast, dependencies on electric power were 
obvious. Some areas had electric water pumps, and they had to boil 
their drinking water for days after the blackout.

Gaps and barriers
    Sector Coordinator Roles Poorly Understood. The role of the sector 
coordinator is not well understood, either in industry or government. 
DHS is developing a ``best practices'' guideline for sector 
coordinators, and working with sector agencies and industry leaders to 
organize new sectors from which candidates for the job will emerge. In 
many critical infrastructure industries, CEOs and other executives are 
not aware of the role of sector coordinator, do not know who their 
coordinator is, and use other means to coordinate their critical 
infrastructure assurance actions. Industry sectors are neither 
homogeneous nor hierarchical, but in the rapid-paced, complex world of 
critical infrastructure assurance, single ``belly-buttons'' are 
absolutely needed to coordinate actions within and across critical 
sectors.
    Interdependence vulnerability research inadequate, incomplete, and 
underfunded. All of our critical infrastructures are interlinked in 
complex, sometimes little-understood ways. Some dependencies are 
surprising, contributing to unusual key asset lists. Studies, modeling, 
and exercises represent the three primary interdependence research 
methods.
    Studies. Some rudimentary research has been done on 
interdependencies, but it has only been sufficient to illuminate how 
important this type of modeling and analysis could be. Sandia and other 
national labs have initiated interdependency studies, looking at 
intersections with the energy sector. The National Security 
Telecommunications Advisory Committee (NSTAC) has done similar work, 
addressing intersections between telecommunications and other sectors. 
The National Infrastructure Advisory Council (NIAC) has a current 
effort to develop policy recommendations on interdependency risk 
assessments. The sector coordinators are involved in that study, which 
will become available after delivery to the President in the October 
timeframe. The PCIS is coordinating with this NIAC working group to 
ensure that the handbook we develop is in harmony with NIAC policy 
recommendations.
    In the FY2004 Budget submitted to Congress, approximately $500 
million has been requested to assess the security of the nation's 
critical infrastructure. Of this, $200 million is allocated to develop 
and maintain a primary mapping database, and $300 million has been 
allocated to work with states and industry to identify and prioritize 
protective measures to mitigate any risks identified through the 
($200M) database consequence-mapping activity. We expect this level of 
funding to grow at a rate of about 2% per year over the next five 
years.
    While this seems like a lot of money, there is concern that the 
complexity associated with this type of analysis is not readily 
recognized. Conducting cross-sector vulnerability assessments presumes 
that each of the individual sectors has already been modeled. This is 
not the case. Each sector will need to be modeled to some degree of 
fidelity before any cross-sector studies can be accomplished. These 
individual sector models must incorporate how the network elements 
work, their capacities, how they connect to each other, and where they 
connect to each other. It is not sufficient to simply ask the sectors' 
major infrastructure owners for a list of their key assets and critical 
nodes, so that they can be ``mapped.'' Mapping an asset without 
modeling how it works or how it connects to or impacts the next element 
in the network is an exercise without merit. The network owners already 
know their key assets and critical nodes--what they don't know is 
whether their key assets and critical nodes are in the same geographic 
vicinity as their competitors' nodes, or whether underlying or 
supporting infrastructure is in fact, truly diverse. In highly 
competitive sectors, such as telecommunications or finance, it would 
not be unusual to find that each of the major providers has intended to 
buy diversity and redundancy from numerous entities, only to find that 
all these entities use the same underground conduit for transport that 
goes through the same underground tunnel, and they are powered by the 
same power generation plant. The NSTAC has studied the implications of 
these types of cross-sector dependencies and has developed a number of 
programs that the telecommunications sector uses to mitigate these 
risks. It is time, however to take it to the next level, covering all 
cross-sector and multi-sector interdependencies.
    Modeling. Existing computer modeling and simulation has not been 
effectively utilized for critical infrastructure protection purposes. 
DoD operates high-fidelity models to support military missions. DoD is 
not funded for homeland security, and its modeling capability is 
probably fully utilized for the purposes for which it was designed. 
However, DHS could take advantage of DoD model designs and algorithms, 
applying critical infrastructure data and missions. DoE national labs 
use sophisticated models to help with energy planning, and they have 
developed the National Infrastructure Simulation and Analysis Center 
(NISAC), which is now part of DHS. NISAC capability is still being 
developed by DHS. Modeling can help develop plans, and it can save some 
of the expense and time required for regional exercises, but (a) the 
data used must be up-to-date industry data; and (b) sector coordinators 
(and the infrastructure owners they represent) must be the primary 
beneficiaries of modeling results--after all, the sector coordinators 
are responsible for developing and executing plans to protect critical 
infrastructures. One of the challenges will be that much of the data 
required may be proprietary.
    To date, the NISAC has centered its modeling efforts on the energy 
sector. To understand the complexity of this modeling problem, consider 
the NISAC model of the energy sector as a baseline, and apply it as a 
level of magnitude to the telecommunications sector. While we do not 
know the precise amounts, it is our understanding that the current 
electrical sector modeling cost about $30-40 million to develop and was 
done over the course of 3 to 8 years. If you assume that the level of 
detail developed within the electrical sector model is appropriate (and 
we do not know that to be the case) and simply multiply this $30-40 
million times the number of facilities-based networks that comprise the 
telecommunications sector, then you would conservatively multiply this 
estimate by a factor of 9 networks (5 wireless + 1 wireline + 2 IXC + 1 
paging), resulting in a baseline model for telecommunications in the 
$270-$360 million range. Even if all $200 million was dedicated to 
telecommunications modeling, it would take 1 to 2 years of currently 
allocated funding, and an even longer actual modeling effort, to model 
telecommunications alone. Multiply that by 12 sectors, and then you can 
start on the cross-sector interdependency modeling.
    The sectors, particularly the telecommunications sector 
coordinators, have initiated conversations with the national labs to 
determine how this important work could be undertaken, and what level 
of support the national labs would need to marry their modeling, 
testing and data mining expertise with industry knowledge regarding how 
the various networks work and how they interrelate to each other within 
the sector. This project will require government funding, and the 
sectors are prepared to work with DHS to develop the most appropriate 
approach for each sector. It is our sense that various capabilities 
from numerous national labs (DoE, DoD, etc) will be needed to develop a 
model that can be built once, routinely refreshed by industry and used 
by many, in the analysis of vulnerabilities and the development of 
mitigating strategies. It is also our sense that in the absence of 
higher funding levels, this statutory requirement may take a decade to 
accomplish and any benefits to the sectors watered down significantly. 
This information has not been communicated fully to DHS-the department 
is still undermanned in this area. This is not an accusation or 
complaint, but simply a reflection of start-up reality. The sectors are 
prepared to work closely with DHS once it is ready.
    Exercises. DHS has begun to sponsor regional exercises to identify 
vulnerabilities, dependencies, and cross-sector points of contact for 
the purpose of developing contingency plans to respond to physical and/
or cyber attacks. This effort must be accelerated and expanded to cover 
every region of the country. Lessons learned must be shared with the 
sector coordinators so that all the critical industries on the front 
lines of defense can understand what they need to do and with whom to 
coordinate.
    ``TOPOFF'' and ``TOPOFF II'' represented small steps toward 
addressing physical threats, but these were exercises with little 
private-sector input or expertise, and certainly no funding for the 
insertion of this expertise into these exercises. ``Livewire'' is an 
upcoming cyber exercise that will have some private-sector input. 
Feedback from the sectors to date is that these small-scale exercises 
serve primarily to educate government consultants and do not benefit 
critical infrastructure owners and operators, who have the 
responsibility of acting first during a crisis. Regional exercises are 
a must for the physical dimension, and sometimes cyber exercises will 
be national in scope. To be effective, they must include private-sector 
experts to help build the exercises, design scenarios, and participate 
as key stakeholders. Funding must support private-sector participants' 
time as it currently does that of the government consultants. More 
importantly, their design should encourage private sector involvement 
by telling them things they need to know (e.g., business continuity 
planning). These exercises must include both the cyber and physical 
dimensions of critical infrastructure planning, and must involve all 
the critical infrastructure sectors to ensure a complete understanding 
of interdependency. The PCIS and the sector coordinators would be happy 
to work with DHS and other government stakeholders to plan and execute 
such a series of interdependency exercises.

    Recommendations for DHS
    Coordinate with lead agencies and industry leaders to rapidly 
organize the newly named sectors, identify appropriate sector 
coordinators, and clarify sector coordinator roles. Actively promote 
the sector coordinator function to key industry and government 
executives, and within the federal government.
    Coordinate with all appropriate National Labs to apply appropriate 
computer models and simulations to critical infrastructure mission 
areas. Ensure that sector coordinators and their constituents are 
involved in model creation, data mining, and results. Assure the 
protection of sensitive data.
    Sponsor a comprehensive set of regional and national exercises that 
cover the physical and cyber aspects of attacks on critical 
infrastructures, as well as dependencies. Assure the protection of 
sensitive data, and ensure that sector coordinators and their 
constituents are involved in exercise design, scenario creation, 
participation, and are the primary recipients of exercise lessons 
learned and other information they need to defend their part of the 
critical infrastructures.

Conclusion. DHS leadership has been very inclusive of industry as they 
organize to protect critical infrastructures. Everyone in government 
must understand that in this area, public-private partnership is not 
just for appearances?it is absolutely essential. Since critical 
infrastructure owners and operators are on the front lines, the sector 
coordinators must be part of all critical infrastructure planning, 
strategy development, exercises, remediation, and responses to threats 
and attacks. DHS cannot be expected to protect critical infrastructures 
alone--industry must become part of its organizational culture as it 
matures. National and economic security are forever intertwined. The 
industry leaders I work with understand and embrace their role as 
front-line defenders, and are willing to do their part to protect our 
national and economic security.

                             Appendix A: Critical Sector Points of Contact: 4-14-03
----------------------------------------------------------------------------------------------------------------
            Sector & Sub                                                    Sector         Sector
   #          Sectors            Lead Agency         Sector Liaison     Representative  Coordinator
----------------------------------------------------------------------------------------------------------------
        (as found in the HS  (as found in the HS                       Government       Organizatio  Name
         Strategy)            Strategy)                                                  n
----------------------------------------------------------------------------------------------------------------
    1   Agriculture          Department of        Jeremy Stump (USDA)  James Smith
                              Agriculture                               (USDA)
----------------------------------------------------------------------------------------------------------------
    2   Food
----------------------------------------------------------------------------------------------------------------
          Meat & poultry     Department of        Jeremy Stump (USDA)  James Smith
                              Agriculture                               (USDA)
----------------------------------------------------------------------------------------------------------------
          All other          Department of        Stuart Simmonson
                              Health & Human       (HHS)
                               Services
----------------------------------------------------------------------------------------------------------------
    3   Water                Environmental        Mary Kruger (EPA)                     AMWA         Diane VanDe
                              Protection                                                              Hei
                               Agency
----------------------------------------------------------------------------------------------------------------
                                                  Janet Pawlukiewicz   Cayce Parrish
                                                   (EPA)                (EPA)
----------------------------------------------------------------------------------------------------------------
    4   Public Health        Department of        William Raub (HHS)   Roberta Lavin
                              Health & Human                            (HHS)
                               Services
----------------------------------------------------------------------------------------------------------------
    5   Emergency Services   Department of        DHS
                              Homeland
                               Security
----------------------------------------------------------------------------------------------------------------
                                                  DHS                                   NYSP         Dave
                                                                                                      Christler
----------------------------------------------------------------------------------------------------------------
    6   Government
----------------------------------------------------------------------------------------------------------------
          Continuity of      Department of        DHS
         government           Homeland
                               Security
----------------------------------------------------------------------------------------------------------------
          Continuity of      All departments and
         operations           agencies
----------------------------------------------------------------------------------------------------------------
    7   Defense Industrial   Department of        Glenn Price (DoD)
         Base                 Defense              (Acting POC)
----------------------------------------------------------------------------------------------------------------
    8   Information &        Department of        Nancy Wong (DHS)     Kathleen Kenyon  ITAA         Harris
         Telecommunications   Homeland                                  (DHS)                         Miller
                               Security
----------------------------------------------------------------------------------------------------------------
        (as found in the HS  (as found in the HS                       Government       Organizatio  Name
         Strategy)            Strategy)                                                  n
----------------------------------------------------------------------------------------------------------------
                                                                                        TIA          Matthew
                                                                                                      Flanigan
----------------------------------------------------------------------------------------------------------------
                                                                                        USTA         Daniel
                                                                                                      Pyhthyon
----------------------------------------------------------------------------------------------------------------
                                                                                        CTIA         Kathryn
                                                                                                      Condello
----------------------------------------------------------------------------------------------------------------
    9   Energy               Department of        Patrick Burns (DHS)                   NERC         Mike Gent
                              Energy
----------------------------------------------------------------------------------------------------------------
                                                                                        ConocoPhlll  Bobby
                                                                                         ips          Gillham
----------------------------------------------------------------------------------------------------------------
   10   Transportation       Department of        DHS/TSA                               AAR          Ed
                              Homeland                                                                Hamberger
                               Security
----------------------------------------------------------------------------------------------------------------
                                                                                        ACI-NA       David
                                                                                                      Plavin
----------------------------------------------------------------------------------------------------------------
                                                                                        APTA         Bill Millar
----------------------------------------------------------------------------------------------------------------
   11   Banking and Finance  Department of the    Michael Dawson       Eric Robbins,    BOA          Rhonda
                              Treasury             (Treasury)                                         Maclean
                                                    Brian Tishuk
                                                   (Treasury)
----------------------------------------------------------------------------------------------------------------
   12   Chemical Industry &                       EPA                  Mary Kruger
          Hazardous                                                     (EPA)
         Materials
----------------------------------------------------------------------------------------------------------------
                                                  Tom Dunne (EPA)      Craig
                                                                        Matthiessen
                                                                         (EPA)
----------------------------------------------------------------------------------------------------------------
   13   Postal & Shipping    Department of        Pat Mendonca (USPS)
                              Homeland
                               Security
----------------------------------------------------------------------------------------------------------------
   14   National Monuments   Department of the    Steven Calvery
         & Icons              Interior             (DOl)
----------------------------------------------------------------------------------------------------------------


    Mr. Thornberry. Thank you. I appreciate your testimony.
    Again, I appreciate the testimony of all the witnesses. I 
think we have heard each of you provide interesting and helpful 
perspectives, coming from different places, on the challenges 
that we face.
    Let me first turn to Chairman Camp for any questions he 
would like to ask.
    Mr. Camp. Well, thank you. And I agree with Chairman 
Thornberry; I appreciate your testimony today. It is very 
helpful. I just have a few questions.
    Mr. Watson, what do you really think is the weak link in 
terms of our electrical and other security?
    Mr. Watson. Mr. Chairman, I am not sure you can point to a 
single weak link. Over the last 20 years, all of the 
infrastructures have become more and more dependent on 
networks, and they have become more and more interconnected. I 
think the key that we need to study in research and modeling 
and exercises is interdependency. Each of the sectors is 
dependent on each of the others and sometimes we don't even 
know what these dependencies are without modeling and 
exercises.
    Mr. Camp. I realize the information may not all be 
available, but in your opinion, the August 2003 blackout, was 
that primarily a cyber problem or a human error problem?
    Mr. Watson. From what--and I am not an expert on that, and 
I haven't seen any firsthand information that they are using to 
conduct the investigation, but what I have seen in the press 
and what I have heard from experts is that it was not cyber 
related; that it was an unintentional fault that cascaded.
    Mr. Camp. What do you think the Federal Government should 
do or what mechanisms might the Federal Government employ to 
assist in preparing for a recovery from an outage of that kind?
    Mr. Watson. To assist preparing for a recovery, there are a 
range of things from prevention to response. But the first 
thing I think the Federal Government can do is provide guidance 
on priorities. Just as the President provided guidance that the 
financial market should be up and running within a week of the 
terrorist attacks of September 11, that kind of guidance and 
motivation would be appropriate in a large-scale attack or 
outage if that--if we needed that kind of guidance.
    Mr. Camp. It seemed as though there was a chain reaction 
shutdown in August, and what sort of safeguards can we put in 
place to prevent that, a more segmented system or what is your 
thought there?
    Mr. Watson. I don't have the technical expertise in the 
electric power sector. I would recommend talking to the North 
American Electric Liability Council or the Department of 
Energy, who both have more details on that.
    Mr. Camp. Would any other witnesses care to comment on that 
question?
    Yes, Mr. Gilbert.
    Mr. Gilbert. As far as the recent loss on the 14th, it is a 
failure of a system that is being too heavily used, that hasn't 
got the ability to deal with normal fluctuations within its 
operation, and so it caps out and has to shut off. And the 
question is how to contain that event in as small a zone as 
possible, how to ``island'' the problem.
    The industry has been working on better switches and better 
control mechanisms in order to be able to do that and clearly 
not all of the different properties within the grids have 
implemented such changes as yet.
    I think we saw an excellent example in Pennsylvania and New 
Jersey, where the system was robust. They did have a good set 
of switching and controls and cyber, and they stopped the surge 
coming towards DC in Pennsylvania. So that is an illustration 
of the kind of configuration that might be looked upon as a 
model of what other systems might go towards.
    But I think the discussion also brought here on motivation 
is very important, because the reason that these other systems 
haven't instituted the kinds of improvements is in part 
motivational and in part simple economics. The amount of return 
on investment that is available is insufficient to make the 
investment to improve the systems. That can be corrected.
    Mr. Camp. Thank you.
    Mr. Rauscher, I wondered if you could just for a minute 
talk about our telephone and Internet, wireless and the wire 
line systems and how susceptible you think they are to cyber 
attack; and do you think that is more than other sectors? And 
what efforts might be made to prevent that, or have they 
already been made?
    Mr. Rauscher. It is difficult for me to make a comparison 
to other infrastructures. I would say that we take very 
seriously in our industry the possibilities of planned attacks, 
whether physical or cyber. In fact, the FCC's Network 
Reliability Interoperability Council has been focused for 
nearly 2 years now, since September 11, on developing best 
practices in a very aggressive time frame. There is both a 
focus on cyber prevention and restoration best practices, and 
physical prevention and restoration best practices. In 
addition, there are blended attack discussions. I am involved 
in leading some of those.
    So looking at a combination of cyber and blended attacks, 
the thing that gives me the most assurance is the additional 
rigor that we are now taking. These best practices I have been 
referring to have been around for about 10 years, and they have 
been developed largely from historic analogy. So whenever we 
would see a major outage, we would do a deep-dive analysis and 
determine what would prevent this, what more could be done. And 
pretty much whenever there is a major outage, we know there was 
a best practice that existed that for some reason wasn't 
implemented.
    Going forward, instead of just looking at the historic 
analogy, we are saying, independent of any threat knowledge, 
systematically, ``what are all the vulnerabilities?'' and 
``what are all the different ingredients that make up the 
communications infrastructure?'' And then we have 
systematically addressed those vulnerabilities with best 
practices. And this is something new that is provided much 
additional rigor and you can find more information out about 
that from the [NRIC and NRSC] reports.
    Mr. Camp. Okay. Thank you. My time has expired. Thank you 
very much.
    Mr. Thornberry. I thank the gentleman. The gentlelady from 
California, the ranking member of the Border Subcommittee.
    Ms. Sanchez. Thank you, Mr. Chairman. My questions are 
going to be directed, I think, to Mr. McCarthy and maybe Mr. 
Watson and maybe Mr. Orszag. I am glad all of you gentlemen are 
before us today, and I know you have a deadline, so I was 
interested, Mr.--Dr. Orszag on the whole issue of there not 
being enough incentive for private industry to ensure that it 
works through the whole issue of security.
    You know, if you own something quite large, whatever type 
of infrastructure it is, most of the time you can't build it if 
you don't have some type of insurance on it. You can't continue 
to operate it even if you are self-insured. Most States have 
some type of regulation with respect to some type of fund set 
up and set aside and reserves for that.
    Why do you think that is not sufficient, really, to 
encourage people to protect their own assets if that is the way 
they are making their money?
    Mr. Orszag. Let me give you an example that I think is 
particularly timely, involving chemical facilities.
    Let's say that you have a chemical facility. It is worth a 
billion dollars. It houses chemicals. There are 123 chemical 
facilities in the United States that contain chemicals that 
could injure or kill more than a million people. The value of a 
million lives can easily exceed, well exceed a billion dollars.
    You may well have some incentive to make sure that there is 
some level of security to ensure that your plant is not 
intruded upon and those chemicals are not dispersed and harm 
people. But it is not adequate because your financial loss is 
much smaller than society's loss that would occur if a 
successful attack did unfortunately take place.
    And that kind of example occurs, you know, in a wide array 
of settings. And I--in my written testimony I provide lots of 
other types of examples, but I think that might be a 
particularly timely and compelling one, where any time that 
private financial losses that you suffer are vastly smaller 
than the losses that we as a society would suffer, you don't 
have enough incentive, bottom line.
    Ms. Sanchez. So even if I am operating and I have liability 
insurance, you think that a carrier of liability insurance 
wouldn't take a look at the worst-case scenario of, you know, 
hundreds of thousands of lives, given the type of chemicals 
that I control in my facility.
    Mr. Orszag. In some cases they will, but I think it is--I 
don't know if ``naive'' is the word, but ``too optimistic'' to 
think that without a push that this will automatically happen. 
So, for example, when you argue that insurance firms may be 
providing that kind of incentive already, a requirement that 
you have insurance would just back that up.
    You know, to the extent that insurance firms are already 
doing this, a requirement that they do so doesn't add any extra 
burden. To the extent that insurance firms are not doing this, 
and I would add in the context of smaller chemical facilities 
that they may not be, I think that the danger is these. Then a 
requirement will push them up to the appropriate level of 
activity.
    So in some cases, clearly, insurance firms are already 
playing the role that I, for example, would envision that they 
play under the sort of mixed system that I laid out. In other 
cases, they are not. The important point is that they should be 
in all the cases in which there would be catastrophic losses 
from a terrorist attack.
    Ms. Sanchez. Okay. Thank you.
    Mr. McCarthy, I think you have a student that was recently 
in the news with respect to using some public information to 
map out every business and industrial sector in the American 
economy and layering on top of it the fiber-optic system that 
exists throughout the United States. And I think it was pretty 
much on target. Of course, he ran into some problems with that 
I think because it was considered a danger to national 
security.
    I have been pushing and a lot of us on this committee have 
been pushing the Department of Homeland Security to, in fact, 
come up with a vulnerability list or risk assessment with 
respect to infrastructure that we have out there, not only in 
the public sector, but also in the private sector. And I think 
it is fair to say that it has been a difficult process to even 
get information about what kind of criteria, et cetera, they 
are using.
    What would you--what would be your guideline? Do you think 
that it is possible to do that, in particular with respect to 
private industry and what infrastructure we have out there? And 
how long do you think that type of a vulnerability risk 
analysis would take for someone to do, given that you had a 
graduate student who was able to do it with respect to fiber-
optic in a not-too-short time frame?
    Mr. McCarthy. Well, first of all, that student is one of 
our best and brightest and we are very proud of his work and 
stand behind it.
    The particular study that you refer to actually has 
garnered a tremendous amount of interest from every element, 
ranging from our Defense and Intelligence Communities, to the 
homeland security and civilian agency community, to the private 
sector, which tells me that there is an information vacuum, 
that people saw what this student was doing; and we have been 
deluged with questions regarding his work and the work of the 
type that was behind it.
    With respect to the time frame, let me give you a little 
perspective on that student, using it as the case model. This 
student's graduate work is in the area of mapping and 
geospatial visualization, which Ken Watson referred to in his 
testimony as a critical area, and I fully support that. The 
supervisor of his research, the Ph.D., her work is in the area 
of transportation networking. And what they have done is 
combined two disciplines to begin to look at a completely 
different sector or infrastructure. In this case, it was fiber-
optic, being the fiber-optic network overlayed with the 
telecommunications network, overlayed with the banking and 
finance network.
    Now, the issue of the data in open source, that was one of 
the most sensitive elements of the research, tells us a couple 
of stories. Number one, that data took 4 years to compile and 
refine. So it wasn't just gathering the data; it was taking the 
data and refining it and working it through a series of tools 
and algorithms to come up with a different element of 
information out of the data to look at it from a different 
perspective.
    Ms. Sanchez. But that was not asking people for information 
in the form that your graduate student needed it. That was 
going out and trying to find the information, trying to figure 
out what type of form do I need it in and what am I going to do 
to get it into a place where it is equal to all the rest of 
data I have, correct?
    Mr. McCarthy. Right. That was going out into the Ethernet, 
out into the Internet, out into the public domain and bringing 
the information in and gathering it, which is another public 
policy lesson out of the research. It is out there and it is 
happening.
    We have a very smart guy and a very smart supervisor, 
Ph.D., who are loyal, dedicated Americans doing good work, 
working in a reputable university on reputable research. That 
research is relative to the discussion and agenda we are 
talking about today.
    I am equally convinced that there are very smart, equally 
dedicated people who are looking at our infrastructures, who 
don't have our best interest in mind, who are doing similar 
types of research; and I think that is a significant emerging 
area that we have got to focus on fast.
    There is a balance. This whole issue transitions into the 
information-sharing area, which is another broad concern of 
the--both these committees. You know, how do we make this 
balance between the government's information that they hold and 
retain, that is useful to the industry for vulnerability 
assessment, the data that exists within the industry itself 
about itself, and the reams of data that exist out in our 
academia community which heretofore has been significantly 
ignored, in my opinion, as part of the partnership.
    This research is evidence of that. I have gotten dozens of 
phone calls across some significant universities, calling very 
quietly, You know, look, John, we would just like to have a 
quiet conversation off line. How do you deal with this, 
internal to the university?
    You know, how are you maintaining a program where you have 
to get a Ph.D. candidate published so that they can get their 
Ph.D. and you have to get a young professor on a tenure track 
tenured? That happens with publication. The government's 
instinct is to collect the information and classify it. The 
industry's instinct is, it is proprietary, it is going to give 
away a trade secret. The academic's instinct is to want to 
publish it.
    How do you balance that? That is a key issue.
    Ms. Sanchez. Mr. McCarthy, I agree with that and I would 
like to go over to Mr. Watson, because, you know, one of the 
biggest problems we have is that, of course, private business 
doesn't want to be regulated, Doctor; as you know, it is a 
difficulty.
    But more importantly, if 80 percent of our critical 
infrastructure is in private hands, Mr. Watson, how do we--the 
biggest concern that we have heard out of private industry is, 
well, if we give you the information or we collaborate with 
you, and then there is a set of plans somewhere of everything 
and--everything that is going on, then we are afraid that just 
makes another level of information available for cyber attack 
or ability for the terrorist to get--in other words, the more 
information there is out there about what we actually have, 
which is what we are trying to protect from a proprietary 
standpoint or just from a security standpoint, all of a sudden 
the government also has it and we don't really trust you guys 
to be able to really keep this under lock and key.
    What's your answer representing those types of companies 
that are worried about this?
    Mr. Watson. That is a good question. And leaks occur 
everywhere, not just in the government; but they do occur from 
government and they do occur from industry on occasion.
    You know, if you have a secret and you tell it to someone, 
it is no longer a secret. The problem that industry wants to 
avoid is giving information that the bad guys can use before 
the good guys have a chance to do something about it.
    We are very heartened by the narrowly written exemption to 
the Freedom of Information Act that is in the Department of 
Homeland Security law, that provides for industry, their 
voluntary sharing of information on cyber, critical 
infrastructure threats, vulnerabilities and countermeasures 
with the DHS and have that information protected. That is 
something that has been needed for some time, and we are glad 
that it is there.
    As far as its usefulness, we will have to see how it is 
used in the future and go from there. The provision is there, 
and I think that we are going to see opportunities to share 
information. We have already seen some sensitive information 
shared across public and private sectors.
    The ISACs have been brought up earlier today, the 
information-sharing analysis centers. There are some 15 ISACs, 
if you count them one way, maybe 10 ISACs if you count another 
way, that have stood up to support each of the vertical 
industries.
    After the blackout, the telecommunications ISAC asked for 
some updates from the electricity sector ISAC, and they got 
updates every 2 yours. And the ES ISAC and the telecom ISAC 
were on the phone together, which was an extraordinary amount 
of collaboration between those two sectors.
    The ES ISAC also collaborated with the IT ISAC to discuss 
cyber threats and vulnerabilities and understand that.
    There is an informal ISAC council that has formed that has 
the leadership of the 10 largest ISACs to share information; 
and then I understand the telecom--well, the telecom ISAC and 
the ES ISAC are also sharing information with the government. 
The ES ISAC has reporting responsibility with the FBI, and the 
telecom ISAC is housed within the Department of Homeland 
Security's NCS function.
    So information sharing is getting better. We are overcoming 
the trust barriers and those trust circles are widening.
    Ms. Sanchez. Mr. Chairman, I think you probably forgot to 
turn on the--
    Mr. Thornberry. I turned it off for the gentlelady because 
she was asking such good questions.
    Ms. Sanchez. Well, thank you, Mr. Chairman. I appreciate 
that.
    I have a lot of other questions. I think I will submit them 
for the record, because I think this has been an incredibly 
good panel and I do have a lot of concerns about whether the 
Department of Homeland Security is really doing what we need it 
to do in order for me to feel safer as an American.
    But considering that I have other colleagues who have 
waited a while, thank you, Mr. Chairman for your indulgence. 
And thank you, gentlemen.
    Mr. Thornberry. I thank the gentlelady.
    The gentleman from Texas.
    Mr. Turner. Thank you, Mr. Chairman.
    First, I want to compliment Mr. Rauscher's son, who I think 
is about two rows back, who has been back there listening 
carefully today and taking a few pictures. I think he has got a 
great future.
    Mr. Rauscher. Thank you.
    Mr. Turner. We were talking about the work of one of your 
graduate students, Mr. McCarthy, and I read the article in the 
Washington Post. It is dated July 8. It describes the shock 
that government officials, as well as some folks in the private 
sector had when they saw the results of his work. And I gather 
all of this was produced with publicly available information.
    Obviously, it could be very useful to terrorists; and as 
you said, you have a feeling that there are those out there who 
may be collecting that same information to do us harm rather 
than to do us good.
    What is the answer to this? What should we be doing? Is 
this information that rightfully should be protected? Or is it 
already in the public domain and it is going to stay there, and 
it is just the way things are?
    Mr. McCarthy. Well, sir, I think yes and no. The 
information is out in the public domain. I think there are 
common-sense things that have--as awareness grows, as groups 
like the Partnership for Critical Infrastructure Security and 
others raise awareness--critical information and data is taken 
off. Some of this is the way we do process. There are--a lot of 
the ways that these gentlemen got information or these 
researchers got information is they called up the local 
municipality and they looked for permitting, where were you 
allowed to dig to go lay a piece of fiber-optic? Some things as 
simple as that.
    It takes a very concerted effort. It takes a very thought-
out methodology and it takes lot of time to do it. That is why 
it takes so long to get a Ph.D., I guess. But the bottom line 
is that I believe that this kind of work is going to go on in 
academia, and I think this kind of work should be encouraged in 
academia.
    I think the real story that didn't come out in the 
Washington Post, because as you all know, you don't get on the 
front page of the Washington Post without having a real hotshot 
story, there are some misconceptions about the story. Number 
one, the government never ever tried to suppress the 
dissertation. That was never in the mix. The real story that 
was being--we were being interviewed for was, one, young, smart 
researchers that are involved in the homeland security agenda. 
We support that, as a university, in terms of getting that 
message out.
    And, number two, how a university can work with the 
government and industry.
    What didn't come out in the article is that when I came to 
the university to assume this project and we were looking at 
funding mechanisms to--what research within the university to 
fund, obviously their project came right out at me as one we 
needed to begin to move forward quickly. So in the process we 
got funding to them.
    And I also engaged in a process to begin to--for lack of a 
better word, begin to ``shop'' their research around. Number 
one, we looked internally to make sure there is a lot of 
sensitive data here. How are we handling it? And we had very 
solid procedures in place within the university. Coming from a 
government career, handling a lot of classified materials, I 
was very satisfied with the procedure the university had in 
place. We beefed it up a bit, particularly after the July 
article. But there were--this is an example of academia acting 
responsibly. Then we went to government and business alliances 
that deal with this--that have a use for this type of modeling, 
and we engaged in discussions with them.
    That, to me, is the real message of the article, and that 
is a positive thing. That should happen all over the 
universities. I believe that is the way we instill and preserve 
the academic freedom element; and it is also--another key 
element of this is, we have to grow the next generation of 
security professionals.
    We have to grow the next generation of thinkers in this 
area that are going to take us to the next level, to alleviate 
some of the frustration--some of the kind of frustrating, 
seemingly, lack of control over our understanding of our 
vulnerabilities.
    I don't think we have--our capability is just emerging to 
be able to visualize and build the kind of models that are 
going to help us; and so we are in this kind of gap period. So 
it is very important that we find a way to make this kind of 
relationship work, and in our small way at GMU, we tried to do 
that with this project.
    Mr. Turner. So what you are saying is that the work that 
Sean Gorman did in his dissertation is, in effect, a kind of 
model for what you think perhaps ought to go on in a wide 
variety of critical infrastructure sectors so that eventually 
we would have the capability to comprehensively map our 
infrastructure in a way that we could then manipulate the data 
and identify our critical vulnerabilities and assess the impact 
that the disruption of one or an other sector might have on 
other sectors?
    Mr. McCarthy. Yes, sir. I fully support that statement.
    And to piggyback on a comment again that Mr. Watson made 
relative to the national labs, the national labs play a 
critical role in helping the sectors. It is defined in the 
security strategy in helping the sectors help with this 
modeling and simulation and visualization capability. That is 
what they do well.
    I also think, and I would like the committee to be aware 
that academia is out doing this also, and it is very critical 
that we just don't put all of our examples in one basket in 
that area, that we support the activities going on relative to 
these kinds of projects. Because, number one, the academia, 
the--again, the research and information is out there and it is 
happening, so we have to find a way to capture it and make sure 
that we develop responsible standards by which academics should 
act.
    And I think that we have plenty of models out there. We 
have done this with biological research, we have done this with 
nuclear research, and we are doing it now with cyber and 
infrastructure research, so we have models to check concerns 
that are legitimate; and in the other area, that we should 
just--we should be opening up.
    We have a very rich and robust higher educational structure 
that we have to leverage to this problem. And we have done it, 
again, in the past. We did it in World War II. We did it with 
the Manhattan Project. We did it with getting to the moon. And 
this is critical infrastructure. And cyber security and 
terrorism, all of these issues, to me, are equivalent to those 
processing. We couldn't have done those things without the 
proper relationship between government, industry and academia 
working together.
    Mr. Turner. Thank you.
    Mr. Thornberry. The gentlelady from the Virgin Islands.
    Mrs. Christensen. Thank you, Mr. Chairman.
    Mr. Gilbert, has--this is a similar question to one that 
Mr. Turner asked the previous panel. But has your--the panel 
that you chair formulated an opinion on which of our critical 
infrastructures pose the greatest security concerns, that is, 
greatest risks of attack, vulnerability to attack and potential 
consequences?
    Mr. Gilbert. Yes, ma'am. And we wrote about it in the 
report. And as a matter of fact, we placed that dubious honor 
with the electric utilities, not only because of the 
vulnerabilities that they represented, but also the enormous 
dependency of the other basic infrastructures' support systems, 
that we all rely upon, that are so dependent upon the constant 
reliable supply of electricity. We are truly hard-wired as a 
society and as an economy to the electrical supply.
    Mrs. Christensen. Thank you.
    Mr. McCarthy, obviously, George Mason is doing a great job 
of providing researchers and growing that next generation of 
thinkers. You talked about the research projects and your 
collaborations with the universities. I was wondering, of those 
20 or more universities, how many are historically black 
colleges and universities or minority-serving institutions?
    Mr. McCarthy. Immediately, off the top of my head, two. 
Norfolk State University we are working closely with on both 
cyber security and information warfare which--they are 
developing a fantastic program down there on that. And we are 
supporting them closely with that. And they are also supporting 
us in the National Capital Region Assessment that we are doing. 
And also Howard University. We have professors from Howard 
involved in our National Capital Region Assessment.
    Mrs. Christensen. Great. Thank you. Also, I was interested 
that your critical infrastructure protection is based in the 
school of law in the area where, among the many things that you 
are exploring are the legal implications of information 
sharing; and I was wondering if--as you are looking at that, if 
there have been any concerns raised.
    Many of us are concerned, for example, with the loss of 
privacy and intrusions into civil liberties. Have you been 
discussing any of that thus far?
    Mr. McCarthy. Oh, yes, ma'am. First let me say, I 
appreciate your recognizing that we base this project in the 
school of law. Highly, highly unusual. I am not a lawyer. I am 
not a technologist. I come from the information policy arena 
and a government background.
    We based this project in the school of law, and it is 
really the school of law, economics, and we have made this with 
a mandate for interdisciplinary research. It comes with the 
premise that if you just look at the Federal grant process, you 
would put on the table stacks and stacks of Federal grants for 
technology development. You put another stack out there for the 
policy and kind of business governance things. It kind of goes 
down pretty significantly. Then you go down and you put in for 
grants that we are sponsoring to develop this agenda in the 
area of law and you get virtually none.
    So we kind of reversed the model for the use of this money. 
We fund technical research, and the technical research is 
critical to integrating what we are doing. But our primary 
emphasis is looking at law, economics, business governance and 
policy issues relative to the homeland security CIP agenda, and 
it is to work in complement with what is happening with the 
technologist, the--and I will give you one quick example.
    The technologist. One project we are sponsoring is to look 
at attacker fingerprinting. When somebody comes into your 
computer, they are leaving traces; and it is just like when the 
FBI comes in and dusts. We are looking to develop that. As that 
research reaches a certain level of maturity, we are going to 
take that research and bring it into the law school to look at 
the intellectual and privacy implications of the technology, so 
when the whole project is released, you see not just the 
technological application, but you also see the concerns that 
are raised relative to privacy and intellectual property.
    Mrs. Christensen. Thank you.
    And my last question would be directed to both, I guess, 
Mr. McCarthy and Mr. Gilbert, but anyone could answer it.
    Both of you talk about, for example, Mr. Gilbert, issues 
that deter open discussions among the private and governmental 
parties that need to be correctly resolved. And I think that 
Mr. McCarthy refers to that.
    Do you have any recommendations as to how we resolve those 
issues? Because it comes up not only in this area, but in 
Project Bioshield and just about everything that the Select 
Committee looks at.
    Mr. McCarthy. I will defer to Mr. Gilbert.
    Mr. Gilbert. Well, the primary areas that came up in our 
interviewing of people who had vested interests in the 
utilities were in antitrust and freedom of information. In the 
freedom of information, it was the problem that the private 
sector is quite willing to talk about what they have and what 
they are doing and all of that, but they don't want those 
minutes to become a part of a public record where it is then 
readily available for tomorrow morning's newspaper or for their 
competitors. So there is--I believe, under the Homeland 
Security, there is a classification now of homeland security 
information, ``infrastructure information,'' which is a source 
of information that can be protected. And I think that is an 
important step to overcoming the observations that we had when 
we were putting this report together.
    So I think progress is being made. But those are the kinds 
of issues--antitrust is a big problem, and it is always filled 
with a great deal of uncertainty as to what is or is not a 
violation of an antitrust matter and whether or not there will 
be a knock on the door by the State's attorney and so on and so 
on.
    So clarification in that area is more what is being sought.
    Mr. McCarthy. I would very much agree with that. We held a 
seminar at the law school on the antitrust issues relative to 
this agenda. And the consensus among the legal scholars and 
legal practitioners was that there really probably aren't that 
many antitrust issues involved. However, the industry 
representatives at the forum, their general counsel--
predominately the general counsel community is, hey, it is a 
perception issue; and if my CEO comes to me and says, I want to 
share the data or not share the data, I am immediately going to 
say, don't share the data. You know, that is just to protect--
that is his job or her job to protect the company.
    So there is part of that mentality out there. There is--but 
I don't think that predominates the discussion.
    I think what we need to do is develop islands where we can 
protect information properly. And again I think there are 
models out there. The national communications system was 
mentioned. That is a good model of industry, government and 
academia working together to create an island of protection.
    The ISACs were raised. I think the ISACs have the potential 
to be those islands of protection for information if we can 
come down and get past the FOIA and the antitrust and the kinds 
of things that are bogging down the discussion, and move 
forward with kind of a vision of articulating what the economic 
and business model is to incentivize someone to participate in 
an ISAC and also to lay out, from the government's perspective, 
what is it that they really want to get from ISACs.
    Mrs. Christensen. Mr. Chairman, could Mr. Rauscher also 
answer that? Thank you.
    Mr. Rauscher. Yes. I agree very strongly with the comments, 
that the NSC for the communications infrastructure and the 
telecom ISACs are the right place to do this. I would like to 
say that for the communications industry, government requests 
at all levels--Federal, State and local--for information about 
critical infrastructure are very much a concern. And it is not 
just for the reasons that were emphasized here about priority 
information dealing with businesses and business issues, but 
for, very much, homeland security concerns.
    You know, much of the communication infrastructure is 
privately owned. Most of it is. And the experts, the physical 
security experts that have been assembled to develop best 
practices and look at those issues from across the 
communications infrastructure, are consistently and firmly in 
agreement on this point. And we believe it would be helpful if 
we could avoid government at every level, asking for stuff, 
because if you just think of all the lists that would exist of 
all the critical sites; and so, while normally you want to 
manage by facts and collect information, that is the normal 
approach, there needs to be an exception when you are dealing 
with sensitive information and those exceptions need to be very 
clear for specific purposes and information protected 
sufficiently and information destroyed and returned when you 
are complete with it.
    One other comment referring to the earlier discussion that 
hasn't been said, but it should be clear that critical 
infrastructure designers and operators need to be careful about 
what they put on public Web sites.
    Mrs. Christensen. It has come up before. Thank you.
    Thank you, Mr. Chairman.
    Mr. Thornberry. I thank the gentlelady.
    Let me ask a series of brief questions because I know we 
kind of have a hard deadline here of 4 o'clock. Some of the 
witnesses need to go, and so I don't want to take too long.
    Mr. Gilbert started out this panel with his personal 
opinion about a possible scenario where you have a power 
failure that affects food, water, all sorts of things. My 
impression--does anybody on the panel disagree with that as a 
real possible scenario, where failure in one infrastructure 
affects other infrastructures?
    Mr. Watson.
    Mr. Watson. Mr. Chairman, you asked earlier about the most 
critical thing to study, and I mentioned interdependency. And 
this speaks directly to that. Yes, there, the interdependency 
and the cascading failure issue is the hardest problem to 
solve. I don't necessarily think that we would see an electric 
power failure that lasted weeks and months, you know, that 
would create that kind of a doomsday scenario that was painted.
    And some of the sectors are pretty robust. The 
telecommunications sector has many ways of communicating and to 
work around problems. But the cascading failure of the 
dependencies is something that just isn't known. That is why I 
recommended modeling as one way to solve the problem.
    Mr. Thornberry. Which is an interesting thing. We do lots 
of modeling and simulation, of course, in the military.
    Mr. Gilbert, did your committee look at modeling? I mean, 
you mentioned it, I believe, modeling and simulation. And one 
of the things that concerns me is we could spend, I don't know, 
maybe Mr. Watson talked about time and money for a long time 
study. Meanwhile, the terrorists are active.
    It leaves us in a little bit of a quandary about--
    Mr. Gilbert. Well, fortunately, at least insofar as the 
electric utilities are concerned, there is in the Electric 
Power Research Institute an ongoing activity in developing 
simulation models that deal with the operations of their 
assets. That needs to be vastly expanded. There has also been 
some very good work done at Sandia Labs in this area.
    Mr. Thornberry. On interdependency, how the failure of one 
affects another?
    Mr. Gilbert. Yes. Sandia has gone into more 
interdependency; the Electric Research Institute has gone--
mostly staying within the family in its study work. But there 
is good framework there. There are good algorithms. The 
challenge is getting useful data on the condition of existing 
facilities and on not only what the different switches and 
components of a piece of the grid might be, but their actual 
condition with respect to maintenance and remaining life and 
functionality and so on, which is giving away a lot of 
information when you start to gather that kind of--.
    Mr. Thornberry. And when you start to gather it, it may 
change by the time you are finished gathering it if you are 
talking about the condition of things. But that is part of the 
challenge.
    Mr. Gilbert. But it also provides a source of important 
information which is to begin to get some trend information on 
different kinds of components--this kind of components 10 years 
out there, if the weather is looking like this and so on.
    Mr. Thornberry. Yeah. Good point.
    Dr. Orszag, I think that your testimony is very helpful at 
a level of specificity that we have been trying to cope with, 
for example, in cyber security. What is the right combination 
of government regulation and market incentives for the best 
practices that fits with each sector? And you made some 
specific recommendations for cyber security, which is one of 
our primary responsibilities on this particular subcommittee.
    Have you run your suggestions past industry trying to ask 
the question, for example, is this enough? Would this sort of 
framework affect the way you do business or affect the 
decisions that you make when you are buying things or trying to 
figure out how to allocate resources in your company?
    Mr. Orszag. We have had, or at least I have had, informal 
discussions with industry reps. I don't know that it is my 
particular role to interact in that particular fashion with 
industry. And I would underscore a comment that Congresswoman 
Sanchez made, which is that, of course, industry is not 
enthusiastic about any additional requirements.
    But I don't think that should be the defining consideration 
here. In some sense, there is a national objective that private 
interests in this area, and you know, it is unfortunate that 
the incentives need to be realigned, but we need to push them 
closer together.
    Ms. Sanchez. I wasn't necessarily agreeing.
    Mr. Orszag. No. I understand. I got it.
    Mr. Thornberry. But it is very important.
    Mr. Orszag. It makes it harder.
    Mr. Thornberry. Mr. Watson, if I could just ask a few 
things of Mr. McCarthy. What is the time frame? When are you 
going to have something for us to see or for the Department of 
Homeland Security to see where you have taken some of the 
economics that we were just talking about, the legal concerns 
that Mrs. Christensen was asking about, and merge that 
together.
    Mr. McCarthy. Actually, sir, the Department of Homeland 
Security has already seen a number of our products. A number of 
our products have been published in peer review.
    Peer review is very important, without going into details. 
And as we speak, we are at the printer right now printing the 
collective research on the project for the last year, and 
findings; and I would be happy to provide that to both 
committees.
    Mr. McCarthy. And if I could just make one comment relative 
to this discussion, this question you just had: Comment was 
made in the first panel, not meaning to be critical, but the 
term ``costly annoyance'' was used relative to the cyber 
attack. I think something fundamental that has come out the 
last few months here is the drag on the economy.
    I was talking to one international bank, just one bank. 
They have done their quick economic analysis which you can 
imagine how that was done pretty quickly and pretty accurately. 
Fourteen man-years in one week, 14 man-years in one week simply 
to deal with patching and plugging. That doesn't talk about the 
impact on the bank itself and the transactions.
    I believe that the sectors are going to start doing this 
economic analysis, which isn't very sophisticated and it is 
moving much past the idea of ankle biting and annoyance.
    Mr. Thornberry. Good point. And I am not sure everybody 
understood that yet, by the way.
    Mr. Rauscher, your testimony actually has been some of the 
most positive that I have heard about ISACs so far. A number of 
witnesses before, in previous hearings, have been concerned 
that ISACs were not working as well as they should for a 
variety of reasons. But eventually what you are saying from 
your experience is that the telecommunications ISAC and the 
electricity ISAC were working well together with the IT ISAC 
for this event. And so maybe there is hope yet.
    Mr. Rauscher. Yes, and maybe it is--the ISAC. I am familiar 
with the telecom ISAC, which is the one within the Department 
of Homeland Security. I was on [the conference bridge] from 
actually the first minute of that the exercise Responsive 
coordination began from the start of the blackout through 
several days and I heard briefings from the other ISAC about 
whether power was going to be restored and helpful guidance 
that we could use to position generators and experts and 
prepare for fuel supplies. Very helpful activity occurred, and 
as I mentioned in my statement, I think--it was the first time, 
I think, some really inter-ISAC activity occurred.
    Let me also mention that the Wireless Emergency Response 
Team, which was started on September 11, was a new 
organization--a capability that involved hundreds of people 
being mobilized within hours, was able to be done because the 
support of the telecom ISAC. This was on September 11, before 
all the readjustments had been done.
    I am really hoping that the positive, trusted and 
environment that exists there continues.
    Mr. Thornberry. Absolutely. Maybe we can learn from what is 
going well with some ISACs and apply those to some that are 
having more trouble, and that is helpful.
    And finally, Mr. Watson, you spent a fair amount of time 
talking about sector coordinators within the government. In 
your--should they be the ones to be a primary, if not the 
primary, contact with the ISACs for their sector as the key, as 
a key contact within the government?
    Mr. Watson. No, Mr. Chairman. Let me clarify what I said.
    Sector coordinators are in industry. They are nominated 
with consultation between government and lead agencies and 
industry leadership to identify those leaders and coordinators 
across the sector. And yes, they should be the primary contact.
    Mr. Thornberry. On behalf of the ISACs?
    Mr. Watson. On behalf of the industry sector, because they 
have a broader reach than some of the ISACs, and one of their 
responsibilities is to establish information-sharing capability 
which includes the ISAC for the sector.
    Mr. Thornberry. Okay. I think your chart probably confused 
me, because you had the USDA and various agencies beside some 
of the names. But what you are saying is that is who they 
interact with?
    Mr. Watson. There are sector leaders in the lead agencies 
and sector coordinators in each industry sector.
    Mr. Thornberry. I've got you. Okay.
    Mr. McCarthy. Sir, if I could just make one comment very 
quickly. We just had a seminar and called and asked all of the 
ISAC community to come in, along with the Department of 
Homeland Security, again to provide some independent third-
party kind of analysis.
    One of the key elements that jumped out at us, there 
isn't--there are no standard models of action. There are 
functions at all different levels of operational activity and 
maturity, and I think one key action item that can come out of 
this is the development of, A, what is the standard? What is it 
that we want out of an ISAC? What is the standard? Does the 
industry adhere to that standard?
    And you can make better evaluation.
    Mr. Thornberry. What are the characteristics? They may have 
to be somewhat different from this industry's best.
    The gentleman from Arizona is recognized.
    Mr. Shadegg. Thank you, Mr. Chairman.
    Mr. Watson, I want to begin with you and follow up on a 
question that the chairman just propounded dealing with your 
testimony that the sector coordinator rules are poorly 
understood. I guess I would like you to give a further 
explanation of that than I see in your testimony, and in doing 
so, explain to me how you think the sector coordinator should 
be working with the ISACs and how that would work.
    Mr. Watson. I will do my best to do that.
    The original idea of sector coordinators came out of the 
President's Commission for Critical Infrastructure Protection 
that reported in October 1997; and they recommended that the 
government identify, in coordination with industry, a leader in 
each sector to coordinate across the sector. It is very 
difficult to coordinate, you know, with 80,000 IT companies and 
6,000 electric power companies or whatever. You know, one from 
the government, from DHS, or whatever agencies the government 
is dealing with.
    Mr. Shadegg. Let's stop right there and then say, who then 
is the sector coordinator?
    Mr. Watson. That is another hard problem. It varies by 
sector. DHS's working to developing a best practice for sector 
coordinators.
    Mr. Shadegg. Sector meaning the IT sector, like telecom?
    Mr. Watson. Yes industry sectors.
    Initially most sector coordinators were industry groups 
(associations). However, currently the sector coordinator for 
financial services is an individual at the Bank of America.
    So a company is representing that sector and coordinating 
across the sector. The sector coordinator for financial 
services has developed a Financial Services Sector Coordination 
Council that includes all of the trade associations throughout 
the financial services industry, and part of that includes the 
ISAC.
    One of the responsibilities the sector coordinator is to 
establish and maintain an information-sharing capability within 
the sector, across the sectors, and between the industry and 
government.
    In the electric power sector the sector coordinator is the 
president of NERC, the North American Electric Reliabilty, and 
they also operate the ISAC, so it is a different model for that 
sector. NERC provides for automatic membership of all the trade 
associations in the electrical power industry to participate in 
this ISAC as well as other sector responsibilities. The sector 
coordinator is responsible for things beyond information 
sharing, like research prioritization, public policy and other 
kinds of areas that are concerned with some of this information 
sharing.
    Mr. Shadegg. With the creation of the Department of 
Homeland Security do we need to formalize the sector 
coordinator role and give it structure so that they are the 
same from sector to sector and have some degree of authority 
that they apparently lack at the moment?
    Mr. Watson. I would like to see the sector coordinator role 
promoted in industry and government, and the DHS is coming out, 
is developing sector coordinator best practices guidelines. 
They don't want to go so far as to decree what is right or 
wrong for the sector coordinator, because industries differ. 
But if they can come up with what works and what doesn't work 
and publish a best practices guideline, that will be very 
helpful to be able to meet those guidelines and do the job of 
sector coordinator.
    A definition of the role of sector coordinator is needed 
and then promoting that responsibility is also needed.
    Mr. Shadegg. Let me ask all of you a question, and maybe it 
is too broad to be susceptible of an easy answer; but it seems 
to me that you look at different sectors and you look at 
interdependencies, and some are better than others. It seems to 
me, for example, in telecom there are--the telecom industry 
seems to me does a pretty good job. If you can't take this 
route, you have got this route and this route and this route. 
And we covered some things that went down on 9/11, but we 
discovered they were able to quickly come back by some other 
routes.
    I was just downstairs in a hearing on this issue, on the 
blackout. We have--we really have a system there of, if one 
goes down, then usually the others can cover and you don't wind 
up with a blackout. But your testimony, all of you today, kind 
of illustrates how to kind of step beyond that.
    When you go from sector to sector, you get in deep trouble. 
For example, power goes out and the next thing you know, you 
can't pump water, so the water system goes down. You can't pump 
the sewage. In your testimony, you talked about a diver having 
to go through 40 feet of sewage to restart a pump. Sewage goes 
out. And fuel pumps go out. You can't pump gasoline, you can't 
pump diesel fuel.
    Who is responsible?
    And it--should it be DHS's function, should it be something 
that this committee is looking at for forcing some coverage to 
make sure that, you know, there is an--somebody is examining 
the missing link and says, Okay, well, we should mandate backup 
power plants for these kinds of things like we have for 
hospitals.
    I mean, somebody obviously thought through if the hospital 
goes down we had better have a generator sitting outside to 
bring it back up so that the discussion that is ongoing can be 
complete. But we apparently haven't done that for the sewage 
plant that is mentioned in the testimony, and there may be too 
many other places where we haven't.
    My question is, who has got that responsibility?
    Mr. Watson. I think DHS has the responsibility within the 
IAIP Directorate. That is information analysis infrastructure 
protection to identify the problem, work with industry to 
develop solutions together in a public-private partnership. 
Industry owners and operators understand their key notes and 
critical assets, but they don't know all of where they depend 
on other infrastructures and that--that higher level problem is 
something that DHS could provide some guidance and help with.
    Mr. Shadegg. Anybody else want to comment?
    Mr. Rauscher. In infrastructure protection--speaking for 
the telecommunication infrastructure we should understand not 
only its vulnerabilities, but do risk assessments and make 
appropriate plans for how to deal with those.
    Mr. Shadegg. Do you agree DHS has that responsibility?
    Mr. Rauscher. Many of these infrastructures are privately 
owned. So what about the expertise? The first question is the 
duplication of the expertise. There has to be a partnership 
with the industry and I think there are things like the 
President's National Security Telecommunication Advisory 
Committee that has policy issues, the industry does bring those 
forward. So much of the ideas are going to come from the 
experts within the industry.
    Mr. McCarthy. I believe the Department of Homeland Security 
has responsibility to build and manage a comprehensive 
framework that allows the industry, depending on the sector, to 
be able to hang their issues and their problems and to be able 
to do the analysis they need to do. The success stories for 
information sharing and ISACs come from the fully funded 
governmental--the national communications fully funded. I mean, 
it is an entity that the industry has invited to come into. The 
FSISAC is coming from pure industry funds, but there is a 
significant amount of money to it.
    So that tells me something. And you analyze the water 
industry, and that is a very decentralized activity than the 
cascading effect is is a local cascading effect and the true 
threat is the undermining of public confidence across--you 
know, it is not the connection between the infrastructure; it 
is if you do this in New Jersey, what is going to happen in 
Detroit?
    Mr. Orszag. I do think the responsibility rests with the 
Department of Homeland Security. I would just say that 
obviously one needs to be careful. I would not want an array of 
government bureaucrats coming in and saying you, firm A, needs 
a backup generator. Instead, you need to be thinking about the 
government structure that provides incentives for that firm to 
do that on its own. And I frankly think that this is, I don't 
want to say the--one of our biggest failures in homeland 
security. I do not think the Department of Homeland Security is 
thinking through incentives that should be provided to the 
private sector in, as far as I can tell, any kind of systematic 
fashion. And I think it comes back to the concern about 
changing the incentives in any way and I think that that is a 
very substantial and critical vulnerability that this committee 
and others should frankly force them to change.
    Mr. Gilbert. Add my two cents. I want to be very careful 
about what we say the homeland security should do, because I 
think it may serve the role as convener, it may serve the role 
of facilitator, may serve the role of organizer, but you have 
got all levels of government involved in these various elements 
of your infrastructure and a lot of private parties as well. 
And so each one has their own set of issues they have to deal 
with. So I think if the homeland security organization can help 
to focus and plan and describe and lay out what the interlinked 
needs requirements are and then work with these various levels 
and organizations, where the means by which financing and 
implementing and so on can take place, then I think we can make 
some progress.
    I was involved with the first responders and the early 
attempts to try to get something out that would improve their 
situation, and there was a whole lot of talk and a very little 
bit of delivery and a lot of expectations raised, which didn't 
get fulfilled. Some still aren't. So I think we have to be 
cautious about how we rush forward here.
    Mr. Thornberry. Mr. Watson, I understand that you have to 
leave and to catch a plane, which is the last chance. So at 
this point you are excused.
    Mr. Markey. Could I ask Mr. Watson just one question if you 
still have time?
    Mr. Watson. I can do it, sir.
    Mr. Thornberry. Gentleman from Massachusetts is recognized 
briefly.
    Mr. Markey. Mr. Watson, what time is your flight?
    Mr. Watson. At 6.
    Mr. Thornberry. The gentleman from Massachusetts is 
recognized for a more extended period.
    Mr. Markey. And that brings me to my point which is that, 
you know, we got a lot of Federal agencies that really don't 
ask a lot of questions, you know, to get the real situation 
identified so that then you can deal with the reality of it the 
way we just did about when your flight is, which helps so 
everyone can conform to the reality of the situation. So back 
in January, the slammer worm disabled computer systems at First 
Energy Davis Bessie reactor and other utilities. And in at 
least one case, this was because A, people didn't download 
their security patch, or B, that the T-1 and remotely-connected 
computers circumvented the fire wall. So actually, believe it 
or not, nothing actually happened at the NRC after that in 
terms of warning other nuclear reactors that there was a 
problem. Kind of shocking that they didn't do that.
    What I did on August 22 was I wrote a letter to the NRC and 
I asked them about this incident back in January and what they 
had done and what were their recommendations for the other 
nuclear utilities since they actually hadn't said a word to any 
other nuclear utility in 7 months. And then remarkably one week 
later, the NRC sent out an information notice to all nuclear 
power plants in the United States explaining what had happened 
7 months before in their nuclear power plant, but they actually 
had no orders to fix the same problem in their own nuclear 
reactors if they had such a problem--no orders at all.
    So my question to you, Mr. Watson is, shouldn't homeland 
security be mandating to each of these agencies that work with 
them that they inform affected parties, potentially affected 
parties of critical infrastructure and the critical 
infrastructure sectors of vulnerabilities and then specifically 
recommending fixes that could prevent the very same problem 
from occurring in their utility?
    Mr. Watson. Let me make sure I understand the question 
correctly. You are asking the question should the DHS be 
responsible for mandating that other Federal agencies provide 
warnings so that industry could provide--could implement fixes 
when vulnerabilities are discovered?
    Mr. Markey. And the Nuclear Regulatory Commission obviously 
just flubbed this completely until I notified them and that is 
not a good situation given the fact that we are right now 
wondering whether or not a worm or blaster might have helped to 
aggravate the problem at First Energy. This doesn't seem to be 
an awareness at the Nuclear Regulatory Commission of the 
pervasive nature of this cyberterrorism threat in terms of its 
potential consequences for nuclear power plants.
    Mr. Watson. This is a multi-phased question. Patching is a 
complex problem. The idea of warning and providing information 
on vulnerabilities is another problem. And the idea of mandates 
on either area is a third question.
    Mr. Markey. Should there be a warning first?
    Mr. Watson. I believe there should be a warning. I am not 
sure whether--and not knowing enough about every kind of 
possible threat, I am not sure whether that should be mandatory 
for Federal agencies. As far as patching goes--
    Mr. Markey. I don't understand what you mean. The Nuclear 
Regulatory Commission has jurisdiction over nuclear power 
plants and their safety. Here is a problem that was identified 
at Davis Bessie with regard to the slammer virus and no warning 
was given to the other 103 nuclear power plants in the United 
States that this incident had occurred. So the first question 
is should the other 103 nuclear reactors have been notified?
    Mr. Watson. I believe they should.
    Mr. Markey. Does everyone agree they should have?
    Mr. Watson. I am not sure it is NRC's responsibility to 
make their notification.
    Mr. Markey. It is their responsibility. Under the Atomic 
Energy Act, it is their responsibility.
    Mr. Markey. Who do you think the responsibility would have 
been with?
    Mr. Watson. The information on the slammer and other cyber 
kinds of worms and viruses flows through the ISACs action and 
the energy ISAC, and the electricity sector ISAC had the 
information and they were spreading it across to industry 
members of the ISACs. I believe that that information flowed 
very quickly. As far as recommendations on when to patch and 
how to patch, that can be complex.
    Mr. Markey. Do they have authority to mandate that there be 
a patch--ISAC?
    Mr. Watson. They do not have the authority to mandate a 
patch, and I am not sure mandating a patch would be the right 
idea.
    Mr. Markey. Do they have--do they have the power to mandate 
that the utility inspect to see whether or not a similar 
problem exists within their nuclear--
    Mr. Watson. ISACs do not have power or authority over 
industry members.
    Mr. Markey. What I am saying it is inside the Nuclear 
Regulatory Commission. They are the agency responsible for the 
safety of nuclear power plants in the United States. And when 
they were given this information, it was they who had the 
principle responsibility delegated by this Congress and by 
ultimately as this committee has now jurisdiction over it by 
the Homeland Security Committee to ensure that that information 
is communicated, or else we wind up with a same problem that we 
had in, you know, in August of 2001, where information was 
there, but not communicated in a way that could be effectively 
used.
    Mr. McCarthy. Your scenario actually raises an additional 
issue that I think is of vital concern. There has been numerous 
discussions of infrastructure since the President's Commission 
report, et cetera. And as you get into the room and we 
discussed the room almost divides into two camps, one that says 
never can happen, absolutely never and the other one that says 
it is happening and the sky is falling. So we have to find that 
place in between where you know the notion of an intrusion into 
a nuclear plant, and again, there are many systems in a nuclear 
plant and whether that intrusion went into a vital critical 
system is what is at issue rightfully and I think that you 
point that out. But the key issue there is when you are trying 
to do this vulnerability assessment and get the data to run the 
models and to do the visualization and see what is there, you 
run across this constant tension of can never happen and 
therefore let us not talk about it anymore, because you are 
just giving information to bad guys, a road all the way to the 
world is coming to an end, and we have to get past that.
    Mr. Markey. I think the problem we identified here was 
obviously one that is central to the reason why our committee 
was constructed, which is there is not an effective 
dissemination of information to potentially affected parties of 
relevant information of threats that have been identified. And 
I think that here, if there was a similar problem in another 
nuclear power plant, that the Nuclear Regulatory Commission had 
an obligation in a timely fashion, in my opinion, after 
September 11, that means immediately to send that information 
to all of the nuclear power plants. That is not proprietary 
information to Davis Bessie. It is now relevant information to 
vulnerabilities inside of nuclear power plants that could be 
exploited.
    And I don't think that happened and I just think that 
unless we have a systematic way of ensuring that these agencies 
respond not to the utility, but rather to public safety and 
security as their principal responsibility which, by the way, 
each of these agencies have as their principal charter 
responsibility, then we will have some brilliant al Qaeda Ph.D. 
from MIT or Harvard or CALTECH some day in the future exploit 
that vulnerability. Thank you, Mr. Chairman.
    Mr. Thornberry. The gentlelady from Texas.
    Ms. Jackson-Lee. Dr. Orszag, I would like to focus my 
questions in your direction and to suggest that the thrust of 
this committee, my understanding, was to ensure that we would 
be called the Homeland Security do-something committee as 
opposed to do nothing. And I say that in the backdrop of the 
issue of terrorism never announces its entry in our lives. We 
saw that on 9/11. And so, I believe it is important that we 
have a mind-set of preparedness and readiness, and therefore, I 
find it very difficult that we don't take the laboratory of the 
blackout and really act.
    And governmentally we have to act because the private 
sector responds that we don't want to be intrusive. We want a 
robust private sector, but they don't respond in many 
instances, and I understand it unless we give guidance or 
regulations or defined policies that they can abide by. One of 
the issues in this committee is to empower citizens, that is 
more preparedness in neighborhoods and communities. I hope that 
is very good. I would like to ensure that the ISAC now have 
legs, teeth and arms and can move.
    And frankly, I believe that they were very comfortable 
advisory committees which I applaud. If we can claim a success 
on the days of the blackout, I think the success comes from the 
way local government responded. We can clearly probably see a 
distinction between 9/11 and now. I think they were efficient, 
they were calm, they were effective. That means mayors of the 
respective cities and our first responders and I want to 
compliment them on that. But I want to focus on some comments 
that you made regarding the administration's strategy leaves 
out several key priorities for action, including major 
infrastructure in the private sector, which the administration 
largely ignores.
    Can you elaborate on how the current policies ignore 
critical infrastructure protection, what must be done to 
increase increased critical infrastructure security and from A 
to F, if you had to grade the Department of Homeland Security, 
DHS and White House efforts to protect critical infrastructure 
in the private sector, what grade would you give? And let me 
say, this is based upon two aspects, and I said it earlier 
today, accountability and then finding what happened so that we 
hopefully will not retrace our steps. It is not accountability 
for its sake simply, but it is to say that my sense of the 
blackout is urgency, one, a crumbling infrastructure which is 
no one's fault, it is aging and no intervention.
    But I say that in the context that we are so grateful that 
what that was, as we understand it to date, was a crumbling 
infrastructure. Suppose it was not. And I think that gives us 
the extra added burden, the urgency to act yesterday. And as a 
government entity for us to say that who is responsible or not 
responsible but for us to be in the context that we can even 
pause for a moment is a difficult position--I find it a 
difficult position to be in. And I would appreciate if you 
comment on that.
    And I have one other question. And gentlemen, please, Mr. 
Watson, we smile because we are dark through the airport one 
minute before, but you do it the right way. So if you are able 
to comment right after him, I would not want you to be in a 
complex situation. And I don't know if you can comment on the 
policies, but hopefully you can comment on the question of 
critical infrastructure protection. Maybe you just want to 
comment.
    Mr. Watson. I have not been raising my hand to ask to be 
excused the whole time. I have been trying to get--a lot of 
questions have been asked about the role of regulation versus 
market pressure and that is one of the areas that is being 
studied by the National Infrastructure Advisory Council. They 
are looking at the role of regulation, or actually the best 
security driver sector by sector. In some sectors, regulation 
will impede security. In other sectors, regulation will enhance 
security. When you look at State and local governments and some 
of the public sectors that includes some of the utilities, they 
may need regulation to provide needed funding that they don't 
have. But in other sectors like the IT industry, regulation 
tends to inhibit innovation. It tends to mandate the lowest 
common denominator and those systems and products that are 
produced from regulation are two or three versions behind the 
State of the art and actually can harm security for that 
sector.
    So I think that you will be benefitted and all will be 
benefitted when the NIAC finishes its study and publishes it 
and looks at what the most effective security drivers are for 
enhancing security across the sectors.
    Ms. Jackson-Lee. Could you include in your response the 
point made in your book about the DHS now having responsibility 
for overseeing critical infrastructure protection and 
elaborating on the lack of effectiveness on the concept of 
closer attention, whether close enough attention being paid.
    Mr. Orszag. I think I suggested before, I think one of the 
most glaring vulnerabilities that we face as a Nation is 
precisely in the incentives that private firms have to protect 
against terrorist attacks. And I think one of the reasons that 
I have been disappointed by the actions taken thus far, we are 
almost 2 years after 9/11 is that there does not seem to be 
recognition of that point. If you listen to the rhetoric that 
comes from both the Department of Homeland Security officials 
and others, it is very much of the sort that the private sector 
has incentives to do all of this and I just fundamentally 
disagree with that. They do have some incentives but not strong 
enough.
    I also agree that a heavy-handed sort of command and 
control regulatory approach is probably not the right answer in 
the vast majority of sectors; I would think that would be the 
sort of task of last resort. That would be the thing that you 
would use last. And instead what you want to be thinking about 
is ways of using private markets to create incentives for 
better protection so that you can get the innovation over time 
and have a more flexible system, and it is not a rigid 
approach.
    But I don't see that kind of discussion coming out of the 
Department of Homeland Security. It is not sort of consistent 
with the rhetoric. There was one, I think, glaring example of 
this I remember on NPR several months ago in which a senior 
Department of Homeland Security official basically said we 
don't need to worry about this. The private sector will take 
care of it. Again, for the reasons I lay out in my testimony, I 
just think that is dangerously and fundamentally wrong.
    Ms. Jackson-Lee. How would you grade them?
    Mr. Orszag. Well, having spent 3 years grading students, I 
am a little reluctant to give a grade, because I know the sorts 
of complaints it engenders, but it is not a passing grade.
    Ms. Jackson-Lee. And do you think it warrants us acting now 
and very quickly, thoughtfully but quickly?
    Mr. Orszag. I think thoughtfully is important. One does 
need to weigh--I am a firm believer in the power of private 
markets and incentives that firms face in determining the 
efficiency with which they do things. And I think you need to 
be very careful not to intervene in an excessively costly way. 
That having been said, we are now almost 2 years after 9/11. I 
raised chemical facilities before. That is just one of many 
sectors in which there has been absolutely inadequate movement, 
as far as I can tell, to correct incentives that firms face.
    Ms. Jackson-Lee. Mr. McCarthy.
    Mr. McCarthy. On your grade, teaching a graduate course 
myself, I would give the Department of Homeland Security, given 
beyond the operational and policy things that have to happen, 
there is a tremendous amount of building that needs to take 
place. We are trying to build the airplane, design it, fly it 
and serve drinks at the same time. So from that standpoint I 
give the Department of Homeland Security a C, which as a 
professor and a teacher, it tells me the concepts are there, 
the pieces are there, and I do believe that organizationally we 
have built the right thing. We have the constructs.
    Some levels of maturity gradations out in the private 
sector we have the right pieces in the government fundamentally 
to move forward. We have to allow some maturity and some areas 
in the identification of key assets to deal with the immediate, 
I agree we have to get that done and get that moving forward, 
but I would give them a better grade than that.
    Mr. Orszag. It is the difference between grading on a 
curve.
    Mr. Thornberry. Let me thank each of the witnesses because 
each of you has done and are doing important work that helps us 
to improve their grade and improve the grade of the whole 
government and the whole country, and that is what we are here 
to do. I thank the gentlelady from California for sticking it 
out as well as all of her work in the area of homeland 
security. We may have additional questions we will submit. If 
we don't ask the question but you have a suggestion, send it to 
us anyway as well as future publications and so forth. Again, I 
thank all the witnesses and this hearing stands adjourned.
    [The information follows:]
    [Whereupon, at 4:25 p.m., the subcommittee was adjourned.]


                        ELECTRIC GRID, CRITICAL
                    INTERPENDENCIES, VULNERABILITIES
                             AND READINESS

                              ----------                              


                     WEDNESDAY, SEPTEMBER 17, 2003

                             Subcommittee on Infrastructure
                                       and Border Security,
                                                and

                             Subcommittee on Cybersecurity,
                     Science, and Research and Development,
                             Select Committee on Homeland Security,
                                                    Washington, DC.
    The subcommittees met, pursuant to call, at 3:30 p.m., in 
Room 2359, Rayburn House Office Building, Hon. David Camp 
[chairman of the subcommittee] presiding.
    Present: Representatives Camp, Sessions, Dunn, Smith, 
Weldon, Sanchez, Dicks, Jackson-Lee, Christensen, Etheridge, 
Slaughter, Lucas, Pascrell, Meek and Cox.
    Mr. Camp. [Presiding.] The Subcommittee on Infrastructure 
and Border Security and the Subcommittee on Cybersecurity, 
Science and Research and Development joint hearing will come to 
order. Today's business is to conclude part two of the hearing 
entitled Implications of Power Blackouts for the Nation's 
Cybersecurity and Critical Infrastructure Protection, the 
Electric Grid, Critical Interdependencies, Vulnerabilities and 
Readiness.
    Good afternoon. The vice chair of the Cyber Subcommittee, 
Congressman Pete Sessions, will join me in this joint hearing, 
as he has agreed to sit for the chairman, who had a scheduling 
conflict. I would like to thank all of you for attending 
today's hearing, The Federal Response to the August 2003 
Blackouts.
    The two subcommittees will hear first from federal agencies 
that played a direct role in response and communications 
procedures during the blackout. We will then hear from a panel 
offering the state perspective and comments on information 
sharing. Our witnesses in order of testimony are the Department 
of Homeland Security Assistant Secretary of Information 
Protection Robert Liscouski, Department of Energy Acting 
Director of the Office of Energy Assurance Denise Swink, State 
of Michigan Assistant Adjutant General for Homeland Security 
Colonel Mike McDaniel, and General Accounting Office Director 
of Information Security Robert Dacey.
    I want to thank all of the witnesses for their 
participation. The investigations into the blackout are still 
ongoing, and I understand that neither Mr. Liscouski nor Ms. 
Swink will be able to testify about the cause of the blackout 
at this time. However, your direct experience in responding to 
the blackout, and your critical infrastructure expertise, makes 
your testimony very valuable as the Homeland Security Committee 
continues to look at ways to strengthen America's critical 
infrastructure. The committee appreciates your willingness to 
be here today.
    To allow more time for witness testimony and member 
questions, the chair requests that members agree to a unanimous 
consent request to waive opening statements. The record will 
remain open for members to insert their statements in the 
record. So with no objection and agreement to waive statements, 
we will proceed.
    Again, I want to thank our witnesses for being here today. 
We will hear testimony from our federal panel first, and we 
will begin with Assistant Secretary Robert Liscouski. Before 
you begin your statement, I would like to acknowledge before 
the committee that you also testified before the Cyber 
Subcommittee, and I would like to extend the committee's 
appreciation for your willingness to address this committee 2 
days in a row.

  PREPARED STATEMENT OF THE HONORABLE JIM TURNER, A REPRESENTATIVE IN 
                    CONGRESS FROM THE STATE OF TEXAS

    Thank you, Mr. Chairman.
    I greatly appreciate the efforts of the sub-committees to continue 
their inquiry into the widespread blackout in August that left nearly 
50 million Americans without power. Although the power outage does not 
appear to have been the work of terrorists, it clearly served as a wake 
up call for us examine not just our electrical grid, but all of our 
critical infrastructures and ask an important question, ``Have we done 
enough since September 11, 2001, to comprehensively assess and protect 
our nation's critical infrastructures from potential terrorist 
attack?''
    America's critical infrastructures comprise the backbone of our 
economy. They are essential to our way of life. In addition to electric 
power systems, these essential infrastructures include chemical and 
nuclear plants, water systems, commercial transportation and mass 
transit.
    Our country's infrastructure also includes the extensive computer 
and information technology systems which we increasingly rely upon to 
operate and interconnect our many diverse physical assets.
    There are hundreds of thousands of potential critical 
infrastructure targets that terrorists could choose to attack. In light 
of the potential threats and vulnerabilities we face, I want to draw 
the committee's attention to Governor James Gilmore's testimony last 
week before the full committee: ``A good national strategy can reduce 
the risk (of a terrorist attack), and direct our resources to the 
correct priorities.''
    A comprehensive risk assessment is central to any robust strategy. 
Such an assessment should include a thorough assessment of threats, 
vulnerabilities, and consequences. Furthermore, in order to 
successfully execute a strategy, you need a robust organization; 
effective coordination between federal, state, local, and private-
sector officials; and a clear set of objectives and standards by which 
to measure progress.
    I remain concerned, however, about whether the administration has 
done all that it can do to assess the threats to and vulnerabilities of 
our critical infrastructures, and implement a strategy to protect them.
    The problem we face today is that we are attempting to secure the 
homeland without a comprehensive strategy based on an assessment of 
threats and vulnerabilities.
    This is like building a home without a blueprint or a pilot 
navigating through the clouds without instruments. Until we have a 
clear understanding of the likely threats against us and a ranking of 
our vulnerabilities it is impossible to set priorities, establish 
security benchmarks, and measure progress.
    I hope we will hear today from our government witnesses how far 
along we are on completing a comprehensive risk assessment of our 
critical infrastructure. And I am interested in learning what the 
Department of Homeland Security's plan is for protecting our 
infrastructure once the assessment has been completed. Specifically, I 
would like to know what federal assets are going to be dedicated to 
this task, how the Department of Homeland Security intends to assert 
leadership at the federal level, and how it will interact with the 
private sector to provide an acceptable level of security for all 
Americans.
    I hope to hear that we have a solid plan that will move quickly to 
remedy the gaping holes in security--only one of which was so clearly 
exposed by the blackout last month.
    I want to thank the distinguished panel. I look forward to your 
testimony.

       PREPARED STATEMENT OF THE HONORABLE SHEILA JACKSON-LEE, A 
           REPRESENTATIVE IN CONGRESS FROM THE STATE OF TEXAS

    Subcommittee Chairman, thank you for your efforts in holdingtoday's 
joint hearing on this important matter. We take up this subject matter 
in an extremely timely fashion, given the threat of hurricaneIsabel in 
this local metropolitan area.
    The purpose of this hearing is to expound upon the examination of 
the blackout of August 14, 2003 that left some 50 million people in 8 
states and Canada without power. The areas most affected, according to 
the North American Electric Reliability Council (NERC) were the Great 
Lakes, Michigan, Ohio, New York City, Ontario, Quebec, Northern New 
Jersey, Massachusetts, and Connecticut. This incident, thus far, has 
not been determined to be terroris-relates; however, the extent by 
which it crippled the above-referenced expansive sectors of our nation 
and Canada was frightening to the point that it should have given the 
Administration a ``wake-up call'' as to the inadequacy of our existing 
critical infrastructure. The primary theme, or issue, of to day's 
proceeding is ``Whether we have done enough since September 11, 2001 to 
protect our nation's critical infrastructures from potential terrorist 
attack?''
    In our task of collaborating and fine-tuning the newly developed 
Department of Homeland Security against the projected needs of our 
nation, we must begin our evaluation at the most basic levels. Critical 
infrastructure protection is important to every member of our national 
and local communities. In order to implement a program of securing 
cyberspace and critical infrastructure at a national level, we must 
follow a course of risk assessment, education, and careful reaction at 
the local level to protect our schools, hospitals, and rescue 
facilities. These goals are part of the impetus for the amendments that 
I offered as to the Department of Homeland Security Appropriations Act 
and to the Project BioShield Act so that funding mechanisms and the 
Secretary's discretion contain the control provisions necessary to 
ensure the proper and effective allocation of resources to the places 
that have the most urgent needs. An illustration of the disjunct in our 
infra and super-structure is the television broadcast of the tens of 
thousands of New Yorkers who had to walk across the Brooklyn Bridge to 
end their workday. This is vulnerability. Thousands of riders of 
underground mass transit systems trapped in cars, frugal in their 
consumption of oxygen and hopeful that their rescue team was near 
equates to vulnerability. Because we cannot cast blame for this 
occurrence on a terrorist group means that we are vulnerable to 
ourselves first and foremost. The Administration must increase our 
awareness of the status of the areas that are most open to corruption.
    In Houston last year, a 21-year old man was sentenced to three 
years in prison for a terrorist hoax concerning a plot to attack the 
opening ceremonies of the 2002 Winter Olympics in Salt Lake City. The 
Houston resident was sentenced by the U.S. District Judge and ordered 
to pay $5,200 in fines. The Judge told the Defendant that she had 
sentenced him to three years because he had failed to demonstrate his 
understanding as to the seriousness of his crime and disruption that he 
had caused to federal agencies and private citizens.
    The perpetrator told the FBI in Houston that he had intercepted e-
mails between two terrorists plotting a missile attack during the 
opening Olympic ceremonies on February 8, 2002. The e-mails supposedly 
detailed plans to attack Salt Lake City with missiles launched from 
northern Russia. He later confessed to making up the story during 
questioning, telling agents that stress led him to tell his tale and 
that he had fabricated the e-mails.
    Just a few months ago, Federal prosecutors charged a University of 
Texas student with breaking into a school database and stealing more 
than 55,000 student, faculty, and staff names and Social Security 
numbers in one of the nation's biggest cases of data theft involving a 
university. The student, a twenty-year old junior studying natural 
sciences, turned himself in at the U.S. Secret Service office in 
Austin, Texas. He was charged with unauthorized access to a protected 
computer and using false identification with intent to commit a federal 
offense. This incident sent a wave of fear across the campus of the 
nation's largest university, causing students and staff to consider 
replacing credit cards and freezing bank accounts. The studen-
perpetrator was released without bail and thereafter had limited access 
to computers. If convicted, the student faced as many as five years in 
prison and a $500,000 fine. After searching this student's Austin and 
Houston residences, Secret Service agents recovered the names and 
Social Security numbers on a computer in his Austin home. According to 
the indictment, Phillips wrote and executed a computer program in early 
March that enabled him to break into the university database that 
tracks staff attendance at training programs, reminding us how 
vulnerable we all are even when our Social Security number is misused. 
To combat the vulnerability linked to Social Security numbers, the 
university must limit its dependence on Social Security numbers as 
database identifiers and instead use an electronic identification 
number that corresponds to Social Security numbers only in an encrypted 
database. This data theft was probably the largest ever at a 
university.
    Therefore, since the threat to critical infrastructure is realized 
at a very local level, we must channel our resources and technology to 
the first-responders and leaders in the local communities. The movement 
to securing our homeland needs to be expansive, not retracting. If our 
local hubs and first-responders were disabled by a terror threat, we 
would have a hard time developing effective protective measures for our 
nation as a whole.
    Just as we must ward against the large threats to our critical 
infrastructure, the ``small'' incidents must not be allowed to create a 
larger vulnerability.

           PREPARED STATEMENT OF THE HONORABLE JAMES LANGEVIN

    Thank you, Mr. Chairman. I would like to welcome our witnesses, and 
express my appreciation for your willingness to come here for what I 
hope will be a very enlightening and productive hearing. I look forward 
to hearing from these distinguished experts about our infrastructure 
and what we need to do to protect it.
    Mr. Chairman, it was with great expectation that we created the 
Department of Homeland Security and charged it with protecting us from 
terrorist threats and responding to emergencies here at home. This 
means not just controlling the border or patrolling airports, but 
making sure that the infrastructure that is vital to the daily 
operation of the United States is protected. Congress was assured that 
infrastructure protection would be a top priority at DHS, but until the 
blackout, there has been no indication on the status of those efforts. 
Despite the open forum we are in, I am hopeful that we may get at least 
a preliminary update today.
    Ultimately, the real problem is that we have not seen meaningful 
plans or progress from DHS in identifying critical infrastructure and 
existing risks. That step is critical before we can talk about how to 
protect it. This is a task DHS needs to be undertaking in close 
cooperation with local and state governments, though several states 
have decided to identify their criticalinfrastructure even without DHS 
support. A graduate student and his advisor took two years to produce a 
map of our fiber optic network from publicly available information. DHS 
has far more manpower and resources, so one would assume it could 
produce assessments much more quickly. I would like to hear from our 
panel what they think of DHS's efforts, or lack thereof, towards the 
goals of infrastructure identification and protection, and how they 
envision DHS either leading or supporting the endeavor.
    Again, I greatly appreciate all of our guests taking time to be 
here to discuss this vital issue.

             PREPARED STATEMENT OF THE HON. CHRISTOPHER COX

    Good afternoon. I would like to thank the subcommittee chairmen and 
ranking members for taking the lead on this important continued 
examination of the lessons learned as a result of the recent power 
outages, the effects the blackout had on related critical 
infrastructure around the country, and how the Department of Homeland 
Security communicated and worked with state and federal agencies, and 
our international neighbors during the crisis.
    I am pleased to join in welcoming all of our witnesses, and 
especially wish to thank Assistant Secretary Liscouski for returning 
for a second day of testimony after testifying before the Subcommittee 
on Cybersecurity, Science, and Research & Development, just yesterday.
    It is often said that if we train like we fight, we will fight like 
we train. How DHS reacted and communicated with other federal and state 
agencies during the blackouts was the first major test of the 
Department's Information Analysis and Infrastructure Protection 
Directorate (IAIP), and I am eager to hear of the Department's 
successes, failures, and lessons learned from the blackout.
    We now know that within less than an hour, DHS officials determined 
that the blackouts were not the result of a terrorist attack. It has 
been only a little more than a month since the blackout occurred, and 
although the exact cause of the blackout remains unknown, it is my 
hope, that the Committee will learn from today's first panel the 
present status of that investigation, and when the nation might expect 
conclusive answers. Also, I look forward to the witnesses' testimony 
addressing how DHS was able so quickly to determine that the blackout 
was not the result of a terrorist attack or other bad actor.
    Although initial analysis of the blackout indicates that it was not 
a terrorist event, we can be sure our enemies noticed the effect the 
blackout had on the nation. I note that in Ambassador Black's prepared 
remarks, from the first part of this hearing on September 4, he 
asserted that ``the recent blackouts in this country serve as an urgent 
reminder that there remain vulnerabilities for terrorists to exploit.''
    The examples of the interconnected nature of our critical 
infrastructures are endless. As Assistant Secretary Liscouski notes in 
his prepared remarks ``If one infrastructure is affected, many other 
infrastructures will likely be impacted.'' Colonel McDaniel's prepared 
remarks provide dramatic examples of the truth of those remarks.
    Furthermore, experience shows us that intentional attacks other 
than a failure of the power grid can also disrupt the economy. The 
SoBig computer virus caused certain CSX rail routes to shut down on 
August 20, until a manual backup system started the trains running 
again. Without railroads to deliver coal, the nation would lose 60 
percent of the fuel used to generate electricity. A computer virus or 
even a series of targeted terrorist attacks that shut down our rail, 
telecommunications, or fuel delivery systems could once again plunge 
significant parts of the nation into blackout and adversely affect the 
economy.
    As recently as September 5, Larry Mefford, the FBI's Assistant 
Director for Counterterrorism, who also testified at the first part of 
this hearing, stated that the FBI has evidence of al-Qaeda's continued 
presence in the United States, and that the FBI's primary worry is that 
there might be terrorists here whom the FBI has not identified and more 
who are trying to enter the country. We know that al-Qaeda has assessed 
the possibility of attacking our power plants and transportation 
systems. Our ability to assess and protect against the very real 
threats to our infrastructure is crucial to our war on terror.
    We learned many unfortunate lessons from September 11th. One of 
them is that our first responders often do not have the capability to 
communicate on shared radio channels even within the same city or town. 
The blackout confirmed this is still a problem. We need to ensure that 
additional spectrum bandwidth is in the hands of first responders as 
quickly as possible. We need to continue our efforts to enhance the 
communications capabilities of our first responders, as well as 
communications between federal, State and local officials.
    We formed DHS seven months ago with the intent that the attacks of 
September 11, 2001, would never happen again. I am eager to hear what 
progress the Department has made towards this goal.
    I thank all our witnesses for being with us and look forward to 
your testimony.

    DHS is actively engaged in many areas, and the directorate 
that you are involved in is of special interest to many members 
and subcommittees. We have received your written testimony and 
ask that you just briefly summarize your testimony. You have 5 
minutes, and thank you for being here.

    STATEMENT OF THE HONORABLE ROBERT LISCOUSKI, ASSISTANT 
 SECRETARY, INFRASTRUCTURE PROTECTION, DIRECTORATE, DEPARTMENT 
                      OF HOMELAND SECURITY

    Mr. Liscouski. Thank you Chairman Camp and Chairman 
Sessions and members of the committee. It is a pleasure to 
appear before you today to discuss the implications of power 
blackouts for the nation's cybersecurity and the critical 
infrastructure protection.
    The Information Analysis and Infrastructure Protection 
Directorate, and specifically my office of Infrastructure 
Protection, has been actively involved in the analysis of the 
cause of the blackout, and the implications of the blackout on 
security of the electric grid as a whole. I would like to 
provide a brief summary of the efforts. Following the regional 
power outage in the Northeast on August 14, the Department of 
Homeland Security set up a crisis action team to monitor the 
situation and to conduct real-time analysis of other potential 
events. The blackout is the first major event of its type that 
the IAIP team handled, and I am pleased to report that our team 
simultaneously tackled the issue from multiple angles.
    The Infrastructure Coordination Division focused on the 
outage itself and the operational impact of the 
infrastructures. The national Cybersecurity Division looked 
into the possibility that the blackout might have been caused 
by a cyber-attack. And our Protective Security Division 
assessed emerging vulnerabilities caused by the blackout to 
assess the ``what is next'' picture. Concurrently, the 
Information Analysis Office analyzed previous and current 
intelligence traffic, and coordinated with the intelligence 
community and law enforcement partners to ascertain if the 
cause of the blackout was attributed to a terrorist or criminal 
activity.
    Additionally, the Homeland Security Operation Center was 
involved in the response effort, coordinating communications 
between state and local first responders, the administration 
and other federal agencies. Situational awareness of the 
affected area, the entire nation, was maintained throughout the 
event. DHS coordinated with sectors affected by the outage, 
both updating them on information related to the cause and 
responding to requests for information. While no actionable 
threat information emerged during the event, it is important to 
note that the ability to communicate with the infrastructure 
sectors was in place to facilitate the sharing of information. 
Our coordination and monitoring of activities was not limited 
to the energy sector, but included telecommunications, banking, 
finance, health services, transportation and the water sector.
    While the national focus was primarily on the blackout and 
its cause, our teams were hard at work assessing the cascading 
effects into other sectors. Interdependencies among the sectors 
were again demonstrated by this event. Seven major petroleum 
refineries suspended operations, many chemical manufacturing 
plants were shut down, grocery stores lost perishable 
inventories, air traffic ceased at several major airports, and 
emergency services capacity was tested. Web sites were shut 
down. ATMs did not work in the affected areas and the American 
Stock Exchange did not operate for a period of time. The effect 
of the blackout highlighted what we already knew at the 
department. If one infrastructure is affected, many other 
infrastructures are likely to be impacted as well. Indeed, all 
the critical infrastructure sectors were affected by this 
event. Understanding the vulnerabilities and interdependencies 
associated with cascading events is an area of great importance 
to the department. We have people focused on this issue to 
ensure we can anticipate those affects, prioritize our efforts 
based upon the bigger picture, not just reacting to the easily 
and the immediately observed.
    Preventing a physical or cyber attack on key nodes of our 
nation's power grid is a fundamental effort to protecting the 
homeland. Accordingly, DHS is working closely with the 
Department of Energy and other federal agencies as we identify 
factors that caused and contributed to the blackouts and look 
for protective measures to prevent such an outage in the 
future.
    On August 28, I was appointed the co-chair to the Security 
Working Group of the U.S.-Canada Power System Outage Task 
Force. The Security Working Group is focused on determining if 
a cyber event directly caused or significantly contributed to 
the events of August 14. The data collection and analysis is 
ongoing and much work remains to be done before we have a 
definitive answer. IAIP was tasked with ensuring that the 
Secretary and the President had the complete picture of what 
was happening during the event, looking for areas that might be 
more vulnerable as a result in coordinating the information 
flow throughout the sectors with other federal agencies.
    We learned valuable lessons. We are incorporating those 
lessons today. I am proud of the way the IAIP team responded to 
this event and I am confident that we are developing a solid 
team that Americans can count on in difficult times, whether 
they be in times of heightened threats, attempted attacks or 
blackouts or other natural disasters.
    While it will be some time before the task force determines 
the exact cause of blackout, we know the system is vulnerable 
and we maintain a daily watch over what parts of the grid might 
be more vulnerable to attack because of system operations. We 
have conducted vulnerability assessments at power facilities. 
We have a protection strategy for key components. And we are 
working with the industry and our federal partners to determine 
the best way to implement that strategy. We have made progress. 
Our work is ongoing. We have a lot of work ahead of us.
    I look forward to your questions after the conclusion of 
Ms. Swink's statement.
    [The statement of Mr. Liscouski follows:]

            PREPARED STATEMENT OF THE HON. ROBERT LISCOUSKI

    Thank you Chairman Thornberry, Chairman Camp and Members of the 
Committee. It is a pleasure to appear before you today to discuss the 
implications of Power Blackouts for the Nation's Cybersecurity and 
Critical Infrastructure Protection.
    The Information Analysis and Infrastructure Protection Directorate 
(IAIP), and specifically my office, Infrastructure Protection, has been 
actively involved in the analysis of the cause of the blackout and the 
implications of the blackout on security of the electric grid as a 
whole. Let me provide you with a summary of our efforts.
    Following the regional power outage in the Northeast on August 14, 
2003, the Department of Homeland Security (DHS) set up a Crisis Action 
Team (CAT) to monitor the situation and to conduct real-time analysis 
of other potential events. The blackout was the first major event of 
its type that the IAIP team handled and I am pleased to report that our 
team simultaneously tackled the issue from multiple angles. The 
Infrastructure Coordination Division focused on the outage itself and 
the operational impact on the infrastructures, the National Cyber 
Security Division looked into the possibility that the blackout might 
have been caused by a cyber attack, and our Protective Security 
Division assessed emerging vulnerabilities caused by the blackout to 
assess the ``what's next'' picture. Concurrently, Information Analysis 
(IA) entities analyzed previous and current intelligence traffic and 
coordinated with Intelligence Community and Law Enforcement partners to 
ascertain if the cause of the blackout was attributed to a bad actor. 
Additionally, the Homeland Security Operations Center was involved in 
the response effort, coordinating communications between state and 
local first responders, the administration, and other federal agencies. 
Situational awareness of the affected area, and the entire nation, was 
maintained throughout the event.
    DHS coordinated with the sectors affected by the outage, both 
updating them on information related to the cause and responding to 
requests for information. While no actionable threat information 
emerged during the event, it is important to note that the ability to 
communicate with the infrastructure sectors was in place to facilitate 
the sharing of information.
    Our coordination and monitoring activities were not limited to the 
energy sector, and included telecommunications, banking/finance, health 
services, and transportation.
    While the national focus was primarily on the blackout and its 
cause, our teams were hard at work assessing the cascading effects into 
other sectors. Interdependencies among the sectors were again 
demonstrated by this event: seven major petroleum refineries suspended 
operations; many chemical manufacturing plants were shut down; grocery 
stores lost perishable inventories; hospital emergency rooms treated an 
above average number of cases of suspected food poisoning; air traffic 
ceased at several major airports; and emergency services capacity was 
tested. Websites were shut down, ATMs did not work in affected areas 
and the American Stock Exchange did not operate for a period of time. 
The effect of the blackout illuminated what we already knew at the 
Department: If one infrastructure is affected, many other 
infrastructures will likely be impacted. Indeed, all of the critical 
infrastructure sectors were affected by this event.
    Understanding vulnerabilities and the interdependencies associated 
with cascading events is an area of great importance to the Department, 
and we have people focused on the issue to insure that we can 
anticipate effects and prioritize our efforts based on the bigger 
picture, not just reacting to what is easily and immediately observed.
    Preventing a physical or cyber attack on key nodes of the nation's 
power grid is fundamental to protecting our Homeland. Accordingly, DHS 
is working closely with the Department of Energy and other federal 
agencies as we identify the factors that caused and contributed to the 
blackout, and look for protective measures to prevent such an outage in 
the future.
    As has been widely reported, the portion of the power grid affected 
by the August 14th blackout is made up of a very complex interconnected 
network of scores of separate companies that includes hundreds of 
power-generation facilities. In addition to physical connections among 
the facilities involving the transmission of power, there are numerous 
cyber connections among their IT infrastructures and those of companies 
that were unaffected. There is a wide range in age and sophistication 
of the technologies upon which these systems depend. In recent years, 
the process control systems that facilitate decision making in critical 
situations have often been made easier by the use of computer 
technology. The industry is in the process of moving forward with 
efforts to reduce possible vulnerabilities and improve cyber security. 
This information provides a backdrop for why we are investigating the 
possibility of a cyber connection to the blackout. There is presently 
no evidence that the blackout was caused by any criminal or terrorist 
cyber attack, although we continue to coordinate and share information 
with law enforcement to support our investigation.
    On August 28, I was appointed Co-Chair to the Security Working 
Group (SWG) of the U.S.--Canada Power System Outage Task Force. The 
SWG, which consists of Federal and State government representatives 
from the United States, as well as Canadian representatives, is focused 
on determining if a cyber event directly caused or significantly 
contributed to the events of August 14th. The data collection and 
analysis is ongoing and much work remains to be done before we have a 
definitive answer.
    IAIP was tasked with ensuring that the Secretary and the President 
had the complete picture of what was happening, looking for areas that 
might be more vulnerable as a result, and coordinating the information 
flow throughout the sectors and with other federal agencies. We learned 
some valuable lessons that have already driven some internal changes, 
such as institutionalizing joint operations within IAIP, and the 
absolute requirement of maintaining a forward-looking ``what's next'' 
posture, not becoming focused exclusively on current events.
    I am proud of the way the IAIP team responded to this event and I 
am confident that we are developing a solid team that America can count 
on in difficult times, whether they be times of heightened threats, 
attempted attacks, or blackouts.
    While it will be some time before the Task Force determines the 
exact causes of the blackout, we know the system is vulnerable and we 
maintain a daily watch over what parts of the grid might be more 
vulnerable to attack because of system operations. We have conducted 
vulnerability assessments at electric power facilities, we have a 
protection strategy for key components, and we are working with 
industry and federal partners to determine the best way to implement 
that strategy.
    Progress has been made, but the work is ongoing. I look forward to 
providing this committee and Congress with further updates.
    This concludes my prepared statement and I would be glad to answer 
any questions you may have at this time.

    Mr. Camp. Thank you very much.
    Ms. Swink?

   STATEMENT OF MS. DENISE SWINK, ACTING DIRECTOR, OFFICE OF 
             ENERGY ASSURANCE, DEPARTMENT OF ENERGY

    Ms. Swink. Chairman Camp, Vice Chairman Sessions and 
members of the committees, my name is Denise Swink and I am the 
Acting Director of the Office of Energy Assurance at the U.S. 
Department of Energy, a position I have held since March of 
this year.
    At the Office of Energy Assurance, we contribute to the 
Department of Energy's efforts to ensure that America's homes, 
businesses and industries have a secure and reliable flow of 
energy. Our activities are designed to protect our critical 
energy infrastructure, detect problems quickly, mitigate the 
impacts of a failure attack, and recover rapidly from damage. 
We respond to a variety of potential threats including natural 
disasters, accidents, aging of system components and system 
reliability flaws.
    As you know, our energy infrastructure is vast, complex and 
highly interconnected. It includes power plants, electric 
transmission and distribution lines, oil and gas production 
sites, pipelines, storage and port facilities, information and 
control systems and other assets. Many of these entities own, 
operate, supply, build or oversee their infrastructure. The 
private sector owns about 85 percent of these assets and a host 
of federal and state agencies regulate energy generation, 
transport, transmission and use.
    Necessarily, our program uses a collaborative approach to 
coordinate all the various players and activities. Within the 
federal government, coordination efforts are with the 
Department of Homeland Security, the Department of 
Transportation, the Department of Defense, the EPA, FEMA, FERC 
and at least seven other offices within DOE. We assist in 
state-level emergency response planning and preparedness, 
working through a variety of state organizations.
    For the private energy sector, a sector liaison has been 
designated for electricity, and one for oil and gas. We share 
information with key organizations in each of these sectors. On 
the international front, we have agreements with both Canada 
and Mexico to coordinate energy assurance across our borders. 
Several universities are helping us analyze specific physical 
and cybersecurity issues, and we have set up a laboratory 
coordinating council to coordinate at least 500 ongoing lab 
activities related to infrastructure protection.
    Training is an important component for improving system 
resilience. That and energy infrastructure lesson plans are in 
development for various stakeholder groups, and databases and 
visualization tools are being assessed to monitor and 
understand energy infrastructure performance under various 
scenarios. All these coordination efforts help to provide an 
effective national response in the face of threats or 
disruptions to our energy infrastructure.
    A review of the events that occurred immediately after the 
blackout will help to illustrate how we operate. On August 14, 
the department activated its Emergency Operations Center. Staff 
members were assigned to monitor, analyze and mitigate impacts 
of the events. Regular staff briefings were held with 
representatives of FERC, Nuclear Regulatory Commission and DHS. 
And we place representatives at the DHS watch office and the 
FEMA control center. Our Emergency Operations Center continued 
to monitor impacts and calculate resources. Specialists looked 
at diesel fuel for backup generators, remedial actions for 
pipeline outages, refinery production availability, and 
associated cascading energy supply impacts.
    Based on these analyses, DOE encouraged electric utilities 
to bring refineries in Ohio back online expeditiously, and we 
also coordinated dry route extension and fuel waivers for 
Michigan. Within hours after the blackout, the Secretary 
directed the New England and New York independent system 
operators to energize the cross-sound cable, an action that is 
believed to have prevented rolling blackouts in New York after 
electricity was restored.
    On August 28, the Secretary indefinitely extended operation 
of the cable to benefit the transmission systems of New York 
and New England. Direct communications were established with 
state energy offices and state governors, while the DOE Office 
of Congressional and Intergovernmental Affairs issued status 
reports to Congress and responded to inquiries. To keep the 
public informed, DOE issued an August 14 statement about then 
blackout, and immediately posted information on its Web site. 
The Office of Public Affairs responded to hundreds of media 
calls and interview requests. The Secretary conducted multiple 
TV interviews on August 15 to 18 to report progress. As power 
was restored, the Secretary worked with state and local 
officials to urge citizens in affected areas to restrain their 
energy use until systems stabilized.
    As you know, President Bush and Prime Minister Chretien 
established a joint U.S.-Canada task force to discover why the 
blackout occurred, how it spread, and to prevent a recurrence. 
The task force has been gathering and analyzing information on 
tens of thousands of events that occurred over 34,000 miles of 
transmission lines, and involved hundreds of generation 
stations, switching facilities and circuit protection devices. 
The investigation is being conducted through three separate, 
yet coordinated, working groups, electric system working group, 
the nuclear power group, and the security group. These groups, 
as Bob mentioned, are making progress. On September 12, the 
task force released the DTL time line of events that led to the 
blackout. This is an essential tool for reconstructing the 
events of August 14.
    In summary, coordination among the many entities involved 
in our energy infrastructure is essential to help us prevent 
energy outages and ensure quick response and recovery if one 
occurs. Our planning and coordination efforts prior to August 
2003 laid the groundwork for successful coordination after the 
blackout occurred. The time line released by the joint U.S.-
Canada task force will allow the working groups to move forward 
in uncovering the root causes of the blackout. We are putting 
the puzzle together and proceeding as quickly as possible 
without sacrificing accuracy.
    [The statement of Ms. Swink follows:]

                   PREPARED STATEMENT OF DENISE SWINK

    My name is Denise Swink. I am Acting Director and Deputy Director 
of the Office of Energy Assurance in the U.S. Department of Energy, a 
position I have held since March of this year. The Office of Energy 
Assurance is responsible for leading the Department of Energy's effort 
to ensure a secure and reliable flow of energy to America's homes, 
businesses, industries, and critical infrastructures. Energy assurance 
addresses a variety of potential threats including natural disasters, 
accidents, terrorism, aging assets, system reliability, and cascading 
failures involving related infrastructures. DOE's Office of Energy 
Assurance addresses these threats using several strategies: protection 
of energy systems, detecting problems quickly, mitigating the impact of 
a failure or attack, and recovering rapidly from damage. We work in 
close collaboration with the Department of Homeland Security (DHS) and 
in partnership with the energy industry, state and local governments, 
and other federal agencies. Because of the importance of energy 
assurance, my Office reports directly to the Deputy Secretary of 
Energy.
    The Office fulfills key federal responsibilities for energy 
assurance that date back to the origins of the Department of Energy. 
Selected legislative authorities include the Department of Energy 
Organization Act, the Federal Energy Administration Act of 1974, the 
Federal Power Act, the Public Utility Regulatory Policies Act of 1978, 
and the Robert T. Stafford Disaster Relief and Emergency Assistance 
Act. Many of these authorities address the powers and responsibilities 
of the Secretary of Energy during energy emergencies but some cover the 
broad responsibilities of the Secretary in ensuring that consumers have 
available an adequate and reliable supply of energy. The Office also 
fulfills federal responsibilities for securing and improving the energy 
infrastructure that are outlined in the President's National Strategy 
for Homeland Security and the President's National Energy Policy.
    The Office of Energy Assurance focuses on six priority areas that 
address these responsibilities and respond to the findings of leading 
studies of the reliability of the energy infrastructure conducted over 
the past seven years and vulnerability assessments conducted after 
September 11,2001. The six focus areas are: 1) Energy Emergency Support 
and Management, 2) State and Local Government Support, 3) Criticality 
of Energy Assets, 4) Enabling Partnerships, 5) Technology Development 
and Application, and 6) Policy and Analysis Support. These are all 
critical elements of developing a balanced approach to our immediate 
energy protection needs and our longer term energy assurance needs.
    The Nation's energy infrastructure is vast, complex, and highly 
interconnected. It encompasses a multitude of power plants, electric 
transmission and distribution lines, oil and gas production sites, 
pipelines, storage facilities, port facilities, information and control 
systems, and other assets that are integrated into our national energy 
system. This energy infrastructure is also the backbone for other 
critical infrastructures such as telecommunications, transportation, 
and banking and finance. In addition, there are a large number of 
entities that own, operate, finance, supply, control, build, regulate, 
monitor, and oversee our energy infrastructure. Eighty-five percent of 
the Nation's infrastructure is owned by the private sector. Regulation 
and oversight of energy production, generation, transportation, 
transmission, and use is governed by a host of federal agencies and 
states. As a result, a successful program in energy assurance must 
involve a collaborative approach that includes public-private 
partnerships to coordinate the various players and activities.
    Coordination and collaboration are central principles of our 
approach to energy assurance. President Bush stated that homeland 
security is a shared responsibility that requires a national strategy 
and compatible, mutually supporting state, local and private sector 
strategies. This approach was embodied in the National Strategy for 
Homeland Security. The Department of Energy has lead federal 
responsibility for working with the energy sector in protecting 
critical infrastructures and key assets, in collaboration with the 
Department of Homeland Security. Two additional strategies, the 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets, and the National Strategy to Secure 
Cyberspace, expound on this responsibility and direct the Department of 
Energy to develop and maintain collaborative relationships with state 
and local governments and energy industry participants.
    We work closely with the Department of Homeland Security, which 
leads, integrates, and coordinates critical infrastructure protection 
activities across the federal government. To aid this effort, DOE and 
DHS are in the process of developing a Memorandum of Agreement between 
the two agencies that will outline specific areas of collaboration and 
responsibilities. This encompasses critical infrastructure protection 
of physical and cyber assets, science and technology, and emergency 
response. We are also beginning to work with key parts of DHS, such as 
the Coast Guard and the Federal Emergency Management Agency (FEMA), to 
determine how best to coordinate our efforts. For example, in July we 
attended a meeting which included representatives of DOE, DHS, the 
Defense Intelligence Agency, and the National Institute of Standards 
and Technology to consider options for developing a collaborative 
National SCADA Program. This program would help improve the physical 
and cyber security of supervisory control and data acquisition (SCADA) 
systems, which are used in the energy sector to remotely control and 
manage the flow of electric power and fuels throughout the energy 
infrastructure.
    We also work with other federal agencies that have energy-related 
responsibilities. We work closely with the Department of 
Transportation's Office of Pipeline Safety to coordinate our respective 
efforts and identify areas for collaboration. We also coordinate with 
the Environmental Protection Agency (EPA) to avoid redundant efforts 
with petrochemical facilities. During the recent blackout, we assisted 
EPA in their review of Michigan's fuel waiver, which was ultimately 
granted. The waiver allowed the sale of 9 RVP gasoline in lieu of 7.8 
RVP gasoline, which created more available resources for the State of 
Michigan and thereby prevented a possible gasoline shortage. We also 
partnered with several federal agencies (including the Federal Energy 
Regulatory Commission (FERC)), state regulators, and industry to assess 
the implications of a loss of natural gas supply to certain regions of 
the country. This study will help government policymakers and the 
natural gas industry to reduce the industry's vulnerability to 
terrorism, operational disruptions, and natural disasters.
    Within the Department of Energy, we coordinate across a variety of 
offices:
         DOE's new Office of Electric Transmission and 
        Distribution on issues related to the electric grid, most 
        notably the recent blackout, which I will expand upon later;
         The Office of Security to improve the operations of 
        DOE's Emergency Operation Center.
         The Chief Information Officer on the development of a 
        joint facility to support continuity of operations;
         The Office of Energy Efficiency and Renewable Energy's 
        regional offices to support our meetings With state energy 
        offices;
         The Office of Fossil Energy on new technologies to 
        harden oil and gas pipelines;
         The Office of Science on visualization techniques 
        through their Advanced Scientific Computing Research Program; 
        and
         The Office of Independent Oversight and Performance 
        Assurance on cyber security protection.
    Collaboration with the private sector is critical to improving 
energy assurance. As part of the President's strategy, we have 
designated ``sector liaisons'' to work with the electricity and oil and 
gas sectors. These liaisons in turn employ ``sector coordinators'' who 
function as DOE's primary interfaces on energy infrastructure security 
issues. DOE's sector liaisons share information and discuss 
coordination mechanisms with the American Petroleum Institute (API), 
the American Gas Association (AGA), the Interstate Natural Gas 
Association of America (INGAA), the Gas Technology Institute (GTI), the 
National Propane Gas Association (NPRA), the Edison Electric Institute 
(EEl), the Electric Power Research Institute (EPRI), the National Rural 
Electric Cooperative Association (NRECA), the American Public Power 
Association (APPA), and the North American Electric Reliability Council 
(NERC). For example, we are participating in NERC's Critical 
Infrastructure Protection Advisory Group and have briefed them on our 
activities related to electric reliability and cyber protection. We 
have had similar discussions on our oil and gas activities with API, 
which serves as the sector coordinator for oil and gas. To help create 
a strong business case for security investment, we are also 
collaborating on potential studies with the Council on Competitiveness.
    States and local governments are also essential parts of energy 
assurance. They are responsible for emergency planning and response, 
and are the organizations that citizens turn to in times of crisis. We 
support a variety of state efforts to plan for, respond to, and 
mitigate actions that adversely affect the energy infrastructure and 
disrupt energy supplies. In the short time our program has been in 
existence, we have held several meetings with the National Association 
of State Energy Officials (NASEO), the National Governors Association 
(NGA), the National Association of Regulatory Utility Commissioners 
(NARUC), and the National Conference of State Legislatures (NCSL) to 
better understand how we can assist the states with emergency planning, 
emergency response tools, training and education, and elevating public 
awareness. We funded an NCSL study of energy security guidelines and 
options for state legislatures which was published in April 2003. We 
have additional efforts underway to develop model state guidelines for 
energy assurance plans and improved systems and procedures for multi-
state coordination.
There are several other types of coordination underway which deserve 
mention. First and foremost, we tap the excellent scientific and 
technical resources of our national laboratories to address energy 
assurance issues. DOE has already identified over 500 ongoing 
activities in the national laboratories related to the protection of 
our Nation's critical infrastructures. We have also initiated a 
Laboratory Coordinating Council, representing all our major 
laboratories, to coordinate capabilities and activities related to 
infrastructure protection that can help meet our energy assurance 
challenges. We are also working with several universities on physical 
and cyber security issues. As part of our technology assessment 
efforts, we engaged Carnegie Mellon University to characterize needs 
related to vulnerabilities in the electricity sector. We are also 
exploring opportunities with George Mason University's Critical 
Infrastructure Protection Project. Our program is utilizing the 
greatest repository of physical structure engineering expertise--the 
International Union of Operating Engineers (IUOE). DOE and IUOE have 
begun development of energy assurance training curricula for energy 
infrastructure stakeholder groups, with initial courses offered by the 
International Union of Operating Engineers.
    As the recent blackout demonstrated, our energy systems are 
interconnected with our North American neighbors. We cannot ignore the 
importance of coordinating energy assurance across our borders. 
Canada's electric grid is interconnected with the U.S. grid across our 
northern border and nearly all of Canada is an integral part of three 
of the ten NERC regions. As you know, we are currently working with 
Canada on the Task Force to investigate the cause of the blackout, 
which I will discuss in a moment. Although there are fewer electricity 
interconnections with Mexico, there are two small portions of Mexico 
that are also part of NERC regions. However, the United States also has 
bilateral agreements with Mexico under the Mexico-United States 
Critical Infrastructure Protection (CIP) Framework for Cooperation and 
the Smart Borders Initiative. In these, we agree to develop mechanisms 
for exchanging information on threats, sabotage and terrorist actions 
and provide coordination and cooperation in actions and measures to 
address detected vulnerabilities
    The present concern of this Committee is how coordination works 
when a critical infrastructure fails, such as in the August 2003 
blackout. I mention all these coordination efforts because I believe 
they provide the foundation for an effective national response for 
energy assurance.
    Our process for helping others prepare for emergencies includes 
several elements. First, each electric energy provider is required to 
file an Emergency Incident and Disturbance Report when a system 
disruption occurs that meets certain criteria. An initial report must 
be filed within one hour and a final report within 48 hours. This 
allows DOE to be aware of potential major electric energy problems. 
Second, we provide active support for two Information Sharing and 
Analysis Centers (ISACs): the Energy ISAC (for oil and gas) and the 
Electricity Sector ISAC (for electricity). These ISACs provide a 
mechanism by which the industry can share important information about 
vulnerabilities, threats, intrusions, and anomalies among energy 
companies and provides a mechanism to communicate with the government 
The energy ISACs also coordinates with other ISACs. For example, during 
the blackout the Electricity Sector ISAC was in communication with the 
Telecom ISAC to monitor how electric problems might affect 
telecommunications. Our Office is coordinating with the energy ISACs 
and providing some financial support for their operation. Third, DOE 
participates in the Federal Response Plan through Emergency Support 
Function #12, Energy Annex. In the Plan, which is prepared by DHS/FEMA, 
DOE is the lead organization to gather, assess, and share information 
on energy system damage and impacts during an emergency.
    Let me now review the events that took place immediately after the 
blackout occurred and explain how we coordinated within the Department, 
with other federal agencies, with the energy sector, and state and 
local governments.
    On August 14, the Department's Emergency Operations Center (EOC) 
was activated with all relevant staff gathering there. Assignments were 
made regarding monitoring, analysis and mitigation of impacts of the 
event. Schedules were developed for convening status briefings. Federal 
Energy Regulatory Commission, Nuclear Regulatory Commission and 
Department of Homeland Security had a continual presence with their 
staff, too. DOE had representatives at the DHS Watch Office and FEMA 
Control Center, too.
    The security of DOE's facilities was assessed, and it was 
determined that only the Brookhaven National Laboratory in New York was 
affected. For that facility, backup emergency power was available and 
increased security police personnel were called up and deployed. DOE's 
security activities were coordinated with the FBI, the National Joint 
Terrorist Task Force, and DHS.
    With respect to monitoring of the event unfolding, an open phone 
line was connected to NERC. Market impact assessments were made 
continually. Determinations were made on availability of diesel fuel 
for backup generators. Availability of additional backup generators was 
researched, and commitments for delivery if needed were obtained. 
Pipeline outages were assessed to determine if remedial actions were 
required. Production availability of refineries was determined, as were 
associated cascading impacts of disruptions. These monitoring and 
assessment activities led to DOE intervening to encourage more direct 
support by electric utilities for bringing petroleum refineries in Ohio 
back into production, and ultimately coordinating drive hour extension 
and fuel waivers for Michigan.
    On August 14, 2003, and only hours after the blackout occurred, the 
Secretary issued an order pursuant to his authority under section 
202(c) of the Federal Power Act, directing the New England and New York 
Independent System Operators to energize and operate the Cross-Sound 
Cable. The Secretary issued the order because he determined that an 
emergency existed and that issuance of the order would alleviate the 
emergency and serve the public interest. Before issuing the order, the 
Secretary had received the unanimous recommendation of the North 
American Electric Reliability Council, the New York Independent System 
Operator (NYISO), ISO New England, Inc. (NEISO), and electric utilities 
in both New York and Connecticut supporting issuance of an emergency 
order.
    The Cable was energized a short time after his order was issued. 
Within hours, it was delivering 300 MW of energy from Connecticut to 
Long Island and also providing valuable voltage support and 
stabilization services for the electric transmission systems in both 
New England and New York. It has been reported that operation of the 
Cable prevented rolling blackouts from occurring in New York in the 
hours immediately after electric service was restored.
    On August 28, the Secretary issued another order that extended 
indefinitely the period that the Cross-Sound Cable could be operated. 
The August 28 order also directs Cross-Sound to continue providing 
voltage support and stabilization services, which benefit the 
transmission systems of both New York and New England. The August 28 
order stated that "it has not yet been authoritatively determined what 
happened on August 14 to cause the transmission system to fail 
resulting in the power outage, or why the system was not able to stop 
the spread of the outage." Because these questions have not yet been 
answered, the appropriate responses obviously have not yet been 
identified or taken. Therefore, the Secretary determined that an 
emergency continues to exist and operation of the cable should continue 
to be authorized.
    With respect to State coordination, affected State Governors were 
contacted and an open communication process was established. Direct 
communications were established with State Energy Offices.
    Letters to Members of Congress were written with the most current 
status information, and staff within the Office of Congressional and 
Intergovernmental Affairs were made available for inquiries from 8 AM 
to 8 PM each day. DOE staff was available for visits to Members' 
offices on request.
    As part of the Department of Energy's response to the blackout of 
August 14, there were a number of public communications items. The 
Department issued a statement on August 14, coordinated by Deputy 
Secretary Kyle McSlarrow, noting that DOE had initiated its protocol 
for contingency situations. The statement noted that DOE was working 
with appropriate agencies including FERC, the Nuclear Regulatory 
Commission (NRC), FEMA, and DHS, as well as entities such as the North 
American Electric Reliability Council to assess the situation.
    The Department immediately updated its website by adding a special 
section on its homepage with information related to the blackout. For 
example, all statements released from the Department were highlighted, 
as was general information on transmission grids and frequently asked 
questions on electricity. Reporters and the public often found answers 
to their questions. More than one reporter who called DOE's Office of 
Public Affairs noted the usefulness of the website information.
    DOE's Office of Public Affairs answered hundreds of media calls and 
interview requests on August 14 and in the days following. An impromptu 
``blackout'' media e-mail list was created for quick access to these 
reporters. In addition, the Secretary of Energy conducted multiple TV 
interviews from August 15 to 18 to communicate with the public on 
progress being made to resolve the blackout.
    As power began to be restored, the Secretary of Energy issued a 
statement urging citizens of the areas affected by the blackout to use 
caution in energy use while the system was coming back on line. DOE 
worked with state and local officials on getting the message out that 
appliance use should be cut back until systems stabilized.
    Following the blackout on August 14, President Bush and Prime 
Minister Chretien established a Joint US-Canada Task Force to 
investigate the cause of the blackout, discover why it spread to such a 
large area, and determine ways to prevent any recurrence. Secretary 
Abraham and Canadian Minister of Natural Resources Herb Dhaliwal serve 
as Co-Chairs of that Task Force.
    In addition to Secretary Abraham, the U.S. members of the Task 
Force are Tom Ridge, Secretary of Homeland Security; Pat Wood, Chairman 
of the Federal Energy Regulatory Commission; and Nils Diaz, Chairman of 
the Nuclear Regulatory Commission. In addition to Minister Dhaliwal, 
the Canadian members are Deputy Prime Minister John Manley; Kenneth 
Vollman, Chairman of the National Energy Board; and Linda J. Keen, 
President and CEO of the Canadian Nuclear Safety Commission.
    The Task Force has an enormous job. From the first day, they've 
been in the field collecting and verifying vast amounts of detailed 
data from power generating plants, control facilities, utilities, and 
grid operators. In essence, they are busy gathering and analyzing 
information on tens of thousands of individual events that occurred 
over 34,000 miles of voltage transmission lines and involved hundreds 
of power generating units and thousands of substations, switching 
facilities, and circuit protection devices. The teams have been 
interviewing and collecting records on the numerous people, policies, 
and procedures that play a part in our complex power infrastructure.
    The investigation is being conducted through three separate yet 
coordinated working groups focused on the Electric System, Nuclear 
Power, and Security.
    The Electric System Working Group, led by experts at the Energy 
Department and the Federal Energy Regulatory Commission along with 
Natural Resources Canada, is focusing on the transmission 
infrastructure, its management, and its functioning.
    The Nuclear Power Working Group, managed by the Nuclear Regulatory 
Commission and the Canadian Nuclear Safety Commission, is examining the 
performance of nuclear plants in the affected area during the blackout.
    The Security Working Group, which is managed by the Department of 
Homeland Security and the Canadian government's Privy Council Office, 
is assessing the security aspects of the incident, including cyber 
security.
    The good news is that these groups are making real headway. On 
September 12, the Task Force released a detailed timeline of events 
that led up to the blackout. This timeline is an essential tool for 
reconstructing the events of August 14 so that we can successfully 
understand exactly what caused the blackout.
    The Electric System Working Group's assignment is challenging due 
to the sheer size and complexity of interrelationships among the 
diverse components of the electricity infrastructure. Recognizing the 
scope of this challenge, the Electric Systems Group has enlisted 
additional expert assistance. Technical experts with the Independent 
System Operators in the affected regions and with NERC are working with 
members of this group to determine how all the events are interrelated. 
They are also examining the procedures and control mechanisms that were 
designed to prevent a blackout from spreading from one area to another.
    The Consortium for Electric Reliability Technology Solutions 
(CERTS), which has broad expertise in transmission and power delivery 
issues, is also assisting with Working Group. This team includes some 
of the world's top authorities on power system dynamics, transmission 
engineering and reliability, grid configuration, wholesale power 
markets, and outage recovery.
    This group led the study of the 1996 blackout in the West and also 
helped DOE produce the comprehensive National Transmission Grid Study 
that recommended grid upgrades to meet transmission demands in the 2151 
century. Transmission experts from the Bonneville Power Administration 
are also providing technical assistance.
    The Security Working Group includes members from DHS, DOE, the 
National Security Agency, the United States Secret Service, the Federal 
Bureau of Investigation, and NERC. This group is examining whether a 
physical or cyber security breach contributed to the cause of the 
blackout.
    The Security Working Group is working with the other Task Force 
Working Groups; developing an inquiry plan that articulates a detailed 
timeline for review of data including forensics, and interviews of 
company representatives to better understand each company's cyber 
topology; and working to obtain the detailed supporting data that will 
allow the team to better understand what caused, did not cause, or may 
have contributed to the events of August 14.
    In summary, our vast energy infrastructure is built, managed, 
operated, regulated, and overseen by a large number of entities. 
Coordination among these stakeholders is essential to help prevent 
energy outages and ensure quick response and recovery if one occurs. 
The Department of Energy's planning and coordination efforts prior to 
the August 2003 blackout laid the groundwork for success coordination 
after the blackout occurred. The blackout time line released by the 
Joint US-Canada Task Force will allow the working groups to move 
forward in uncovering the root causes of the blackout. We are putting 
the puzzle together and proceeding as quickly as possible without 
sacrificing accuracy.

    Mr. Camp. Thank you very much. Thank you both for your 
testimony.
    Mr. Liscouski, I just have a couple of questions. I 
wondered what office or division played the lead role in 
responding to the events of August 2003, the blackout?
    Mr. Liscouski. Yes, sir. Within the context of DHS?
    Mr. Camp. Yes, within the context of DHS.
    Mr. Liscouski. The way the events unfolded, I would say the 
lead office was the IAIP office. We had the initial reports to 
our office about the blackout that enabled us to reach out to 
the private sector and to the sector at-large to get 
situational awareness around what was occurring. As soon as we 
were able to determine what did occur, we quickly coordinated 
with the other offices and directorates within DHS and the 
responsibility for that coordination moved over to the Homeland 
Security Operations Center.
    Mr. Camp. All right. Is that who also has the lead in 
assessing the causes of the outage and why? Or is that another 
part of the agency?
    Mr. Liscouski. No, sir. In the context of the Security 
Working Group, the Infrastructure Protection Office has the 
lead responsibility for that.
    Mr. Camp. I am interested in your thoughts on what would 
have happened if the power outage lasted longer. As you 
testified, there were a lot of other areas that were impacted. 
Clearly, airports had shut down, and even when some reopened 
with their generators, the Customs computers were down and 
flights were diverted to other cities. Water systems shut down 
and restaurants that were not even in the power outage area 
could not open because their water supply was not safe. Can you 
talk a little bit about what might have happened had it gone 
longer in terms of the impact on infrastructure and public 
health?
    Mr. Liscouski. Sure. In fact, we are in the process of 
doing the analysis right now. So at the top level, the 
assessment that I can provide to you is really based upon 
ongoing work. But I think it is fair to say that we had 
anticipated it. These types of events obviously occurred 
before, and we have a number of redundant systems in place, 
particularly in some of the critical areas such as 
telecommunications in which we are able to have redundancies 
that mitigate the effects of these longer-term types of 
outages.
    I think you correctly point out the implications on 
immediate food supply and the potential there of what the 
implications might be. Fortunately, with the modeling we are 
doing we saw nothing catastrophic. Clearly, there were elements 
that were impacted. As we saw, the exchanges opened up shortly 
thereafter. So I think the positive result of our analysis so 
far is that many of the systems worked the way they were 
intended to do, providing more redundant capabilities and power 
with generation capabilities that allowed the systems to come 
back on fairly quickly.
    Mr. Camp. The Homeland Security Act of 2002 transferred the 
Department of Energy's energy security and assurance functions 
to DHS. How well has that integration proceeded?
    Mr. Liscouski. The integration has been working very well. 
The capabilities that were transferred over to DHS from the 
Office of Energy Assurance really provided us a baseline 
capability off of which we have leveraged significantly our 
ability to conduct vulnerability assessments across all the 
critical infrastructure. So it has really allowed us to build 
the capability within DHS that, as I indicated, we have 
leveraged across all those infrastructures. We continue to 
build our partnership with the Department of Energy's Energy 
Assurance Office.
    Mr. Camp. So with respect to the blackout of August 2003, 
how is your assessment on how that integration worked with 
regard to that incident?
    Mr. Liscouski. Very well. I think our internal skill sets 
that came to us from the Energy Assurance Office worked very 
well in understanding exactly how we had to respond to it and 
what types of questions and expectations we had as we outage 
continued to unfold. But I would say it is important to 
recognize that the real strength of what we have done is really 
the combination of other resources that came to DHS as well. So 
I would argue that if we did not have the elements from NIPC 
come to DHS, the elements of the NCS that came to DHS and the 
cyber components that we would have had as a stand-alone 
effort, they would have probably been within the same range of 
capabilities that they had if they remained at DOE.
    But the combination of the resources we had among all of 
those elements between cyber and our ability to reach out to 
the sectors across sectors, really amplified our ability to 
respond and understand what was going on in those sectors and 
really put a plan forward. That was really the critical point 
here that I think in the past historically had not been within 
the capability. We didn't look at the event in a slice in time 
of the event occurring and that was all we were concerned 
about. The real advantage we had within DHS was the ability to 
keep one eye on that event and situational awareness to 
understand what was going on, but quickly also extrapolate from 
that event to how things may have progressed if in fact it were 
a terrorist event or how it might have been exploited if 
terrorists decided to take this as a target of opportunity, 
because we had people precisely looking at that going forward. 
That was a tremendous advantage which I would say did not exist 
before DHS came to be.
    Mr. Camp. Thank you very much.
    Mr. Sessions, you may inquire.
    Mr. Sessions. Thank you, Mr. Chairman.
    I appreciate both of you being here today. I would like to 
direct my question, if I could, to Director Swink.
    I know that the Energy and Commerce Committee has held any 
number of hearings concerning the blackout and what occurred. 
Today you are before the Homeland Security Select Committee. 
Are there lessons that we learned from this that you believe 
that together with the Department of Energy and Homeland 
Security that you believe we should learn as a recommendation 
from you that don't have to go through the processes of 
lawmaking and perhaps change things?
    In other words, do you see something that we need to know 
perhaps today or will you be issuing a report that will say, 
``Here is something that happened, we need to change this 
rather quickly, and here are our recommendations''? Are you 
prepared at all today to address that?
    Ms. Swink. Yes, if I could make some comment. Actually, our 
table top, lessons learned, hardcore evaluation was set in our 
emergency operations center for tomorrow morning, but we have 
activated it to respond to the issues with the hurricane, so we 
will have to postpone it some. But I can just say that, one, 
clearly a couple of the areas that I know, and I believe it is 
the same thing with DHS, one of them is that we have to get 
much better at having monitoring information readily available 
to government agencies, not intrusive, but the information so 
we are not always on the phone calling people to find out what 
is happening. We actually have some very good monitoring data 
available to us. And there are capabilities out there, and we 
will be exploring those. In addition to that the ability to, as 
Bob was talking about, run some scenario analyses based on 
that. We were very concerned about the refineries being down, 
especially the two in Ohio, and being able to have a capability 
that accurately helps us understand the product movement from 
those refineries, what their feedstock concerns are. I think we 
have a ways to go to develop that set of databases as well as 
the level of knowledge to do those scenarios. By the way, our 
notion is to make those tools available throughout the United 
States, available to state organizations and nonprofit 
organizations also.
    Mr. Sessions. Did part of your planning involve being 
notified by someone perhaps in Ohio, or on the actual site, to 
call someone to say, ``We have problems; we want you to know 
this is not a terrorist attack; we think we know what it is,'' 
or did you have to initiate that call? In other words, was this 
part of the scenario, where they provided information to you 
from their basis, or did you have to seek that information to 
find out what had occurred?
    Ms. Swink. It was actually a combination. In some cases, we 
received calls. In other cases, we needed to call. But one of 
the things in working with state organizations that we have 
over the past several months, the state energy offices, the 
regulatory utility commissions, the state legislators, we are 
all working on developing a nationwide system that is a 
communications system that can aid the states, but also aid 
federal agencies in the energy area.
    Mr. Sessions. From this member's perspective, I was very 
pleased. While I was not exactly aware of what was happening 
until probably they were in the midst of it, it looked 
organized. I believe that people came out very quickly and 
clearly and enunciated what we were looking at. I was very 
pleased to see up and down the line governors and other people 
who appeared to be working together, instead of pointing 
fingers, and were concerned about solving the problem. I must 
say that I felt like from the perspective of homeland security, 
I felt very good that Homeland Security, Department of Energy, 
as well as the White House at least were involved and active 
and seemed to have a handle on it.
    I yield back my time.
    Mr. Camp. Thank you.
    Ms. Sanchez may inquire.
    Ms. Loretta Sanchez of California. Thank you, Mr. Chairman.
    Mr. Secretary, on April 29 you briefed our subcommittee 
with respect to infrastructure and border security. In that 
slide, a PowerPoint presentation that you had, you outlined the 
department's goal to assess and compile a list of critical 
infrastructure vulnerabilities and to address 60 percent of the 
vulnerabilities in the list within 180 days. It has been four-
and-a-half months since that date. Can you tell me, does there 
exist a single document that comprehensively assesses the 
nation's critical infrastructure risks and serves as a guide 
for us and for you in our efforts and as far as the spending 
program? And if not, when do you think that document is going 
to be ready? And in light of the 180-day time frame you 
discussed in the briefing, what progress have you made in 
assessing and addressing the 60 percent of the vulnerabilities?
    Mr. Liscouski. Thank you for the question. Actually, it is 
a good news story from my point of view. We really have made a 
significant amount of progress in addressing a lot of those 
vulnerabilities. I just want to clarify one point about that 
briefing. We really focused on some of the more critical ones 
that were first categorized during the Operation Liberty 
Shield, if you recall correctly. When the Iraq war started, we 
created a list, and this was just before I started with DHS, to 
identify some of those things that we thought were most 
critical to protect during the course of the war. That was the 
list that we referred to during the course of that briefing.
    We have made some significant progress. I would be happy to 
share that with you in a written response downstream. But what 
we focused on were really a number of things during the course 
of that 180-day effort. As you recall, we were really focusing 
on how do we create DHS, you know, the IAIP director, the 
primary focus that I have been on all of a month, and we had to 
figure out what kind of business we were in. We were at war. We 
had a number of threats we had to respond to, and we had to 
build an organization. That was the primary focus, organizing 
ourselves around that war to really understand how we had to 
create an organization. And we have been moving out smartly on 
that.
    We have looked at a variety of the critical infrastructure 
sectors to determine what practices had to be put in place. We 
did the vulnerability assessments. So, madam, I would say we 
are on track with the goals we set in that document.
    Ms. Loretta Sanchez of California. So you are telling me 
that in a month and a half, we are going to have a list with 
all of the very critical infrastructure sectors and where that 
infrastructure is, and what type of protection we need to do 
for it, or how we are going to protect and what it is going to 
cost us, and a prioritization of that list so that we on this 
committee can figure out where we get the dollars and how we 
are going to do this over time?
    Mr. Liscouski. And I will shortly retire right after that, 
too. [Laughter.]
    No. In fact, I was really referring to the Liberty Shield 
list. The other work in progress, and this is really an 
continuous work in progress, is the assessment of all the 
critical infrastructure throughout the United States. I did not 
mean to mislead you to think that we would have all that 
categorized in the next month and a half. I would be surprised, 
frankly, if we had that done in the next 5 years. It is going 
to be an ongoing process. That is sort of peeling away the 
layers of the onion. The more you learn, the more you realize 
you do not know. Identifying the interdependencies among those 
critical infrastructures is also a body of work.
    So no, ma'am, I am sorry to say we are not going to have 
that list in that period of time, but clearly we will have our 
processes in place so we can begin to move. We are doing that 
work now, but that will be an ongoing process. I do not think 
that will ever end.
    Ms. Loretta Sanchez of California. What do you think are 
the most vulnerable infrastructure sectors and how do you make 
that determination? Do you do it asset by asset, regionally? 
Are you looking at it sector by sector? Can you give us some 
indication? I am sure you probably have this in writing 
somewhere and you will let us take a look at it.
    Mr. Liscouski. I think it is probably not fair to 
categorize one critical sector more vulnerable than another or 
more important than another. I think really there is a variety 
of contextual pieces here that have to be applied. The first 
is, what is the nature of the threat? The vulnerabilities 
really are contingent on the threat and your ability to negate 
those risks.
    So rather than getting into a discussion about what I 
believe is the most vulnerable, I think we look at those and 
all the priorities, and we have work around identifying all 
those critical infrastructures. From our point of view, the 
nexus of what we do is constantly looking at threat information 
and then mapping those threats into the vulnerabilities we have 
identified.
    At this point, we really are threat-driven. We are 
constantly turning over information we receive from the 
information analysis component and through the intelligence 
community. We are mapping those threats against what we have 
identified as those vulnerabilities. I think the end-state of 
where we would like to go is multi-pronged, from our point of 
view. We are trying to raise the bar across all the critical 
infrastructures and we want to get out of the threat-response 
mode and much more into the programmatic approach of saying we 
want to bake in good security processes across all critical 
infrastructure, irrespective of the threat so we really lower 
vulnerabilities across the board.
    Ms. Loretta Sanchez of California. I know my time is up, 
but I am a little concerned about the fact that you said you 
are really threat-driven, because I hope this committee is not 
threat-driven and therefore we are really looking for less 
critical infrastructure, less vulnerabilities and a risk 
analysis so that we can decide where to put investment. I hope 
it is not because today they told us they were going to hit us 
in New York and tomorrow they are going to hit us in Alabama.
    Mr. Liscouski. If I may respond, I think it is worth 
clarification, and that is, again I will just remind the 
committee of the obvious here, that we have only been in 
business for 6 months. We have to respond to those things which 
we really do understand are being driven by factors outside of 
our control. But where we want to go at an end- state is really 
have a full understanding of all our vulnerabilities, and be 
much more focused on the vulnerabilities and responding to the 
right remediation practices and best practices and not be 
threat-driven at this point.
    Mr. Camp. Thank you.
    Ms. Dunn may inquire.
    Ms. Dunn. Thank you very much, Mr. Chairman.
    Welcome back, Mr. Liscouski. I had one question for you, 
actually two questions for you.
    How effective were your interactions, do you believe, 
during this crisis in the Northeast? How effective was 
Department of Homeland Security in communicating with other 
agencies? What were your frustrations? What would you like to 
be able to do better and more quickly and more effectively?
    Mr. Liscouski. I think DHS responded very well and I think, 
you know, pridefully, because I was part of the process. I am 
not going to self-criticize too much, but I will be candid with 
you. I think we did a very good job communicating across 
federal sectors. I know our partners with DOE, as Ms. Swink 
pointed out, we had their members on our CAT team, on our 
Crisis Action Team. There were also at the Homeland Security 
Operations Center. So the benefit we have had was we did not 
have to establish communications with our federal partners 
during the event because we had ongoing communications with our 
federal partners prior to the event.
    So that is the type of success story that I think DHS can 
tell very well. It is a continuous process. I would just 
emphasize the fact that we think about these things all the 
time, irrespective of whether there is an event or not. We are 
always in the mode of identifying what do we have to worry 
about. Because of that, we are in constant contact. So whether 
it is with DOE or EPA or whoever it might be, we are constantly 
engaged.
    In terms of what we can improve better, there is always 
room for improvement. A continuous improvement process is what 
we are all about, particularly in a nascent organization such 
as DHS. So I think our own abilities to coordinate our 
processes, incorporating better technologies, as Denise pointed 
out, better visualization models, those things are process-
oriented, but I think they are opportunities for fixes for us.
    Ms. Dunn. This whole thing took place, and I had just given 
a speech a couple of days before on cybersecurity, 
cyberterrorism. One of the examples I used was how our power 
grid was linked into the Internet, and how it would be a target 
of vulnerability for terrorists. So 2 days later it happened, 
and I was watching with great interest as things happened on 
CNN. Very quickly, CNN came out and said that it was determined 
not to be a terrorist act. I am wondering, if you were involved 
in making that decision, how that decision was made and whether 
that is something that is still in flux and to be determined, 
or were we very quickly able to realize that it was not a 
terrorist act?
    Mr. Liscouski. I was a part of that process, but we relied 
heavily upon other partners in that process as well. The FBI, 
as you well know, and I think Larry Mefford testified last week 
about their involvement in that. So the combination between 
looking at the active investigation the FBI had ongoing, we did 
a very deep reach back as quickly as we could through our 
information analysis component, and through the intelligence 
community, to identify any previous or existing threats that 
may have been out there. We looked at that. But the combination 
of the lack of intelligence about this, which from the world we 
come from that is not the final say, but the lack of physical 
evidence and any other attributes that we could identify as 
being related to criminal activity or terrorist activity 
allowed us to conclude at the initial outset that there was no 
nexus of terrorism or criminal activity. But to your follow-on 
question, clearly the ongoing analysis of the cyber-data and 
other information is what we are still in the process of 
collecting and analyzing to determine that conclusively.
    Ms. Dunn. Dr. Swink, did you have any comment on that?
    Ms. Swink. The one comment on assessing the cyber area is 
that if you want to describe an area that has been working very 
well in a partnership, the DOE National Laboratory System has a 
lot of expertise in the cyber area, and we have been working 
very well under Bob's leadership of that working group.
    Ms. Dunn. Good to hear. Let me ask you another question, 
Ms. Swink. All of us realize that there are interdependencies 
within the energy sector, as well as across infrastructure 
sectors. I am especially interested and concerned in how an 
attack on one center, such as on the power grid, could have 
serious effects on other critical infrastructure, such as our 
transportation system and communications systems.
    Which interdependencies are the most vulnerable in your 
opinion? Are there hidden interdependencies that have not yet 
been focused on?
    Ms. Swink. The answer to the first question is that I don't 
think there is one that is most important. And to give you an 
example of answering the second part of your question, for the 
Olympics we did a table-top exercise in Salt Lake City for all 
of the infrastructures involved there, if there was a 
disruption there. And one of the things that came out that the 
telecommunications people had no understanding of was that they 
use a lot of water to cool their server stations. If the power 
went out in Salt Lake City, the availability of water pumped to 
their facilities to cool their facility would bring their 
server stations down.
    So I think what is important is for us to continue to work 
on these scenario analyses and work on regional exercises and 
table-top exercises, because that is where you become more 
intelligent and more understanding of what these 
interdependency and cascading effects can be.
    Ms. Dunn. Thank you very much.
    Thank you, Mr. Chairman.
    Mr. Camp. Thank you.
    Mr. Meek may inquire.
    Mr. Meek. Thank you, Mr. Chairman.
    It is good to be here at this committee today. I had some 
of the same questions as it relates to this, and we had a 
hearing just the other day in another subcommittee talking 
about power outage and what actually happened. I noticed, Mr. 
Secretary, in your testimony as it relates to the phone service 
was limited. I wanted to ask where did that come from? Where 
did that evidence come from as it relates to phone service 
being limited?
    Mr. Liscouski. I am sorry. I am not so sure if I understand 
the question.
    Mr. Meek. I am sorry. I was reading your written testimony 
when you also stated here today that it was power outages. 
Television was at a limited basis, and also the 
telecommunications services were limited. How were they 
limited?
    Mr. Liscouski. If I recall correctly, and I can give you a 
more accurate answer in a written statement because we have 
done a lot of work on this. I recall the telecommunications 
system limitations really, Mr. Meek, I have to apologize. My 
sense is that some of the cell towers were out, and if I recall 
correctly, and again, I have a lot of data on this. I am just 
drawing a blank on the specific answer.
    The things that we do in terms of assuring these services 
is what I can focus on with an immediate response in terms of 
the national communications system is particularly adept in 
working with the telecommunications industry to assure those 
services and assure that, as Ms. Swink pointed out earlier, 
that we have the appropriate fuel supplies going to the 
telecommunications providers for backup generators and things 
like that.
    The initial outage I believe was related to that coming 
online. Again, I have to apologize. I will get back to you with 
a written answer.
    Mr. Meek. No problem. It is just one statement that you 
made. It goes to my question when we had our hearing the other 
day talking about telecommunications, and how it relates to 
communicating with the public when these things happen. I did 
make you aware of a piece of legislation that myself and many 
other members of the Congress are pushing as it relates to the 
ready-call bill, to make sure that individuals know what is 
going on when it is happening.
    I can tell you, Ms. Dunn asked a question about how quickly 
we were able to excuse the issue of terrorist attack or an 
attack on our Internet capabilities or infrastructure, but I 
think it is important that we continue to push the private 
sector and also the public sector on the urgency. I am just 
kind of repeating myself yesterday, but since you are here 
today we have both agencies here. I think it is important that 
we remember that that is important while we are in somewhat 
calm waters. I know that there are going to be some task forces 
put together to make sure that that communicates from the 
private sector, and what homeland security has to do, what your 
agency has to do also towards moving us north. I look forward 
to working with you to that end.
    I am very, very interested as it relates to our 
telecommunication capability in the time of homeland attack or 
what could be a potential attack in any geographical area to be 
able to communicate with Americans as expeditiously as possible 
and to be able to give good information and good intelligence 
that can be shared commonly with the private sector.
    Mr. Chair, that completed my questions. Thank you.
    Mr. Camp. Thank you very much. The chairman of the full 
committee, Mr. Cox, may inquire.
    Mr. Cox. Thank you. I would like to welcome our witnesses 
again and add my gratitude to what you have heard from other 
members for your time and the help that you are providing this 
committee in our oversight.
    Mr. Liscouski, the Security Working Group is looking into a 
possible cyber-connection to the blackout. I take it that we 
use the words ``cyber-connection'' advisedly because we still 
want to include the small chance that there might be a bad 
actor, as well as simply mechanical or computer failure. Is 
that right?
    Mr. Liscouski. That is correct, sir.
    Mr. Cox. When do you expect that we will have an answer on 
that part of the investigation?
    Mr. Liscouski. I would like to report that it would be 
soon, but my fear is that it is going to take us quite sometime 
before we can come a conclusion.
    Mr. Cox. What does that mean? Ballpark?
    Mr. Liscouski. Probably several months. We are talking 
about 3 or 4 months, based upon the amount of data, which is 
really going to be dependent upon how focused we become on the 
initial root cause. Just at a top level, our process is really 
going to be geared at working with the electrical working group 
to identify root cause. Once we can identify the root cause of 
the issue, then we can begin to quickly look around at the 
surrounding causes that might be cyber- related.
    In a classic investigation, if we are capable of doing 
that, we can potentially reduce our timeframe for the analysis. 
But if we have to look across all different platforms outside 
just a specific root cause area, then we are talking about 
terabytes of data through which we have to do analysis. That Is 
extremely time consuming.
    Mr. Cox. In addition to the cyber aspects, is this Security 
Working Group also looking at other means of bad actor, for 
example detonation of explosions, causes for the accidents or 
causes for the blackout?
    Mr. Liscouski. Yes, sir, we are looking at that as a 
component of it. Fortunately, those are more visible signs, but 
there are other potential causes that might be more physically 
oriented that we are examining as well.
    Mr. Cox. At the time that the country was assured that this 
was not a terrorist attack, my understanding is that it was the 
Department of Homeland Security that for the United States 
Government shared that information through the media. Is that 
correct?
    Mr. Liscouski. I believe that is correct, sir. Yes.
    Mr. Cox. And was that by prearrangement, or was that just 
how it happened?
    Mr. Liscouski. I don't recall exactly how that transpired. 
I can certainly get back to you with the sequence of events.
    Mr. Cox. I raise it because, first, it seems to have 
worked. Second, if it was just serendipity as opposed to a 
plan, then we can probably add this the list of lessons learned 
and make it part of the plan for next time.
    Mr. Liscouski. Yes.
    Mr. Cox. I suspect that there probably was some, if not 
total, fore-ordination of this because otherwise everybody 
would be trying to elbow their way to the front. And obviously, 
the Department of Homeland Security was created for this 
purpose. But as you can imagine, on the public side it is 
vitally important that people have a clear answer from the USG. 
When we conducted TOPOFF II, we learned in an analogous way 
what happens when the Department of Energy was competing with 
the EPA about data concerning when the mayor can tell the 
public that the radiation is blowing your way or somebody 
else's way. We have to have somebody in charge. That was the 
lesson learned there. So from this real-life activity, it is 
very important that we recognize this seems to have worked. DHS 
took the lead role, and that should be institutionalized, if it 
isn't already.
    Mr. Liscouski. Yes, sir, if I may respond. The lack of 
conclusion I can provide you is my role during that course of 
the process was actively engaged and working with Secretary 
Ridge, and we were involved in the secure video teleconference 
with the FBI and CIA and State and the White House. During that 
discussion, we came to consensus on the determination. 
Unfortunately, I just wasn't present when the actual 
announcement was made.
    Mr. Cox. I understand, and I appreciate your undertaking to 
get that detail back to us. The two of you, or at least the 
departments that you represent, are working on an MOU. Is it 
the case that it is also you personally that are both working 
on this, or is it other people in the departments?
    Mr. Liscouski. No sir. It is our offices, I believe, in 
addition to our policy staff who are also working on agreements 
with DOE.
    Ms. Swink. We will cover the arrangements with the Science 
and Technology Office and the Emergency Response Office, too, 
but I believe that for this memorandum of agreement on critical 
infrastructure, the point will be Bob's office.
    Mr. Cox. And when do you expect the MOU will be completed?
    Mr. Liscouski. I would say it is ongoing, sir. I am not 
quite sure exactly what the time frame is going to be. What we 
are looking to do is looking at similar agreements we have to 
make with other agencies. Rather than just make one that we 
will have to make continuous adjustments for, our goal is to 
look at the commonalities for this agreement that would be 
applicable across all of the sectors.
    Mr. Cox. Ms. Swink, you testified that in real time you are 
also talking, for example, to NIST and DIA. Are you looking to 
execute parallel MOUs with them, or are you trying to roll that 
into the same agreement with the Department of Homeland 
Security?
    Ms. Swink. I know that our priority right now is to sort 
out the agreement with the Department of Homeland Security, and 
as Bob says, as much as possible create some model frameworks 
that all departments can look at with respect to developing 
that relationship. We have been sharing information actually 
for months on what should go into that type of agreement. As 
soon as that framework is there, there should be no reason at 
all that the other agencies don't become part of it.
    Mr. Cox. Thank you. My red light has gone on. I will just 
leave you with the question which is, Mr. Liscouski, the crisis 
action team that you set up in order to respond to the 
blackouts, which incorporated the infrastructure coordination 
division, national cyber-security division, protective security 
division and certain IA entities, was this ad hoc-ery or was 
this pre-planned? And to the extent that it worked, which you 
testified that it did, is it something that we are going to 
institutionalize?
    Mr. Liscouski. Yes, sir. It is an institutionalized 
capability. The Homeland Security Operations Center is the 
focal point for coordination for incidents. All of the elements 
of DHS are represented on the HSOC, as well as the are 
components of our sister agencies who have response 
capabilities and proactive responsibilities as well. This is 
already institutionalized.
    If I may, sir, just make one clarification with respect to 
MOUs. DHS, DOE, the other agencies with whom we work do not 
require an MOU to work going forward. There are all sorts of 
responsibilities for things that we have a very good 
understanding in terms of how we do work together. That is why 
the only clarification in terms of needing an MOU, our concern 
is, not concern, but working forward with other federal 
agencies. We believe we have a very good role and understanding 
based upon the Homeland Security Act and how DHS was formulated 
in the first place.
    Mr. Cox. Thank you.
    Thank you, Mr. Chairman.
    Mr. Camp. Thank you very much.
    Mr. Lucas may inquire.
    Mr. Lucas. Thank you, Mr. Chairman.
    Mr. Secretary, in my district in Kentucky it has been 
ascertained that about 85 percent of our potential targets are 
in the private sector, like chemical plants and materials 
handling companies and things like that. Of course, they are in 
business to make a profit. They look to the bottom line. In 
your view, do you think that DHS relies too heavily on the 
voluntary private sector action to improve their infrastructure 
protection?
    Mr. Liscouski. No, sir, I don't. I believe appropriately 
the private sector needs guidance and needs to understand what 
the best practices are in the context of the threats that they 
face today. I do not believe the voluntary approach in the 
private sector is the inappropriate approach. Coming out of the 
private sector, I can tell you that it is something was always 
in the front of the minds of the corporations that I worked 
for. We did not need to be told necessarily how to do our work, 
but in the context of understanding the behaviors we needed to 
apply about what our responsibility was, was something we would 
engage with, and we consistently engaged with with the federal 
government. No, I believe the voluntary approach is the right 
approach.
    Mr. Lucas. Thank you. I relinquish the balance of my time.
    Mr. Camp. Thank you.
    Mr. Weldon may inquire.
    Mr. Weldon. Thank you, Mr. Chairman.
    As my colleagues know, I come at these issues from the 
security standpoint of the Armed Services Committee and threats 
to our security.
    Mr. Liscouski, you mention in your testimony that we are 
focusing on the issue to ensure that we can anticipate effects 
and prioritize our efforts based on the bigger picture, not 
just reacting to what is easily and immediately observed. 
Apparently, this blackout that we just experienced was caused 
by accidental incidents. We are putting into place processes to 
protect us from additional accidental incidents. But a 
terrorist is not going to rely on that kind of capability, and 
my own feeling is that we are, if not totally, just about 
totally vulnerable to what I think is the biggest threat to 
both our power grid and to our information technology 
capability and our way of life.
    I do not think we are prepared, and I am going to ask each 
of you to respond very specifically, in your agency, who has 
the responsibility to develop plans for us against what other 
nations have been planning to deliberately do if a nuclear war 
were to start? I am familiar with Russian nuclear doctrine. 
Their first attempt at attacking us would be to lay down an EMP 
burst off of our coast with a nuclear weapon that would not 
hurt one person, but would fry all of our electronic 
components, including our electrical grid system. It would shut 
down America, including our vehicles, that have chips in them 
that would stop on the roads.
    Now, we tested this capability in 1962 when we did four 
tests at the Kwajalein Atoll in the Pacific. We were startled 
that within 800 miles everything was shut down, streetlights. 
We stopped cars dead in their tracks, and we fried the major 
electronic components of our telephone system. We did those 
tests in 1962. That is not classified. That has been reported 
in the media, and in fact it was just in a book put out by Dan 
Verton called ``The Black Ice.''
    In 1999, we in the House held hearings on this phenomenon, 
not because of 9-11, but because we knew of the implications. 
Directed energy has become the weapon of choice for the future 
for nations that want to bring us down or harm us. We are doing 
research ourselves, and so are other countries on directed 
energy, let alone the EMP phenomenon. Who specifically and what 
department of both of your agencies has assessed and is 
responsible for protecting America from the standpoint of 
electromagnetic pulse lay-down and directed energy threats? 
Each of you.
    Ms. Swink. I will have to supply a more expanded answer for 
the record to get the level of detail that you are requesting. 
I will say that the DOE national laboratory system has been 
doing evaluations over the past year or more on the 
implications of EMP on SCADA systems themselves, supervisory 
control analysis data acquisition systems. At this point in 
time, there is a high concern for vulnerabilities, serious 
vulnerabilities. But with respect to exactly where in the 
department the leadership is for it, I will have to find that 
out for you.
    Mr. Weldon. Mr. Liscouski?
    Mr. Liscouski. Mr. Weldon, in the context of Homeland 
Security, we have been studying this effort. I know there is an 
EMP commission. Our NCS, national communication system, has 
been working with the commission to study the effects. I am 
looking at some of the notes with respect to that. Modeling has 
been done with lightning strikes as a small- scale in 
understanding the implications of that. I know this is a big 
threat. We are taking it seriously. We are working with the 
commission to understand the effects of it. Our S&T 
organization is one that we have working with as well. So, no 
question, sir, it is a big problem.
    Mr. Weldon. My problem is, Mr. Chairman, it is not 
mentioned in any of the testimony. The EMP Commission to which 
I assume you are referring is actually a congressional 
commission that we created.
    Mr. Liscouski. Yes, sir.
    Mr. Weldon. It is not a commission established by Homeland 
Security or the Energy Department.
    Mr. Liscouski. Yes, sir.
    Mr. Weldon. The executive director of the commission is 
sitting in the room and he has had no contact with either of 
your agencies. To me, that is an indictment if we are 
supposedly preparing this country for what we call not just 
what is easily and immediately observed, but the bigger 
picture.
    There is no more, no more threat to our security and our 
quality of life than a terrorist using electro-magnetic pulse, 
which we now have 10 countries that have nuclear capability. We 
are talking about low-yield weapons that would not harm one 
person. We detonate it in the atmosphere and we know 70 
countries have missiles that could launch such a capability off 
of our coast.
    We have tested this capability. We know what it does. My 
own feeling, Mr. Chairman and members of the full committee, is 
that we are not taking this issue seriously. We have no 
hardening of any of our systems in the country except for our 
ICBM system. That is the only hardening we have. I just think 
we have to start to raise the awareness. I congratulate the 
Congress, both sides, for establishing the EMP Commission. I 
introduced the executive director, Peter Prye, former CIA agent 
who is in the room. I would just say that I would think this 
distinguished panel ought to have more involvement with the 
agencies that are responsible for protecting us against the 
worst threats to our security.
    Thank you.
    Mr. Camp. Thank you.
    Mr. Dicks may inquire.
    Mr. Dicks. Thank you, Mr. Chairman. I want to go back to 
this question about how we are doing our threat assessment, how 
we are cataloguing critical infrastructure. What is the 
responsibility of the states? Are the states asked to do a plan 
of critical infrastructure in their state, on a state-by-state 
basis? It seems to me, if we haven't approached this problem 
yet, which I think we should, that that might not be a bad way 
to do it. I mean, to come up with some criteria--here is what 
is important--and have the states fill it out, so they can give 
you their perspective of what is critical infrastructure in 
their states.
    What is wrong with that? Or is it being done?
    Mr. Liscouski. Sir, in fact we are working very closely 
with the states. To your point earlier, or actually to Mr. 
Lucas's point, with respect to critical infrastructure being 
owned 85 percent within the private sector, 100 percent of it 
is in at the local level. The state and local governments with 
whom we work very closely are obviously responsible for helping 
us protect that and taking the lead in many ways in protecting 
that.
    So we work very closely with them, and we have set up ways 
to begin. Again, this is a beginning effort. We recognize that 
this is clearly the beginning stages of DHS to develop this 
capability. But we are working with state and locals to develop 
training capabilities and to build their capacity to conduct 
vulnerability assessments at the local level. This is not about 
DHS conducting vulnerability assessments for every single piece 
of critical infrastructure across the United States. We need 
our state and local partners. So to your point, sir, we are 
aggressively moving out on that.
    Mr. Dicks. Well, it seems to me, and maybe we will have to 
legislate this, but somehow getting the states to do a plan 
which would include the assessment seems to be a very 
fundamental way to start, and the states have the joint 
terrorism task forces. They have the heads of the National 
Guard. The governors have their people who are working on these 
issues. It just seems to me that if we gave them a modest 
amount of resources and said do a plan for how you are going to 
handle critical infrastructure, and then work with your 
department, we might make some real progress and it would not 
take nearly as long. I think the state people know what is 
critical in their state, maybe even a little bit better that 
the feds do.
    Mr. Liscouski. Sir, I may not have been clear. I wanted to 
articulate we are exactly doing that.
    Mr. Dicks. Okay, you are doing it?
    Mr. Liscouski. Yes, sir.
    Mr. Dicks. Okay. Well, that is good. When do you think you 
will have these plans in place?
    Mr. Liscouski. Yes, sir, as I indicated, with our nascent 
effort. We are doing a couple of things, with building our 
organization and staffing up, as well as providing the 
capabilities out to the field. We are training state and local 
police agencies, law enforcement entities, on how to conduct 
vulnerability assessments, what the expectations are, basic 
standards and methods and how to do these things. This is an 
ongoing process.
    Mr. Dicks. As you think about this, we have had hurricanes. 
We have had blackouts. These almost became like an exercise for 
DHS, for the department, the federal government, and FEMA. 
These things come along from time to time. In some cases, the 
catastrophic events are in some ways what would be very similar 
to what would happen in a terrorist attack. So it seems to me 
that maybe you take these events as they come along and it 
gives you a good chance to train your people, to really be 
prepared and to lay out your game plan for how you are going to 
deal with any catastrophic event. Obviously, we hope we will 
not have terrorist events, but at least it gives you some 
ability to train. Would you agree with that?
    Mr. Liscouski. Absolutely, sir. I do.
    Mr. Dicks. We know we are going to have these kind of 
events. There is no way around it.
    My staff tells me that California and New York have already 
done their plans, but DHS has not asked for them. Is that 
accurate?
    Mr. Liscouski. I don't believe so, sir. In fact, we are 
working closely with them.
    Mr. Dicks. Why don't you check that out.
    Mr. Liscouski. I would be happy to.
    Mr. Dicks. Ms. Swink, I have a question for you. This is a 
parochial matter. I hope my colleagues will forgive me just for 
a moment. I have been working for a number of years in the 
State of Washington on a project called HAMMER. This is not 
named after the majority leader, by the way.
    [Laughter.]
    This is called the Hazardous Materials Management and 
Emergency Response Training and Education Center. This is a 
place where we do a lot of training. I understand that you are 
getting this turned over to you. Is that right?
    Ms. Swink. That is correct.
    Mr. Dicks. I just hope you will take a very close look at 
this facility. I think for training first responders, National 
Guard, homeland security, this is an ideal facility. I just 
hope you will take a good close look at it.
    Ms. Swink. Mr. Dicks, I have been out and spent a couple of 
days at the HAMMER facility. It is an incredible asset, 
certainly, for what the Department of Energy sees needs to be 
done in the energy assurance area, but across the board. DHS 
actually has a border station there now. It is a major large 
prop training facility for which I think is going to be a 
tremendous asset.
    Mr. Dicks. My time has run out, but I will do like the 
chairman did and leave you with one parting thought. I do not 
think that voluntarism is going to work. I think you are going 
to have to have some guidelines and some direction to the 
private sector.
    Thank you.
    Mr. Camp. Thank you.
    Ms. Jackson-Lee may inquire.
    Ms. Jackson-Lee of Texas. I would like to pursue a line of 
questioning with the Assistant Secretary for Infrastructure 
Protection. We had this line of questioning the day before 
yesterday about the assessments being made on the blackout. Is 
this the time for the report or are we still embargoed?
    I think the question I was pursuing is what we have been 
able to determine by study and research on what happened and 
how you determined that it was not certainly a terrorist act, 
but it certainly was an infrastructure problem which can be 
equally disconcerting in light of the fact that out of that, 
horrible incidences can occur. So you delayed me in your 
response, and I am trying to find out now if this is the time 
or are we still doing the research?
    Mr. Liscouski. No, ma'am. In fact, I mentioned earlier we 
are in the process still of doing the analysis. This report is 
not going to be provided by the task force for a couple more 
months yet. I am afraid I cannot share the conclusions with 
you. We just don't have conclusions at this point.
    Ms. Jackson-Lee of Texas. When you say a couple of months, 
why don't you just project for me a basic timeframe on that.
    Mr. Liscouski. Ma'am, I am afraid I am not in charge of the 
time line for the publication of the report. I am contributing 
to the report to the task force. I would have to defer that to 
the task force leadership.
    Ms. Jackson-Lee of Texas. So you think, however, it is a 
couple of months?
    Mr. Liscouski. Yes, ma'am. I can tell you earlier Chairman 
Cox asked me about the analysis we are doing. The analysis we 
are conducting for the cyber investigation is quite involved 
and potentially may be even longer than that.
    Ms. Jackson-Lee of Texas. Let me try to find out the status 
of the DHS developing a comprehensive CIP risk assessment. Can 
you let us know where you are in doing that? And in your 
opinion, which of our critical infrastructure sectors pose the 
greatest national security concern?
    Mr. Liscouski. Yes, ma'am. In fact, since we started this 
effort with DHS back in March, as you know, we have been 
building the organization and simultaneously responding to 
threats posed to us by the Iraq war as our first order of 
business. The team did a great job in preparing protection 
plans to respond to the threats that were posed to us by the 
Iraq war, and then subsequently went on to the next effort of 
categorizing and identifying the critical sectors and the 
critical assets as part of our infrastructure protection plan.
    That is an ongoing body of work. If we do this right, we 
will never be completed with it because if we are successful we 
will continue to identify the interdependencies of the critical 
infrastructure to uncover additional vulnerabilities. We are 
going to refine it. We have begun. As I have indicated, I have 
developed the capability to comprehensively begin this effort. 
We have begun the effort in earnest. I just will caution you 
that this is a very complex issue, one which DHS will be 
engaged with as federal partners and state and local and 
territorial partners for quite some time. So there will be no 
time line in which we will say we are finished. And in 
responding to the question concerning which are the most 
critical, I think you asked?
    Ms. Jackson-Lee of Texas. Yes.
    Mr. Liscouski. Again, it is in the context of we look at 
all 13 critical infrastructure components in the five key asset 
areas as they have been identified by the Homeland Security Act 
as just that, as critical. And really, we really look at them 
in the context of right now which are the most threatened, and 
we have a perspective on that, and we are continually culling 
the intelligence community for current threat information to 
identify those which require particular attention right now, as 
we are building capabilities. As you know, this critical 
infrastructure has been in the United States for quite some 
time, and we have never had a comprehensive look at protection 
of critical infrastructure as we have today with DHS.
    So if the expectation is we will do this quickly, then we 
will not do it well. But I argue that we are really trying to 
take a very comprehensive look to put as many good security 
practices out there that are cost-effective, that are 
measurable and implementable by all aspects, not just the 
private sector, but by state and local governments as well.
    This is an extremely complex issue. As DHS matures in its 
organization, when we are fully staffed over the next couple of 
years and develop our capabilities, I would be happy to get 
back to you with that answer. We are peeling this onion back 
and it is becoming more complex.
    Ms. Jackson-Lee of Texas. I do understand that. Let me just 
say, it looks like the light went from green to red. Is there a 
problem there? Let me just say, if you would, Mr. Chairman, 
because I was looking for the middle light there, and it did 
not light up, so I would ask you indulgence.
    Mr. Camp. Why don't you just proceed? Thank you.
    Ms. Jackson-Lee of Texas. I would appreciate it very much, 
Mr. Chairman.
    Let me just say, there are a number of colleagues on this 
panel that are from New York, and I do want to express my 
admiration for New Yorkers in the tragedy of 9-11, and 
certainly they were very fortunate in the instance of the 
blackout. The television showed us tens of thousands of New 
Yorkers who had to walk across the Brooklyn Bridge to end their 
workday, and many other places and cities on that grid were 
experiencing the same. We can congratulate the people and the 
leadership of that area, but I would just emphasize the urgency 
of being able to respond more quickly than it seems that there 
might be an effort to do. I think this hearing is to emphasize 
the urgency. We have some serious concerns.
    I end on the question of whether or not you are even 
looking at the individuals who can contribute to the 
vulnerabilities. I mentioned this yesterday. The young people, 
individuals at home can contribute to the vulnerabilities of 
cybersecurity. Because of that, because there is so much access 
to the cyberworld, to the Internet, it is I think imperative 
that we have sense of urgency and that we realize that any day 
something could happen that could be a catastrophe. I would 
hope that we would be able to have you before our committee 
again responding to the sense of urgency that I have just 
enunciated.
    Mr. Liscouski. May I respond? I would like to articulate 
that DHS clearly does have a sense of urgency about what we are 
doing. And if I have given you any indication that we don't, I 
apologize, because we are acting in an urgent way all of the 
time. We are continuously working at the most urgent 
requirements that we have. As I indicated yesterday, outreach 
and awareness program at all levels of government and the 
private sector and the civilian sector are clearly within our 
focus. I agree with you 100 percent that we have to educate all 
citizens of this country to what they can contribute to the 
effort to protect our homeland. Everyone here does have a 
responsibility for that. That is exactly the message we are 
trying to put out there. So I appreciate your support in that.
    Mr. Camp. Thank you.
    Ms. Slaughter may inquire.
    Ms. Slaughter. Thank you, Chairman Camp.
    One of the question, if I heard you respond correctly to 
Ms. Lee, was that you are not yet fully staffed in order to get 
the CIP finished. Is that correct?
    Mr. Liscouski. Ma'am, we are staffing as we speak. We are 
in the process of recruiting the best talent that we can. Part 
of that effort requires reaching out to the private sector 
where we can do that, and that requires us to get security 
clearances.
    Ms. Slaughter. How many professionals do you have now?
    Mr. Liscouski. To give you a ball park, in my office alone 
I believe we are probably in the number of around 200 and some-
odd folks.
    Ms. Slaughter. How many do you need?
    Mr. Liscouski. Correct me if I am wrong. I would have to go 
back to an exact number, I think what we are staffing up for in 
fiscal year 2004 is, within the Infrastructure Protection 
Office, approximately roughly 450 to 500 people.
    Ms. Slaughter. So you are only about half way there?
    Mr. Liscouski. For fiscal year 2003 we are pretty much on 
target. We are moving right along.
    Ms. Slaughter. Do the people that you hire already 
understand their own sectors and have the technical expertise 
in exactly what you need?
    Mr. Liscouski. That is precisely what we are hiring. It is 
technical expertise in those sectors, ma'am, yes.
    Ms. Slaughter. That is really disconcerting. I am 
disappointed that more than a month later we still don't know 
what happened on the power failure, just as I am disappointed 
that 2 years later we still don't know who mailed the anthrax. 
But let me just say something about pre-blackout. I was at 
Niagara Falls when this occurred. The first thing that we heard 
was that there had been a lightning strike at Niagara Falls. It 
was the most beautiful day we had all summer. But most of the 
events I would bet that contributed to it, occurred from noon 
to about 4:13 p.m. I think that is about the time our cell 
phones all went out, in any case. The generation and the 
transmission and the operating events all went down effective 
later in the day. The investigators I think are looking at what 
happened from 8 a.m. on that day, but we have not yet gotten 
any information on that. Is your office at all interested in 
that? Are you looking at that?
    Mr. Liscouski. Ma'am, as part of the Security Working Group 
we are looking at all aspects. We are working very closely with 
our other working group partners, sharing information. So we 
are interested in all aspects of the power outage.
    Ms. Slaughter. What concerns me is what Sheila Jackson-Lee 
had said. It could happen again any day, and the fact that we 
don't know why it happened on August 14 is very troubling to 
this point. Since the country seems to be willing to spend 
anything, do anything, go anywhere, the fact that we are still 
at this point, so to speak, in the dark I think is really quite 
troubling. We all understand that the grid had probably been 
neglected.
    As a matter of fact, according to the Brookings 
Institution, the Bush administration ignores the major critical 
infrastructure in the private sector. In testimony before the 
committees on September 4, 2003, a witness from Brookings gave 
DHS ``not a passing grade'' on critical infrastructure 
protection. That was September 4, right after the blackout. At 
a recent Council on Foreign Relations homeland security event, 
former senior national security officials and senior state-
level homeland security officials were asked to grade DHS on 
critical infrastructure protection, and the grades ranged from 
a D to a gentleman's C to another D to absent.
    I wonder if you would care to respond to what appears to be 
a very negative assessment of what is going on at DHS and if 
you feel that part of that is because you are not yet staffed 
up or what are the problems.
    Mr. Liscouski. Yes, I would be happy to respond to it. 
Without knowing the specifics of those criticisms, I will just 
respond in a general way as well. I think perhaps there may be 
a lack of understanding of how complex this problem really is. 
I don't think anybody has ever done this before in the context 
of the federal government, or anywhere, frankly, at the 
magnitude that DHS is doing that.
    So we accept if there are valid, and there clearly are I am 
sure valid criticisms out there. We would like to learn how to 
do this better and we welcome those opportunities to learn how 
to do that better. You will find my management style is not one 
of arrogance or suggesting we know how to do it. In fact, if 
anything, we are looking to steal the best ideas from anybody 
that wants to tell us how to do these things so we can get the 
job done a lot better, and we are moving aggressively to do 
that.
    And if we are at a C or a D right now, well, I am not 
suggesting I agree with that, but I would also suggest that we 
are doing a lot of work and we do need to do a lot more. I 
don't deny that for a moment.
    Ms. Slaughter. I have a lot of friends in the utility 
business who would like to give you some ideas on what they 
think.
    Mr. Liscouski. I would be happy to hear from them.
    Ms. Slaughter. They believe very strongly that the 
deregulation of electricity which required them to go out of 
generation of energy, and the fact that the people who were 
responsible for transmission lines did not keep them up and 
there was no incentive for them to do so, or actually were not 
told to do it specifically, which means to me that if we had it 
once, we are very likely to have it again.
    Mr. Liscouski. If I could just respond to that. That really 
sounds like a regulation issue and DHS is not a regulatory 
authority.
    Ms. Slaughter. I understand that, but nonetheless if you 
said you want to learn all aspects of it and find out what you 
think happened, that might be something that you might also 
have to look into.
    Mr. Liscouski. Thank you.
    Ms. Slaughter. Thank you.
    Mr. Camp. Thank you.
    Ms. Christian-Christensen may inquire.
    Mrs. Christensen. Thank you, Mr. Chairman.
    Welcome back, Mr. Assistant Secretary. Welcome, Ms. Swink. 
I thank you, Mr. Liscouski, for remembering not only the 
states, but the territorial people in your comments.
    Sorry for being late, but I did have a chance to look 
through your written testimonies. Assistant Secretary, I was 
impressed with the part of your testimony that talks about the 
DHS's responses that you described to the August 14 blackout. 
How much of that response happened just because the people on 
the ground knew what they were doing, or the people involved 
knew what they were doing from past experience? And how much do 
you think happened because there is a Department of Homeland 
Security? In other words, could we have done just as well in 
responding without the department being there? Do you 
understand the question?
    Mr. Liscouski. Yes, ma'am.
    Mrs. Christensen. How much of the response was really 
because we have an IAIP and a DHS?
    Mr. Liscouski. I would say it is all because we have IAIP. 
But practically speaking, and without being too glib, I do 
attribute our ability to respond well is because DHS does 
exist. The function that IAIP represented was a good 
coordination point, as I described earlier in how events 
unfolded and what role IAIP played in that. Initially, as the 
blackout was becoming known to the community at large and came 
to our attention, IAIP coordinated with the sectors, the 
private sector, our federal partners, DOE, to determine exactly 
what was going on. We were able to do that fairly quickly, 
within an hour and actually even less, to understand what 
events were occurring and provide that information to the 
Secretary and subsequently to the White House very quickly to 
understand situational awareness.
    The real discriminator in terms of what IAIP has provided 
to this effort that would not have existed if DHS not around 
was really the ability to look forward to the next step. I 
think clearly the capacity that DOE has and the experience that 
the folks have there, I readily admit that they would be able 
to adequately and ably handle this type of event. They are a 
tremendously experienced and talented group of professionals. 
But the distinction there is the fact that looking at the next 
event, in the context of without knowing if this was a 
terrorist event, and even with knowing that it was a terrorist 
event, DHS's responsibility was to look at what the next steps 
might be and how this event, how the blackout might have been 
exploited by terrorists or those who might have used this as an 
opportunity to conduct some sort of act.
    We immediately progressed to that next level of thinking. 
The staff that I have working for me get paid to do that. We 
have scenarios based upon cyber events and electrical events, 
and other types of outages that we would say, okay, how could 
these events be exploited by terrorist groups? What do we know 
about the intelligence function? We were able to answer those 
questions and quickly put plans in place to prepare in the 
event that those scenarios were carried out. I think that is an 
incredible unique opportunity that the federal government has 
and that the American public has available to them by the 
creation of the DHS.
    Mrs. Christensen. Okay. You partly answered my next 
question, so I will ask a question to Ms. Swink. Moving to more 
information, technology dependent, and I hope this question was 
not asked already, smart grid is among the leading proposals to 
improve the capacity and reliability of the power grid. This 
would include replacing electro-mechanical switches with 
digital ones, and introducing real-time computer monitoring of 
the power lines. Would such changes increase the cyber-
vulnerabilities of the power grid? If so, how should we balance 
the increase vulnerability with increased power grid 
performance and reliability?
    Ms. Swink. With business as usual, I would say that it 
would increase the vulnerabilities. But because of a lot of 
good work being done in the government labs, as well as the 
private sector, a much better understanding of how those new 
systems and devices need to be designed with authentication 
procedures, cryptography, immediate recognition of assaults by 
viruses, et cetera, we are well on the way of having the tools 
and mechanisms to build that system so that it is responsive 
and not vulnerable.
    Mrs. Christensen. So you think that because we are much 
more aware of some of the vulnerabilities, we will be able to 
address some of what might have otherwise been increased 
vulnerabilities?
    Ms. Swink. Yes.
    Mrs. Christensen. Okay. I guess I could ask this to either 
one. Well, my time is up. I will wait for the next panel.
    Thank you, Mr. Chairman.
    Mr. Camp. Thank you.
    As this is a joint hearing held with the Cyber 
Subcommittee, I will turn the gavel over now to Congressman 
Sessions.
    I want to thank both of you for your attendance here today 
and for your very insightful testimony, and I appreciate your 
being here. We will move to our second panel. I want to thank 
you again.
    Again, I will turn the panel over to Congressman Sessions. 
This is a joint hearing with the cyber subcommittee, and he 
will chair this second panel in today's joint hearing.
    Mr. Sessions. [Presiding.] I thank the gentleman.
    Local governments are responsible for coordinating the 
states's response to a wide range of emergencies and disasters, 
both natural and manmade. Local law enforcement, fire, public 
works and emergency medical agencies and personnel are being 
trained in how to properly respond to potential terrorist 
incidents. The blackouts tested the training and response 
capabilities of our first responders.
    Colonel McDaniel is here today before us and he will 
provide an overview of the events that occurred in Michigan 
during the blackout. Also today we have Mr. Robert Dacey, 
Director of Information Security Issues for the Government 
Accounting Office. GAO has made numerous recommendations over 
the last few years related to information-sharing functions 
that have been transferred to the Department of Homeland 
Security.
    One significant area concerns the federal government's 
critical infrastructure protection efforts, which has been 
focused on the sharing of information on incidents, threats and 
vulnerabilities and the providing of warnings related to 
critical infrastructures both within the federal government and 
between the federal government and state and local governments 
and the private sector. Today, we are prepared to hear from Mr. 
Dacey, and he will offer recommendations for strengthening the 
information-sharing and other critical infrastructure 
protection capabilities.
    At this time, I would like to begin with Colonel Michael 
McDaniel from the State of Michigan.

   STATEMENT OF COLONEL MICHAEL McDANIEL, ASSISTANT ADJUTANT 
         GENERAL, HOMELAND SECURITY, STATE OF MICHIGAN

    CoLonel McDaniel. Thank you, Chairman Sessions, Chairman 
Camp, members of the committee, for this opportunity to testify 
before you here today.
    My name is Colonel Michael McDaniel. I serve as the 
Assistant Adjutant General for Homeland Security for the 
Michigan National Guard, and as such I also serve as the 
governor's adviser on homeland security to Michigan's Governor 
Jennifer Granholm.
    Based on my understanding of the focus of this committee's 
interest, my narrative of events of August 14 through 16, 2003 
will focus on the interdependencies of the infrastructure, the 
responses thereto and the communications between state, local 
and federal agencies. I will then briefly discuss some of the 
issues that surfaced during our response to the blackout and 
potential resolution of them.
    As you all know, on Thursday August 14, 2003 in the late 
afternoon approximately at 4:15 p.m., a massive power outage 
struck the power grid in the Midwest and Northeast U.S., as 
well as the Province of Ontario, causing blackouts from New 
York to Michigan. Within minutes, much of southeast Michigan 
and mid-Michigan was without power, including the major 
metropolitan areas of Detroit, Ann Arbor and Lansing.
    I will briefly outline some of the major complications from 
the blackout. In much of southeast and mid-Michigan, the lack 
of electrical power resulted in widespread traffic signals not 
functioning, and limited telephone communications. Radio and 
television stations reported broadcasting difficulties, with 
several small stations not operating at all. Gas stations were 
unable to supply people's needs for their cars and for their 
portable generators, as without electricity those gasoline 
pumps were inoperable. The auto industry in Michigan was also 
directly impacted by the loss of power, shutting down 
operations for the majority of 3 days.
    The Ambassador Bridge in Detroit, the busiest commercial 
land port in the United States, with 16,000 tractor-trailer 
trucks crossing daily, was also affected. This resulted in 
approximately a 4-mile backup of traffic for almost 24 hours on 
the United States side. I would just emphasize that it was the 
IT systems for the Canadian Customs that was shut down and not 
functioning. The U.S. Customs system at the bridge was working.
    Many other computer systems were not functioning, however, 
including the Law Enforcement Information Network, or LEIN 
system. The Detroit Board of Water and Sewer, which is the 
oversight board for the nation's second or third largest water 
system, reported its system was not functioning correctly. It 
had a boiled water advisory which was not lifted until late 
Monday, August 18. The state's response in brief. As of 6 p.m., 
Governor Granholm had reported to the state emergency operation 
center. I would note that the Governor spoke directly with 
Department of Homeland Security Secretary Tom Ridge 
approximately 1 hour after the blackout began. As the 
dimensions of the emergency became clear, the federal DHS 
called every hour for briefings. The FEMA representative was 
also present and working from the state's EOC from August 15, 
the next day, onward. The state of emergency was not rescinded 
until a few days later.
    Briefly, the lessons learned. In Michigan, we are 
monitoring, investigating or resolving the following issues. 
First, the communications between federal and state agencies. I 
think it is safe to say there was full and robust communication 
between the appropriate federal and state agencies, but I would 
make a couple of suggestions for improvement. First, we were 
giving reports to the Department of Homeland Security directly, 
to FEMA or the EP&R directorate within DHS, and then to FEMA 
Region 5. To a large degree this was redundant information.
    Secondly, all of those communications were being made by 
telephone or facsimile machine. And given the intermittent 
outages of commercial telephone service elsewhere in the state, 
as well as in the Lansing area for the first 8 hours, a backup 
system needs to be instituted that is not reliant on commercial 
lines or on portable generators.
    Secondly, the communications between state and local 
agencies worked very well. I would go so far as to brag a 
little bit and say they worked flawlessly. I think this was in 
large part because we had a substantial investment in the State 
of Michigan over the last 12 years of approximately $220 
million to create a statewide 800 megahertz digital trunk radio 
system. As a result, there were no interruptions in the system 
anywhere as the control system in all 180 towers have their own 
independent generators.
    I would note a couple of points, however. The state had to 
issue bonds to fund such a large expenditure. The IRS has 
ruled, however, that because these are state bonds, only 5 
percent of the members of the system can be non-state agencies. 
We do have a number of federal agencies who have radios on the 
system, including FBI, Bureau of Alcohol, Tobacco and Firearms, 
and the U.S. Forest Service. However, because of that 5 
percent, we are limited in the degree to which we can request 
and ask the federal agencies to come on that system. 
Consideration should be given to creation of an exception to 
the IRS bonding restriction to promote interoperability of 
communications between state, as well as non-state agencies.
    I would also like to talk briefly about interdependent 
infrastructure. We had questions from Congressmen Dicks and 
Lucas about the critical infrastructure protection and coming 
up with systems and inventories of those. I would just say that 
everybody has their own list of critical infrastructure 
protection, but what we need to do is have a process whereby 
those lists are not just inventoried and compiled and 
harmonized, but we need to have a strategic assessment.
    The Office of Domestic Preparedness has asked the states to 
do that, and we are in the process of doing that. A strategic 
needs assessment of the state is to be done no later than 
December 31. All states have to do the same process. At that 
time I think we will have the next step in a critical 
infrastructure protection that is truly a national plan, not 
just a federal plan or a state plan.
    Lastly, I would just mention the sufficiency of funds for 
state emergency operations centers. In some regards, the 
Department of Homeland Security has done very well in getting 
us funds for equipment and getting those down to the state. 
However, I would note that there was a fiscal year 2002 
supplemental appropriation for statewide emergency operation 
center upgrades and modifications and we have still not had an 
answer or received funding on that.
    I thank the committee for this opportunity to testify. I 
welcome any questions you have after Mr. Dacey.
    [The statement of Colonel McDaniel follows:]

           PREPARED STATEMENT OF COLONEL MICHAEL C. McDANIEL

    Thank you, Chairman Thornberry, Chairman Camp, and Members of the 
Committee for the opportunity to testify today before your committee.
    My name is Colonel Michael C. McDaniel, and I serve as the 
Assistant Adjutant General for Homeland Security for the Michigan 
National Guard. As such, I serve as the Homeland Security Advisor to 
Michigan's Governor, Jennifer M Granholm.
    Based on my understanding of the focus of this committee's 
interests, my narrative of the events of 1416 August, 2003 will focus 
on the interdependencies of our infrastructure, and the communications 
between state, local, and federal agencies. I will then discuss some of 
the issues that surfaced during our response to the blackout, and 
potential resolution of them.
    On Thursday, August 14,2003, at approximately 4:15 p.m., a massive 
power outage struck the Niagara-Mohawk power grid in the Northeast US 
and Ontario causing blackouts from New York to Michigan. Within 
minutes, much of southeast Michigan and mid-Michigan was without power, 
including the major metropolitan areas of Detroit, Ann Arbor, and 
Lansing.
    Approximately 60 percent of Michigan's entire population, or more 
than 2.2 million households, was affected by the outage, requiring 
state agencies and local governments to utilize extensive emergency 
protective measures in order to insure their health, safety and 
welfare.
    Collectively, the State of Michigan and local governments expended 
$20.4 million on emergency measures to save lives, protect public 
health, and prevent damage to public and private property.
    The Emergency Management Division of the Michigan State Police 
began to immediately monitor conditions in Lansing and around the 
state, including the state's nuclear power plants. Within minutes, when 
it was clear that there was a widespread outage, the state's Emergency 
Operations Center (EOC) was formally activated, and state agencies 
began to monitor state and national conditions.
    Below, I will briefly outline some of the major complications from 
the blackout:
         In much of southeast and mid-Michigan, the lack of 
        electric power resulted in widespread traffic signals not 
        functioning and limited telephone communications. Radio and 
        television stations reported broadcasting difficulties, with 
        several small stations not operating at all.
         Many facilities lacked sufficient alternative energy 
        sources. Portable generators were needed at hospitals and other 
        public facilities, including the state mental institution.
         The Fermi II nuclear plant in Monroe County was shut 
        down as a precaution. It returned to full power production and 
        was reconnected to the power grid late Thursday, 21 August.
         Marathon Refinery, Michigan's largest refining 
        facility, lost power and had to shut down. One unit did not 
        shut down properly and began venting partially processed 
        hydrocarbons. Because of the tank's location, the city of 
        Melvindale (with the assistance of the Michigan State Police) 
        decided to evacuate 30,000 residents and shut down Interstate 
        75 for several hours until the situation was controlled. The 
        Marathon Refinery was inoperable as a result of the loss of 
        electricity and water, and out of production for approximately 
        10 days.
         Gas stations were unable to supply peoples' needs for 
        their cars and portable generators, as without electricity the 
        pumps were inoperable.
         The auto industry was also directly impacted by the 
        loss of power, shutting down operations forthe majority of 
        three days.
         The Ambassador Bridge in Detroit, the busiest 
        commercial landport in the United States with 16,000 tractor-
        trailers crossing daily, was also affected. Interestingly, both 
        the bridge and U.S. Customs had their computers interrupted 
        only momentarily until their back-up systems activated. 
        Canadian customs, however, lost their computer datalink, and 
        thus their ability to verify trucking manifests electronically. 
        As a result they were forced to visually and manually inspect 
        the manifests and, if warranted, the freight itself. This 
        resulted in an approximately four-mile backup of traffic for 
        almost 24 hours on the U.S. side.
         Many computer systems were not functioning, including 
        the Law Enforcement Information Network (LEIN).
         Metropolitan Detroit Airport was closed and all 
        flights canceled until midnight on August 14.
         The Detroit Board of Water and Sewers, oversight board 
        of the nation's second largest watersystem, reported that its 
        system was not functioning correctly. It issued a boiled water 
        advisory for its entire service area. A number of public water 
        issues arose from the blackout. First, there is a need for 
        generators and for an automatic activation switches for these 
        generators. Second, much of the system's gauges and switches 
        rely on telephone lines, or telemetry, which is used to receive 
        information on the system's capabilities. Last, there was no 
        system to notify all of the customers of the boiled water 
        advisory, as notification was dependent on the public media. It 
        became clear, on the morning of August 15, that the largest 
        problem was the lack of potable water. Public and private 
        entities delivered hundreds of thousands of gallons of water to 
        those affected sites, but a boiled water advisory was not 
        lifted until Monday, August 18.

The State's Response
    As of 6:00 p.m., Governor Granholm and her senior staff had 
reported to the state Emergency Operations Center (EOC). The Governor 
had been briefed by the Emergency Management Division of the Michigan 
State Police (MSP), and all state agency representatives, and she first 
advised the citizens of conditions and our efforts via public media, at 
approximately 10:00 p.m. The MSP had positioned 50 state troopers on 
stand-by for mobilization, if needed to maintain order in blackout 
areas. Little to no looting was reported, and crime rates were at or 
below average. The Michigan National Guard also had troopers ready on 
stand-by.
    I would note that the Governor spoke with Department of Homeland 
(DHS) Secretary Tom Ridge approximately one hour after the blackout 
began. As the dimensions of the emergency became clear, the federal DHS 
called every hour for briefings.
    The State of Michigan has always had a great working relationship 
with FEMA Region V, and this working relationship was very evident 
during this emergency. Region V had activated their Regional Operating 
Center (ROC), and was in close and constant telephone contact. A FEMA 
representative was also present and working from the State EOC, from 
August 15 onward.
    The state of emergency was not rescinded until August 22, 2003.

Emergency Protective Measures Reimbursement
    On August 27,2003 the State applied to FEMA for federal 
reimbursement under the Stafford Act' for actions taken by local or 
state agencies to remove or reduce immediate threats to public health, 
safety, welfare, or private property when those measures are used in 
the public interest. As of September 15, we have not received any 
response from FEMA. This is not an inordinately long period of time, 
but Michigan and other states are watching to see if the placement of 
FEMA within the Emergency
    Preparedness and Response Directorate (EP&R) of DHS will prolong 
the application process. I would note that the Undersecretary for EP&R 
has assured the state emergency management directors that it will not.

Lessons Learned
    In Michigan, we are monitoring, investigating, or resolving the 
following issues:

(A) Communications between federal and state agencies. There was full 
and robust communication between the appropriate federal and state 
agencies. DHS and FEMA were in regular, consistent contact with the 
State EOC. The State Department of Environmental Quality, Public 
Service Commission and National Guard were communicating with the 
Environmental Protection Agency, the Department of Energy, and the 
National Guard Bureau, respectively. Two suggestions for improvement, 
however, can be made. First, the reports given to DHS and FEMA Region V 
were redundant information. While the ``operations tempo'' of the 
emergency response was such that this was not a hindrance, this 
redundancy should be eliminated as the reorganization of federal 
agencies within DHS is completed. Second, all communication was by 
telephone or facsimile machine. Given the intermittent outages of 
commercial telephone service elsewhere in the state, a backup system 
needs to be instituted that is not reliant on commercial lines. I would 
note that there is a wireless system between FEMA Region V and the 
State EOC. Perhaps this capability can be expanded.

(B) Communications between state agencies and between state and local 
agencies. Internal communications, both within a state agency and 
between employees of the state and a local agency, worked flawlessly. 
The State of Michigan, over the last 12 years has spent in excess of 
$220 million to create a statewide 800 Mhz digital trunk radio system. 
It is the believed to be the largest radio system, in terms of land 
mass covered, in the nation that meets APSCO 25 (Association of Public 
Safety Communications Officials) standards. This system provides full 
interoperability, of course, as all members are on the same system. 
There are at the present time 374 different public agencies which use 
the Michigan Public Safety Communication System as their primary radio 
communications, and another 90 agencies that use the system for 
emergency management purposes only. The member agencies include all 
state agencies, as well as counties, townships, tribes, and federal 
agencies (the FBI, U.S. Customs, Bureau of A TF and Forest Service). 
There are currently more than 11,000 radios on the system.
    There were no interruptions to the system anywhere during the 
blackout because the control center and all antennae have independent 
generators. Four of the five counties as well as many municipalities 
within those counties in the declared emergency area are now 
considering joining the Michigan Public Safety Communications System.
    During FY 2003 the DHS administered an equipment grant program to 
promote interoperable communications between local governmental 
agencies. The states expect to learn the grant recipients and amounts 
awarded in the near future. This program, by providing a specific 
financial incentive to pursue interoperability, has been well-received 
by the States. This program and its results should be monitored closely 
and considered for potential expansion.
    Because the state had to issue bonds to fund such a large 
expenditure, the Internal Revenue Service (IRS) has ruled that with 
state bonds only 5 percent of the members of the system can be non-
state entities, or, in this case, federal or tribal members. While far 
less than 5 percent of the radios on the system are used by federal 
agencies, true interoperability compels their participation on the 
system. We need to find means to encourage federal participation on the 
MPSCS, thus consideration should be given to creation of an exception 
to the IRS bonding restriction to promote interoperability of 
communications between state and non-state agencies.

(C) Interdependent Infrastructure. The above narrative illustrates the 
ripple effect of an impact on one sector for the rest of the nation's 
infrastructure. The facilities, systems, and functions that comprise 
our critical infrastructures are highly sophisticated and complex. We 
are only now beginning to study the degree that our systems work 
together in processes that are highly interdependent. In one oft-cited 
example, e-commerce depends on electricity as well as information and 
communications. Assuring electric service requires operational 
transportation and distribution systems to guarantee the delivery of 
fuel necessary to generate power. Such interdependencies have developed 
over time and are the product of operational processes that have fueled 
unprecedented efficiency and productivity.
    Given the dynamic nature of the systems, we need not only to model 
but also a concerted, joint state/federal effort to identify and 
prioritize not just the systems, but their critical components, their 
interdependencies, and the state and federal agencies that both 
regulate and rely on them. In the past, different state and federal 
agencies have inventories and prioritized the critical infrastructure. 
This process is ongoing, it is a vital step for every operational plan 
for protection and security, and those priority lists are driving our 
efforts.

(D) Sufficiency of funds for state Emergency Operations Centers. 
Deficiencies in the state Emergency Operations Center become obvious 
after spending 36 straight hours there. The FY 2002 Supplemental 
Appropriation provided approximately $51 million nationwide 
specifically for Emergency Operation Center upgrades and modifications. 
This amount is insufficient to properly upgrade the Emergency 
Operations Center for every state and territory. For example the State 
of Michigan had requested $9.5 million for this purpose, which would 
include all design, engineering, construction, and project management 
costs for the State EOC, and an alternate EOC in the metro Detroit 
area. A decision on the grants is long overdue, particularly 
considering that some state, somewhere in the nation, is facing an 
emergency, albeit usually natural emergencies, such as floods, fires 
and hurricanes, almost every day.
    I thank the Committee for the opportunity to testify, and I welcome 
any questions you may have.

    Mr. Sessions. Colonel McDaniel, thank you so much. Your 
request to us concerning the tax implications will be not only 
acknowledged by this committee, but we will also provide you 
back in writing what we intend to do as far as referring that. 
We have several members, including the gentlewoman from 
Washington, who sit on the Ways and Means Committee and would 
be able to address that properly.
    Thank you so much.
    Director Dacey, you are recognized.

STATEMENT OF MR. ROBERT DACEY, DIRECTOR, INFORMATION SECURITY, 
                   GENERAL ACCOUNTING OFFICE

    Mr. Dacey. Chairman Sessions, Chairman Camp, and members of 
the subcommittee, I am pleased to be here today to discuss the 
Department of Homeland Security's information- sharing 
responsibilities, particularly as they relate to critical 
infrastructure protection, or CIP, and the challenges and key 
management issues that the department faces in implementing 
those responsibilities. As you requested, I will briefly 
summarize my written statement.
    The Homeland Security Act of 2002 brought together 22 
diverse organizations and created a new Cabinet-level 
department to help prevent terrorist attacks against the United 
States, reduce the vulnerability to terrorist attacks, and 
minimize damage and assist in recovery from attacks if they 
should occur. Achieving the complex mission of the department 
will require the ability to effectively share a variety of 
information among its own entities and with other federal 
agencies, state and local governments, the private sector and 
others.
    For example, the department will need to be able to access, 
receive and analyze law enforcement information, intelligence 
information and other threat incident and vulnerability 
information from federal and non-federal sources; to administer 
the Homeland Security Advisory System and provide specific 
warning information and advice on appropriate protective 
measures and countermeasures; to share information both 
internally and externally with agencies in law enforcement on 
such things as goods and passengers in- bound to the United 
States and individuals who are known or suspected terrorists or 
criminals; and to share information among emergency responders 
in preparing for and responding to terrorist attacks and other 
emergencies.
    GAO has made numerous recommendations over the last several 
years related to information-sharing functions that have been 
transferred to the Department of Homeland Security. A number of 
actions have been taken or are underway to improve information-
sharing, such as the department's recent announcement of the 
creation of the U.S. Computer Emergency Response Team, or CERT, 
to provide in part a coordination center that links public and 
private response capabilities.
    However, further efforts are needed to address several 
information-sharing challenges concerning the government's CIP 
efforts. These challenges include developing a comprehensive 
and coordinated national CIP plan to facilitate information-
sharing that clearly delineates the roles and responsibilities 
of federal and non-federal entities, defines interim objectives 
and milestones, sets time frames for achieving them and 
establishes performance measures.
    Two, developing fully productive information-sharing 
relationships within the federal government and between the 
federal government and the state and local governments, the 
private sector and others.
    Three, improving the federal government's capabilities to 
analyze incident, threat and vulnerability information and 
share appropriate, timely and useful warnings and other 
information concerning cyber and physical threats.
    And four, providing appropriate incentives for non- federal 
entities to increase information sharing with the federal 
government and to enhance other CIP efforts.
    Success of homeland security also relies on establishing 
effective systems and processes within the department to 
facilitate information-sharing. Through our prior work we have 
identified several critical success factors and other key 
management issues that the department should consider as it 
establishes systems and processes for information sharing. For 
example, the department should continue its efforts to develop 
and implement an enterprise architecture to integrate the many 
existing systems and processes required to support its mission 
and to guide the department's investments in new systems to 
effectively support homeland security in the coming years.
    Two, to implement effective system acquisition and 
investment management processes to appropriately select, 
control and evaluate IT projects. And third, to implement 
effective information security to protect the sensitive 
information that the department maintains and to develop 
secure, available communication networks to safely transmit 
information.
    Other key management issues include developing a 
performance focus, integrating staff from different 
organizations and ensuring the department has properly skilled 
staff.
    Mr. Chairman, this concludes my statement. I would be happy 
to answer any questions that you have.
    [The statement of Mr. Dacey follows:]

   PREPARED STATEMENT OF MR. ROBERT F. DACEY, DIRECTOR, INFORMATION 
                  SECURITY, GENERAL ACCOUNTING OFFICE

 INFORMATION SHARING RESPONSIBILITIES, CHALLENGES, AND KEY MANANGEMENT 
                                 ISSUES

    Messrs. Chairmen and Members of the Subcommittees:
    I am pleased to be here today to discuss the challenges that the 
Department of Homeland Security (DHS) faces in integrating its 
information gathering and sharing functions, particularly as they 
relate to fulfilling its critical infrastructure protection (CIP) 
responsibilities. CIP involves activities that enhance the security of 
the cyber and physical public and private infrastructures that are 
essential to our national security, national economic security, and/or 
national public health and safety. The Homeland Security Act of 2002 
brought together 22 diverse organizations and created DHS to help 
prevent terrorist attacks in the United States, reduce the 
vulnerability of the United States to terrorist attacks, and minimize 
damage and assist in recovery from attacks that do occur. To accomplish 
this mission, the act established specific homeland security and CIP 
responsibilities for the department and directed it to coordinate its 
efforts and share information among its own entities and with other 
federal agencies, state and local governments, the private sector, and 
others.
    In my testimony today, I will summarize our analysis of information 
sharing as an integral part of fulfilling DHS's mission and CIP 
responsibilities. I will then discuss our related prior analyses and 
recommendations for improving the federal government's information 
sharing efforts. Last, I will discuss the key management issues that 
DHS should consider in developing and implementing effective 
information sharing processes and systems.
    In preparing this testimony, we relied on prior GAO reports and 
testimonies on combating terrorism, critical infrastructure protection 
(CIP), homeland security, information sharing, information technology 
(IT), and national preparedness, among others. These prior reports and 
testimonies included our review and analysis of the National Strategy 
for Homeland Security, the National Strategy to Secure Cyberspace, the 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets, the National Strategy for Combating 
Terrorism,\1\ the Homeland Security Act of 2002,\2\ and other relevant 
federal policies. Our work for today's testimony was performed in 
September 2003 in accordance with generally accepted government 
auditing standards.
---------------------------------------------------------------------------
    \1\ The White House, The National Strategy for Homeland Security 
(Washington, D.C.: July 2002); The National Strategy to Secure 
Cyberspace (Washington, D.C.: February 2003); The National Strategy for 
the Physical Protection of Critical Infrastructures and Key Assets 
(Washington, D.C.: February 2003); and The National Strategy for 
Combating Terrorism (Washington, D.C.: February 2003).
    \2\ Public Law 107-296.

Results in Brief
The Homeland Security Act of 2002 and other federal policy, including 
the National Strategy for Homeland Security, assign responsibilities to 
DHS for coordinating and sharing information related to threats of 
domestic terrorism, within the department and with and between other 
federal agencies, state and local governments, the private sector, and 
other entities. For example, to accomplish its missions, the new 
department must (1) access, receive, and analyze law enforcement 
information, intelligence information, and other threat, incident, and 
vulnerability information from federal and nonfederal sources; (2) 
analyze this information to identify and assess the nature and scope of 
terrorist threats; and (3) administer the Homeland Security Advisory 
System and provide specific warning information and advice on 
appropriate protective measures and countermeasures. Further, DHS must 
share information both internally and externally with agencies and law 
enforcement on such things as goods and passengers inbound to the 
United States and individuals who are known or suspected terrorists and 
criminals. It also must share information among emergency responders in 
preparing for and responding to terrorist attacks and other 
emergencies.

We have made numerous recommendations over the last several years 
related to information sharing functions that have been transferred to 
DHS. One significant area concerns the federal government's CIP 
efforts, which is focused on the sharing of information on incidents, 
threats, and vulnerabilities, and the providing of warnings related to 
critical infrastructures both within the federal government and between 
the federal government and state and local governments and the private 
sector. Although improvements have been made, further efforts are 
needed to address the following critical CIP challenges:

 developing a comprehensive and coordinated national plan to 
facilitate CIP information sharing that clearly delineates the roles 
and responsibilities of federal and nonfederal CIP entities, defines 
interim objectives and milestones, sets timeframes for achieving 
objectives, and establishes performance measures;

 developing fully productive information sharing relationships 
within the federal government and between the federal government and 
state and local governments and the private sector;

 improving the federal government's capabilities to analyze 
incident, threat, and vulnerability information obtained from numerous 
sources and share appropriate, timely, useful warnings and other 
information concerning both cyber and physical threats to federal 
entities, state and local governments, and the private sector; and

 providing appropriate incentives for nonfederal entities to 
increase information sharing with the federal government and enhance 
other CIP efforts.
In addition, we recently identified challenges in consolidating and 
standardizing watch list structures and policies, which are essential 
to effectively sharing information on suspected terrorists and 
criminals.\3\
---------------------------------------------------------------------------
    \3\ Watch lists are automated databases that contain various types 
of data on individuals, from biographical data--such as a person's name 
and date of birth--to biometric data such as fingerprints.
---------------------------------------------------------------------------
The success of homeland security also relies on establishing effective 
systems and processes to facilitate information sharing among and 
between government entities and the private sector. Through our prior 
work, we have identified critical success factors and other key 
management issues that DHS should consider as it establishes systems 
and processes to facilitate information sharing among and between 
government entities and the private sector. These success factors 
include establishing trust relationships with a wide variety of federal 
and nonfederal entities that may be in a position to provide 
potentially useful information and advice on vulnerabilities and 
incidents. As part of its information technology management, DHS should 
continue to develop and implement an enterprise architecture to 
integrate the many existing systems and processes required to support 
its mission and to guide the department's investments in new systems to 
effectively support homeland security in the coming years. Other key 
management issues include ensuring that sensitive information is 
secured, developing secure communications networks, integrating staff 
from different organizations, and ensuring that the department has 
properly skilled staff.

Information Sharing Is Integral to Fulfilling DHS's Mission
With the terrorist attacks of September 2001, the threat of terrorism 
rose to the top of the country's national security and law enforcement 
agendas. As stated by the President in his National Strategy for 
Homeland Security in July 2002, our nation's terrorist enemies are 
constantly seeking new tactics or unexpected ways to carry out their 
attacks and magnify their effects, such as working to obtain chemical, 
biological, radiological, and nuclear weapons. In addition, terrorists 
are gaining expertise in less traditional means, such as cyber attacks. 
In response to these growing threats, Congress passed and the President 
signed the Homeland Security Act of 2002 creating the DHS. The overall 
mission of this new cabinet-level department includes preventing 
terrorist attacks in the United States, reducing the vulnerability of 
the United States to terrorist attacks, and minimizing damage and 
assisting in recovery from attacks that do occur. To accomplish this 
mission, the act established specific homeland security 
responsibilities for the department and directed it to coordinate its 
efforts and share information within DHS and with other federal 
agencies, state and local governments, the private sector, and other 
entities. This information sharing is critical to successfully 
addressing increasing threats and fulfilling the mission of DHS.

Threats, Incidents, and the Consequences of Potential Attacks Are 
Increasing
DHS's responsibilities include the protection of our nation's publicly 
and privately controlled resources essential to the minimal operations 
of the economy and government against the risks of physical as well as 
computer-based or cyber attacks. Over the last decade, physical and 
cyber events, as well as related analyses by various entities, have 
demonstrated the increasing threat to the United States.
    With the coordinated terrorist attacks against the World Trade 
Center in New York City and the Pentagon in Washington, D.C., on 
September 11, 2001, the threat of terrorism rose to the top of the 
country's national security and law enforcement agendas. Even before 
these catastrophic incidents, the threat of attacks against people, 
property, and infrastructures had increased concerns about terrorism. 
The terrorist bombings in 1993 of the World Trade Center in New York 
City and in 1995 of the Alfred P. Murrah Federal Building in Oklahoma 
City, which killed 168 people and wounded hundreds of others, prompted 
increased emphasis on the need to strengthen and coordinate the federal 
government's ability to effectively combat terrorism domestically. The 
1995 Aum Shinrikyo sarin nerve agent attack in the Tokyo subway system 
also raised new concerns about U.S. preparedness to combat terrorist 
incidents involving weapons of mass destruction.\4\ However, as clearly 
demonstrated by the September 11, 2001, incidents, a terrorist attack 
would not have to fit the definition of weapons of mass destruction to 
result in mass casualties, destruction of critical infrastructures, 
economic losses, and disruption of daily life nationwide.
---------------------------------------------------------------------------
    \4\ A weapon of mass destruction is a chemical, biological, 
radiological, or nuclear agent or weapon.
---------------------------------------------------------------------------
U.S. intelligence and law enforcement communities continuously assess 
both foreign and domestic terrorist threats to the United States. Table 
1 summarizes key physical threats to homeland security.

             Table 1: Physical Threats to Homeland Security
------------------------------------------------------------------------
                  Threat                             Description
------------------------------------------------------------------------
Chemical weapons                            Chemical weapons are
                                             extremely lethal and
                                             capable of producing tens
                                             of thousands of casualties.
                                             They are also relatively
                                             easy to manufacture, using
                                             basic equipment, trained
                                             personnel, and precursor
                                             materials that often have
                                             legitimate dual uses. As
                                             the 1995 Tokyo subway
                                             attack revealed, even
                                             sophisticated nerve agents
                                             are within the reach of
                                             terrorist groups.
------------------------------------------------------------------------
Biological weapons                          Biological weapons, which
                                             release large quantities of
                                             living, disease-causing
                                             microorganisms, have
                                             extraordinary lethal
                                             potential. Like chemical
                                             weapons, biological weapons
                                             are relatively easy to
                                             manufacture, requiring
                                             straightforward technical
                                             skills, basic equipment,
                                             and a seed stock of
                                             pathogenic microorganisms.
                                             Biological weapons are
                                             especially dangerous
                                             because we may not know
                                             immediately that we have
                                             been attacked, allowing an
                                             infectious agent time to
                                             spread. Moreover,
                                             biological agents can serve
                                             as a means of attack
                                             against humans as well as
                                             livestock and crops,
                                             inflicting casualties as
                                             well as economic damage.
------------------------------------------------------------------------
Radiological weapons                        Radiological weapons, or
                                             ``dirty bombs,'' combine
                                             radioactive material with
                                             conventional explosives.
                                             The individuals and groups
                                             engaged in terrorist
                                             activity can cause
                                             widespread disruption and
                                             fear, particularly in
                                             heavily populated areas.
------------------------------------------------------------------------
Nuclear weapons                             Nuclear weapons have
                                             enormous destructive
                                             potential. Terrorists who
                                             seek to develop a nuclear
                                             weapon must overcome two
                                             formidable challenges.
                                             First, acquiring or
                                             refining a sufficient
                                             quantity of fissile
                                             material is very difficult--
                                             though not impossible.
                                             Second, manufacturing a
                                             workable weapon requires a
                                             very high degree of
                                             technical capability--
                                             though terrorists could
                                             feasibly assemble the
                                             simplest type of nuclear
                                             device. To get around these
                                             significant though not
                                             insurmountable challenges,
                                             terrorists could seek to
                                             steal or purchase a nuclear
                                             weapon.
------------------------------------------------------------------------
Conventional means                          Terrorists, both domestic
                                             and international, continue
                                             to use traditional methods
                                             of violence and destruction
                                             to inflict harm and spread
                                             fear. They have used
                                             knives, guns, and bombs to
                                             kill the innocent. They
                                             have taken hostages and
                                             spread propaganda. Given
                                             the low expense, ready
                                             availability of materials,
                                             and relatively high chance
                                             for successful execution,
                                             terrorists will continue to
                                             make use of conventional
                                             attacks.
------------------------------------------------------------------------
------------------------------------------------------------------------

SOURCE: NATIONAL STRATEGY FOR HOMELAND SECURITY

In addition to these physical threats, terrorists and others with 
malicious intent, such as transnational criminals and intelligence 
services, pose a threat to our nation's computer systems. As dramatic 
increases in computer interconnectivity, especially in the use of the 
Internet, continue to revolutionize the way much of the world 
communicate and conducts business, this widespread interconnectivity 
also poses significant risks to the government's and our nation's 
computer systems and, more importantly, to the critical operations and 
infrastructures they support. For example, telecommunications, power 
distribution, water supply, public health services, national defense 
(including the military's warfighting capability), law enforcement, 
government services, and emergency services all depend on the security 
of their computer operations. If not properly controlled, the speed and 
accessibility that create the enormous benefits of the computer age 
also allow individuals and organizations to inexpensively eavesdrop on 
or interfere with these operations from remote locations for 
mischievous or malicious purposes.
Government officials are increasingly concerned about cyber attacks 
from individuals and groups with malicious intent, such as crime, 
terrorism, foreign intelligence gathering, and acts of war. According 
to the FBI, terrorists, transnational criminals, and intelligence 
services are quickly becoming aware of and are using information 
exploitation tools such as computer viruses, Trojan horses, worms, 
logic bombs, and eavesdropping sniffers that can destroy, intercept, 
degrade the integrity of, or deny access to data.\5\ In addition, the 
disgruntled organization insider is a significant threat, since these 
individuals often have knowledge that allows them to gain unrestricted 
access and inflict damage or steal assets without possessing a great 
deal of knowledge about computer intrusions. As greater amounts of 
money are transferred through computer systems, as more sensitive 
economic and commercial information is exchanged electronically, and as 
the nation's defense and intelligence communities increasingly rely on 
commercially available IT, the likelihood increases that cyber attacks 
will threaten vital national interests. Table 2 summarizes the key 
cyber threats to our infrastructure.
---------------------------------------------------------------------------
    \5\ Virus: a program that ``infects'' computer files, usually 
executable programs, by inserting a copy of itself into the file. These 
copies are usually executed when the ``infected'' file is loaded into 
memory, allowing the virus to infect other files. Unlike the computer 
worm, a virus requires human involvement (usually unwitting) to 
propagate. Trojan horse: a computer program that conceals harmful code. 
A Trojan horse usually masquerades as a useful program that a user 
would wish to execute. Worm: an independent computer program that 
reproduces by copying itself from one system to another across a 
network. Unlike computer viruses, worms do not require human 
involvement to propagate. Logic bomb: in programming, a form of 
sabotage in which a programmer inserts code that causes the program to 
perform a destructive action when some triggering event occurs, such as 
terminating the programmer's employment. Sniffer: synonymous with 
packet sniffer. A program that intercepts routed data and examines each 
packet in search of specified information, such as passwords 
transmitted in clear text.

  Table 2: Cyber Threats to Critical Infrastructure Observed by the FBI
------------------------------------------------------------------------
                  Threat                             Description
------------------------------------------------------------------------
Criminal groups                             There is an increased use of
                                             cyber intrusions by
                                             criminal groups who attack
                                             systems for purposes of
                                             monetary gain.
------------------------------------------------------------------------
Foreign intelligence services               Foreign intelligence
                                             services use cyber tools as
                                             part of their information
                                             gathering and espionage
                                             activities.
------------------------------------------------------------------------
Hackers                                     Hackers sometimes crack into
                                             networks for the thrill of
                                             the challenge or for
                                             bragging rights in the
                                             hacker community. While
                                             remote cracking once
                                             required a fair amount of
                                             skill or computer
                                             knowledge, hackers can now
                                             download attack scripts and
                                             protocols from the Internet
                                             and launch them against
                                             victim sites. Thus, while
                                             attack tools have become
                                             more sophisticated, they
                                             have also become easier to
                                             use.
------------------------------------------------------------------------
Hacktivists                                 Hacktivism refers to
                                             politically motivated
                                             attacks on publicly
                                             accessible Web pages or e-
                                             mail servers. These groups
                                             and individuals overload e-
                                             mail servers and hack into
                                             Web sites to send a
                                             political message.
------------------------------------------------------------------------
Information warfare                         Several nations are
                                             aggressively working to
                                             develop information warfare
                                             doctrine, programs, and
                                             capabilities. Such
                                             capabilities enable a
                                             single entity to have a
                                             significant and serious
                                             impact by disrupting the
                                             supply, communications, and
                                             economic infrastructures
                                             that support military
                                             power--impacts that,
                                             according to the Director
                                             of Central Intelligence,a
                                             can affect the daily lives
                                             of Americans across the
                                             country.
------------------------------------------------------------------------
Insider threat                              The disgruntled organization
                                             insider is a principal
                                             source of computer crimes.
                                             Insiders may not need a
                                             great deal of knowledge
                                             about computer intrusions
                                             because their knowledge of
                                             a victim system often
                                             allows them to gain
                                             unrestricted access to
                                             cause damage to the system
                                             or to steal system data.
------------------------------------------------------------------------
Virus writers                               Virus writers are posing an
                                             increasingly serious
                                             threat. Several destructive
                                             computer viruses and
                                             ``worms'' have harmed files
                                             and hard drives, including
                                             the Melissa Macro Virus,
                                             the Explore.Zip worm, the
                                             CIH (Chernobyl) Virus,
                                             Nimda, and Code Red.
------------------------------------------------------------------------

SOURCE: FEDERAL BUREAU OF INVESTIGATION UNLESS OTHERWISE INDICATED.

A PREPARED STATEMENT OF GEORGE J. TENET, DIRECTOR OF CENTRAL 
                    INTELLIGENCE, BEFORE THE SENATE SELECT COMMITTEE ON 
                    INTELLIGENCE, FEB. 2, 2000.

As the number of individuals with computer skills has increased, more 
intrusion or ``hacking'' tools have become readily available and 
relatively easy to use. A hacker can literally download tools from the 
Internet and ``point and click'' to start an attack. Experts also agree 
that there has been a steady advance in the sophistication and 
effectiveness of attack technology. Intruders quickly develop attacks 
to exploit vulnerabilities discovered in products, use these attacks to 
compromise computers, and share them with other attackers. In addition, 
they can combine these attacks with other forms of technology to 
develop programs that automatically scan the network for vulnerable 
systems, attack them, compromise them, and use them to spread the 
attack even further.
Along with these increasing threats, the number of computer security 
incidents reported to the CERT' Coordination Center \6\ has 
also risen dramatically from just under 10,000 in 1999 to about 82,000 
in 2002, and to over 76,000 for the first and second quarters of 2003. 
And these are only the reported attacks. The Director of CERT Centers 
stated that he estimates that as much as 80 percent of actual security 
incidents goes unreported, in most cases because (1) the organization 
was unable to recognize that its systems had been penetrated or there 
were no indications of penetration or attack or (2) the organization 
was reluctant to report. Figure 1 shows the number of incidents 
reported to the CERT Coordination Center from 1995 through the first 
half of 2003.
---------------------------------------------------------------------------
    \6\ The CERT' Coordination Center (CERT' CC) 
is a center of Internet security expertise at the Software Engineering 
Institute, a federally funded research and development center operated 
by Carnegie Mellon University. 
[GRAPHIC] [TIFF OMITTED] T9793.001

According to the National Security Agency, foreign governments already 
have or are developing computer attack capabilities, and potential 
adversaries are developing a body of knowledge about U.S. systems and 
methods to attack these systems. Since the terrorist attacks of 
September 11, 2001, warnings of the potential for terrorist cyber 
attacks against our critical infrastructures have also increased. For 
example, in February 2002, the threat to these infrastructures was 
highlighted by the Special Advisor to the President for Cyberspace 
Security in a Senate briefing when he stated that although to date none 
of the traditional terrorists groups, such as al Qaeda, have used the 
Internet to launch a known assault on the United States' 
infrastructure, information on water systems was discovered on 
computers found in al Qaeda camps in Afghanistan.\7\ Also, in his 
February 2002 statement for the Senate Select Committee on 
Intelligence, the director of central intelligence discussed the 
possibility of cyber warfare attack by terrorists.\8\ He stated that 
the September 11 attacks demonstrated the nation's dependence on 
critical infrastructure systems that rely on electronic and computer 
networks. Further, he noted that attacks of this nature would become an 
increasingly viable option for terrorists as they and other foreign 
adversaries become more familiar with these targets and the 
technologies required to attack them.
---------------------------------------------------------------------------
    \7\ ``Administrative Oversight: Are We Ready for A Cyber Terror 
Attack?'' Testimony before the Senate Committee on the Judiciary, 
Subcommittee on Administrative Oversight and the Courts, by Richard A. 
Clarke, Special Advisor to the President for Cyberspace Security and 
Chairman of the President's Critical Infrastructure Protection Board 
(Feb. 13, 2002).
    \8\ Testimony of George J. Tenet, Director of Central Intelligence, 
before the Senate Select Committee on Intelligence, Feb. 6, 2002.
---------------------------------------------------------------------------
Since September 11, 2001, the critical link between cyberspace and 
physical space has also been increasingly recognized. In his November 
2002 congressional testimony, the Director, CERT Centers at Carnegie-
Mellon University, noted that supervisory control and data acquisition 
(SCADA) systems and other forms of networked computer systems have been 
used for years to control power grids, gas and oil distribution 
pipelines, water treatment and distribution systems, hydroelectric and 
flood control dams, oil and chemical refineries, and other physical 
systems, and that these control systems are increasingly being 
connected to communications links and networks to reduce operational 
costs by supporting remote maintenance, remote control, and remote 
update functions.\9\ These computer-controlled and network-connected 
systems are potential targets for individuals bent on causing massive 
disruption and physical damage, and the use of commercial, off-the-
shelf technologies for these systems without adequate security 
enhancements can significantly limit available approaches to protection 
and may increase the number of potential attackers.
---------------------------------------------------------------------------
    \9\ Testimony of Richard D. Pethia, Director, CERT Centers, 
Software Engineering Institute, Carnegie Mellon University, before the 
House Committee on Government Reform, Subcommittee on Government 
Efficiency, Financial Management and Intergovernmental Relations, Nov. 
19, 2002.
---------------------------------------------------------------------------
Not only is the cyber protection of our critical infrastructures 
important in and of itself, but a physical attack in conjunction with a 
cyber attack has also been highlighted as a major concern. In fact, the 
National Infrastructure Protection Center (NIPC) has stated that the 
potential for compound cyber and physical attacks, referred to as 
``swarming attacks,'' is an emerging threat to the U.S. critical 
infrastructure.\10\ As NIPC reports, the effects of a swarming attack 
include slowing or complicating the response to a physical attack. For 
example, cyber attacks can be used to delay the notification of 
emergency services and to deny the resources needed to manage the 
consequences of a physical attack. In addition, a swarming attack could 
be used to worsen the effects of a physical attack. For example, a 
cyber attack on a natural gas distribution pipeline that opens safety 
valves and releases fuels or gas in the area of a planned physical 
attack could enhance the force of the physical attack.
---------------------------------------------------------------------------
    \10\ National Infrastructure Protection Center, Swarming Attacks: 
Infrastructure Attacks for Destruction and Disruption (Washington, 
D.C.: July 2002).

INFORMATION SHARING IS CRITICAL TO MEETING DHS'S MISSION

As our government and our nation has become ever more reliant on 
interconnected computer systems to support critical operations and 
infrastructures and as physical and cyber threats and potential attack 
consequences have increased, the importance of sharing information and 
coordinating the response to threats among stakeholders has increased. 
Information sharing and coordination among organizations are central to 
producing comprehensive and practical approaches and solutions to 
combating threats. For example, having information on threats and on 
actual incidents experienced by others can help an organization 
identify trends, better understand the risk it faces, and determine 
what preventive measures should be implemented. In addition, 
comprehensive, timely information on incidents can help federal and 
nonfederal analysis centers determine the nature of an attack, provide 
warnings, and advise on how to mitigate an imminent attack. Also, 
sharing information on terrorists and criminals can help to secure our 
nation's borders.
    The Homeland Security Act of 2002 created DHS with the primary 
responsibility of preventing terrorist attacks in the United States, 
reducing the vulnerability of the United States to terrorist attacks, 
and minimizing damage and assisting in recovery from attacks that do 
occur. To help DHS accomplish its mission, the act establishes, among 
other entities, five under secretaries with responsibility over 
directorates for management, science and technology, information 
analysis and infrastructure protection, border and transportation 
security, and emergency preparedness and response.
As part of DHS's responsibilities, the act includes several provisions 
specifically related to coordinating and sharing information within the 
department and among other federal agencies, state and local 
governments, the private sector, and other entities. It also includes 
provisions for protecting CIP information shared by the private sector 
and for sharing different types of information, such as grand jury and 
intelligence information. Other DHS responsibilities related to 
information sharing include
 requesting and receiving information from other federal 
agencies, state and local government agencies, and the private sector 
relating to threats of terrorism in the United States;
 distributing or, as appropriate, coordinating the distribution 
of warnings and information with other federal agencies, state and 
local governments and authorities, and the public;
 creating and fostering communications with the private sector;
 promoting existing public/private partnerships and developing 
new public/private partnerships to provide for collaboration and mutual 
support; and
 coordinating and, as appropriate, consolidating the federal 
government's communications and systems of communications relating to 
homeland security with state and local governments and authorities, the 
private sector, other entities, and the public.
Each DHS directorate is responsible for coordinating relevant efforts 
with other federal, state, and local governments. The act also 
established the Office for State and Local Government Coordination to, 
among other things, provide state and local governments with regular 
information, research, and technical support to assist them in securing 
the nation. Further, the act included provisions as the ``Homeland 
Security Information Sharing Act'' that requires the President to 
prescribe and implement procedures for facilitating homeland security 
information sharing and establishes authorities to share different 
types of information, such as grand jury information; electronic, wire, 
and oral interception information; and foreign intelligence 
information. In July 2003, the President assigned these functions to 
the Secretary of Homeland Security.\11\
---------------------------------------------------------------------------
    \11\ The White House, Executive Order 13311--Homeland Security 
Information Sharing (Washington, D.C.: Jul. 29, 2003).
---------------------------------------------------------------------------
The following sections illustrate how DHS will require successful 
information sharing within the department and between federal agencies, 
state and local governments, and the private sector to effectively 
carry out its mission.

     Information Analysis and Infrastructure Protection Directorate

The Information Analysis and Infrastructure Protection Directorate 
(IAIP) is responsible for accessing, receiving, and analyzing law 
enforcement information, intelligence information, and other threat and 
incident information from respective agencies of federal, state, and 
local governments and the private sector, and for combining and 
analyzing such information to identify and assess the nature and scope 
of terrorist threats. IAIP is also tasked with coordinating with other 
federal agencies to administer the Homeland Security Advisory System to 
provide specific warning information along with advice on appropriate 
protective measures and countermeasures.\12\ Further, IAIP is 
responsible for disseminating, as appropriate, information analyzed by 
DHS within the department, to other federal agencies, to state and 
local government agencies, and to private-sector entities.
---------------------------------------------------------------------------
    \12\ The Homeland Security Advisory System uses five levels 
(Severe, High, Elevated, Guarded, and Low) to inform federal, state, 
and local government agencies and authorities, the private sector, and 
the public of the nation's terrorist threat conditions.

The Homeland Security Act of 2002 makes DHS and its IAIP directorate 
also responsible for key CIP functions for the federal government. CIP 
involves activities that enhance the security of our nation's cyber and 
physical public and private infrastructure that are critical to 
national security, national economic security, and/or national public 
health and safety. Information sharing is a key element of these 
activities. Over 80 percent of our nation's critical infrastructures 
are controlled by the private sector. As part of its CIP 
responsibilities, IAIP is responsible for
(1) developing a comprehensive national plan for securing the key 
resources and critical infrastructure of the United States and
(2) recommending measures to protect the key resources and critical 
infrastructure of the United States in coordination with other federal 
agencies and in cooperation with state and local government agencies 
and authorities, the private sector, and other entities.
Federal CIP policy has continued to evolve since the mid-1990s through 
a variety of working groups, special reports, executive orders, 
strategies, and organizations. In particular, Presidential Decision 
Directive 63 (PDD 63) issued in 1998 established CIP as a national goal 
and described a strategy for cooperative efforts by government and the 
private sector to protect the physical and cyber-based systems 
essential to the minimum operations of the economy and the government. 
To accomplish its goals, PDD 63 established and designated 
organizations to provide central coordination and support. These 
included the Critical Infrastructure Assurance Office (CIAO), an 
interagency office established to develop a national plan for CIP, and 
NIPC, which was expanded to address national-level threat assessment, 
warning, vulnerability, and law enforcement investigation/response. The 
Homeland Security Act of 2002 transferred these and certain other CIP 
entities and their functions (other than the Computer Investigations 
and Operations Section of NIPC) to DHS's IAIP directorate.
Federal CIP policy, beginning with PDD 63 and reinforced through other 
strategy documents, including the National Strategy for Homeland 
Security issued in July 2002, called for a range of activities intended 
to establish a partnership between the public and private sectors to 
ensure the security of our nation's critical infrastructures. To ensure 
coverage of critical infrastructure sectors, this policy identified 
infrastructure sectors that were essential to our national security, 
national economic security, and/or national public health and safety. 
For these sectors, which now total 14, federal government leads (sector 
liaisons) and private-sector leads (sector coordinators) were to work 
with each other to address problems related to CIP for their sector. In 
particular, they were to (1) develop and implement vulnerability 
awareness and education programs and (2) contribute to a sectoral plan 
by
 assessing the vulnerabilities of the sector to cyber or 
physical attacks;
 recommending a plan to eliminate significant vulnerabilities;
 proposing a system for identifying and preventing major 
attacks; and
 developing a plan for alerting, containing, and rebuffing an 
attack in progress and then, in coordination with the Federal Emergency 
Management Agency as appropriate, rapidly reconstituting minimum 
essential capabilities in the aftermath of an attack.
CIP policy also called for sector liaisons to identify and assess 
economic incentives to encourage the desired sector behavior in CIP. 
Federal grant programs to assist state and local efforts, legislation 
to create incentives for the private sector and, in some cases, 
regulation are mentioned in CIP policy.
Federal CIP policy also encourages the voluntary creation of 
information sharing and analysis centers (ISACs) to serve as mechanisms 
for gathering, analyzing, and appropriately sanitizing and 
disseminating information to and from infrastructure sectors and the 
federal government through NIPC. Their activities could improve the 
security posture of the individual sectors, as well as provide an 
improved level of communication within and across sectors and all 
levels of government. While PDD 63 encouraged the creation of ISACs, it 
left the actual design and functions of the ISACs, along with their 
relationship with NIPC, to be determined by the private sector in 
consultation with the federal government. PDD 63 did provide suggested 
activities, which the ISACs could undertake, including
 establishing baseline statistics and patterns on the various 
infrastructures;
 serving as a clearinghouse for information within and among 
the various sectors;
 providing a library for historical data for use by the private 
sector and government; and
 reporting private-sector incidents to NIPC.
As we reported in our April 8, 2003,\13\ testimony, table 3 shows the 
sectors identified in federal CIP policy, the lead agencies for these 
sectors, and whether or not an ISAC has been established for the 
sector.
---------------------------------------------------------------------------
    \13\ U.S. General Accounting Office, Information Security Progress 
Made, But Challenges Remain to Protect Federal Systems and the Nation's 
Critical Infrastructures, GAO-03-564T (Washington, D.C.: Apr. 8, 2003).

                              Table 3: Lead Agencies and ISAC Status by CIP Sector
----------------------------------------------------------------------------------------------------------------
   Sectors Sectors identified by PDD 63             Designated lead agency                ISAC established
----------------------------------------------------------------------------------------------------------------
Information and telecommunications                            Homeland Security*
  Information technology                                                           x
  Telecommunications                                                               x
  Research and education networks                                                  x
----------------------------------------------------------------------------------------------------------------
Banking and finance                                                     Treasury   x
----------------------------------------------------------------------------------------------------------------
Water                                            Environmental Protection Agency   x
----------------------------------------------------------------------------------------------------------------
Transportation                                                Homeland Security*
  Aviation
  Surface transportation                                                           x
  Maritime                                                                         prospective
  Trucking                                                                         x
----------------------------------------------------------------------------------------------------------------
Emergency services**                                          Homeland Security*
  Emergency law enforcement                                                        x
  Emergency fire services                                                          x
----------------------------------------------------------------------------------------------------------------
Government **                                                 Homeland Security*
  Interstate                                                                       x
----------------------------------------------------------------------------------------------------------------
Energy                                                                    Energy
  Electric power                                                                   x
  Oil and gas                                                                      x
----------------------------------------------------------------------------------------------------------------
Public health                                          Health and Human Services
----------------------------------------------------------------------------------------------------------------
Sectors identified by the National
 Strategy
for Homeland Security
----------------------------------------------------------------------------------------------------------------
Food                                                                               x
  Meat and poultry                                                   Agriculture
  All other food products                              Health and Human Services
----------------------------------------------------------------------------------------------------------------
Agriculture                                                          Agriculture
----------------------------------------------------------------------------------------------------------------
Chemical industry and hazardous materials        Environmental Protection Agency
  Chemicals                                                                        x
----------------------------------------------------------------------------------------------------------------
Defense industrial base                                                  Defense
----------------------------------------------------------------------------------------------------------------
Postal and shipping                                            Homeland Security
----------------------------------------------------------------------------------------------------------------
National monuments and icons                                            Interior
----------------------------------------------------------------------------------------------------------------
Other communities that have established
 ISACs
----------------------------------------------------------------------------------------------------------------
Real estate                                                                        x
----------------------------------------------------------------------------------------------------------------

* THE LEAD AGENCIES PREVIOUSLY DESIGNATED BY PDD 63 WERE (FROM TOP TO 
                    BOTTOM) THE DEPARTMENT OF COMMERCE, DEPARTMENT OF 
                    TRANSPORTATION, DEPARTMENT OF JUSTICE/FEDERAL 
                    BUREAU OF INVESTIGATION, AND THE FEDERAL EMERGENCY 
                    MANAGEMENT AGENCY.

** PDD 63 IDENTIFIED AS CRITICAL SECTORS (1) EMERGENCY LAW ENFORCEMENT 
                    AND (2) EMERGENCY FIRE SERVICES AND CONTINUITY OF 
                    GOVERNMENT. IN THE NATIONAL STRATEGY FOR HOMELAND 
                    SECURITY, EMERGENCY LAW ENFORCEMENT AND EMERGENCY 
                    FIRE SERVICES ARE BOTH INCLUDED IN AN EMERGENCY 
                    SERVICES SECTOR. ALSO, CONTINUITY OF GOVERNMENT, 
                    ALONG WITH CONTINUITY OF OPERATIONS, IS LISTED AS A 
                    SUBCOMPONENT UNDER THE GOVERNMENT SECTOR.

The Interstate ISAC shown in table 3 was established by the National 
Association of State Chief Information Officers (NASCIO) and is 
intended to provide a mechanism for informing state officials about DHS 
threat warnings, alerts, and other relevant information, and for state 
officials to report information to DHS. According to a NASCIO official, 
currently, there are limited resources available to provide suggested 
ISAC activities. For example, there is not a watch operation, although 
notifications can be sent out to members at any time and some states 
have their own watch centers. He also stated that NASCIO's efforts have 
focused on working with DHS to develop an intergovernmental approach, 
similar to other federal and state efforts such as law enforcement task 
forces, where state and federal agencies share resources and 
responsibilities.
As called for by the National Strategy for Homeland Security, on 
February 14, 2003, the President also released the National Strategy to 
Secure Cyberspace and the complementary National Strategy for the 
Physical Protection of Critical Infrastructures and Key Assets. These 
two strategies identify priorities, actions, and responsibilities for 
the federal government (including lead agencies and DHS) as well as for 
state and local governments and the private sector. These two 
strategies also emphasize the importance of developing mechanisms for 
the public and private sectors to share information about 
vulnerabilities, incidents, threats, and other security data. For 
example, the National Strategy to Secure Cyberspace calls for the 
development of a National Cyberspace Security Response System. To be 
coordinated by DHS, this system is described as a public/private 
architecture for analyzing and warning, managing incidents of national 
significance, promoting continuity in government systems and private-
sector infrastructures, and increasing information sharing across and 
between organizations to improve cyberspace security. The system is to 
include governmental and nongovernmental entities, such as private-
sector ISACs. The strategies also encourage the continued establishment 
of ISACs and efforts to enhance the analytical capabilities of existing 
ISACs.
As we reported in April 2003, according to a DHS official, the 
department is continuing to carry out the CIP activities of the 
functions and organizations transferred to it by the Homeland Security 
Act of 2002.\14\ Further, this official stated that the department is 
taking actions to enhance those activities as it integrates them within 
the new department and is continuing previously established efforts to 
maintain and build relationships with other federal entities, including 
the FBI and other NIPC partners, and with the private sector.
---------------------------------------------------------------------------
    \14\ GAO-03-564T.
---------------------------------------------------------------------------
To fulfill its mission, the IAIP directorate will need to ensure 
effective information sharing with other federal entities. For example, 
information sharing with the recently formed Terrorist Threat 
Integration Center (TTIC) is a central function of the directorate. 
TTIC was created to merge and analyze terrorist-related information 
collected domestically and abroad to enhance coordination, facilitate 
threat analysis, and enable more comprehensive threat assessments. DHS 
is providing staff to work at TTIC, and the center is to provide DHS 
with a comprehensive assessment of threat information that will guide 
the department's response to any potential attacks.
To help implement its cybersecurity responsibilities, in June 2003, DHS 
created the National Cyber Security Division within IAIP, and on 
September 15, 2003, DHS announced the appointment of the first director 
of the division. According to DHS, this division will identify, 
analyze, and reduce cyber threats and vulnerabilities; disseminate 
threat warning information; coordinate incident response; and provide 
technical assistance in continuity of operations and recovery planning. 
Building on capabilities transferred to DHS from the CIAO, the NIPC, 
the Federal Computer Incident Response Center (FedCIRC), and the 
National Communications System, the division is organized around three 
units designed to:
 identify risks and help reduce the vulnerabilities to 
government's cyber assets and coordinate with the private sector to 
identify and help protect America's critical cyber assets;
 oversee a consolidated Cyber Security Tracking, Analysis, & 
Response Center, which will detect and respond to Internet events; 
track potential threats and vulnerabilities to cyberspace; and 
coordinate cybersecurity and incident response with federal, state, 
local, private-sector and international partners; and
 create, in coordination with other appropriate agencies, 
cybersecurity awareness and education programs and partnerships with 
consumers, businesses, governments, academia, and international 
communities.
Also, on September 15, 2003, DHS announced the creation of the U.S. 
Computer Emergency Response Team (US--CERT)--a partnership between the 
National Cyber Security Division and CERT/CC. According to DHS, it will
 improve warning and response time to security incidents by 
fostering the development of detection tools and using common 
commercial incident and vulnerability reporting protocols--with the 
goal to reduce the response time to a security event to an average of 
30 minutes by the end of 2004;
 increase the flow of critical security information throughout 
the Internet community;
 provide a coordination center that, for the first time, links 
public and private response capabilities to facilitate communication 
across all infrastructure sectors;
 collaborate with the private sector to develop and implement 
new tools and methods for detecting and responding to vulnerabilities; 
and
 work with infrastructure owners and operators and technology 
experts to foster the development of improved security technologies and 
methods to increase cybersecurity at all levels across the nation.
In its announcement, DHS also stated that the US--CERT is expected to 
grow to include other partnerships with private-sector security vendors 
and other domestic and international CERT organizations. These groups 
will work together to coordinate national and international efforts to 
prevent, protect, and respond to the effects of cyber attacks across 
the Internet.

The Directorate of Border and Transportation Security
According to the act, the Border and Transportation Security 
Directorate (BTS) is responsible for, among other things, (1) 
preventing the entry of terrorists and the instruments of terrorism 
into the United States; (2) securing the borders, territorial waters, 
ports, terminals, waterways, and air, land, and sea transportation 
systems, including managing and coordinating those functions 
transferred to the department; (3) carrying out immigration enforcement 
functions; (4) establishing and administering rules for granting visas, 
and (5) administering customs laws. A number of federal entities are 
under its responsibility, such as the Transportation Security 
Administration, U.S. Customs Service, the border security functions of 
the Immigration and Naturalization Service (INS), Animal and Plant 
Health Inspection Service, and the Federal Law Enforcement Training 
Center.
To successfully protect the borders and transportation systems of the 
United States, BTS faces the challenge of sharing information across 
the various organizations under its responsibility. According to the 
National Strategy for Homeland Security, to successfully prevent the 
entry of contraband, unauthorized aliens, and potential terrorists, DHS 
will have to increase the level of information available on inbound 
goods and passengers to the border management component agencies under 
the BTS. For example, the strategy discusses the need to increase the 
security of international shipping containers--noting that 50 percent 
of the value of U.S. imports arrives via 16 million containers. To 
increase security, U.S. inspectors will need shared information so that 
they can identify high-risk containers. In addition, protecting our 
borders from the entry of unauthorized aliens and potential terrorists 
will require the sharing of information between various law enforcement 
and immigration services. For example, we recently reported on the use 
of watch lists as important tools to help secure our nation's 
borders.\15\ These lists provide decision makers with information about 
individuals who are known or suspected terrorists and criminals so that 
these individuals can be prevented from entering the country, 
apprehended while in the country, or apprehended as they attempt to 
exit the country.
---------------------------------------------------------------------------
    \15\ U.S. General Accounting Office, Information Technology: 
Terrorist Watch Lists Should Be Consolidated to Promote Better 
Integration and Sharing, GAO-03-322 (Washington, D.C: Apr. 15, 2003).

The Emergency Preparedness and Response Directorate
According to the act, the Emergency Preparedness and Response 
Directorate (EPR) ensures that the nation is prepared for, and able to 
recover from, terrorist attacks, major disasters, and other 
emergencies. In addition, EPR is responsible for building a 
comprehensive national incident management system with federal, state, 
and local governments and authorities to respond to such attacks and 
disasters. This project will require developing an extensive program of 
information sharing among federal, state, and local governments. 
Further, EPR is to develop comprehensive programs for developing 
interoperable communications technology and helping to ensure that 
emergency response providers acquire such technology. Among the 
functions transferred to EPR are the Federal Emergency Management 
Agency, the Integrated Hazard Information System of the National 
Oceanic and Atmospheric Administration, and the Metropolitan Medical 
Response System.
Information sharing is important to emergency responders to prepare for 
and respond to terrorist attacks and other emergencies. For example, if 
a biological attack were to occur, it would be important for health 
officials to quickly and effectively exchange information with relevant 
experts directly responding to the event in order to respond 
appropriately. To support this type of exchange, the Centers for 
Disease Control and Prevention (CDC) created the Epidemic Information 
Exchange (Epi-X), a secure, Web-based communications network that 
serves as an information exchange between CDC, state and local health 
departments, poison control centers, and other public health 
professionals. According to CDC, Epi-X's primary goals include 
informing health officials about important public health events, 
helping them respond to public health emergencies, and encouraging 
professional growth and the exchange of information. CDC has also 
created an emergency operations center to respond to public health 
emergencies and to allow for immediate secure communication between 
CDC, the Department of Health and Human Services, federal intelligence 
and emergency response officials, DHS, and state and local public 
health officials.

Information Sharing Challenges
We have made numerous recommendations over the last several years 
related to information sharing functions that have been transferred to 
DHS. One significant area of our work concerns the federal government's 
CIP efforts, which is focused on sharing information on incidents, 
threats, and vulnerabilities and providing warnings related to critical 
infrastructures both within the federal government and between the 
federal government and state and local governments and the private 
sector. Although improvements have been made in protecting our nation's 
critical infrastructures and continuing efforts are in progress, 
further efforts are needed to address the following critical CIP 
challenges that we have identified:
 developing a comprehensive and coordinated national plan to 
facilitate CIP information sharing, which clearly delineates the roles 
and responsibilities of federal and nonfederal CIP entities, defines 
interim objectives and milestones, sets timeframes for achieving 
objectives, and establishes performance measures;
 developing fully productive information sharing relationships 
within the federal government and between the federal government and 
state and local governments and the private sector;
 improving the federal government's capabilities to analyze 
incident, threat, and vulnerability information obtained from numerous 
sources and share appropriate timely, useful warnings and other 
information concerning both cyber and physical threats to federal 
entities, state and local governments, and the private sector; and
 providing appropriate incentives for nonfederal entities to 
increase information sharing with the federal government.
In addition, we recently identified challenges in consolidating and 
standardizing watch list structures and policies, which are essential 
to effectively sharing information on suspected criminals and 
terrorists.

A Complete and Coordinated National CIP Plan Needs to Be Developed
An underlying issue in the implementation of CIP is that no national 
plan to facilitate information sharing yet exists that clearly 
delineates the roles and responsibilities of federal and nonfederal CIP 
entities, defines interim objectives and milestones, sets time frames 
for achieving objectives, and establishes performance measures. Such a 
clearly defined plan is essential for defining the relationships among 
all CIP organizations to ensure that the approach is comprehensive and 
well coordinated. Since 1998, we have reported on the need for such a 
plan and made numerous related recommendations.
In September 1998, we reported that developing a governmentwide 
strategy that clearly defined and coordinated the roles of federal 
entities was important to ensure governmentwide cooperation and support 
for PDD 63.\16\ At that time, we recommended that the Office of 
Management and Budget (OMB) and the Assistant to the President for 
National Security Affairs ensure such coordination.
---------------------------------------------------------------------------
    \16\ U.S. General Accounting Office, Information Security: Serious 
Weaknesses Place Critical Federal Operations and Assets at Risk, GAO/
AIMD-98-92 (Washington, D.C.: Sept. 23, 1998).
---------------------------------------------------------------------------
In January 2000, the President issued Defending America's Cyberspace: 
National Plan for Information Systems Protection: Version 1.0: An 
Invitation to a Dialogue as a first major element of a more 
comprehensive effort to protect the nation's information systems and 
critical assets from future attacks. The plan proposed achieving the 
twin goals of making the U.S. government a model of information 
security and developing a public/private partnership to defend our 
national infrastructures. However, this plan focused largely on federal 
cyber CIP efforts, saying little about the private-sector role.
In September 2001, we reported that agency questions had surfaced 
regarding specific roles and responsibilities of entities involved in 
cyber CIP and the timeframes within which CIP objectives were to be 
met, as well as guidelines for measuring progress.\17\ Accordingly, we 
made several recommendations to supplement those we had made in the 
past. Specifically, we recommended that the Assistant to the President 
for National Security Affairs ensure that the federal government's 
strategy to address computer-based threats define
---------------------------------------------------------------------------
    \17\ U.S. General Accounting Office, Combating Terrorism: Selected 
Challenges and Related Recommendations, GAO-01-822 (Washington, D.C.: 
Sept. 20, 2001).18GAO-02-474.
---------------------------------------------------------------------------
 specific roles and responsibilities of organizations involved 
in CIP and related information security activities;
 interim objectives and milestones for achieving CIP goals and 
a specific action plan for achieving these objectives, including 
implementing vulnerability assessments and related remedial plans; and
 performance measures for which entities can be held 
accountable.
In July 2002, we issued a report identifying at least 50 organizations 
that were involved in national or multinational cyber CIP efforts, 
including 5 advisory committees; 6 Executive Office of the President 
organizations; 38 executive branch organizations associated with 
departments, agencies, or intelligence organizations; and 3 other 
organizations.18 Although our review did not cover organizations with 
national physical CIP responsibilities, the large number of 
organizations that we did identify as involved in CIP efforts presents 
a need to clarify how these entities coordinate their activities with 
each other. Our report also stated that PDD 63 did not specifically 
address other possible critical sectors and their respective federal 
agency counterparts. Accordingly, we recommended that the federal 
government's strategy also
 include all relevant sectors and define the key federal 
agencies' roles and responsibilities associated with each of these 
sectors, and
 define the relationships among the key CIP organizations.
In July 2002, the National Strategy for Homeland Security called for 
interim cyber and physical infrastructure protection plans that DHS 
would use to build a comprehensive national infrastructure plan. 
Implementing a well-developed plan is critical to effective 
coordination in times of crises. According to the strategy, the 
national plan is to provide a methodology for identifying and 
prioritizing critical assets, systems, and functions, and or sharing 
protection responsibility with state and local governments and the 
private sector. The plan is also to establish standards and benchmarks 
for infrastructure protection and provide a means to measure 
performance. The plan is expected to inform DHS on budgeting and 
planning for CIP activities and how to use policy instruments to 
coordinate between government and private entities to improve the 
security of our national infrastructures to appropriate levels. The 
strategy also states that DHS is to unify the currently divided 
responsibilities for cyber and physical security. According to the 
department's November 2002 reorganization plan, the Assistant Secretary 
for Infrastructure Protection is responsible for developing a 
comprehensive national infrastructure plan.
As discussed previously, in February 2003, the President issued the 
interim strategies--The National Strategy to Secure Cyberspace and The 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets (hereafter referred to in this testimony 
as the cyberspace security strategy and the physical protection 
strategy). These strategies identify priorities, actions, and 
responsibilities for the federal government, including federal lead 
departments and agencies and the DHS, as well as for state and local 
governments and the private sector. Both define strategic objectives 
for protecting our nation's critical assets. The physical protection 
strategy discusses the goals and objectives for protecting our nation's 
critical infrastructure and key assets from physical attack. The 
cyberspace security strategy provides a framework for organizing and 
prioritizing the individual and concerted responsibilities of all 
levels of government to secure cyberspace.
According to the physical protection strategy, across government, there 
are inconsistent methodologies to prioritize efforts to enhance 
critical infrastructure protection. This problem is compounded with 
ineffective communication among the federal, state, and local 
governments that has resulted in untimely, disparate, and at times 
conflicting communication between those who need it most. DHS has been 
given a primary role in providing cross-sector coordination to improve 
communication and planning efforts and serves as the single point of 
coordination for state and local governments on homeland security 
issues. To fulfill its role as the cross-sector coordinator, DHS will 
partner with state and local governments and the private sector to 
institute processes that are transparent, comprehensive, and results-
oriented. This effort will include creating mechanisms for 
collaborative national planning efforts between the private and public 
sectors and for consolidating the individual sector plans into a 
comprehensive plan that will define their respective roles, 
responsibilities, and expectations.
The cyberspace security strategy is the counterpart to the physical 
protection strategy and provides the framework for organizing and 
prioritizing the individual and concerted responsibilities of all 
levels of government to secure cyberspace. DHS serves as the focal 
point for managing cybersecurity incidents that could affect the 
federal government or the national information infrastructure and, 
thus, plays a central role in executing the initiatives assigned in 
this strategy. While the cyberspace security strategy mentions the 
responsibility of DHS in creating a comprehensive national plan for 
securing resources and key infrastructures, much of the strategy's 
emphasis remains on coordinating and integrating various plans with the 
private sector.
Neither strategy (1) clearly indicates how the physical and cyber 
efforts will be coordinated; (2) defines the roles, responsibilities, 
and relationships among the key CIP organizations, including state and 
local governments and the private sector; (3) indicates time frames or 
milestones for their overall implementation or for accomplishing 
specific actions or initiatives; nor (4) establishes performance 
measures for which entities can be held responsible. Until a 
comprehensive and coordinated plan is completed that unifies the 
responsibilities for cyber and physical infrastructures; identifies 
roles, responsibilities, and relationships for all CIP efforts; 
establishes time frames or milestones for implementation; and 
establishes performance measures, our nation risks not having a 
consistent and appropriate information sharing framework to deal with 
growing threats to its critical infrastructure.

Better Information Sharing on Threats and Vulnerabilities Must Be 
Implemented
Information sharing is a key element in developing comprehensive and 
practical approaches to defending against potential cyber and other 
attacks, which could threaten the national welfare. Information on 
threats, vulnerabilities, and incidents experienced by others can help 
identify trends, better understand the risks faced, and determine what 
preventive measures should be implemented. However, as we have reported 
in recent years, establishing the trusted relationships and 
information-sharing protocols necessary to support such coordination 
can be difficult. In addition, the private sector has expressed 
concerns about sharing information with the government and the 
difficulty of obtaining security clearances. Both the Congress and the 
administration have taken steps to address information sharing issues 
in law and recent policy guidance, but their effectiveness will largely 
depend on how DHS implements its information sharing responsibilities.
A number of activities have been undertaken to build information-
sharing relationships between the federal government and the private 
sector, such as InfraGard, the Partnership for Critical Infrastructure 
Security, efforts by the CIAO, and efforts by lead agencies to 
establish ISACs. For example, the InfraGard Program, which provides the 
FBI and NIPC with a means of securely sharing information with 
individual companies, has expanded substantially. InfraGard membership 
has increased from 277 in October 2000 to almost 9,400 in September 
2003. Members include representatives from private industry, other 
government agencies, state and local law enforcement, and the academic 
community.
As stated above, PDD 63 encouraged the voluntary creation of ISACs to 
serve as the mechanism for gathering, analyzing, and appropriately 
sanitizing and disseminating information between the private sector and 
the federal government through NIPC. In April 2001, we reported that 
NIPC and other government entities had not developed fully productive 
information-sharing relationships but that NIPC had undertaken a range 
of initiatives to foster information-sharing relationships with ISACs, 
as well as with government and international entities. We recommended 
that NIPC formalize relationships with ISACs and develop a plan to 
foster a two-way exchange of information between them.
In response to our recommendations, NIPC officials told us in July 2002 
that an ISAC development and support unit had been created, whose 
mission was to enhance private-sector cooperation and trust so that it 
would result in a two-way sharing of information. As shown previously 
in table 3, as of April 2003, DHS reported that there are 16 current 
ISACs, including ISACs established for sectors not identified as 
critical infrastructure sectors. DHS officials also stated that they 
have formal agreements with most of the current ISACs.
In spite of progress made in establishing ISACs, additional efforts are 
needed. All sectors do not have a fully established ISAC, and even for 
those sectors that do, our recent work showed that participation may be 
mixed, and the amount of information being shared between the federal 
government and private-sector organizations also varies. Specifically, 
as we reported in February 2003, the five ISACs we recently reviewed 
showed different levels of progress in implementing the PDD 63 
suggested activities.\19\ For example, four of the five reported that 
efforts were still in progress to establish baseline statistics, which 
includes developing a database on the normal levels of computer 
security incidents that would be used for analysis purposes. Also, 
while all five reported that they served as the clearinghouse of 
information (such as incident reports and warnings received from 
members) for their own sectors, only three of the five reported that 
they are also coordinating with other sectors. Only one of the five 
ISACs reported that it provides a library of incidents and historical 
data that was available to both the private sector and the federal 
government, and although three additional ISACs do maintain a library, 
it was available only to the private sector. Table 4 summarizes the 
reported status of the five ISACs in performing these and other 
activities suggested by PDD 63.
---------------------------------------------------------------------------
    \19\ U.S. General Accounting Office, Critical Infrastructure 
Protection: Challenges for Selected Agencies and Industry Sectors, GA-
03-233 (Washington, D.C.: Feb. 28, 2003).

                                          Table 4: ISACs' Progress in Performing Activities Suggested by PDD 63
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                                           ISAC Information Technology
            Activity                Telecommunications      Electricity                                                            Energy       Water
--------------------------------------------------------------------------------------------------------------------------------------------------------
Establish baseline                In progress             In progress      Yes                                                  In progress  In progress
statistics
--------------------------------------------------------------------------------------------------------------------------------------------------------
Serve as clearinghouse            Yes                     Yes              Yes                                                  Only within  Only within
within and among                                                                                                                own sector   own sector
sectors
--------------------------------------------------------------------------------------------------------------------------------------------------------
Provide library to                In progress             Yes              Available only                                       Available    Available
private sector and                                                         to private                                            only         only
government                                                                 sector                                               to private   to private
                                                                                                                                sector       sector
--------------------------------------------------------------------------------------------------------------------------------------------------------
Report incidents                  Yes                     Yes              Yes                                                  No           Yes
to NIPC
--------------------------------------------------------------------------------------------------------------------------------------------------------

Source: ISACs.

As also noted in our February 2003 report, some in the private 
sector expressed concerns about voluntarily sharing information with 
the government. Specifically, concerns were raised that industry could 
potentially face antitrust violations for sharing information with 
other industry partners, have their information subject to the Freedom 
of Information Act (FOIA), or face potential liability concerns for 
information shared in good faith. For example, the IT, energy, and the 
water ISACs reported that they did not share their libraries with the 
federal government because of concerns that information could be 
released under FOIA. And, officials of the energy ISAC stated that they 
have not reported incidents to NIPC because of FOIA and antitrust 
concerns.
The recently established ISAC Council may help to address some of these 
concerns. According to its chairman, the mission of the ISAC Council is 
to advance the physical and cybersecurity of the critical 
infrastructures of North America by establishing and maintaining a 
framework for interaction between and among the ISACs. Activities of 
the council include establishing and maintaining a policy for inter-
ISAC coordination, a dialog with governmental agencies that deal with 
ISACs, and a practical data and information sharing protocol (what to 
share and how to share). In addition, the council will develop 
analytical methods to assist the ISACs in supporting their own sectors 
and other sectors with which there are interdependencies and establish 
a policy to deal with matters of liability and anti-trust. The chairman 
also reported that the council held an initial meeting with DHS and the 
White House in June 2003 to, among other things, understand mutual DHS 
and ISAC expectations.
There will be continuing debate as to whether adequate protection is 
being provided to the private sector as these entities are encouraged 
to disclose and exchange information on both physical and cybersecurity 
problems and solutions that are essential to protecting our nation's 
critical infrastructures. The National Strategy for Homeland Security 
includes ``enabling critical infrastructure information sharing'' in 
its 12 major legislative initiatives. It states that the nation must 
meet this need by narrowly limiting public disclosure of information 
relevant to protecting our physical and cyber critical infrastructures 
in order to facilitate the voluntary submission of information. It 
further states that the Attorney General will convene a panel to 
propose any legal changes necessary to enable sharing of essential 
homeland security related information between the federal government 
and the private sector.
Actions have already been taken by the Congress and the administration 
to strengthen information sharing. For example, the USA PATRIOT Act 
promotes information sharing among federal agencies, and numerous 
terrorism task forces have been established to coordinate 
investigations and improve communications among federal and local law 
enforcement.\20\ Moreover, the Homeland Security Act of 2002 includes 
provisions that restrict federal, state, and local government use and 
disclosure of critical infrastructure information that has been 
voluntarily submitted to DHS. These restrictions include exemption from 
disclosure under FOIA, a general limitation on use to CIP purposes, and 
limitations on use in civil actions and by state or local governments. 
The act also provides penalties for any federal employee who improperly 
discloses any protected critical infrastructure information. In April 
2003, DHS issued for comment its proposed rules for how critical 
infrastructure information volunteered by the public will be protected. 
At this time, it is too early to tell what impact the act will have on 
the willingness of the private sector to share critical infrastructure 
information.
---------------------------------------------------------------------------
    \20\ The Uniting and Strengthening America by Providing Appropriate 
Tools Required to Intercept and Obstruct Terrorism (USA PATRIOT) Act, 
Public Law No. 107-56, October 26, 2001.
---------------------------------------------------------------------------
Information sharing among federal, state and local governments also 
needs to be improved. In August 2003 we reported the results of our 
survey of federal, state, and city government officials' perceptions of 
the effectiveness of the current information-sharing process.\21\ 
Performed primarily before DHS began its operations, our survey 
identified some notable information-sharing initiatives, but also 
highlighted coordination issues and other concerns that many of the 
surveyed entities had with the overall information-sharing process. For 
example, the FBI reported it had significantly increased the number of 
its Joint Terrorism Task Forces and, according to our survey, 34 of 40 
states and 160 of 228 cities stated that they participated in 
information-sharing centers. However, although such initiatives may 
increase the sharing of information to fight terrorism, none of the 
three levels of government perceived the current information-sharing 
process as effective, particularly when sharing information with 
federal agencies. Respondents reported that information on threats, 
methods, and techniques of terrorists was not routinely shared; and the 
information that was shared was not perceived as timely, accurate, or 
relevant. Further, 30 of 40 states and 212 of 228 cities responded that 
they were not given the opportunity to participate in national policy 
making on information sharing. Federal agencies in our survey also 
identified several barriers to sharing threat information with state 
and city governments, including the inability of state and city 
officials to secure and protect classified information, the lack of 
federal security clearances, and a lack of integrated databases.
---------------------------------------------------------------------------
    \21\ U.S. General Accounting Office, Homeland Security: Efforts to 
Improve Information Sharing Need toBe Strengthened, GAO-03-760 
(Washington, D.C.: Aug. 27, 2003).
---------------------------------------------------------------------------
The private sector has also expressed its concerns about the value of 
information being provided by the government. For example, in July 2002 
the President for the Partnership for Critical Infrastructure Security 
stated in congressional testimony that information sharing between the 
government and private sector needs work, specifically, in the quality 
and timeliness of cybersecurity information coming from the 
government.\22\ In March 2003 we also reported that the officials from 
the chemical industry noted that they need better threat information 
from law enforcement agencies, as well as better coordination among 
agencies providing threat information.\23\ They stated that chemical 
companies do not receive enough specific threat information and that it 
frequently comes from multiple government agencies. Similarly, in 
developing a vulnerability assessment methodology to assess the 
security of chemical facilities against terrorist and criminal attacks, 
the Department of Justice observed that chemical facilities need more 
specific information about potential threats in order to design their 
security systems and protocols. Chemical industry officials also noted 
that efforts to share threat information among industry and federal 
agencies will be effective only if government agencies provide specific 
and accurate threat information. Threat information also forms the 
foundation for some of the tools available to industry for assessing 
facility vulnerabilities. The Justice vulnerability assessment 
methodology requires threat information as the foundation for 
hypothesizing about threat scenarios, which form the basis for 
determining site vulnerabilities.
---------------------------------------------------------------------------
    \22\ Testimony of Kenneth C. Watson, President, Partnership for 
Critical Infrastructure Security, beforethe Subcommittee on Oversight 
and Investigation of the Energy and Commerce Committee, U.S. House of 
Representatives, July 9, 2002.
    \23\ U. S. General Accounting Office, Homeland Security: Voluntary 
Initiatives Are Under Way at ChemicalFacilities, but the Extent of 
Security Preparedness is Unknown, GAO-03-439 (Washington D.C.: Mar.14, 
2003).
---------------------------------------------------------------------------
The Homeland Security Act, the National Strategy for Homeland Security, 
the National Strategy to Secure Cyberspace, and the National Strategy 
for the Physical Protection of Critical Infrastructures and Key Assets 
all acknowledge the importance of information sharing and identify 
multiple responsibilities for DHS to share information on threats and 
vulnerabilities. In particular:
 The Homeland Security Act authorizes the IAIP Under Secretary 
to have access to all information in the federal government that 
concerns infrastructure or other vulnerabilities of the United States 
to terrorism and to use this information to fulfill its 
responsibilities to provide appropriate analysis and warnings related 
to threats to and vulnerabilities of critical information systems, 
crisis management support in response to threats or attacks on critical 
information systems, and technical assistance upon request to private-
sector and government entities to respond to major failures of critical 
information systems.
 The National Strategy for Homeland Security specifies the need 
for DHS to work with state and local governments to achieve ``seamless 
communication'' among all responders. This responsibility includes 
developing a national emergency communication plan to establish 
policies and procedures to improve the exchange of information. 
Ensuring improved communications also involves developing systems that 
help prevent attacks and minimize damage. Such systems, which would be 
accessed and used by all levels of government, would detect hostile 
intents and help locate individual terrorists as well as monitor and 
detect outbreaks.
 The cyberspace security strategy encourages DHS to work with 
the National Infrastructure Advisory Council and the private sector to 
develop an optimal approach and mechanism to disclose vulnerabilities 
in order to expedite the development of solutions without creating 
opportunities for exploitation by hackers. DHS is also expected to 
raise awareness about removing obstacles to sharing information 
concerning cybersecurity and infrastructure vulnerabilities between the 
public and private sectors and is encouraged to work closely with ISACs 
to ensure that they receive timely and actionable threat and 
vulnerability data and to coordinate voluntary contingency planning 
efforts.
 The physical protection strategy describes DHS's need to 
collaborate with the intelligence community and the Department of 
Justice to develop comprehensive threat collection, assessment, and 
dissemination processes that are distributed to the appropriate entity 
in a timely manner. It also enumerates several initiatives directed to 
DHS to accomplish to create a more effective information-sharing 
environment among the key stakeholders, including establishing 
requirements for sharing information; supporting state and local 
participation with ISACs to more effectively communicate threat and 
vulnerability information; protecting secure and proprietary 
information deemed sensitive by the private sector; implementing 
processes for collecting, analyzing, and disseminating threat data to 
integrate information from all sources; and developing interoperable 
systems to share sensitive information among government entities to 
facilitate meaningful information exchange.
 The National Strategy for Homeland Security also describes 
DHS's need to engage its partners around the world in cooperative 
efforts to improve security. It states that DHS will increase 
information sharing between the international law enforcement, 
intelligence, and military communities.

Analysis and Warning Capabilities Need to Be Improved
Analysis and warning capabilities should be developed to detect 
precursors to attacks on the nation so that advanced warnings can be 
issued and protective measures implemented. Since the 1990s, the 
national security community and the Congress have identified the need 
to establish analysis and warning capabilities to protect against 
strategic computer attacks against the nation's critical computer-
dependent infrastructures. Such capabilities need to address both cyber 
and physical threats and involve (1) gathering and analyzing 
information for the purpose of detecting and reporting otherwise 
potentially damaging actions or intentions and (2) implementing a 
process for warning policymakers and allowing them time to determine 
the magnitude of the related risks.
In April 2001,\24\ we reported on NIPC's progress and impediments in 
developing analysis and warning capabilities for computer-based 
attacks, which included the following: \25\
---------------------------------------------------------------------------
    \24\ GAO-01-323.
    \25\ Pursuant to the Homeland Security Act of 2002, the functions 
of NIPC (except for computerinvestigations and operations) were 
transferred over to DHS from the FBI.
---------------------------------------------------------------------------
 Lack of a generally accepted methodology for analyzing 
strategic cyber-based threats. For example, there was no standard 
terminology, no standard set of factors to consider, and no established 
thresholds for determining the sophistication of attack techniques. 
According to officials in the intelligence and national security 
community, developing such a methodology would require an intense 
interagency effort and dedication of resources.
 Lack of industry-specific data on factors such as critical 
system components, known vulnerabilities, and interdependencies. Under 
PDD 63, such information is to be developed for each of eight industry 
segments by industry representatives and the designated federal lead 
agencies. In September 2001, we reported that although outreach efforts 
had raised awareness and improved information sharing, substantive, 
comprehensive analysis of infrastructure sector interdependencies and 
vulnerabilities had been limited.
Another challenge confronting the analysis and warning capabilities of 
our nation is that, historically, our national CIP attention and 
efforts have been focused on cyber threats. As we also reported in 
April 2001, although PDD 63 covers both physical and cyber threats, 
federal efforts to meet the directive's requirements have pertained 
primarily to cyber threats since this is an area that the leaders of 
the administration's CIP strategy view as needing attention. However, 
the terrorist attacks of September 11, 2001, have increased the 
emphasis of physical threats. In addition, in July 2002, NIPC reported 
that the potential for concurrent cyber and physical (``swarming'') 
attacks is an emerging threat to the U.S. critical infrastructure. 
Further, in July 2002, the director of NIPC also told us that NIPC had 
begun to develop some capabilities for identifying physical CIP 
threats. For example, NIPC had developed thresholds with several ISACs 
for reporting physical incidents and, since January 2002, has issued 
several information bulletins concerning physical CIP threats. However, 
NIPC's director acknowledged that fully developing this capability 
would be a significant challenge. The physical protection strategy 
states that DHS will maintain a comprehensive, up-to-date assessment of 
vulnerabilities across sectors and improve processes for domestic 
threat data collection, analysis, and dissemination to state and local 
governments and private industry.
The administration and the Congress continue to emphasize the need for 
these analysis and warning capabilities. The National Strategy for 
Homeland Security identified intelligence and warning as one of six 
critical mission areas and called for major initiatives to improve our 
nation's analysis and warning capabilities. The strategy also stated 
that no government entity was then responsible for analyzing terrorist 
threats to the homeland, mapping these threats to our vulnerabilities, 
and taking protective action. The Homeland Security Act gives such 
responsibility to the new DHS. For example, the IAIP Under Secretary is 
responsible for administering the Homeland Security Advisory System, 
and is to coordinate with other federal agencies to provide specific 
warning information and advice to state and local agencies, the private 
sector, the public, and other entities about appropriate protective 
measures and countermeasures to homeland security threats.
An important aspect of improving our nation's analysis and warning 
capabilities is having comprehensive vulnerability assessments. The 
National Strategy for Homeland Security also states that comprehensive 
vulnerability assessments of all of our nation's critical 
infrastructures are important from a planning perspective in that they 
enable authorities to evaluate the potential effects of an attack on a 
given sector and then invest accordingly to protect it. The strategy 
states that the U.S. government does not perform vulnerability 
assessments of the nation's entire critical infrastructure. The 
Homeland Security Act of 2002 states that the DHS's IAIP Under 
Secretary is to carry out comprehensive assessments of the 
vulnerabilities of key resources and critical infrastructures of the 
United States.
Another critical issue in developing effective analysis and warning 
capabilities is to ensure that appropriate intelligence and other 
threat information, both cyber and physical, is received from the 
intelligence and law enforcement communities. For example, there has 
been considerable public debate regarding the quality and timeliness of 
intelligence data shared between and among relevant intelligence, law 
enforcement, and other agencies. Also, as the transfer of NIPC to DHS 
organizationally separated it from the FBI's law enforcement activities 
(including the Counterterrorism Division and NIPC field agents), it 
will be critical to establish mechanisms for continued communication to 
occur. Further, it will be important that the relationships between the 
law enforcement and intelligence communities and the new DHS are 
effective and that appropriate information is exchanged on a timely 
basis. The act gives DHS broad statutory authority to access 
intelligence information, as well as other information relevant to the 
terrorist threat and to turn this information into useful warnings. For 
example, DHS is to be a key participant in the multiagency TTIC \26\ 
that began operations on May 1, 2003. According to a White House fact 
sheet, DHS's IAIP is to receive and analyze terrorism-related 
information from the TTIC.\27\ Although the purpose of TTIC and the 
authorities and responsibilities of the FBI and Central Intelligence 
Agency (CIA) counterterrorism organizations remain distinct, in July 
2003, the TTIC Director reported that initiatives are under way to 
facilitate efforts within the intelligence community to ensure that DHS 
has access to all information required to execute its mission. He also 
reported other progress, such as updates to a TTIC-sponsored Web site 
that provides terrorism-related information. For example, the Web site 
is to increasingly include products tailored to the needs of state and 
local officials, as well as private industry.
---------------------------------------------------------------------------
    \26\ The center was formed from elements of the Department of 
Homeland Security, the FBI's Counterterrorism Division, the Director of 
Central Intelligence's Counterterrorist Center, and the Department of 
Defense.
    \27\ The White House, Fact Sheet: Strengthening Intelligence to 
Better Protect America (Washington, D.C.: Jan. 28, 2003).
---------------------------------------------------------------------------
In addition, according to NIPC's director, as of July 2002, a 
significant challenge in developing a robust analysis and warning 
function is the development of the technology and human capital 
capacities to collect and analyze substantial amounts of information. 
Similarly, the Director of the FBI testified in June 2002 that 
implementing a more proactive approach to preventing terrorist acts and 
denying terrorist groups the ability to operate and raise funds require 
a centralized and robust analytical capacity that did not then exist in 
the FBI's Counterterrorism Division.\28\ He also stated that processing 
and exploiting information gathered domestically and abroad during the 
course of investigations require an enhanced analytical and data mining 
capacity that was not then available. According to DHS's reorganization 
plans, the IAIP Under Secretary and the chief information officer (CIO) 
of the department are to fulfill their responsibilities as laid out by 
the act to establish and uses a secure communications and IT 
infrastructure. This infrastructure is to include data-mining and other 
analytical tools in order to access, receive, analyze, and disseminate 
data and information.
---------------------------------------------------------------------------
    \28\ Testimony of Robert S. Mueller, III, Director Federal Bureau 
of Investigation, before theSubcommittee for the Departments of 
Commerce, Justice, and State, the Judiciary, and Related Agencies, 
Committee on Appropriations, U.S. House of Representatives, June 21, 
2002.

Additional Incentives Are Needed to Encourage Increased Information 
Sharing Efforts
PDD 63 stated that sector liaisons should identify and assess economic 
incentives to encourage sector information sharing and other desired 
behavior. Consistent with the original intent of PDD 63, the National 
Strategy for Homeland Security states that, in many cases, sufficient 
incentives exist in the private market for addressing the problems of 
CIP. However, the strategy also discusses the need to use all available 
policy tools to protect the health, safety, or well-being of the 
American people. It mentions federal grant programs to assist state and 
local efforts, legislation to create incentives for the private sector, 
and, in some cases, regulation. The physical protection strategy 
reiterates that additional regulatory directives and mandates should 
only be necessary in instances where the market forces are insufficient 
to prompt the necessary investments to protect critical infrastructures 
and key assets. The cyberspace security strategy also states that the 
market is to provide the major impetus to improve cybersecurity and 
that regulation will not become a primary means of securing cyberspace.
Last year, the Comptroller General testified on the need for strong 
partnerships with those outside the federal government and that the new 
department would need to design and manage tools of public policy to 
engage and work constructively with third parties.\29\ We have also 
previously testified on the choice and design of public policy tools 
that are available to governments.\30\ These public policy tools 
include grants, regulations, tax incentives, and regional coordination 
and partnerships to motivate and mandate other levels of government or 
the private sector to address security concerns. Some of these tools 
are already being used, such as in the water and chemical sectors.
---------------------------------------------------------------------------
    \29\ U.S. General Accounting Office, Homeland Security: Proposal 
for Cabinet Agency Has Merit, But Implementation Will Be Pivotal to 
Success, GAO-01-886T (Washington, D.C.: June 25, 2002).
    \30\ U.S. General Accounting Office, Combating Terrorism: Enhancing 
Partnerships Through a National Preparedness Strategy, GAO-02-549T 
(Washington, D.C.: Mar. 28, 2002).
---------------------------------------------------------------------------
Without appropriate consideration of public policy tools, private-
sector participation in sector-related information sharing and other 
CIP efforts may not reach its full potential. For example, we reported 
in January 2003 \31\ on the efforts of the financial services sector to 
address cyber threats, including industry efforts to share information 
and to better foster and facilitate sectorwide efforts. We also 
reported on the efforts of federal entities and regulators to partner 
with the financial services industry to protect critical 
infrastructures and to address information security. We found that 
although federal entities had a number of efforts ongoing, Treasury, in 
its role as sector liaison, had not undertaken a comprehensive 
assessment of the potential public policy tools to encourage the 
financial services sector in implementing information sharing and other 
CIP-related efforts. Because of the importance of considering public 
policy tools to encourage private-sector participation, we recommended 
that Treasury assess the need for public policy tools to assist the 
industry in meeting the sector's goals. In addition, in February 2003, 
we reported on the mixed progress five ISACs had made in accomplishing 
the activities suggested by PDD 63. We recommended that the responsible 
lead agencies assess the need for public policy tools to encourage 
increased private-sector CIP activities and greater sharing of 
intelligence and incident information between the sectors and the 
federal government.
---------------------------------------------------------------------------
    \31\ U.S. General Accounting Office, Critical Infrastructure 
Protection: Efforts of the Financial Services Sector to Address Cyber 
Threats, GAO-03-173 (Washington, DC,: Jan. 30, 2003).
---------------------------------------------------------------------------
The President's fiscal year 2004 budget request for the new DHS 
includes $829 million for information analysis and infrastructure 
protection, a significant increase from the estimated $177 million for 
fiscal year 2003. In particular, the requested funding for protection 
includes about $500 million to identify key critical infrastructure 
vulnerabilities and support the necessary steps to ensure that security 
is improved at these sites. Although the funding also includes almost 
$300 million for warning advisories, threat assessments, a 
communications system, and outreach efforts to state and local 
governments and the private sector, additional incentives may still be 
needed to encourage nonfederal entities to increase their CIP efforts.

Consolidating and Standardizing Watch List Structures and Policies
We recently reported on the terrorist and criminal watch list systems 
maintained by different federal agencies.\32\ These watch lists are 
important information-sharing tools for securing our nation's borders 
against terrorists. Simply stated, watch lists can be viewed as 
automated databases that are supported by certain analytical 
capabilities. These lists contain various types of data, from 
biographical data--such as a person's name and date of birth--to 
biometric data such as fingerprints. Nine federal agencies,\33\ which 
before the establishment of DHS spanned five different cabinet-level 
departments,\34\ currently maintain 12 terrorist and criminal watch 
lists. These lists are also used by at least 50 federal, state, and 
local agencies.
---------------------------------------------------------------------------
    \32\ GA-03-322.
    \33\ The nine agencies are the State Department's Bureau of 
Intelligence and Research and Bureau of Consular Affairs; the Justice 
Department's Federal Bureau of Investigation, Immigration and 
Naturalization Service, U.S. Marshals Service, and the U.S. National 
Central Bureau for Interpol; the Department of Defense's Air Force 
Office of Special Investigations; the Transportation Department's 
Transportation Security Administration; and the Treasury Department's 
U.S. Customs Service. Of these, the Immigration and Naturalization 
Service, the Transportation Security Administration, and the U.S. 
Customs Service have been incorporated into the new DHS.
    \34\ These departments are the Departments of State, Treasury, 
Transportation, Justice, and Defense.
---------------------------------------------------------------------------
According to the National Strategy for Homeland Security, in the 
aftermath of the September 11th attacks, it became clear that vital 
watch list information stored in numerous and disparate databases was 
not available to the right people at the right time. In particular, 
federal agencies that maintained information about terrorists and other 
criminals had not consistently shared it. The strategy attributed these 
information-sharing limitations to legal, cultural, and technical 
barriers that resulted in the watch lists being developed in different 
ways, for different purposes, and in isolation from one another. To 
address these limitations, the strategy provides for developing a 
consolidated watch list that would bring together the information on 
known or suspected terrorists contained in federal agencies' respective 
lists.
As we reported, we found that the watch lists include overlapping but 
not identical sets of data, and that different policies and procedures 
govern whether and how these data are shared with others. As a general 
rule, we found that this information sharing is more likely to occur 
among federal agencies than between federal agencies and either state 
and local governments agencies or private entities. Among other things, 
we also found that the extent to which such information sharing is 
accomplished electronically is constrained by fundamental differences 
in the watch lists' systems architecture. Also, differences in 
agencies' cultures have been and remain one of the principal 
impediments to integrating and sharing information from watch lists and 
other information. We recommended that the Secretary of DHS, in 
collaboration with the heads of other departments and agencies that 
have or use watch lists, lead an effort to consolidate and standardize 
the federal government's watch list structures and policies to promote 
better integration and information sharing. DHS generally agreed with 
our findings and recommendations.

Effective Systems and Processes Need to Be Established to Facilitate 
Information Sharing
The success of homeland security relies on establishing effective 
systems and processes to facilitate information sharing among 
government entities and the private sector. In May 2003, the CIO of DHS 
stated that a key goal to protecting our nation is to put in place 
mechanisms that provide the right information to the right people in a 
timely manner. He further stated that with the use of IT, homeland 
security officials throughout the United States will have a more 
complete awareness of threats and vulnerabilities, as well as knowledge 
of the personnel and resources available to conquer those threats. We 
have identified critical success factors to information sharing that 
DHS should consider. Also, in addition to the need to develop 
technological solutions, key management issues that DHS must overcome 
to achieve success include
 integrating existing IT resources of 22 different agencies,
 making new IT investments,
 ensuring that sensitive information is secured,
 developing secure communications networks,
 developing a performance focus,
 integrating staff from different organizations and ensuring 
that the department has properly skilled staff, and
 ensuring effective oversight.
Addressing these issues will be critical to establishing the effective 
systems and processes required to facilitate information sharing within 
the new department.

Success Factors for Sharing Information
In October 2001, we reported on information sharing practices of 
organizations that successfully share sensitive or time-critical 
information.\35\ We found that these practices include:
---------------------------------------------------------------------------
    \35\ U.S. General Accounting Office, Information Sharing: Practices 
That Can Benefit Critical Infrastructure Protection, GAO-02-24 
(Washington, D.C.: Oct. 15, 2001).
---------------------------------------------------------------------------
 establishing trust relationships with a wide variety of 
federal and nonfederal entities that may be in a position to provide 
potentially useful information and advice on vulnerabilities and 
incidents;
 developing standards and agreements on how shared information 
will be used and protected;
 establishing effective and appropriately secure communications 
mechanisms; and
 taking steps to ensure that sensitive information is not 
inappropriately disseminated.
Among the organizations we studied, we found some very good models to 
learn from and build on. For example, CERT/CC is charged with 
establishing a capability to quickly and effectively coordinate 
communication between experts in order to limit damage, responding to 
incidents, and building awareness of security issues across the 
Internet community. In this role, CERT/CC receives Internet security-
related information from system and network administrators, technology 
managers, and policymakers and provides them with this information 
along with guidance and coordination to major security events. Further, 
the Agora is a Seattle-based regional network that at the time of our 
study had over 600 professionals representing various fields, including 
information systems security; law enforcement; local, state, and 
federal governments; engineering; IT; academics; and other specialties. 
Members work to establish confidential ways for organizations to share 
sensitive information about common problems and best practices for 
dealing with security threats. They develop and share knowledge about 
how to protect electronic infrastructures, and they prompt more 
research specific to electronic information systems security.
In addition, we have previously reported on several other key 
considerations in establishing effective information sharing, 
including:
 identifying and agreeing on the types of information to be 
collected and shared between parties,
 developing standard terms and reporting thresholds,
 balancing varying interests and expectations, and
 determining the right format and standards for collecting data 
so that disparate agencies can aggregate and integrate data sets.
Some efforts have already taken place in these areas. For example, NIPC 
obtained information-sharing agreements with most ISACs, which included 
specific reporting thresholds for physical and cyber incidents. Also, 
incident reporting thresholds have been publicly issued. It will be 
important for DHS to incorporate these considerations into its 
information-sharing efforts.

Developing Technological Solutions
Developing and implementing appropriate technological solutions can 
improve the effectiveness and efficiency of information sharing. We 
have previously reported on the lack of connectivity and 
interoperability between databases and technologies important to the 
homeland security effort.\36\ Databases belonging to federal law 
enforcement agencies and INS, for example, are not connected, and 
databases between state, local, and federal governments are not always 
connected. The technological constraints caused by different system 
architectures that impede the sharing of different agencies' watch 
lists illustrate the widespread lack of interoperability of many 
federal government information systems.
---------------------------------------------------------------------------
    \36\ GAO-02-811T
---------------------------------------------------------------------------
New technologies for data integration and interoperability could enable 
agencies to share information without the need for radical structural 
changes. This would allow the component agencies of DHS to work 
together yet retain a measure of autonomy, thus removing some barriers 
hindering agencies from embracing change. In August 2002, we reported 
on various existing technologies that could be more widely implemented 
to facilitate information sharing.\37\ We reported that Extensible 
Markup Language (XML) is useful for better information sharing. XML is 
a flexible, nonproprietary set of standards for annotating or 
``tagging'' information so that it can be transmitted over a network 
such as the Internet and readily interpreted by disparate computer 
systems. If implemented broadly with consistent data definitions and 
structures, XML offers the promise of making it significantly easier 
for organizations and individuals to identify, integrate, and process 
information that may be widely dispersed among systems and 
organizations. For example, law enforcement agencies could potentially 
better identify and retrieve information about criminal suspects from 
any number of federal, state, and local databases.
---------------------------------------------------------------------------
    \37\ U.S. General Accounting Office, National Preparedness: 
Technology and Information Sharing Challenges, GAO-02-1048R 
(Washington, D.C.: Aug. 30, 2002).
---------------------------------------------------------------------------
We also reported that various technologies could be used to protect 
information in shared databases. For example, data could be protected 
through electronically secured entry technology (ESET). ESET would 
allow users of separate databases to cross check or ``mine'' data 
securely without directly disclosing their information to others, thus 
allowing agencies to collaborate as well as address their needs for 
confidentiality or privacy. Such technology could, for example, allow 
an airline to cross check a passenger or employee against data held by 
government agencies in a single-step process without actually 
disclosing the data to the airline. In checking an individual, the 
airline would not receive any data from the agencies' databases; 
rather, it would receive a ``yes or no'' type of response and/or a 
referral for further action. Additionally, appropriate authorities 
could automatically be notified.
We noted that intrusion detection systems could be used to prevent 
unauthorized users from accessing shared information. Intrusion 
detection uses normal system and network activity data as well as known 
attack patterns. Deviations from normal traffic patterns can help to 
identify potential intruders.
We also observed the need to simplify the process of analyzing 
information to more efficiently and effectively identify information of 
consequence that must be shared. Great emphasis has been placed upon 
data mining and data integration, but the third and perhaps most 
crucial component may be data visualization. The vast amount of 
information potentially available to be mined and integrated must be 
intelligently analyzed, and the results effectively presented, so that 
the right people have the right information necessary to act 
effectively upon such information. This may involve pinpointing the 
relevant anomalies.
    Before DHS was established, the Office of Homeland Security had 
already begun several technological initiatives to integrate terrorist-
related information from databases from different agencies responsible 
for homeland security. These included (1) adopting meta-data standards 
for electronic information so that homeland security officials 
understood what information was available and where it could be found 
and (2) developing data-mining tools to assist in identifying patterns 
of criminal behavior so that suspected terrorists could be detained 
before they could act.
To address these technological challenges, the Homeland Security Act 
emphasized investments in new and emerging technologies to meet some of 
these challenges and established the Science and Technology 
Directorate, making it responsible for establishing and administering 
research and development efforts and priorities to support DHS 
missions.

Improving Information Technology Management
Improving IT management will be critical to transforming the new 
department. DHS should develop and implement an enterprise 
architecture, or corporate blueprint, to integrate the many existing 
systems and processes required to support its mission. This 
architecture will also guide the department's investments in new 
systems to effectively support homeland security in the coming years. 
Other key IT management capacities that DHS will need to establish 
include investment and acquisition management processes, effective IT 
security, and secure communications networks.

An Enterprise Architecture
Effectively managing a large and complex endeavor requires, among other 
things, a well-defined and enforced blueprint for operational and 
technological change, commonly referred to as an enterprise 
architecture. Developing, maintaining, and using enterprise 
architectures is a leading practice in engineering both individual 
systems and entire enterprises. Enterprise architectures include 
several components, including a (1) current or ``as is'' environment, 
(2) target or ``to be'' environment, and (3) transition plan or 
strategy to move from the current to the target environment. 
Governmentwide requirements for having and using architectures to guide 
and constrain IT investment decision making are also addressed in 
federal law and guidance.\38\ Our experience with federal agencies has 
shown that attempts to transform IT environments without enterprise 
architectures often result in unconstrained investment and systems that 
are duplicative and ineffective. Moreover, our February 2002 report on 
the federal agencies' use of enterprise architectures found that their 
use of enterprise architectures was a work in progress, with much to be 
accomplished.\39\
---------------------------------------------------------------------------
    \38\ U.S. General Accounting Office, Business Systems 
Modernization: Longstanding Management and Oversight Weaknesses 
Continue to Put Investments at Risk, GAO-03-553T (Washington, D.C.: 
Mar. 31, 2003).
    \39\ U.S, General Accounting Office, Information Technology: 
Enterprise Architecture Use across theFederal Government Can Be 
Improved, GAO-02-6 (Washington, D.C.: Feb. 19, 2002).
---------------------------------------------------------------------------
DHS faces tremendous IT challenges because programs and agencies have 
been brought together in the new department from throughout the 
government, each with their own information systems. It will be a major 
undertaking to integrate these diverse systems to enable effective 
information sharing among themselves, as well as with those outside the 
department.
The Office of Homeland Security has acknowledged that an enterprise 
architecture is an important next step because it can help identify 
shortcomings and opportunities in current homeland-security-related 
operations and systems, such as duplicative, inconsistent, or missing 
information. Furthermore, the President's homeland security strategy 
identifies, among other things, the lack of an enterprise architecture 
as an impediment to DHS's systems interoperating effectively and 
efficiently. Finally, the CIO of DHS has stated that the most important 
function of his office will be to design and help implement a national 
enterprise architecture that will guide the department's investment in 
and use of IT. As part of its enterprise development efforts, the 
department has established working groups comprising state and local 
CIOs to ensure that it understands and represents their business 
processes and strategies relevant to homeland security. In addition, 
OMB, in its current review of DHS's redundant IT for consolidation and 
integration, has taken an initial first step to evaluate DHS's 
component systems.\40\ According to an official in the office of the 
CIO, DHS has compiled an inventory of systems that represents its 
current enterprise architecture and will soon have a draft of its 
future enterprise architecture. In addition, this official anticipates 
having a preliminary road map of the plan to transition to the future 
enterprise architecture in September 2003 and estimates that DHS will 
have the plan itself by next winter.
---------------------------------------------------------------------------
    \40\ Office of Management and Budget, Reducing Redundant IT 
Infrastructure Related to HomelandSecurity, Memorandum for the Heads of 
Selected Departments and Agencies, July 19, 2002, M-02-12.
---------------------------------------------------------------------------
In June 2002, we recommended that the federal government develop an 
architecture that defined the homeland security mission and the 
information, technologies, and approaches necessary to perform the 
mission in a way that was divorced from organizational parochialism and 
cultural differences.\41\ Specifically, we recommended that the 
architecture describe homeland security operations in both (1) logical 
terms, such as interrelated processes and activities, information needs 
and flows, and work locations and users; and (2) technical terms, such 
as hardware, software, data, communications, and security attributes 
and performance standards. We observed that a particularly critical 
function of a homeland security architecture would be to establish 
protocols and standards for data collection to ensure that data being 
collected were usable and interoperable and to tell people what they 
needed to collect and monitor.
---------------------------------------------------------------------------
    \41\ GAO-02-811T.
---------------------------------------------------------------------------
    The CIO Council, OMB, and GAO have collaborated to produce guidance 
on the content, development, maintenance, and implementation of 
architectures that could be used in developing an architecture for 
DHS.\42\ In April, we issued an executive guide on assessing and 
improving enterprise architecture management that extends this 
guidance.\43\
---------------------------------------------------------------------------
    \42\ See Chief Information Officer Council, A Practical Guide to 
Federal Enterprise Architecture, Version 1.0, (Washington, D.C.: Feb. 
2001).
    \43\ U.S. General Accounting Office, Information Technology: A 
Framework for Assessing and Improving Enterprise Architecture 
Management (Version 1.1), GAO-03-584G (Washington, D.C.: April 2003).

Investment and Acquisition Management Processes
The Clinger-Cohen Act, federal guidance, and recognized best practices 
provide a framework for organizations to follow to effectively manage 
their IT investments. This involves having a single, corporate approach 
governing how an organization's IT investment portfolio is selected, 
controlled, and evaluated across its various components, including 
assuring that each investment is aligned with the organization's 
enterprise architecture. The lack of effective processes can lead to 
cost, schedule, and performance shortfalls, and in some cases, to 
failed system development efforts. We have issued numerous reports on 
investment and acquisition management challenges at agencies now 
transferred into DHS, including INS.
INS has had long-standing difficulty developing and fielding 
information systems to support its program operations. Since 1990, we 
have reported that INS managers and field officials did not have 
adequate, reliable, and timely information to effectively carry out the 
agency's mission. For example, INS's benefit fraud investigations have 
been hampered by a lack of integrated information systems.\44\ Also, 
INS's alien address information could not be fully relied on to locate 
many aliens who were believed to be in the country and who might have 
knowledge that would assist the nation in its antiterrorism 
efforts.\45\ Contributing to this situation was INS's lack of written 
procedures and automated controls to help ensure that reported changes 
of address by aliens are recorded in all of INS's automated databases. 
Our work has identified weaknesses in INS's IT management capacities as 
the root cause of its system problems, and we have made recommendations 
to correct the weaknesses. INS has made progress in addressing our 
recommendations.
---------------------------------------------------------------------------
    \44\ U.S. General Accounting Office, Immigration Benefit Fraud: 
Focused Approach Is Needed to Address Problems, GAO-02-66 (Washington, 
D.C.: Jan. 31, 2002).
    \45\ U.S. General Accounting Office, Homeland Security: INS Cannot 
Locate Many Aliens Because It Lacks Reliable Address Information, GAO-
03-188 (Washington, D.C.: Nov. 21, 2002).
---------------------------------------------------------------------------
In his written statement for a May 2003 hearing before the House 
Government Reform Committee, the DHS CIO stated that IT investments, 
including mission-specific investments, are receiving a departmentwide 
review. Benefits envisioned from this capital investment and control 
process include integrating information and identify and eliminating 
duplicate applications, gaps in information, and misalignments with 
business goals and objectives.
Sound acquisition management is also central to accomplishing the 
department's mission. One of the largest federal departments, DHS will 
potentially have one of the most extensive acquisition requirements in 
government. The new department is expected to acquire a broad range of 
technologies and services from private-sector companies.
Moreover, DHS is faced with the challenge of integrating the 
procurement functions of many of its constituent programs and missions. 
Inherited challenges exist in several of the incoming agencies. For 
example, Customs has major procurement programs under way that must be 
closely managed to ensure that it achieves expectations. Despite some 
progress, we reported that Customs still lacks important acquisition 
management controls.\46\ For its new import processing system, Customs 
has not begun to establish process controls for determining whether 
acquired software products and services satisfy contract requirements 
before acceptance, nor to establish related controls for effective and 
efficient transfer of acquired software products to the support 
organization responsible for software maintenance. Agreeing with one of 
our recommendations, Customs continues to make progress and plans to 
establish effective acquisition process controls.
---------------------------------------------------------------------------
    \46\ U.S. General Accounting Office, Customs Service Modernization: 
Management Improvements Needed on High-Risk Automated Commercial 
Environment Project, GAO-02-545 (Washington, D.C.: May 13, 2002).
---------------------------------------------------------------------------
Getting the most from its IT investment will depend on how well the 
department manages its acquisition activities. High-level attention to 
strong system and service acquisition management practices is critical 
to ensuring success.

Information Security Challenges
The Federal Information Security Management Act of 2002 (FISMA) 
requires federal agencies to provide information security protections 
commensurate with the risk and magnitude of the harm resulting from 
unauthorized access, use, disclosure, disruption, modification, or 
destruction of information collected or maintained by or on behalf of 
the agency, and information systems used or operated by an agency or by 
a contractor of an agency or other organization on behalf of an 
agency.\47\ Further, the Homeland Security Act specifically requires 
DHS to establish procedures to ensure the authorized use and the 
security and confidentiality of information shared with the department, 
including information on threats of terrorism against the United 
States; infrastructure or other vulnerabilities to terrorism; and 
threatened interference with, attack on, compromise of, or 
incapacitation of critical infrastructures or protected systems by 
either physical or computer-based attack. However, establishing an 
effective information security program may present significant 
challenges for DHS, which must bring together programs and agencies 
from throughout the government and integrate their diverse 
communications and information systems to enable effective 
communication and information sharing both within and outside the 
department.
---------------------------------------------------------------------------
    \47\ Title III--Federal Information Security Management Act of 
2002, E-Government Act of 2002, P.L. 107--347, December 17, 2002. This 
act superseded an earlier version of FISMA that was enacted as Title X 
of the Homeland Security Act of 2002.
---------------------------------------------------------------------------
Since 1996, we have reported that poor information security is a 
widespread problem for the federal government, with potentially 
devastating consequences.\48\ Further, we have identified information 
security as a governmentwide high-risk issue in reports to the Congress 
since 1997--most recently in January 2003.\49\ Although agencies have 
taken steps to redesign and strengthen their information system 
security programs, our analyses of information security at major 
federal agencies have shown that federal systems were not being 
adequately protected from computer-based threats, even though these 
systems process, store, and transmit enormous amounts of sensitive data 
and are indispensable to many federal agency operations. For the past 
several years, we have analyzed audit results for 24 of the largest 
federal agencies,\50\ and our latest analyses, of audit reports issued 
from October 2001 through October 2002, continued to show significant 
weaknesses in federal computer systems that put critical operations and 
assets at risk.\51\ In particular, we found that all 24 agencies had 
weaknesses in security program management, which is fundamental to the 
appropriate selection and effectiveness of the other categories of 
controls and covers a range of activities related to understanding 
information security risks, selecting and implementing controls 
commensurate with risk, and ensuring that the controls implemented 
continue to operate effectively. In addition, we found that 22 of the 
24 agencies had weaknesses in access controls--weaknesses that can make 
it possible for an individual or group to inappropriately modify, 
destroy, or disclose sensitive data or computer programs for purposes 
such as personal gain or sabotage, or in today's increasingly 
interconnected computing environment, can expose an agency's 
information and operations to attacks from remote locations all over 
the world by individuals with only minimal computer and 
telecommunications resources and expertise. In April 2003,\52\ we also 
reported that many agencies still had not established information 
security programs consistent with requirements originally prescribed by 
government information security reform legislation \53\ and now 
permanently authorized by FISMA.
---------------------------------------------------------------------------
    \48\ U.S. General Accounting Office, Information Security: 
Opportunities for Improved OMB Oversight of Agency Practices, GAO/AIMD-
96-110 (Washington, D.C.: Sept. 24, 1996).
    \49\ U.S. General Accounting Office, High-Risk Series: Protecting 
Information Systems Supporting the Federal Government and the Nation's 
Critical Infrastructures, GAO-03-121 (Washington, D.C.: January 2003).
    \50\ U.S. General Accounting Office, Information Security: Serious 
Weaknesses Place Critical FederalOperations and Assets at Risk, GAO/
AIMD-98-92 (Washington, D.C.: Sept. 23, 1998); Information Security: 
Serious and Widespread Weaknesses Persist at Federal Agencies, GAO/
AIMD-00-295 (Washington, D.C.: Sept. 6, 2000); Computer Security: 
Improvements Needed to Reduce Risk to CriticalFederal Operations and 
Assets, GAO-02-231T (Washington, D.C.: Nov. 9, 2001), and Computer 
Security: Progress Made, but Critical Federal Operations and Assets 
Remain at Risk, GAO-02-303T (Washington,D.C.: Nov. 19, 2002).
    \51\ GAO-03-303T.
    \52\ GAO-03-564T.
    \53\ Title X, Subtitle G--Government Information Security Reform, 
Floyd D. Spence National Defense Authorization Act for Fiscal Year 
2001, P.L.106-398, October 30, 2000.
---------------------------------------------------------------------------
Considering the sensitive and classified information to be maintained 
and shared by DHS, it is critical that the department implement federal 
information security requirements to ensure that its systems are 
appropriately assessed for risk and that adequate controls are 
implemented and working properly. Federal information security 
guidance, such as that issued by the National Institute of Standards 
and Technology (NIST), can aid DHS in this process. For example, NIST 
has issued guidance to help agencies perform self-assessments of their 
information security programs, conduct risk assessments, and use 
metrics to determine the adequacy of in-place security controls, 
policies, and procedures.\54\ In addition, as we have previously 
reported, agencies need more specific guidance on the controls that 
they need to implement to help ensure adequate protection.\55\ 
Currently, agencies have wide discretion in deciding which computer 
security controls to implement and the level of rigor with which to 
enforce these controls. Although one set of specific controls will not 
be appropriate for all types of systems and data, our studies of best 
practices at leading organizations have shown that more specific 
guidance is important.\56\ In particular, specific mandatory standards 
for varying risk levels can clarify expectations for information 
protection, including audit criteria; provide a standard framework for 
assessing information security risk; help ensure that shared data are 
appropriately protected; and reduce demands for limited resources to 
independently develop security controls. Responding to this need, FISMA 
requires NIST to develop, for systems other than national security 
systems, (1) standards to be used by all agencies to categorize all of 
their information and information systems based on the objectives of 
providing appropriate levels of information security according to a 
range of risk levels; (2) guidelines recommending the types of 
information and information systems to be included in each category; 
and (3) minimum information security requirements for information and 
information systems in each category.
---------------------------------------------------------------------------
    \54\ National Institute of Standards and Technology, Security Self-
Assessment Guide for Information Technology Systems, NIST Special 
Publication 800-26, November 2001; Risk Management Guide for 
Information Technology Systems--Recommendations of the National 
Institute of Standards and Technology, Special Publication 800-30, 
January 2002; Security Metrics Guide for Information Technology 
Systems, NIST Draft Special Publication 800-55 (October 2002).
    \55\ GAO-03-121.
    \56\ U.S. General Accounting Office, Information Security 
Management: Learning From Leading Organizations, GAO/AIMD-98-68 
(Washington, D.C.: May 1998).
---------------------------------------------------------------------------
DHS has identified implementing its information security program as a 
year-one objective. In continuing these efforts, it is important that 
DHS consider establishing processes to annually review its information 
security program and to collect and report data on the program, as 
required by FISMA and OMB.

Secure Communications Networks
The Homeland Security Information Sharing Act, included in the Homeland 
Security Act of 2002, provides for the President to prescribe and 
implement procedures for federal agencies to share homeland security 
and classified information with others, such as state and local 
governments, through information sharing systems. Provisions of the act 
depict the type of information to be shared as that which reveals a 
threat of actual or potential attack or other hostile acts. Grand jury 
information; electronic, wire, or oral information; and foreign 
intelligence information are all included in these provisions. The 
National Strategy for Homeland Security also refers to the need for 
states to use a secure intranet to increase the flow of classified 
federal information to state and local entities. According to the 
strategy, this network would provide a more effective way to share 
information about terrorists. The strategy also refers to putting into 
place a ``collaborative classified enterprise environment'' to allow 
agencies to share information in their existing databases.
To ensure the safe transmittal of sensitive, and, in some cases, 
classified, information vertically among everyone from intelligence 
entities, including the CIA, to local entities, such as those involved 
in emergency response and law enforcement, as well as horizontally 
across the same levels of government, requires developing and 
implementing communications networks with adequate security to protect 
the confidentiality, integrity, and availability of the transmitted 
information. Furthermore, these communications networks must be 
accessible to a variety of parties, from federal agencies to state and 
local government entities and some private entities.
Secure networks for sharing sensitive information between state and 
federal entities have been implemented and are being used. For example, 
the National Law Enforcement Telecommunication System (NLETS) links all 
states and many federal agencies to the FBI's National Crime 
Information Center (NCIC) network for the exchange of criminal justice 
information. Another law enforcement system called the Regional 
Information Sharing System (RISS) links thousands of local, state, and 
federal agencies to Regional Organized Crime Information Centers. 
Information sharing networks for the purpose of sharing sensitive 
information with some federal agencies also exist within the 
intelligence community. Other agencies are also engaged in efforts to 
provide homeland security networking and information management support 
for crisis management activities. Department of Defense officials have 
also stated that the Army National Guard's network GuardNet, which was 
used to communicate among the states and the District of Columbia 
during the September 11 terrorist attacks, is being considered for 
homeland security mission support. For several years, the states have 
also been working on efforts to establish an information architecture 
framework for government information systems integration.
There also appear to be many new efforts under way to implement secure 
networks. In addition, according to the recently published the 
cyberspace security strategy, DHS intends to develop a national 
cyberspace security response system, the Cyber Warning Information 
Network (CWIN), to provide crisis management support to government and 
nongovernment network operation centers. CWIN is envisioned as 
providing private and secure network communications for both government 
and industry for the purpose of sharing cyber alert and warning 
information. Moreover, the National Communications System, one of the 
22 entities that were merged into the DHS, has implemented a pilot 
system, the Global Early Warning Information System (GEWIS), which will 
measure how critical areas of the Internet are performing worldwide and 
then use that data to notify government, industry, and allies of 
impending cyber attacks or possible disturbances.
It was also recently reported that the Justice Department and the FBI 
are expanding two existing sensitive but unclassified law enforcement 
networks to share homeland security information across all levels of 
government. When fully deployed, their Antiterrorism Information 
Exchange (ATIX) will provide law enforcement agencies at all levels 
access to information. Law enforcement agencies also can use ATIX to 
distribute security alerts to private-sector organizations and public 
officials who lack security clearances. Users, who will have different 
access levels on a need-to-know basis, will include a broad range of 
public safety and infrastructure organizations, including businesses 
that have homeland security concerns and duties. They will have access 
to a secure E-mail system via a secure Intranet, which the FBI and DHS 
will use to deliver alerts to ATIX users. The FBI and other federal 
agencies, including DHS, will link to ATIX via Law Enforcement Online, 
the bureau's system for sensitive-but-unclassified law enforcement data 
that provides an encrypted communications service for law enforcement 
agencies on a virtual private network. The second Department of Justice 
and FBI network, the Multistate Antiterrorism Regional Information 
Exchange System, will enable crime analysts working on terrorism 
investigations to quickly check a broad range of criminal databases 
maintained by federal, state, and local agencies.
DHS reportedly is establishing secure videoconferencing links with 
emergency operations centers in all 50 states, as well as two 
territories and the District of Columbia. Also, the DHS CIO has stated 
that a major initiative in implementing the department's IT strategy 
for providing the right information to the right people at all times is 
establishing the DHS Information Sharing Network Pilot project. 
Moreover, he sets 2005 as a milestone for DHS to build a ``network of 
networks.'' However, at this time, we do not have information on these 
projects or the extent to which they will rely on existing networks. It 
is also not clear how the DHS ``network of networks'' architecture will 
work with the state architecture being developed by the National 
Association of State CIOs.

Managing Performance
As we have previously reported,\57\ the new department has the 
challenge of developing a national homeland security performance focus, 
which relies on related national and agency strategic and performance 
planning efforts of the Office of Homeland Security, OMB, and the other 
departments and agencies. Indeed, the individual planning activities of 
the various component departments and agencies represent a good start 
in the development of this focus. However, our past work on 
implementation of the Government Performance and Results Act (GPRA) has 
highlighted ongoing difficulty with many federal departments and 
agencies setting adequate performance goals, objectives, and targets. 
Accordingly, attention is needed to developing and achieving 
appropriate performance expectations and measures for information 
sharing and in ensuring that there is linkage between DHS's plans, 
other agencies' plans, and the national strategies regarding 
information sharing. Ensuring these capabilities and linkages will be 
vital in establishing comprehensive planning and accountability 
mechanisms that will not only guide DHS's efforts but also help assess 
how well they are really working.
---------------------------------------------------------------------------
    \57\ U.S. General Accounting Office, Major Management Challenges 
and Program Risks: Department of Homeland Security, GAO-03-102 
(Washington, D.C.: January 2003).
---------------------------------------------------------------------------
As we previously reported,\58\ one of the barriers that the new 
department faces in establishing effective homeland security is 
interagency cooperation, which is largely attributed to ``turf'' issues 
among the 22 component agencies subsumed by the new department. Strong 
and sustained commitment of agency leaders would provide performance 
incentives to managers and staff to break down cultural resistance and 
encourage more effective information sharing pertaining to homeland 
security. Moreover, agency leaders have a wide range of tools at their 
disposal for enforcing and rewarding cooperative efforts, including 
performance bonuses for senior executives and incentive award programs 
for staff.
---------------------------------------------------------------------------
    \58\ GAO-02-1048R.
---------------------------------------------------------------------------
Our studies of other cross-cutting federal services with similar 
``turf'' problems have also shown that agency performance plans, which 
are required by GPRA, offer a good avenue for developing incentives to 
cooperate. Specifically, agencies can set up goals in their performance 
plans for participation in cross-cutting programs and report on their 
progress in meeting these goals to the Congress. The Congress could 
also build similar incentives into budget resolutions.
Shared programmatic goals and metrics would also encourage cooperation 
and coordination. Agencies subsumed by DHS should all participate in 
the development of goals, milestones, and metrics to measure progress 
and success, and such indicators should be clearly articulated and 
endorsed by senior management. Such goals and metrics must be carefully 
chosen since how performance is measured greatly influences the nature 
of the performance itself; poorly chosen metrics may lead to unintended 
or counterproductive results. However, visible, clearly articulated and 
carefully chosen shared goals and metrics can effectively overcome 
``turf'' issues. Developing metrics to measure the success of these 
activities is critical to ensuring a successful effort. Similar 
indicators more directly related to information sharing could be 
developed.

Emphasizing Human Capital
Human capital is another critical ingredient required for ensuring 
successful information sharing for homeland security. The cornerstones 
to effective human capital planning include leadership; strategic human 
capital planning; acquiring, developing, and retaining talent; and 
building results-oriented organizational cultures. The homeland 
security and intelligence communities must include these factors in 
their management approach in order to benefit from effective 
collaboration in this critical time.
As we have previously reported, the governmentwide increase in homeland 
security activities has created a demand for personnel with skills in 
areas such as IT, foreign language proficiencies, and law enforcement, 
without whom critical information has less chance of being shared, 
analyzed, integrated, and disseminated in a timely, effective 
manner.\59\ We specifically reported that shortages in staffing at some 
agencies had exacerbated backlogs in intelligence and other 
information, adversely affecting agency operations and hindering U.S. 
military, law enforcement, intelligence, counterterrorism, and 
diplomatic efforts.\60\
---------------------------------------------------------------------------
    \59\GAO-02-1122T.
    \60\ U.S. General Accounting Office, Foreign Languages: Human 
Capital Approach Needed to Correct Staffing and Proficiency Shortfalls, 
GAO-02-375 (Washington, D.C.: January 2002).
---------------------------------------------------------------------------
We have also previously reported that some of the agencies that moved 
into DHS have long-standing human capital problems that will need to be 
addressed. One of these challenges has been the ability to hire and 
retain a talented and motivated staff. For example, we reported that 
INS has been unable to reach its program goals in large part because of 
such staffing problems as hiring shortfalls and agent attrition.\61\ We 
also reported that several INS functions have been affected by the lack 
of a staff resource allocation model to identify staffing needs.\62\ We 
concluded then that it was likely that increased attention to the 
enforcement of immigration laws and border control would test the 
capacity of DHS to hire large numbers of inspectors for work at our 
nation's border entry points. Moreover, we reported that other agencies 
being integrated into DHS were also expected to experience challenges 
in hiring security workers and inspectors. For example, we reported 
that the Agriculture Department, the Customs Service, INS, and other 
agencies were all simultaneously seeking to increase the size of their 
inspections staffs.\63\
---------------------------------------------------------------------------
    \61\ U.S. General Accounting Office, Immigration Enforcement: 
Challenges to Implementing the INSInterior Enforcement Strategy, GAO-
02-861T (Washington, D.C.: June 19, 2002).
    \62\ U.S. General Accounting Office, Immigration and Naturalization 
Service: Overview of RecurringManagement Challenges, GAO-02-168T 
(Washington, D.C.: Oct. 17, 2001).
    \63\ GAO-03-260.
---------------------------------------------------------------------------
    To overcome its significant human capital shortfalls, DHS must 
develop a comprehensive strategy capable of ensuring that the new 
department can acquire, develop, and retain the skills and talents 
needed to prevent and protect against terrorism. This requires 
identifying skill needs; attracting people with scarce skills into 
government jobs; melding diverse compensation systems to support the 
new department's many needs; and establishing a performance-oriented, 
accountable culture that promotes employee involvement and empowerment. 
In February, the DHS CIO acknowledged the lack of properly skilled IT 
staff within the component agencies. Challenges facing DHS in this 
area, he stated, include overcoming political and cultural barriers, 
leveraging cultural beliefs and diversity to achieve collaborative 
change, and recruiting and retaining skilled IT workers. He 
acknowledged that the department would have to evaluate the talent and 
skills of its IT workforce to identify existing skill gaps. He further 
stated that a critical component of DHS's IT strategic plan would 
address the actions needed to train, reskill, or acquire the necessary 
skills to achieve a world-class workforce. He committed to working 
closely with the department's Chief Human Capital Officer and with the 
Office of Personnel Management to achieve this goal. He set July 2003 
as a milestone for developing a current inventory of IT skills, 
resources, and positions and September 2003 as the targeted date for 
developing an action plan.

                            ----------------

Ensuring Institutional Oversight
It is important to note that accountability is also a critical factor 
in ensuring the success of the new department. The oversight entities 
of the executive branch--including the inspectors general, OMB, and the 
Office of Homeland Security--have a vital role to play in ensuring 
expected performance and accountability. Likewise, congressional 
committees and GAO, as the investigative arm of the legislative branch, 
with their long-term and broad institutional roles, also have roles to 
play in overseeing that the new department meets the demands of its 
homeland security mission.

                             --------------

In summary, information sharing with and between all levels of 
government and the private sector must become an integral part of 
everyday operations if we are to be able to identify terrorist threats 
and protect against attack. As such, information sharing is an 
essential part of DHS's responsibilities and is critical to achieving 
its mission. To implement these responsibilities, DHS will need to 
develop effective information sharing systems and other information 
sharing mechanisms. The department will also need to develop strategies 
to address other challenges in establishing its organization and 
information architecture and in developing effective working 
relationships, cooperation, and trust with other federal agencies, 
state and local governments, and the private sector.
Messrs. Chairmen, this concludes my statement. I would be happy to 
answer any questions that you or members of the subcommittees may have 
at this time.

Contacts and Acknowledgements
For information about this statement, please contact Robert Dacey, 
Director, Information Security Issues, at (202) 512-3317, or William 
Ritt, Assistant Director, at (202) 512-6443. You may also reach them by 
E-mail at [email protected] or [email protected]. Individuals who made key 
contributions to this testimony include Mark Fostek, Sophia Harrison, 
and Barbarol James.
Initial Blackout Timeline
_______________________________________________________________________

August 14, 2003 Outage
Sequence of Events
U.S./Canada Power Outage Task Force
September 12, 2003
_______________________________________________________________________

This is an outline of significant physical and electrical events that 
occurred in a narrow window of time, before and during the cascade that 
led to the blackout of August 14, 2003. This outline reviews events 
beginning at approximately noon on that day, to provide a "picture" of 
the sequence of events and how the grid situation evolved over the 
afternoon. It focuses chiefly on events that occurred on major 
transmission facilities (230 kilovolts and greater) and at large power 
plants.
This outline does not attempt to present or explain the linkages 
between the sequences of events that are described. Determining those 
linkages will require additional intensive analysis over the weeks to 
come. In the coming weeks, our experts will continue to analyze data 
from:

 the thousands of transmission line events that occurred on the 
138 kV system and on lower voltage lines over the severnl hours before 
and during the grid's collapse
 the hundreds of events related to power plant internctions 
with the grid during this period
 the conditions and operntions on the grid before noon. Many 
things happened well before noon--including reactive power and voltage 
problems and flow patterns across several states--that may be relevant 
in a causal sense to the blackout.
 any actions taken, or not taken, by system operators prior to 
or during the outage.

The U.S. Canada Power Outage Task Force investigation is looking at all 
of the above factors and more in order to refine these data and dig 
deeper into what happened and why.
This timeline is not intended to indicate and should not be assumed to 
explain why the blackout happened, only to provide an early picture of 
what happened. It is not intended to indicate and should not be assumed 
to assign fault or culpability for the blackout. Determining the 
specific causes of these failures requires a thorough and professional 
investigation, which the bi-national investigative team has undertaken. 
The above concerns and explanations will be addressed in future reports 
prepared by the investigative team and issued by the Joint U.S.lCanada 
Task Force.

Note: The information in this report is based on what is known about 
the August 14, 2003 blackout as of September 11, 2003, and is subject 
to change based on further investigation of this event.

[GRAPHIC] [TIFF OMITTED] T9793.002

[GRAPHIC] [TIFF OMITTED] T9793.003

[GRAPHIC] [TIFF OMITTED] T9793.004

[GRAPHIC] [TIFF OMITTED] T9793.005

[GRAPHIC] [TIFF OMITTED] T9793.006

[GRAPHIC] [TIFF OMITTED] T9793.007

[GRAPHIC] [TIFF OMITTED] T9793.008

[GRAPHIC] [TIFF OMITTED] T9793.009

[GRAPHIC] [TIFF OMITTED] T9793.010

[GRAPHIC] [TIFF OMITTED] T9793.011

[GRAPHIC] [TIFF OMITTED] T9793.012

[GRAPHIC] [TIFF OMITTED] T9793.013

[GRAPHIC] [TIFF OMITTED] T9793.014

    Mr. Sessions. I thank the gentleman for his testimony.
    At this time I would yield to the gentleman from Michigan, 
Mr. Camp, for such time as he may consume.
    Mr. Camp. I thank the Chairman for yielding.
    Colonel McDaniel, it was certainly a trying time for all of 
us in Michigan. I want to thank you for your role in what I 
know were difficult days. My question was, in your role as 
homeland security adviser to the governor and as adjutant 
general for homeland security, what do you think, from your 
perspective, and also from the perspective of the State of 
Michigan, what do you think are the most important factors we 
should weigh as a committee in terms of how to prevent 
something like this from happening again, and also how to deal 
with it? You mentioned some of that in your testimony, but what 
do you think are the most critical things we ought to think 
about?
    Colonel McDaniel. Thank you very much for this opportunity.
    I am not sure that I can give you any real direction at 
this point on how to prevent it from happening again without 
really knowing the causes of it. Certainly, though, there are a 
number of lessons that we can take a way from it. First of all 
is the old military truism that no operational plan survives 
the first contact with the enemy. I think it was very important 
that we had a state response plan in place, that we had 
exercised that plan on a number of occasions, that everybody 
knew their role, and that therefore even though we had, 
frankly, new players in some of the roles, that everybody was 
able to step right in and work that plan because we had already 
exercised it earlier this year.
    Secondly, the issue of communications is always going to be 
one that has to, no matter what the event is, communications is 
always going to be a key factor, no matter what way it goes. So 
I think that having some sort of redundant communication system 
is really vitally important. Thirdly, we are still in the early 
stages of having the states and the Department of Homeland 
Security work together, and that is a role that we need to 
really, really flesh out the skeleton of that plan, I think.
    Mr. Camp. How well did the states communicate with each 
other during that time? And also, the Canadian provinces? And 
did the federal government have any role in facilitating that?
    Colonel McDaniel. There really was not much communications 
between states at that point. I really think that when you look 
at this type of event, that that is the role for the Department 
of Homeland Security or the Department of Energy. We need to 
focus on the response, on the consequence management. I think 
that they can do the 30,000-foot view and say, first of all, is 
this manmade or is natural? If it is manmade, is it 
intentional? If it is not, is it still ongoing? What are the 
parameters? What other resources need to be brought to bear? 
They can do that overall view, and we can focus on what our 
state resources are and what other resources might be 
necessary.
    Mr. Camp. What affect did the blackout have on fire, 
police, medical emergency personnel that you could discuss, and 
were there telecommunications problems particularly?
    Colonel McDaniel. Right. As I indicated briefly in my 
testimony, Mr. Chairman, there were a number of problems that 
we had. Number one, traffic signals not functioning is one of 
those problems that we should have taken care of years ago. I 
think that that really highlights an important need, because 
right there you have first responders diverted from where they 
might be needed to doing a fairly mundane traffic control 
function.
    Secondly, it was interesting to see that a lot of first 
responders at our local units were relying upon cell phones 
that did not have an adequate radio system, and a number of 
cell towers did not have backup systems that worked.
    If I could just follow up briefly, almost every type of 
critical infrastructure that should have a generator did have 
some sort of generator. However, getting back to my comment 
about the plans not surviving first contact, they had not 
tested those generators under load, so we had a lot of 
generators that just didn't work. They might have fired them up 
before, but they never tested them under a load and actually 
had them producing electricity. If this had continued, I think 
we would have had a problem with the amount of energy necessary 
for those generators. We were starting to get calls from both 
hospitals and some of the utilities wanting to know if we could 
help them find kerosene diesel, whatever they needed for their 
generators.
    Mr. Camp. Thank you for your testimony. I appreciate you 
coming out and helping the committee understand some of the 
concerns that went on during August. I appreciate that very 
much.
    Colonel McDaniel. Thank you for the opportunity.
    Mr. Camp. Thank you.
    Mr. Sessions. The gentlewoman from the Virgin Islands, Ms. 
Christensen, is now recognized.
    Mrs. Christensen. Thank you, Mr. Chairman, and I want to 
thank the panelists. As we suspected, this would have been a 
really good test of our ability to deal with a terrorist 
attack, even though the at least to date it has not been shown 
to do that. Mr. McDaniel, a number of states like yours, as 
well as industries, have made significant progress in 
comprehensively assessing their own critical infrastructure 
vulnerabilities. What leadership role, if any, has the 
Department of Homeland provided in terms of guidance and 
assistance in those efforts? Or have you been doing it pretty 
much on your own without a framework and without the guidance?
    Colonel McDaniel. No. Thank you for that question, because 
it is a good news-bad news sort of thing. We are still working 
towards that common goal. In some respects, it was last summer, 
July of 2002, that the Department of Homeland Security 
sponsored a critical infrastructure evaluation workshop put on 
by the Rand Corporation for all of the states which was very 
well received. They have given us technical support. They have 
given us coordination. So early on it was recognized that we 
needed a common framework in terms of how we would evaluate our 
critical infrastructure.
    However, the bad news end of it is we are not there yet. 
The Assistant Secretary for the Department of Homeland Security 
pointed out that they recognized certain infrastructure that 
they believed were critical and needed protection during Iraqi 
Freedom-Liberty Shield. I would say only that those critical 
infrastructure that they identified and made known to the state 
may or may not have been the same ones that the states had 
identified. So this is still an ongoing process that needs to 
be worked through. As I said earlier, we are in the process of 
doing our strategic needs assessment sponsored by the Office of 
Domestic Preparedness. I think that is a vital first step 
towards coming up with a truly national plan for the protection 
of critical infrastructure.
    Mrs. Christensen. Thank you.
    Mr. Dacey, I was interested in some of your comments and 
some of the parts of the report that talked about the private 
sector. Traditionally, that sector is resistant to increased 
governmental regulation, of course, and argues that market 
incentives will drive needed changes. Do you think that the 
market would, in the absence of another terrorist attack, 
increase security practices for the industry? And if not, what 
incentives do you think are needed to drive the industry to 
invest in increased security?
    Mr. Dacey. What we have said at the General Accounting 
Office is essentially that when the CIP effort started in 1998, 
there was a call for an assessment by sector of what were the 
appropriate public policy tools, if any, that were necessary to 
get the cooperation and participation of the private sector. I 
think what we have said consistently is that needs to happen. 
In looking at several of the sectors earlier this year when we 
reported, there really had not been extensive efforts taking 
place to perform that assessment. That could range anywhere 
from providing research and development, from providing 
education and awareness grants, tax incentives, or regulation.
    So we don't really say which of those should be done, but 
really that an analysis needs to be performed to consider what 
would be the appropriate incentives for those sectors to 
increase their participation in the program. I think also part 
of that is there is a need for the department to clearly state 
what their expectations are and the level of security, and send 
them to the private sector to determine whether or not they can 
meet those standards or expectations. I think that needs to 
happen as well to identify if there is any difference between 
the two.
    Mrs. Christensen. Thank you.
    Thank you, Mr. Chairman.
    Mr. Sessions. I thank the gentlewoman.
    The gentleman from Pennsylvania is now recognized.
    Mr. Weldon. Thank you, Mr. Chairman. Let me thank you both 
for coming in. I want to focus my comments and questions 
basically on one area of the GAO report, because GAO reports 
typically become very important tools for Members of Congress, 
especially in the context of going back and looking at how we 
deal with threats and the approaches that are used. I really 
have a problem with the section of the report starting on page 
30, Analysis and Warning Capabilities Need to be Improved. I 
agree with that statement. But on page 33, Mr. Dacey, you allow 
the FBI and its Director to present the case that somehow 
technology was not available prior to 9-11 to do data-mining 
and data analysis.
    Let me tell you something, I am not going to sit here and 
let that happen, because the facts just don't bear that out. In 
July when I chaired the House Defense R&D Subcommittee, on July 
30, 1999, after looking at the Army's extensive LEWA you know 
what the LEWA is, their CERT down at Fort Belvoir. The Army 
developed a capability that was cutting-edge, and that was to 
not just do information dominance on their systems, but to also 
use those systems, using tools like those developed by Battelle 
Labs, Starlight and Spires and others, to do data-mining and 
data analysis. They were on cutting-edge of that in the late 
1990s, in 1997, 1998, and 1999. We put additional money in to 
allow them to accomplish that.
    In July of 1999, I wrote to Deputy Secretary of Defense 
John Hamre. I said, ``John, you have to look at this capability 
because it has tremendous implications for us to monitor 
external threats and to bring that together and assimilate 
it.'' He went down. He agreed with me. I had done some test 
work with him on an assessment of a person who was involved in 
the ending of the Yugoslavian war. From that, we put together a 
briefing in 1999 that I have a copy of, that basically outlined 
a national operations and analysis hub, a national data-mining 
center that would bring together all 33 classified systems of 
the federal government, all 33 classified systems. John Hamre 
said, ``Congressman, I agree with you. I will pay for it. But 
you have to get the other agencies, the FBI, and the CIA, to 
agree, and that is a tremendous turf battle.''
    So John Hamre suggested to me that I convene a meeting in 
my office with his counterparts from the CIA and the FBI. In 
the fall of 2000, I did that. I had Deputy Secretary of Defense 
John Hamre, the deputy head of the FBI and the deputy director 
of the CIA in my office for an hour. We went over this 
initiative. We said we have to have better access to coordinate 
intelligence information so that we can see the bigger picture 
of what is occurring. And the CIA and the FBI, that are now 
trying to take credit for it in 2002 in saying there was no 
capability, in 2000 said, ``We don't need it; we don't need 
that capability.''
    So it is important that GAO go back for the record, and I 
am going to ask unanimous consent to put this documentation in 
the record.
    Mr. Sessions. Without objection, it will be accepted into 
the record.
    Information is in the committee files.
    Mr. Weldon. As well as news articles that ran in 1999 and 
2000 that the GAO should have been aware of, that it was a 
major priority of this Congress that we establish an 
integration of data-mining and data analysis to avoid what 
happened on September 11, 2001. If we had done that back in 
1999, if we had done that in 2000, we would have had a 
capability to pull the pieces together that in your report the 
FBI director in 2002 says, ``Enhanced analytical data- mining 
capacity that was not then available.'' That is wrong. Raytheon 
had that capability. Busity Visioneering had it. The Army was 
using it down at the Fort Belvoir LEWA Center, and so was 
Special Forces, Special Operations Command down in Florida. 
They set up a mini-version of this analysis capability. In 
fact, before 9-11, they had a complete profile of al Qaeda, a 
complete profile by doing the data analysis that the FBI and 
the CIA say we don't need.
    I think it is important because these agencies now want to 
rewrite history. They want to have us believe that they 
couldn't have done things before 9-11 because the technology 
wasn't there. That is wrong. And in the record, I will put the 
facts to bear out before the comments of the head of the CIA or 
the FBI. The fact that you put that in the GAO report, this 
becomes like a Bible, like ``oh, well, that is the case; there 
was no technology.'' I would ask you for the record to correct 
that, and I will give you all the documentation to back that 
up.
    Mr. Dacey. I appreciate that. I will go back to check 
through our records as well, but I believe that references the 
fact not that it wasn't available, but that they did not have 
that capacity.
    Mr. Weldon. No, what he said in the record, which was not 
refuted by the GAO, was it was not available. And I would also 
ask you to put in the record in two successive defense bills, 
language that we inserted that called for a national 
collaborative information analysis capability in 2 successive 
years. I mean, the GAO had to know that. It is a part of the 
record of defense authorization bills that we pass each year. I 
want to show the fact that the Congress as far back as 1999 and 
2000 was clearly aware of what you are saying is a top priority 
now. We knew this was the case, not after 9-11, before 9-11.
    Mr. Dacey. Right. And our work related to that was before 
9-11 where we identified that these needs need to be filled and 
they didn't have them at the time.
    Mr. Weldon. I just would ask you to correct for the record 
the fact that the Congress did not allow the FBI to try to 
rewrite history to make it appear as though there was no 
technology available. Those software systems by Battelle were 
done back in the mid-to late-1990s. They were clearly available 
to the FBI and the CIA before 2002. For the director to say 
that they weren't available is just technically inaccurate.
    Thank you.
    Mr. Sessions. I would like to inquire upon you, Colonel 
McDaniel, at the time you gave your original testimony you 
talked about at the border on the Canadian side, at what would 
be the equivalent of the United States Customs was not online 
and able to process, yet the United States Customs, at least 
that bridge there in Michigan was able to process those things. 
Was this off of generators? Was this off a well- executed plan? 
Was this off a backup? Or did they simply not go down?
    Colonel McDaniel. They switched to generators, the U.S. 
Customs and the bridge itself. It is a privately owned bridge. 
Those two systems switched to generators themselves, and so 
there was a momentary blip. I just talked to them 2 days ago to 
confirm this. They held their breath to make sure the commuter 
systems didn't knock out. They didn't. Everything was ready to 
go and continued.
    That bridge is obviously the auto industry's biggest in 
terms of free trade, and with the auto industry and the parts 
going back and forth, that is the most crucial crossing that we 
have. So it turned out, of course, the auto industry was down 
because of the loss of power as well. If not, though, again, it 
is the cascading effects that I tried to indicate in my written 
testimony that could have been worse there.
    Mr. Sessions. The things which you have done within the 
State of Michigan to be in preparation for this event and many 
others, did it include this specific type of circumstance or 
was this something that was reasonably new and you treated as a 
real live exercise?
    Colonel McDaniel. First of all, we absolutely did treat it 
as a real live exercise. Everybody in the state emergency 
operations center realized that it was a great opportunity to 
make sure that the plan worked. This was included in the plan. 
This was one of the potential events that might have occurred 
as a result of the millennium changeover that people were 
worried about, so that everybody was fairly ready. We could 
just pull the plan off the shelf and dust it off a little bit. 
So we were prepared for this potential event.
    Mr. Sessions. At the time that you talked about the 
communications plans and the things that you felt that the 
communication was good back and forth, did within the State of 
Michigan, did you ever receive an indication before the 
blackouts occurred that there was a problem that you should be 
prepared or was that held within the power plants or did they 
communicate back and forth?
    Colonel McDaniel. My understanding, and of course you are 
getting outside my area of expertise, but my understanding is 
that there were events that afternoon prior to the outage. We 
were not aware of those low-voltage type events at the state 
EOC, at the emergency management division of the state police 
or at the National Guard or at the governor's office. We were 
not aware of those events, and I do not believe the Public 
Service Commission, our regulatory agency for utilities was 
either. If we had been, it may have made a difference. I would 
be speculating to say that, but we could at least use some form 
of communication to the general public if we knew that was 
happening, rather than try and jerry-rig a system for getting 
the message out to the public after the fact. What we do is, 
Michigan State University is right there. It is large enough 
that it has its own power plant, not just generators, so that 
they can generate. They have a turbine hooked up to the boiler, 
in essence, so they generate enough power that we can send out 
a TV signal to the other TV signal receivers outside of the 
affected area and get the message out from the governor that 
way. But for having that system in place and having it almost 
immediately available, we may not have been able to get the 
message out to the general public as easily as we did. 
Certainly, I think that there should be some sort of emergency 
alert system that is in place, that is working from DHS down to 
the public, as well as to the state agencies themselves. Within 
the last week or so, I received a letter from the director of 
NOAA that went out to all the state homeland security advisers 
indicating that NOAA was going to be the primary agency to get 
the message out to the general public. I have not seen any 
acknowledgement of this as of yet from the Department of 
Homeland Security.
    Mr. Sessions. Can you give me a sense of what happened on 
the ground in Michigan in terms of people's TVs going out, TV 
stations going out, radios going out, telephones going out? Was 
there a time frame or a timing delay that could have caused a 
lot of panic and chaos between the time that the TV station 
came on from the university?
    Colonel McDaniel. This was early enough in the afternoon 
that it was still certainly daylight out, so the people had 
plenty of time to respond and prepare for the evening hours and 
try to stock up at the stores, if they had not done that 
already. However, there was an immediate loss of electricity. 
For the radio and TV stations, there was a loss momentarily 
until the ones that had backup generators worked. Obviously, a 
lot of people did not have old-fashioned phones. Everybody's 
phone is portable, a hand-held device which requires 
electricity these days, or a cell device, and not all of those 
towers worked. So there were a number of instances where the 
communication systems were more reliant on electricity than we 
believed that they would be. Again, even those radio and TV 
stations that had generators, the generators didn't work 
because they had never been tested. So they weren't ready to 
work under load. They weren't the right capacity generator. And 
then the other problem, as I said, was 24 hours later they were 
staring to run out of power. Both TV and radio, as well as the 
telephone companies, were calling as well.
    Mr. Sessions. It seems, at least to this member that 
perhaps part of our emergency preparedness plan should be, 
please, if you are a consumer, turn off anything that you don't 
reasonably need except a TV or a radio or something else. Did 
that becomes a glaring point to you and the people in Michigan 
at the time that this occurred because of the load factor?
    Colonel McDaniel. Absolutely. I apologize. I meant to 
mention that before, both in terms of the use of electricity 
and the use of water. This was a very hot day in the summer 
where the usage on the Detroit water system was almost a 
billion gallons a day. The system, even after it came back up 
on generators, could only handle about 400 million gallons per 
day. If we had had a method, if we had some sort of warning 
that this was going to happen, and could have gotten out to 
decrease your electricity, decrease your water use ahead of 
time, it probably would have made it easier for the system to 
come back on.
    Mr. Sessions. Had you seen brown-outs that had been 
occurring? I think we have gotten used to hearing the term 
``brown-outs'' or rolling brown periods that have occurred. Was 
that seen at all a day or two or hours before?
    Colonel McDaniel. No, there was no indication like that.
    Mr. Sessions. No indication at all?
    Thank you.
    Mr. Dacey, you have heard a great deal of testimony today 
from any number of witnesses and I believe that probably you 
have a bird's eye view of a lot of the things that we have 
talked about that you have studied before today. Could you have 
seen this coming? Could you have seen the response? Was this 
predictable with how these things happen, not that the event 
happened, but the response? And what would be your analysis of 
that, because from this member's perspective, I was generally 
pleased with the lack of chaos that was exhibited all across 
the power grid, where it went down, by people. I felt like that 
elected officials and others were prepared and that they really 
did a good job.
    What would be your evaluation from looking at it now if you 
had gone back and were offering as just a prediction?
    Mr. Dacey. In terms of whether the whole process could have 
been foreseen, I guess that gets back to some of the earlier 
discussion. I think we are making progress based upon Mr. 
Liscouski's testimony in really identifying some of the 
vulnerabilities in these infrastructures. We heard other 
testimony about the states doing efforts as well. I think that 
is critical, as well as the interdependencies, which we talked 
about earlier today. Because until we fully understand those, 
it is going to be very difficult to understand what are the 
implications, what happens next. I think just based upon a 
personal perspective, not based upon our security work, I was 
very pleased that nothing more serious happened than did. But 
in terms of again, projecting that, I don't know if that would 
have been possible. We are now discussing some of the kind of 
things though that may have contributed in terms of the 
capacity of our transmission lines. Those are all really a part 
of a vulnerability analysis and assessment that needs to be 
done across all of the infrastructures to decide what are 
critical points in those infrastructures. Do we have weaknesses 
or vulnerabilities? What is the cost to fix those, and how are 
you going to pay for those? I think that is the critical lesson 
to learn here in the process and that needs to be done. Again, 
there are efforts in that direction, but there is ways to go.
    Mr. Sessions. I thank the gentleman.
    At this time, the Chairman would like to not only thank 
both of you for being here today, but in particular Colonel 
McDaniel, I note from your resume that you have spent 18 years 
with the Michigan National Guard. This member is not only proud 
of your service, but also the other men and women who serve in 
the Guard, all across this great nation. You are a shining 
example of the type of people who serve this great nation. I 
want to thank you for your service, not only today and to the 
State of Michigan, but also to this nation for that which you 
do.
    So I would like to thank both panels at this time for their 
participation.
    The chair notes that some members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 10 days for members to submit written questions to these 
witnesses and to place their responses in the record.
    There being no further business, I again thank the members 
of both the Cyber Security, Science Research and Development 
Subcommittee and the Infrastructure and Border Security 
Subcommittee and to our witnesses today.
    The hearing is now adjourned.
    [Whereupon, at 5:29 p.m., the subcommittee was adjourned.]

                            A P P E N D I X

                   Material Submitted for the Record

 Questions and Responses Submitted for the Record by James R. Langevin

                           September 4, 2003

    There has been widespread concern in the industry and on the local 
level that DHS is not putting nearly enough effort into sharing 
information outside the Department. The Undersecretary for Information 
Analysis and Infrastructure Protection has not made any indication as 
to what priority DHS places on infrastructure protection. California 
and New York were the first states to identify their critical 
infrastructure, and several smaller states are following suit. Critical 
infrastructure typically includes the electrical grid, water supply, 
communications/telephone lines and bridges or tunnels. Unfortunately, 
once states have accomplished this, there has not been much support 
from DHS on what the next step is.

Question: a. What role has the Department of Homeland Security played 
in providing information, promoting information exchange across 
sectors, or assisting with solutions for problems common to critical 
infrastructure industry? Has this role been sufficient? Could it be 
improved? If so, how? In particular, do you believe that those who need 
to know have the proper information regarding potential threats, so 
that they can allocate resources and improve protection in the right 
places?
McCarthy Response:
    The Department is addressing the issue of information sharing 
through two mechanisms: the Information Analysis & Infrastructure 
Protection Directorate, and the Department's Office of the Private 
Sector Liaison.
    The Information Analysis & Infrastructure Protection Directorate 
(IAIP) has taken the lead on promoting information sharing across 
sectors. Its overall goal is to provide the private sector with 
``actionable intelligence''--timely, accurate information that can help 
apprehend terrorists and prevent their attacks. To that end, the IAIP 
recently established the National Cyber Security Division (NCSD), a 24 
x 7 cyber ``watchdog'' that will provide analysis, alerts, and 
warnings, as well as improving information sharing. In the life span of 
the Department, the NCSD is relatively young, but we look forward to 
its continued growth and progress in the days and months to come.
    The Office of the Private Sector Liaison is another key component 
to strengthening the public-private partnerships. Through Albert 
Martinez-Fonts, the Liaison's office provides businesses with a direct 
line into the Department. It acts both as an advocate for the private 
sector, by informing the Secretary of its concerns, and as a 
clearinghouse, by directing businesses to the appropriate agency or 
directorate. With so many of our critical infrastructures owned and 
operated by private entities, this office will play a pivotal role in 
ensuring that both sides know exactly what is at stake.
    One of the Liaison's main services is coordinating with ISACs, 
trade associations, and businesses whenever there is a change in the 
threat level. The Liaison provides guidelines and suggestions to 
private sector entities, so they may properly respond to the changes. 
Additionally, the Liaison clarifies liability and compliance issues to 
those businesses affected by new homeland security laws or regulations. 
Over time, it is expected that both the IAIP and the Office of the 
Private Sector Liaison will experience increased efficiency.

Orszag Response:
    Private-sector representatives regularly tell me that they do not 
receive useful guidance or information from the Department of Homeland 
Security. That is part of a broader problem: The Department has been 
moving much too slowly to spur homeland security activity in the 
private sector. As my co-authors and I discuss in Protecting the 
American Homeland, designing appropriate incentives for private firms 
to undertake homeland security investments is among the most difficult 
challenges in the homeland security area. In the two years since 
September 11th, we have failed to move aggressively enough in tackling 
this challenge.

Watson Response:
    To date, DHS has not established an efficient, comprehensive 
mechanism to communicate changes in homeland security alert warning 
levels. However, by absorbing the National Communications System (NCS) 
and continuing to support its associated Telecom ISAC work, DHS has 
provided daily updates and periodic summaries of relevant information 
affecting most critical infrastructure sectors. These reports are 
informative and include links or contact information so that recipients 
can follow up to learn more details as required. In addition, DHS 
forwards information from Telecom ISAC members, government agencies, 
and other ISACs regarding new threats, anomalous activity, or 
advisories of immediate concern to critical infrastructure owners and 
operators. The cooperation across the leading ISACs has improved 
steadily over the last year, and the DHS/NCS effort has been a major 
part of that cooperation. Until DHS puts together a comprehensive 
information sharing strategy and architecture in collaboration with the 
private sector, the existing solution will continue to be inadequate, 
serving neither the private nor public sector well.
    Even though DHS has promoted information exchange across sectors by 
hosting meetings of the ISAC Council (ad hoc council of the leadership 
of the 10 largest industry ISACs), and meets regularly with the 
critical infrastructure Sector Coordinators to learn of sector and 
cross-sector requirements that require DHS assistance, it has not 
developed a comprehensive architecture describing the functions, 
relationships, and mechanisms for information sharing in coordination 
with the critical sectors. I would encourage a much more robust effort 
by DHS with Sector Coordinators, ISAC entities, and those representing 
critical infrastructure operations to develop and implement a full-
function architecture. An attempt by DHS to independently craft a 
comprehensive approach without the commitment of the private sector 
that manages most of the critical infrastructures is doomed to failure.
    Has DHS assisted with solutions? It is probably too early to answer 
this completely. DHS has established a dialog with Sector Coordinators 
and the ISACs, hosted the Homeland Security Standards Panel of the 
American National Standards Institute (ANSI HSSP), and is beginning to 
help in the development of sophisticated modeling and public-private 
exercises to determine requirements and then develop solutions.
    Has this role been sufficient? By what measure? If the question is 
whether DHS efforts have been sufficient to solve critical 
infrastructure problems, the answer is no. If the question is whether 
DHS has met expectations given the short life of the department, its 
learning curve, and the as-yet undefined set of requirements from 
industry, the answer is a qualified yes.
    Even though the Marsh Commission (President's Commission on 
Critical Infrastructure Protection) clearly identified the problem five 
years ago, and Federal government and industry stakeholders had 
accomplished a great deal since, the very act of reorganizing all the 
Federal agencies involved in critical infrastructure protection, 
installing an entirely new set of leaders, and refining requirements 
through three new national strategy documents has brought early 
progress nearly to a halt. DHS has done very well to work through this 
turmoil to get things moving again.
    Could DHS's role in information sharing be improved? Absolutely.
    Industry Sector Coordinators must be expeditiously identified for 
those new sectors added in the National Strategy for Homeland Security. 
The role of Sector Coordinator must be defined, promoted, and 
socialized at all levels of government and the critical infrastructure 
industries. The Sector Coordinators should be a first point of contact 
for information. An effort should be made to tailor homeland security 
alert levels to sectors or regions, rather than confuse everyone by 
publishing a one size fits all color code that few can use practically. 
Before being absorbed by DHS, the Critical Infrastructure Assurance 
Office (CIAO) developed and conducted Project Matrix, which 
methodically identified critical assets and dependencies within and 
across all Federal departments and agencies. What has become of Project 
Matrix? If its methodology was sound, could it be used by critical 
infrastructure sectors in a similar way?
    Sectors generally have extensive knowledge of their critical 
assets, but not of their critical dependencies on other sectors, or 
detailed knowledge of others' dependencies on them. This knowledge 
deficit could be partially remediated by modeling interdependencies and 
conducting exercises designed to highlight interdependencies, identify 
regional stakeholders, resulting in comprehensive cross-sector 
contingency plans. Sector Coordinators and their representatives should 
be involved in the creation, design, development, and leadership of 
these exercises and models, rather than simply be invited as observers 
or last-minute add-on participants.
    Do the right people have enough information regarding potential 
threats to properly allocate resources? Resource allocation is part of 
risk management decisions. I think DHS has the correct strategy here. 
Specifically, stakeholders need to understand the nature of critical 
vulnerabilities in sectors and the scope of potential impacts if 
exploited; consider these vulnerabilities in the context of 
intelligence, understanding threat and adversary capabilities; then 
make judgments on what protective actions should be prioritized. More 
structured engagement with the private sector on identification of 
critical vulnerabilities needs to be developed. This is more about 
getting the right people together from each sector in organized effort 
than about a simulation task.
    Except for a few specific instances, when industry stakeholders are 
given access to government classified information on threats, the 
information is insufficient to be actionable. In those instances when 
DHS learns of specific information that could help a single sector or 
company defend itself, it has been very proactive in getting that 
information to the right people as soon as possible. Rather than 
attempt to learn more about who or why someone or some group might 
target American critical infrastructures, I recommend greater efforts 
in vulnerability and interdependency analysis in order to get at the 
how and what could be done. Industry should lead in development of 
defense-in-depth technologies and procedures, with support and 
coordination provided by the government. The greatest progress toward a 
secure critical infrastructure can be made by hardening infrastructure 
protocols and implementing industry best practices. This is why I 
repeatedly stress the importance of research, modeling, and exercises.

    Question: b. One issue that has been raised is the private sector 
not sharing information on vulnerabilities with each other or 
government due to FOIA concerns. How do you think we can work around 
this stumbling block? One suggestion is to set up a national center to 
monitor critical infrastructure where information could be sent 
confidentially (would classification help); another is to strengthen 
the information sharing and analysis centers' and their relationship to 
DHS. What do you see as the advantages and disadvantages to either of 
these approaches? Is there a better way to spur sharing relationships 
so that the right people can be talking about these problems before 
they happen rather than after?

    McCarthy Response:
    The GMU CIP Project held an ISAC Conference on August 11, 2003. The 
overall topic was ``Information Sharing and Analysis Centers: Defining 
the Business Case.'' Participants included representatives from almost 
every critical sector, the ISACs, and members of federal and state 
governments. The result of this conference is a White Paper, including 
findings and recommendations, which is attached to this document.
    One of the questions the Conference strove to answer was ``What is 
government's role and responsibility to promote ISAC functionality and 
growth?'' Overall, industry looks to government for cooperation in 
information sharing. The relationship should be embodied by a dynamic, 
two-way process: ISACs can share operational information, while the 
government provides timely intelligence and data analysis. This 
collaborative process would strengthen the ISAC relationship with 
government, and perhaps encourage more meaningful sharing on both 
sides.

    Orszag Response:
    I share the concern that extant rules on disclosure, including FOIA 
and FACA, may limit the degree of useful information sharing that 
occurs between the private sector and the government. However, I lack 
sufficient expertise in the area to provide specific recommendations to 
you.

    Watson Response:
    Industry is encouraged by the inclusion in the Homeland Security 
Act of a specific exemption to FOIA for critical infrastructure 
information (CII) voluntarily shared with DHS. With that provision, one 
obstacle to sharing vulnerability information with the Federal 
government has been removed. Additional barriers such as anti-trust, 
liability, relevance, applicability, fairness, and competitive issues 
need to be addressed as well.
    Follow-on efforts must be made with the 50 states and foreign 
governments to ensure that non-Federal jurisdictions can protect 
information from American companies as well, or they should only obtain 
CII information from DHS where it is protected as CII..
    The idea of a national critical infrastructure information center, 
as opposed to strengthening and coordinating with the various ISACs, 
has both advantages and disadvantages. On the positive side, it would 
provide a single clearinghouse for all critical infrastructure 
information, simplifying the job of government in knowing whom to 
contact or where to go. On the negative side, it would add a 
bureaucratic layer, potentially dramatically slowing the flow 
information into and from the Federal government. Such a center would 
require special expertise from each of the critical sectors, access to 
industry ISACs, robust, secure communications capabilities with DHS and 
other relevant Federal departments and agencies, and equally robust, 
secure, and rapid communications capabilities with state and local 
governments and first responders. It could also create a target and a 
vulnerability due to the centralization of its information. Sensitive 
information is often compartmentalized and not centralized.
    There is no one size fits all solution. Sector Coordinators, in 
collaboration with DHS, should establish the information sharing 
mechanisms preferred by each sector. Industry is deriving value from 
the existing ISACs, and I believe they will continue to evolve, 
maturing into reliable, timely clearinghouses of great benefit to their 
sectors. Because of the heterogeneous nature of the sectors, any 
universal approach will not achieve the full goals intended by the 
original recommendations of the original President's Commission. As 
such, I do not support the idea of a Super ISAC beyond the current 
cooperative model developed through collaboration by the sectors and 
DHS. DHS has a legitimate need for certain information. The more 
specifically DHS can state information requirements, the more likely 
the department would receive it. DHS should be identifying the 
categories of information they would like to see for specific critical 
DHS functions from the private sector and then let the private sector 
determine if and what information can be provided. Again, a more 
structured approach communicated to the private sector would go a long 
way.
    The National Infrastructure Advisory Council (NIAC) will be 
submitting recommendations to the President soon on Vulnerability 
Disclosure Guidance and Enhancing Information Sharing. The NIAC 
includes key critical infrastructure corporate, state and local 
leaders, and has been very inclusive of Sector Coordinators and the 
ISACs as it has developed its guidance. The National Security 
Telecommunications Advisory Committee (NST AC) will also be submitting 
recommendations to the President on Barriers to Information Sharing. I 
respectfully advise the Committee to review these recommendations to 
develop appropriate public policy.
    c. Mr. McCarthy, one of your graduate students recently received a 
fair amount of national notoriety for mapping the fiber-optic network 
that connects every business and industrial sector in the American 
economy.

        Question: i) Could you discuss that project and it's potential 
        impact in further detail? ``What was the response it received 
        from national security officials and owners of critical 
        infrastructure? Did the DHS comment on it?
        Question: ii) In light of this achievement, has DHS been able 
        to produce a comprehensive national critical infrastructure and 
        key asset list, database, or map? If so, can you describe its 
        progress? In your estimation, how long would it take for DHS to 
        perform a comprehensive national assessment of critical 
        infrastructure and compile a comprehensive national list ? What 
        impediments exist to getting this done? What would it take for 
        the DHS to produce an "integrated critical infrastructure and 
        key asset geospatial database" as envisioned in the National 
        Strategy for the Physical Protection of Critical 
        Infrastructures and Key Assets? Once it was completed, what 
        would be the best use of such a database?

    McCarthy Response:
    i) Sean Gorman, a graduate student in George Mason University's 
School of Public Policy has spent the past four years mapping the 
nation's fiber-optic network and the industrial sectors that are linked 
to it. The map was created by mining publicly available information and 
combining it with mathematics to create a geospatial representation of 
our nation's communications infrastructure. This project is the basis 
for Mr. Gorman's PhD thesis.
    This experience has taught us how to do this kind of research and 
how to reach out to various government agencies, make it available to 
them, and also expand our understanding and the body of knowledge. 
Meetings with appropriate stakeholders allowed the research project to 
set up some guidelines of what would be a good idea to publish and what 
wouldn't, and to set up a structure to look at what was and wasn't 
sensitive.
    The research itself is focused on methods used to further the 
research community's understanding in the areas of Spatial Small Worlds 
and Network Theory. A by-product of this research is information that 
may be useful to government agencies in protecting our homeland; this 
portion of the research has been shared with the appropriate agencies. 
As soon as the project was proposed, the need to study these systems in 
terms of their impact to our National Security, National Economic 
Security, Public Health and Safety, and Public Confidence was apparent. 
This research has as an objective to evaluate these systems to 
understand their:
        Reliability--stability of existing systems and parts of systems
        Redundancy--alternatives identified in advance of disruption
        Resiliency--how fast can it systems can be restored after 
        disruption
        Vulnerability--economic, social, and societal impact of system 
        disruptions
    All of these questions need to be answered in order to manage 
priorities in directing safety activities in any diverse and spatial 
distributed system. Sources of potential disruption are natural 
disaster (floods, hurricanes, tornadoes, earthquakes, etc.), 
technological problems including (fires, short circuits, etc.) or 
terrorist attack. While each of these types of potential disruptions 
are important, the need to better understand the probability and 
implications of deliberate attacks has only recently become an area of 
serious academic research. This kind of work is vital to managing the 
Nation's critical information infrastructure assets.
    ii) Mr. Gorman's work, although comprehensive, deals with only one 
small piece of the nation's key assets and critical infrastructures. 
Robert Liscouski, DHS Assistant Secretary for Infrastructure 
Protection, has pointed out that it could take years to create a 
comprehensive risk assessment database.. There are thirteen defined 
critical infrastructures, plus five key asset categories. The issue is 
not one of specific impediments or delays, but rather that the process 
is necessarily complex if it is to be comprehensive. Such a project 
will require intense, prolonged focus to be complete and accurate.

 Responses to Questions for the Record submitted by the Honorable Jim 
                                 Turner

                           September 4, 2003

For all witnesses:
Question: 1. In your opinion, which of our critical infrastructure 
sectors pose the greatest national security concern, in terms of risk 
of attack, vulnerability to attack, and potential consequences? Please 
rank--in relative order starting with the highest concern--the top five 
critical infrastructure sectors that you believe pose the greatest 
risk. Briefly discuss the reasons for your selections and rankings.

McCarthy Response:
    It is impracticable to quantify which critical infrastructure is 
most important, or ``of greatest national security concern.'' One key 
aspect of the criticality of a particular infrastructure, or set of 
infrastructures, may arise from physical aspects of siting, 
collocation, uniqueness and shortages of equipments, volatility of 
infrastructure components or materials, or the logistical or supply 
chain impact of loss of a critical path process. These aspects of 
criticality are loosely identifiable from geographic or spatial 
economic analyses in conjunction with interruption of service actions. 
Other key aspects of criticality of particular infrastructures, or sets 
of infrastructures, may result from interdependency between systems, 
cascading effects due to disruptions moving through interdependent 
infrastructure configurations, or system conditions reaching states of 
threshold failure. This would be the case where one infrastructure 
system fails because another infrastructure did not deliver its 
anticipated inputs, due to a lack of capacity or unfulfilled demand. 
With so many variables to consider, and so much data to weigh and 
process, I cannot say with any confidence that any infrastructure is 
any more critical or vulnerable than any other. The focus should be on 
maintaining robust systems for all critical infrastructures.

Orszag Response:
    Although I am hesitant to select five sectors and then rank them, 
one sector clearly warrants immediate attention: the chemical industry. 
It is now more than two years after September 11th and more than a full 
year after Secretary Ridge wrote in the Washington Post that voluntary 
efforts were not sufficient to provide the proper level of security in 
the chemical industry. Yet nothing has happened to force chemical 
facilities to move beyond voluntary efforts. The continue lack of 
adequate security measures at the nation's chemical facilities, as 
vividly demonstrated in a recent 60 Minutes expose, is astonishing.

Watson Response:
    I do not believe there is a single sector that is most critical. 
The PCCIP (Marsh Commission) got it right when it identified eight 
sectors as critical to the operation of government and the well-being 
of our citizens, their dependence on computer networks, and their 
interdependence. Successfully attacking any of the critical 
infrastructures would have cascading effects on multiple others. The 
problem, and the risk, is that these dependencies are still poorly 
understood. I do believe that the sector definitions need to be refined 
the original eight may accurately identify the most critical industry 
areas, but the sector definitions do not necessarily agree with how 
industry understands and organizes itself. For example, 
telecommunications (or communications) and IT are very different 
industries, but were grouped as a single sector by the PCCIP. Also, 
electric power and oil and gas were identified as two sectors by the 
PCCIP, but most energy companies produce and provide both forms of 
energy.
    Criticality must also be defined. Is it important to know what the 
immediate effects of a sector specific outage are on other sectors, or 
the long-term impact, if sustained? Does criticality include financial 
impact, cost of recovery, and effect on consumer confidence, or is it 
simply limited to the ability to conduct business in the affected 
sector?
    A strong argument can be made that telecommunications is the most 
critical infrastructure, since it typically is the one other critical 
infrastructure sectors cannot work around. For electric power, backup 
generators can be employed for a time; water tanks can be provisioned; 
but no viable alternative to telecom is typically available. However, 
in terms of attack, many focus on transportation and IT because they 
are the infrastructures that can most easily be converted into 
offensive weapons.
    All that said, the NIAC Interdependency and Risk Assessment Working 
Group submitted its final report to NIAC members October 14, 2003. That 
report included results of a survey of Sector Coordinators and key 
infrastructure owners and operators regarding their top dependencies. 
Respondents were asked to list the top three sectors on which they 
depend, and the top three sectors that depend on them. In terms of 
short-term dependencies, the overall top three were 1) 
telecommunications and IT, 2) electricity, and 3) transportation. 
However, adding long-term impacts broadens the list of critical 
dependencies. Without financial services, business comes to a grinding 
halt in a matter of days. Without safe food, clean drinking water, and 
available health care, public health also reaches a crisis in days. 
Without emergency police, fire, and medical services, the ability to 
respond and contain emergencies is severely impacted. Long-term impacts 
of transportation failures are far more severe than the short term.

Rauscher Response:
    With brief reflection on which of the nation's critical 
infrastructure sectors poses the greatest national security concern, 
one could identify the financial sector--because it has been the target 
of past attacks, or the communications sector--because of it's vital 
role in the operations of all sectors, or the energy sector--because of 
its foundational role as enabler for all other sectors. However, with 
the stakes being what they are, considerably more discussion is needed. 
My most useful guidance to the Committee is a review of the underlying 
method of identifying where the real greatest concern is.
    Ranking infrastructure sectors is difficult, and can be misleading 
without specifying prioritizing parameters. By definition, each 
critical infrastructure sector is inherently critical. Also, each 
sector has direct and indirect dependencies on the other sectors. In 
fact, there are intricate webs of dependencies threaded throughout 
these sectors. In addition to this complexity, some dependencies are 
new or are otherwise not well understood.
    The question of which infrastructure sectors are at most risk of 
attack is deferred to those responsible to gather and process the 
information that can support such insights. Vulnerabilities and 
consequences are addressed below.
    Which critical infrastructure sector poses the greatest national 
security concern, in terms of vulnerability to attack? The sector that 
poses the greatest national security concern is the one that does not 
have a comprehensive list of its vulnerabilities based on the intrinsic 
attributes of its basic building blocks, and does not have a systematic 
framework for effectively covering these vulnerabilities. An impact on 
anyone sector can have a domino effect on all of the other sectors
    All of our critical national infrastructure sectors have 
vulnerabilities. Furthermore, there are vulnerabilities that cannot be 
removed--they will exist and we must learn how to address them while 
they remain in our midst. With the current, extensive discussion on 
``vulnerabilities'', clarification is helpful regarding the use of this 
term. A ``vulnerability'' is an opening, or a soft area, or 
susceptibility. Vulnerabilities are intrinsic attributes of the 
building blocks that make up our infrastructure. For example, the 
Federal Communications Commission (FCC) Network Reliability and 
Interoperability Council (NRIC) Physical Security Focus Group 
identified eight building blocks, or ingredients, that make up the 
communications infrastructure: Power (internal systems), Environment, 
Hardware, Software, Network, Payload, Policy, and Human.
    Each of these ingredients has intrinsic vulnerabilities. For 
example, Environments can be accessed or destroyed, People can be 
deceived or fatigued, Policies have unintended side effects, and 
Hardware semiconductor materials can be overstressed by electromagnetic 
energy or fail in extreme temperatures.
    As Superman had a vulnerability to kryptonite, so the building 
blocks of our infrastructure have attributes that we must first 
identify, and then learn to protect appropriately. For example, the 
NRIC effort previously mentioned required an unprecedented level of 
industry engagement and collective expertise to systematically identify 
the vulnerabilities in each ingredient. This process then produced 
world class, voluntary, Best Practices guidance for preventing the 
future exercise of such vulnerabilities, or for mitigating the impact 
of a future attack. Furthermore, because the intrinsic attributes of 
these ingredients are commonly known, this vulnerability framework is 
effective in avoiding disclosure of sensitive information.
    The crucial concept is not so much to identify which sector has the 
greatest vulnerability, but to identify which sector has the greatest 
vulnerability that is remaining unaddressed. There are surface 
vulnerabilities that exist in a configuration or combination of 
ingredients. These can sometimes be removed by a reconfiguration or 
replacement of one ingredient with another. However, it is a 
misperception to think that all vulnerabilities can be removed. They 
must be identified, their nature understood, and then addressed through 
protective or other appropriate means to prevent their exercise by 
threats, or ameliorate their impact, if successfully reached with a 
threat.
    Which critical infrastructure sector poses the greatest national 
security concern, in terms of potential consequences and far-reaching 
impact on other sectors? The nature and target of any future attack 
will determine which critical infrastructure sector, once disrupted, 
would have the greatest potential consequences. Obviously, the sector 
targeted could have some direct consequences from a successful attack. 
However, the nature of the attack would determine the extent. For 
example, the detonation of a primitive explosive device near a 
communications network node could temporarily cripple communications 
support for other sectors' critical facilities in that immediate area, 
but broader regional traffic could be rerouted. A different attack on 
the same sector could attempt to spread a virus throughout an entire 
national network. Another scenario is one in which a compromised sector 
is deliberately unharmed while it is being used to unleash havoc on 
another.
    Without consideration for what vulnerability analysis is underway 
and what protective measures are in place, the following sectors 
present the highest potential risk to national security:
    Energy
    Information and Communications
    Banking and Finance
    Transportation
    Postal and Shipping
    This priority scheme is based on (a) the ease at which problems 
propagate within the sector, (b) the extent of other sectors' 
dependencies on it, and (c) the potential impact of a sector's loss of 
crucial functionality.

Question: 2. Do current efforts by the Administration and the 
Department of Homeland Security match the gravity and seriousness of 
the threats we face in the critical infrastructure sectors you 
identify? What more should be done to address the risks in the sectors 
you identify?

McCarthy Response:
    Although the Department is still in its formative stages, it is 
doing a remarkable job of ramping up projects and setting its agenda in 
order to face the critical infrastructure threat. For example, the DHS 
recently tapped the CIP Project to do a Mitigation Priority Analysis in 
the wake of Hurricane Isabel. We have been asked to evaluate the 
telecommunications, transportation, water, and energy sectors in the 
National Capital Region. Specifically, we will study how the four 
critical sectors prepared, reacted to, and recovered from the 
hurricane. This project will help identify the kinds of risks and 
vulnerabilities faced by these sectors, and provide guidance on how to 
address them.
    Another example of the Department's evolving schema is the recent 
development of the USCERT (Computer Emergency Response Team). It is a 
partnership between the NCSD and Carnegie Mellon's CERT/Coordination 
Center (CERT/CC), which will work with the private sector to improve 
warning and response mechanisms to cyber incidents. In addition, the 
USCERT will collaborate with the private sector to develop and 
implement new detection and response tools.
    These projects are excellent examples of the intelligence and 
initiative at work in the Department, even in this early stage of 
development. Of course there is more to do, but the Department is 
dealing with an enormous learning curve--bringing together old agencies 
with new ones, balancing security needs with efficiency, and 
anticipating the unanticipated are not easy tasks. But as the 
groundwork is laid for further growth, I am confident that the 
Department will rise to the challenge that Congress and the nation have 
put in front of it.

Orszag Response:
    As I stated in testimony before the 9--11 Commission on November 
19, 2003, the general lack of action in strengthening market incentives 
to undertake homeland security investments more than two years after 
the September 11th attacks is simply unacceptable. In my opinion, the 
Department of Homeland Security bears primary responsibility for this 
lack of action.

Watson Response:
    The Administration agreed with the Marsh Commission regarding the 
most critical infrastructure sectors, and studied the issue further, 
identifying additional critical sectors in the National Strategy for 
Homeland Security. That strategy is supported by national physical and 
cyber security strategies, which articulate the gravity and seriousness 
of the threats to critical infrastructures. I believe DHS understands 
the seriousness of this issue, but has been hampered by internal churn 
caused by simultaneously merging 22 Federal agencies, identifying and 
training new leaders and employees at all levels, sorting out real 
stakeholders from pretenders, and having to conduct day-to-day 
operations while reorganizing and hiring. Rather than try to determine 
which sector is most important, it would be far more effective to 
address cross-sector dependencies, considering all the identified 
critical infrastructure sectors. This is why I stressed the importance 
of computer modeling and tabletop exercises in my testimony.

Rauscher Response:
    My observations of the efforts of the Administration and the 
Department of Homeland Security, related to the protection of our 
critical national infrastructure sectors, is that:
    1. Critical infrastructure protection has been identified as a 
vital component of the Homeland Security strategy
    2. There is a concerted effort to advance the National Strategy for 
Homeland Security
    3. The Department of Homeland Security has begun to provide 
national coordination for infrastructure protection
    4. The Department of Homeland Security has also begun to implement 
creative, new technologies and capabilities in their approach
    A brief discussion of each of these areas, as related to the 
communications sector, follows.
    1. Critical infrastructure protection has been identified as a 
vital component of the Homeland Security strategy
    The President's National Strategy for Homeland Security underscores 
that critical infrastructure protection is vital to protecting the 
nation. For the communications infrastructure sector, this stated 
policy is and continues to be addressed in several notable ways.
    First, the government-industry partnership-based National 
Communications System (NCS) National Coordinating Center for 
Telecommunications (NCC) and Telecom-ISAC (Information Sharing and 
Analysis Center) trusted environment and functions have been integrated 
into the Directorate of Information Analysis and Infrastructure 
Protection (IAIP).
    Second, the President's National Security Telecommunications 
Advisory Committee (NSTAC) has been repositioned to within DHS and 
continues to advance policy guidance on several critical subject areas 
regarding critical infrastructure protection, including, for example, 
matters of concern with the banking and finance sector.
    Third, the joint government-industry Network Security Information 
Exchange (NSIE) continues to maintain dialogue on classified subject 
matter, other sensitive information, and on special subjects of 
concern. In addition, there are various other activities in which DHS 
exhibits its commitment of critical infrastructure protection.
    In summary, protection of the communications sector is the stated 
policy of the Administration and DHS and this policy has been acted 
upon with the necessary private industry cooperation. To ensure a 
continued strong protection program for the communications sector, the 
Administration and DHS should continue to work closely with private 
industry, and specifically, support the trusted environment of the NCC 
and Telecom-ISAC.
    2. Advancing the National Strategy for Homeland Security
    A basic learning from the September 11, 2001 Al Qaeda Attack was 
that the then existing methods of defending against terrorism were 
inadequate. This is a primary motivation behind the restructuring that 
has taken place under the new department.
    If a defensive strategy is based primarily on threat knowledge, 
then those vulnerabilities targeted by the known threats will likely be 
protected well. Speed and focus are the hallmarks of this approach, 
enabling efficient deployment of resources. However, this approach may 
leave some ``cockpit doors'' unaddressed. On the other hand, the 
systematic vulnerability approach covers all vulnerabilities--
independent of whether historic or fresh threat information is 
available. While this approach takes longer, it yields a substantially 
higher degree of confidence because it protects all vulnerabilities, 
and thus is prepared for any permutation of attack method. It is the 
only approach that can help us be as prepared and as secure as 
possible. It is the only approach that can let us sleep well at night.
    Given the complexity of many of our sectors, it is vital that such 
a very disciplined approach be followed. One further motivation for a 
systematic vulnerability approach is articulated in the President's 
National Strategy for Homeland Security: ``Terrorism depends on 
surprise.'' The sophisticated terrorists of the twenty-first century 
conduct surveillance and patiently plan. We cannot afford to take 
shortcuts that would leave our coverage of the unexpected wanting. This 
contrasting discussion of the two approaches does not suggest the 
selection of one over the other, but rather the deployment of both. It 
is best to see these two approaches as complimentary, where the 
vulnerability identification and protection functions are guided 
primarily on a vulnerability approach, and the threat intelligence and 
risk dissemination functions are guided primarily by the traditional 
means.
    The progress of the DHS IAIP Protective Security Division has 
mostly been along the lines of applying threat-based approaches. 
Although there have been numerous enhancements in this area, it is not 
enough. It is however, the best first step, in that it allows for a 
speedy, effective focus, and immediate efficient use of limited 
resources. The Protective Security Division plans to supplement its 
enhanced threat-based strategy with one of systematic vulnerability 
assessment, and to partner closely with private industry as it advances 
this strategy. It is vital that this course be maintained.
    From my unique position of having led the communications industry's 
top experts in the development of over two hundred and fifty Homeland 
Security Best Practices during the past two years, I have made a 
straightforward--yet strikingly critical--observation: Formal training 
directly enables or limits abilities to solve particular problems. 
Careful consideration should be given to the various disciplines 
available and the nature of the challenges being faced. Specifically, 
law enforcement professionals are often highly trained in methods of 
processing threat and risk information. Computer ``science'' training 
offers proficiency in translating logic ad other functionality into 
automated processes, but is actually based very little on fundamental 
scientific approaches to problem solving. However, it is the classical 
training of the engineer and scientist to do thorough, systematic, 
``cover-all-bases'' procedures. In critical infrastructure protection, 
it is essential that DHS fully utilize the appropriate compliment of 
disciplines, paying particular attention to include industry-
experienced engineers and scientists when comprehensive and systematic 
approaches are required. While the careful, systematic, thorough work 
of the engineer and scientist is often slower, it is absolutely 
essential.
    In summary, one of the critical roles for DHS is to draw the 
distinction between the protection methods of the past and the new 
methods needed for the future challenges of terrorism. It is vital that 
DHS implement its plans to augment the traditional threat-based 
approach with a systematic vulnerability-based approach.
    3. Provide national coordination for infrastructure protection.
    With the NCS integrated into the 1A1P, and as such the NCC and 
Telecom-ISAC also, DHS is providing important coordination within the 
communications sector and increasingly important coordination among 
other sectors. In preparation for an emergency, and during an emergency 
response, cross-industry and government-industry coordination is 
essential.
    The Department of Homeland Security also disseminates threat 
information through its trusted stakeholder channels. In addition to 
Daily Reports, DHS provides special notices and alerts. The 
communications sector also benefits from periodic DHS briefings to the 
Telecom-ISAC and its coordination between infrastructure sectors. 
During the August 2003 Power Blackout, the Telecom-ISAC received 
updates on anticipated regional power recovery timeframes from the 
Electricity Sector ISAC that enabled the communications network 
operators to more effectively manage logistics for, and deploy, limited 
resources.
    DHS also recognizes its need to receive counsel and advice from 
private industry. The communications sector is very complex, as there 
is a host of technological, competitive, regulatory, legal, and other 
issues in play. DHS appropriately relies on experts from service 
provider, network operator and equipment supplier perspectives. The NCS 
has been an active participant in the NRIC Homeland Security Best 
Practices work.
    4. Implement creative, new technologies and capabilities in their 
approach
    In order to meet the riveting challenges of our post-September 11 
world, capabilities need to be augmented to embrace new technologies 
and capabilities. It is essential that DHS be open to new approaches, 
and to be capable of effectively screening through options to find 
those that should be implemented. One example is DHS' continued 
engagement of the Wireless Emergency Response Team (WERT), which was 
formed on September 11, 2001, to use advanced wireless technology to 
support traditional Search and Rescue efforts. Another example is 
Wireless Priority Service (WPS), which provides priority access for the 
wireless air interface for first responders and others with national 
security and emergency preparedness responsibilities. However, while 
the capabilities of WPS are currently available for one wireless 
technology platform, half of the potential capacity for providing this 
essential service remains undeveloped. In the absence of additional 
funding and/or direction by Congress, this capacity will remain 
untapped until the end of FY05.
    In addition to including new capabilities, it is encouraging to see 
expanded outreach raising the awareness of existing NCS programs, such 
as the Government Emergency Telecommunications System (GETS), 
Telecommunications Service Priority (TSP), and SHAred RESources 
(SHARES) High Frequency (HF) Radio Program (SHARES), which allow for 
landline priority service access, determine pre-emergency priority 
restoration status, and provide a emergency message handling system by 
bringing together existing HF radio resources, respectively.
    An area where new approaches are desperately needed across all 
sectors is cyber security. In addition to strengthening reactionary 
measures--such as our cyber threat detection and response 
capabilities--an appropriate portion of this attention needs to be 
given for longerterm fixes that address the roots of all these 
problems. What are often referred to as ``vulnerabilities'' in the 
cyber community are usually the manifestations of software design 
errors. Bold, new, robust paradigms for software programming languages 
and compilers are needed.
    The frontier of new possibilities is vast. To optimize the 
effectiveness and economics of critical infrastructure protection, DHS 
must remain vigilant regarding applicable new technologies and 
capabilities.

    Question: 3. In your opinion, is the DHS Directorate of Information 
Analysis and Infrastructure Protection (I AlP) optimally organized to 
address the critical infrastructure sectors of greatest national 
security concern? Does it have adequate access to intelligence? Does it 
have relevant sector-specific technical expertise? Is it adequately 
staffed? Is its relationship with other relevant federal agencies--for 
example the DOE and EPA--on security matters clearly and well defined? 
Is the IAIP directorate sufficiently transparent to state and local 
officials and to owners of critical infrastructure?

McCarthy Response:
    I am not privy to the Department of Homeland Security's 
intelligence data or hiring practices, and therefore unable to comment 
on this question.

Orszag Response:
    I do not have the relevant expertise to respond to this question. 
My colleagues (James Steinberg, Ivo Daalder, or Michael O'Hanlon) would 
be better qualified to answer it.

Watson Response:
    It's too early to tell whether DHS/IAIP is optimally organized. The 
organization is maturing and leaders are still making changes as they 
see needs. Almost all intra-government efforts are not transparent 
outside of the government. It's also too early to tell whether it is 
adequately staffed or has developed effective relationships with other 
relevant Federal agencies. I do not have visibility into IAIP's access 
to intelligence, so cannot comment on its adequacy. IAIP has offered to 
house sector experts from each critical infrastructure, because they 
realize they do not have sufficient industry expertise. To date, the 
railroads have responded by seating two sector representatives within 
the
    CSTARC. Regarding transparency, our experience to date is that DHS 
has been relatively opaque to state, local, and industry, it has been 
extraordinarily difficult to find people within DHS to discuss specific 
issues like interdependency modeling, exercises, and strategy, but I 
attribute this primarily to reorganization churn.

Rauscher Response:
    The Department of Homeland Security Directorate of Information 
Analysis and Infrastructure Protection's organizational structure is 
critical to its being able to fulfill its role in supporting the 
protection of the nation's critical infrastructure. The form of this 
organizational structure should follow its functional priorities. For 
the communications infrastructure, these priorities are to establish 
and maintain trusted dialogue with the vast and diverse industry 
members, provide speedy dissemination of relevant threat information to 
these industry members, support emergency coordination within. the 
communications sector, and facilitate emergency preparedness and 
response coordination across sectors. In addition to these priorities, 
the communications industry may look to the DHS IAIP to support special 
needs from time to time. It is important for its structure to be 
flexible to speedily and effectively address these concerns when they 
arise.
    It is vital for the IAIP to have immediate access to intelligence 
on physical and cyber threats. Such information is vital to trusted 
representatives of key communications companies to use to better 
protect their networks and other critical facilities. In order for this 
information to be useful, it needs to be transferred in a timely 
fashion and with appropriate details in order for it to be leveraged 
for effective critical infrastructure protection purposes. Currently, 
the DHS IAIP NCS provides daily reports, and, from time to time, 
special information reports and alerts, to the communications industry. 
Communications companies throughout the industry use this information 
to adjust their physical and cyber security protective procedures. For 
example, an alert detailing a specific threat can be used to guide the 
review of specific industry-agreed NRIC Best Practices. The 
communications industry also provides information back through the 
trusted environment of the NCS NCC and Telecom-ISAC. Critical 
infrastructure information sharing processes should be continuously 
improved with methods of better identifying data relevant to specific 
infrastructure concerns and strengthened with updated safeguards 
against leaks.
    The IAIP cannot establish nor maintain needed expertise for the 
communications sector without close partnership with private industry. 
The nation's public communications infrastructure includes many 
networks consisting of thousands of network nodes that are operated by 
scores of distinct companies. The NCS Telecom-ISAC, NSTAC and the NRIC 
have provided coordination for cross-industry and government-to-
industry responses, national policy guidance, and detailed Best 
Practices, respectively.
    IAIP staffing level requirements will fluctuate substantially 
depending on the partnership architecture implemented. For example, the 
nation's communication's infrastructure is largely privately owned and 
operated. Strategies that have little, or ineffective dependence on 
private industry, and attempt to duplicate industry expertise will be 
much larger than necessary and an unnecessary expense. Also, because 
such a staff will not have day-to-day responsibilities for operating 
actual networks, such a strategy will result in unpreventable latency 
and limitations in the development of expertise. On the other hand, the 
NCS NCC has effectively implemented a partnership strategy with the 
communications industry since well before September 11, 2001. As a 
benchmark, the NCC staffing level needs have been raised due to a 
number of factors, including: a higher national priority for the 
reliability and security of the nation's public networks, a recognition 
for greater coordination among critical infrastructure sectors, and 
expanded industry membership.

For Peter Orszag's Response:
    4. In your book, ``Protecting the American Homeland: One Year On,'' 
you state that, ``[Presidential Decision Directive]-63 designated key 
agencies to oversee the protection of critical national infrastructure, 
but many observers complained that the resultant apparatus was 
ineffective. Although the Office of Homeland Security now has broad 
supervision over this issue, it still needs closer attention.'' Could 
you elaborate on this lack of effectiveness and what you mean by 
``closer attention''?

Orszag Response:
    ``Closer attention'' means grappling with the tradeoffs inherent in 
moving beyond a laissezfaire approach to homeland security. That 
approach will not work, but it is easy to go astray in devising 
alternatives--either by imposing excessive costs on the private sector 
or by failing to provide sufficient incentives for protection. The 
Department must exercise more leadership in how the nation should 
approach that difficult tradeoff.

    Question: 5. In your book, ``Protecting the American Homeland: One 
Year On,'' you state that, ``The Administration's strategy leaves out 
several key priorities for action. . .[including] major infrastructure 
in the private sector, which the Bush Administration largely ignores. . 
. In early 2003, the Department of Homeland Security issued a strategy 
document for protecting critical infrastructure, but the document 
lacked the types of specific policy steps that are now overdue'' What 
specific policy steps would you recommend that the DHS take?

Orszag Response:
    Protecting the American Homeland identifies the specific steps that 
my co-authors and I believe are appropriate for protecting private-
sector assets in the United States from terrorist attack.

For Mr. McCarthy and Mr. Watson
    Question: 6. In your opinion, are the DHS and the White House 
providing comprehensive leadership to improve information sharing with 
state and local officials and with owners of critical infrastructure? 
Please discuss the effectiveness of measures already taken to improve 
information sharing, including Freedom of Information Act (FOIA) 
exemptions. Please discuss other measures that you believe the 
government should undertake to increase information sharing with 
critical infrastructure owners and with state and local officials?

McCarthy Response:
    This Administration is making great strides in engaging state and 
local governments, as well as owners and operators of critical 
infrastructures, in conversations about security, reliability, and 
performance. For example, our current Mitigation Priority Analysis 
project depends on inputs from a myriad of regional entities: the 
state/city governments of DC, Maryland, and Virginia; county 
governments, like Montgomery (MD), Arlington (VA), and Fairfax (VA); 
and the businesses that run the four sectors that are being studied, 
like PEPCO, Dominion Virginia Power, Metro, and various water 
processing plants. This is an important foray into establishing 
critical infrastructure processes on a regional level, as well as 
national.
    The Administration has also addressed industry's concerns that 
sensitive, proprietary information remain private, even if shared with 
the government. In April, DHS released its draft Critical 
Infrastructure Information (CII) regulations. These regulations, once 
adopted, will allow owners of critical infrastructures to share certain 
information with the Department with assurances that such information 
can only be accessed by specific individuals. The information will be 
protected, and not subject to outside access through the Freedom of 
Information Act (FOIA) process. This is a first step, but an essential 
one, towards private sector information sharing.
    The Department of Homeland Security is not the only agency 
concerned with keeping sensitive information from prying eyes. Other 
agencies have "lead" status with certain industries, and have 
established similar regulations concerning sensitive information. For 
example, after the 9-11 attacks, the Federal Energy Regulatory 
Commission (FERC) removed from its reading room detailed maps and other 
information about electric power facilities and natural gas pipelines. 
Although exempt from FOIA procedures, this information had 
traditionally been open and available to anyone who requested it. In 
February, 2003, FERC ruled that individuals wanting access to this 
information would have to apply for it. The application requirements 
include identification information, and take the need/purpose of the 
information into account. Access is granted on a case-by-case basis, 
and only to individual applicants.
    Establishing a trusted relationship with industry can be a delicate 
process. Both DHS and the White House are laying the critical 
foundation to ensure that information sharing can be a positive 
experience for all involved.

Watson Response:
    As stated above, DHS has reached out to the ISACs and the ISAC 
Council to establish information sharing mechanisms. The FOIA exemption 
in the law creating DHS removes a barrier to information to be shared 
by the private sector with DHS. (There is still an issue with sharing 
similar information at the state and local level where CII protection 
does not exist.) It is too early to assess whether these measures have 
been effective. Cross-sector and public-private information sharing is 
nearly as new to industry as it is to the Federal government, and we 
are developing mechanisms together. To date, DHS leaders have been very 
receptive to industry ideas regarding organization, protocols, contact 
lists, and frequency of communications.
    One additional step that could be taken would be for DHS to sponsor 
research into real-time data sharing. Current ISAC and government 
efforts are limited to e-mail, phone, and webbased message traffic, 
which will always lag behind actual threats. The only way to get ahead 
of the curve is to establish real-time data sharing. The time between 
vulnerability disclosure and live exploitation is decreasing 
dramatically, as is the time to maximum infection rate of a new worm or 
virus. Sometimes, filtering traffic at specific ports is the only 
interim defensive measure possible until vendors can develop software 
patches or signature updates for antivirus and intrusion detection 
programs. As these times approach zero, the only way defenders will 
have time to implement filters or block access will be real-time 
visibility of inbound and outbound traffic. Several companies, Federal 
agencies, and the CERT/CC have capabilities in this area, and the IT-
ISAC is prototyping a multi-company and cross-ISAC capability. I 
believe both the sectors and the Federal government would benefit 
greatly from a comprehensive national capability to see real-time 
traffic in order to implement interim defensive actions in advance of 
attacks on critical infrastructure networks. Such a research project 
must include a consideration of privacy, protecting individuals, and 
companies' private, proprietary information should be built in to any 
real-time traffic sharing scheme.
    One of the greatest barriers to information sharing is the lack of 
coordination of requests for information from multiple jurisdictions. 
DHS has not demonstrated sufficient intradepartment coordination, and 
has provided little to no leadership to the states. Since September 11, 
2001, the private sector has encountered a flurry of state-by-state, 
municipality-by-municipality, and county-by-county information 
requests. These requests on industry have become unsustainable, and if 
left uncoordinated will lead to grossly inefficient and idiosyncratic 
security programs. Companies are diverting valuable resources in order 
to respond to state, municipal, and county inquiries. Thus, there is a 
compelling argument for Federal leadership and partnership with states, 
municipalities and counties in the formation of regularized inquiries 
to avoid inefficient duplication by multiple governmental entities. 
However, this should not be interpreted as a call for Federalization of 
security, but rather, should be viewed as a call for coordination among 
Federal, State, and local municipalities in regards to assembling and 
protecting information necessary to protect critical infrastructure 
information (CII) within DHS.
    For example, it appears that earlier this year, DHS requested that 
states compile a list of their critical infrastructures. States were 
compelled to respond to the DHS request, for the state's response would 
help determine the amount of discretionary DHS funding the state would 
be allocated to improve emergency preparedness and response. However, 
the Emergency Response division within DHS did not coordinate the 
request with the IAIP division. An unfortunate oversight, for much of 
the information being requested of the states had already been 
compiled, and therefore protected under FOIA, by independent agencies 
that have now been subsumed by DHS. Therefore, I would argue that 
regardless of what governmental entity or authority seeks CII, industry 
should submit its CII only to DHS. The Federal law now provides DHS 
with the requisite authority to exempt CII from Federal FOIA 
disclosure. Most state and local governments have FOIA laws or 
information access laws that are not as stringent or broad enough to 
protect CII, which is most troubling. In addition, by having DHS as the 
main repository and clearing house for CII, Federal, state and local 
governments will not have to make duplicative requests to provide 
information that is already being held and protected by DHS. The 
administrative burdens placed on industry to provide duplicative 
information can be averted simply by having Federal, state, and local 
governments obtain the CII they require from DHS. DHS can than 
disseminate the information under the Federal law to other Federal, 
state, and local governments ensuring the protection of the provided 
CII. Finally, any Federal agency that has or will acquire CII through 
governmental request should send such CII information immediately to 
DHS for retention, as DHS has the proper legal authority to protect CII 
from disclosure.
    Section 214 of the Homeland Security Act does not preempt state law 
and that the proposed rules under section 29.8(g) mirror the provisions 
of section 214. I do not advocate preemption, since a statutory change 
to section 214 would be required. Rather, it seeks DHS rules that would 
require DHS to become the CII repository for Federal, state, and local 
governments and that all requests for CII be first made to DHS by 
Federal, state, and local governments. In addition, DHS should require 
Federal, state, and local governments to make their initial CII inquiry 
to DHS, before seeking such information independently from the private 
sector. Under this proposal, State and local governments could still 
solicit information from individual companies. If the information was 
not currently held by DHS, the company would consider the request and 
respond accordingly to the Federal, state, or local government 
requestor. Of course, if the information had already been provided to 
DHS, industry would refer the Federal, state, or local government 
requestor back to DHS.

    Question: 7. Do you believe that industry Information Sharing and 
Analysis Centers (ISACs) will be in a position to create a business 
case for traditional national defense or national security objectives? 
Why or why not? Are ISACs the best organizations to lead sector-based 
industry efforts to share critical infrastructure information? What is 
the role of the federal government in supporting industry ISACs? Is the 
federal government doing enough to support ISAC efforts?

McCarthy Response: Reference separate attachment on symposium summary
Information is in committee files.

Watson Response:
    First, it is important to remember that ISACs, as a generic group, 
do not represent the sectors. Again, there is no one size fits all 
solution for every sector. I do not believe ISACs should be in the 
traditional national defense or national security business, but should 
be a part of an overall assessment of threat that could be used for 
defending the country. Only when analysis indicates that industry 
sectors are the target of an attack on the United States should ISACs 
be involved in defensive efforts, and even then, it is the affected 
companies that must take defensive action, not the ISACs. I believe the 
ISACs are the best organizations to lead sector based industry efforts 
to share critical infrastructure information, but they are not the only 
sources of such information. Key owners and operators will have some 
information they can provide directly to other companies and 
governments to augment that coordinated by ISACs. Critical 
infrastructure owners and operators that do not belong to an ISAC may 
have information of which neither government nor ISACs are aware. As 
ISACs mature and information-sharing mechanisms become more robust, the 
ISACs will evolve into a more central role in critical infrastructure 
information sharing.
    The Federal role in supporting ISACs is primarily participation as 
a full partner in the process. I recommend three areas for improvement 
in the Federal government's role as partner to industry:
    a) Improve timeliness and quality of threat information shared with 
industry ISACs. Information is flowing from government to industry, but 
because of sanitization and classification requirements, information 
from government is usually hours or days later than that flowing from 
industry to government on the same threats. In addition, specifics 
regarding threat organizations, intents, and targets, are not often 
shared.
    b) Provide feedback to industry on the value of information 
provided by ISACs to government, and details on how that information is 
being protected by government. ISACs have been providing threat, 
vulnerability, countermeasures, and best practice information, along 
with analysis, to government, but in most cases it seems to go into a 
black hole. Feedback regarding usefulness would be valuable in 
prioritizing ISAC efforts. Transparency regarding steps taken to 
protect industry information would encourage more sharing from industry 
to government.
    c) Coordinate requests for industry information. Currently, ISACs 
and other industry organizations receive multiple requests daily from 
the Federal government, many from separate DHS organizations, for 
similar or identical data. Industry organizations cannot scale 
resources to respond to all these requests, and have little 
understanding of the intended use of the information requested. Also, 
industry receives little information regarding the protection of the 
information. DHS should consolidate Federal requests of industry 
information, provide to industry the intended use of the information, 
the steps to be taken to protect it, and benefit (feedback) to the 
industry organization providing the information.

Question: 8. When attempting to prioritize limited resources, how 
important is it to have in place a comprehensive national critical-
infrastructure risk-and-vulnerability assessment? To the extent that 
you are aware, please describe DHS' progress to date to produce such 
and assessment, including a prioritized national list, database, and 
geospatial map of critical infrastructures and key assets. What more 
should be done to speed progress on such an initiative? In your 
estimation, and in light of assessments that have already been done by 
states and industry, how quickly could a rough draft of a comprehensive 
national assessment of critical infrastructure be completed?

McCarthy Response:
    A comprehensive assessment of critical infrastructure risk will 
take years to complete. Certainly, a tool like this will assist in 
setting critical infrastructure priorities, but it is not the only one. 
One prime alternative is the National Capital Region (NCR) Urban Area 
Security Initiative (UASI) Project. The overall intent of this effort 
is to use the National Capital Region as a real world laboratory 
exercise to evaluate and propose future methods of critical 
infrastructure protection activities. George Mason plays an important 
role in Critical Infrastructure Protection Oversight, collaborating 
with university, industry, and government partners. Together, we will 
conduct an analysis of each critical infrastructure sector, with a 
focus on assessing vulnerabilities.
    I do not have data on exactly what critical asset lists the 
Department does or does not have; understandably such information 
should be kept under lock and key. What I do know is that until such 
time as a comprehensive risk assessment can be completed, the 
Department must continue to think ``outside the box.'' It must rely on 
creative and innovative projects like the NCR project to help set 
priorities and allocate the resources accordingly.

Watson Response:
    A single, comprehensive national critical infrastructure risk and 
vulnerability assessment would not only be cumbersome, but a very 
dangerous target list. Most of it would also grow quickly out of date. 
Understanding regional cross-sector dependencies would help regional 
stakeholders make resource decisions, but a national list would have 
little value beyond the Ooh factor and braggadocio. At the national 
level, strategy, policy, and doctrine are most useful. Operational 
action must occur at the regional, operational level, and local, 
tactical level of defense. Use military planning as a model. Military 
units develop and maintain defensive plans that cover their specific 
bases, stations, units, taskforces, and ships. Every level of command 
develops plans and procedures appropriate to its area of influence 
(reach) and area of interest (threat). Neither the military service 
headquarters nor the Joint Chiefs of Staff get involved in specific 
unit planning. Rather, the Services and JCS provide strategy, policy, 
and doctrine, on which local commanders base their decisions. This is a 
good model for critical infrastructure protection planning, and 
supports my argument for regional exercises to identify key 
stakeholders and local cross-sector dependencies, and to develop cross-
sector regional contingency plans. In the cyber dimension, planning 
must be global, since there are no borders in cyberspace. Therefore, 
cyber elements of regional exercises should be global, not regional or 
local.
    In addition, the network elements most vulnerable at any given time 
are a function of what the threats are, a scenario which changes daily. 
For example, if current threat analysis suggested that nuclear power 
plants were being targeted, the list of telecommunications, emergency 
service facilities and other infrastructures most vulnerable would be 
significantly different than if certain water facilities were the 
target. As such, any list being generated is static, being compiled in 
the absence of specific threat scenarios and even at its best, would 
not be particularly meaningful for any significant period of time.

Question: 9. What progress has been made by states and industries to 
comprehensively assess critical infrastructure risks? Has the DHS done 
enough, in your opinion, to 1) provide sufficient leadership, guidance, 
and assistance to states and industry; and 2) leverage work already 
done by states and industry as it seeks to produce its own 
comprehensive national assessment?

McCarthy Response:
    We are aware that many states are currently in the initial stages 
of evaluating their risk status and levels of preparedness. The 
Department has contributed heavily to these efforts, as much as a young 
organization could reasonably be expected to contribute. It is equally 
important for states and industry to assume responsibility for action 
on these fronts. The Department also appears to have established strong 
working ties into the various state and industry efforts, and those 
contacts are likely to lead to a more informed national assessment.
Watson Response:
    Several critical infrastructure sectors have completed sector-wide 
risk assessments, and indeed some of these have been doing so for 
several years. I recommend asking the Sector Coordinators about sector-
specific risk assessments. The states are beginning to make 
assessments. Notable among these are New York and New Jersey, following 
the terrorist attacks of 9/11/2001. DHS is still too new to provide 
comprehensive guidance, but the priorities outlined in the Marsh 
Commission report and the three national strategies (Homeland Security, 
Physical Infrastructures, and Cyber Security), have provided sufficient 
direction for industries and states to get to work on assessments and 
contingency plans. Again, I believe a comprehensive national assessment 
would be largely useless, except in the cyber dimension.

 Questions and Responses from Denise Swink, Acting Director, Office of 
  Energy Assurance submitted by Rick A. Dearborn, Assitant Secretary, 
              Congressional and Intergovernmental Affairs

                     Hearing on September 17, 2003

    Question: 1. Subsequent to the blackout of August 14,2003, have 
your investigations revealed any possibility that a cyberattack caused 
part or all of the power grid failure? If so, please elaborate.
    Answer: 1. A great deal of work has been done in this area 
including interviews with key personnel at sites where the outage 
related events began. As stated in the U.S. Canada Power System Outage 
Task Force Interim Report: Causes of the August 14th Blackout in the 
United States and Canada, no evidence has been identified indicating 
that malicious actors are responsible for, or contributed to, the 
outage. There is also no evidence suggesting that viruses and worms 
prevalent across the Internet at the time of the outage had any 
significant impact on power generation and delivery systems. However, 
as discussed in response to Question 2, the Task Force Security Working 
Group (SWG) has concerns with respect to: the possible failure of alarm 
software; links to control and data acquisition software; and the lack 
of a system or process for some operators to view adequately the status 
of electric systems outside their immediate control.

    Question: 2. Have your investigations revealed the failure of some 
computer monitoring systems at electric power facilities either before 
or during the blackout of August 14th? If so, please elaborate.
    Answer: 2. As discussed in the interim report, SWG analysis 
suggests that failure of a software program--not linked to malicious 
activity--may have contributed significantly to the power outage of 
August 14,2003. Specifically, key personnel may not have been aware of 
the need to take preventive measures at critical times because an alarm 
system was malfunctioning. The SWG continues to work closely with the 
operators of the affected system to determine the nature and scope of 
the failure, and whether similar software failures could create future 
system vulnerabilities.
    Analysis of information derived from interviews with operators 
suggests that, in some cases, visibility into the operations of 
surrounding areas was lacking. Some companies appear to have had only a 
limited understanding of the status of the electric systems outside 
their immediate control. This may have been, in part, the result of a 
failure to use modem dynamic mapping and data sharing systems.

    Question: 3. How can the Congress, federal agencies, and state and 
local governments best work together to coordinate the necessary 
upgrades and protections to computer systems at electric power 
facilities so that we lessen the threat of a cyberattack?
    Answer: 3. The nation's electric power facilities, in large part, 
belong to private companies. These companies must comply with numerous 
Federal and State statutory and regulatory requirements, and are 
closely regulated by Federal and State regulation bodies. However, 
these same companies are reluctant to apply cyber security guidelines 
and recommendations that have a questionable business case in light of 
a poorly defined threat. The threat in cyberspace is very difficult to 
define and is a point of controversy in the cyber security arena.
    In order to persuade private sector companies to invest in cyber 
security, it is necessary for all concerned parties to work 
cooperatively to make a sufficient business case for these expenses. 
Better analysis/definition of the threat in an unclassified form is 
necessary in order to promote the adoption of upgrades and protections 
necessary to lessen the threat of a cyber attack.

    Question: 4. This month, the American Society of Civil Engineers 
(ASCE) released a Progress Report on its 2001 Report Card on America's 
Infrastructure. In this report, the ASCE examined current status and 
trends in the nation's deteriorating infrastructure. In their 
assessment, the Energy infrastructure received a D+. Roads and Bridges 
received a D+/C; Transit a C-; Drinking Water a D; Wastewater a D; Dams 
a D; and Hazardous Waste a D+. Does the poor state of a number of our 
infrastructure sectors have serious negative implications for the 
security of those sectors against potential terrorist attack? What is 
the relationship between reliability and security when it comes to 
critical infrastructure protection?
    Answer: 4. The state of our infrastructure does play a role in our 
ability to protect against a potential terrorist attack and to respond 
to an actual terrorist attack. The better the condition of our 
infrastructure, the better our ability will be to protect against and 
respond to a terrorist attack. It is important to have a robust 
infrastructure with an appropriate level of redundancy that can 
withstand an attack and still have capacity to meet critical needs and 
support an emergency response. Additionally, advance planning, good 
information systems, and well rehearsed infrastructure management 
techniques can aid in our response to an attack.
    The relationship between reliability and security is vital for 
critical infrastructure protection. Private sector companies are driven 
by both legal requirements and the business case that supports a 
particular decision. The reliability of the services provided by 
various sectors is the foundation that helps these companies avoid 
regulatory penalties and provide customer satisfaction and public 
confidence in their operations. Therefore, the aging state of most of 
these critical infrastructures forces the companies that own and 
operate them to balance their limited resources between maintaining the 
infrastructure and protecting it. Since the cyber threat is poorly 
defined and the need to maintain operational reliability is an easily 
defined business case, limited resources are made available to the 
protection of the infrastructure, especially the cyber part of the 
infrastructure. This situation is further complicated by a general lack 
of understanding by the private and public sectors regarding the 
interdependencies of the critical infrastructures. For example, 
decisions on the appropriate security level for a bridge should include 
consideration of vital energy or telecommunications carried by that 
bridge in addition to the bridge's role in the transportation system.
    Criticality of assets is very different depending on the approach 
you take to defining the criteria.

                        Questions for the Record

 House Select Committee on Homeland Security Hearing: "Implications of 
     Power Blackouts for the Nation's Cyber-security and Critical 
        Infrastructure Protection: The Electric Grid, Critical 
          Interdependencies, Vulnerabilities, and Readiness."

                           September 17, 2003

                     Assistant Secretary Liscouski

Question: (1) Subsequent to the blackout of August 14, 2003, have your 
investigations revealed any possibility that a cyber-attack caused part 
or all of the power grid failure? If so, please elaborate.
No. The investigation found no evidence that attackers were responsible 
for, or contributed to, the outage. AI-Qaeda claims to the contrary are 
false.

Question: (2) Have your investigations revealed the failure of some 
computer monitoring systems at electric power facilities either before 
or during the blackout of August 14th? If so, please elaborate.
Yes, a combination of human operator and non-malicious computer 
failures contributed to the August 14 power outage. The following 
timeline was derived from detailed discussions with FirstEnergy and the 
Midwest Independent Transmission System Operator (MISO). All times are 
approximate:

 
------------------------------------------------------------------------
                   Time                               Activity
------------------------------------------------------------------------
12:40 EDT                                   At the MISO, a MISO EMS
                                             engineer purposely disabled
                                             the automatic periodic
                                             trigger on the State
                                             Estimator (SE) application,
                                             which allows MISO to
                                             determine the real-time
                                             state of the power system
                                             for its region. Disabling
                                             of the automatic periodic
                                             trigger, a program feature
                                             that causes the SE to run
                                             automatically every 5
                                             minutes, is a necessary
                                             operating procedure when
                                             resolving a mismatched
                                             solution produced by the
                                             SE. The EMS engineer
                                             determined that the
                                             mismatch in the SE solution
                                             was due to the SE model
                                             depicting Cinergy's
                                             Bloomington-Denois Creek
                                             230-kV line as being in
                                             service, when it had
                                             actually been out of
                                             service since 12:12 EDT.
------------------------------------------------------------------------
13:00 EDT                                   After making the appropriate
                                             changes to the SE model and
                                             manually triggering the SE,
                                             the MISO EMS engineer
                                             achieved two valid
                                             solutions.
------------------------------------------------------------------------
13:30 EDT                                   The MISO EMS engineer went
                                             to lunch. He forgot to re-
                                             engage the automatic
                                             periodic trigger.
------------------------------------------------------------------------
14:40 EDT                                   An operations engineer
                                             discovered that the SE was
                                             not solving. He went to
                                             notify an EMS engineer.
------------------------------------------------------------------------
14:41 EDT                                   FirstEnergy's server running
                                             the AEPR software failed to
                                             the backup server. Control
                                             room staff remained unaware
                                             that the AEPR software was
                                             not functioning properly.
------------------------------------------------------------------------
14:44 EDT                                   An MISO EMS engineer, after
                                             being alerted by the
                                             operations engineer,
                                             reactivated the automatic
                                             periodic trigger and, for
                                             speed, manually triggered
                                             the program. The SE program
                                             again showed a mismatch.
------------------------------------------------------------------------
14:54 EDT                                   FirstEnergy's backup server
                                             failed. AEPR continued to
                                             malfunction. The Area
                                             Control Error (ACE)
                                             calculations and Strip
                                             Charting routines
                                             malfunctioned, and the
                                             dispatcher user interface
                                             slowed significantly.
------------------------------------------------------------------------
15:00 EDT                                   FirstEnergy used its
                                             emergency backup system to
                                             control the system and make
                                             ACE calculations. ACE
                                             calculations and control
                                             systems continued to run on
                                             the emergency backup system
                                             until roughly 15:08 EDT,
                                             when the primary server was
                                             restored.--At 15:05 EDT,
                                             FirstEnergy's Harding-
                                             Chamberlin 345-kV line
                                             tripped and locked out. FE
                                             system operators did not
                                             receive notification from
                                             the AEPR software, which
                                             continued to malfunction,
                                             unbeknownst to the FE
                                             system operators.
------------------------------------------------------------------------
15:08 EDT                                   Using data obtained at
                                             roughly 15:04 EDT (it takes
                                             about 5 minutes for the SE
                                             to provide a result), the
                                             MISO EMS engineer concluded
                                             that the SE mismatched due
                                             to a line outage. His
                                             experience allowed him to
                                             isolate the outage to the
                                             Stuart-Atlanta 345-kV line
                                             (which tripped about an
                                             hour earlier, at 14:02
                                             EDT). He took the Stuart-
                                             Atlanta line out of service
                                             in the SE model and got a
                                             valid solution.
------------------------------------------------------------------------
15:08 EDT                                   The FirstEnergy primary
                                             server was restored. ACE
                                             calculations and control
                                             systems were now running on
                                             the primary server. AEPR
                                             continued to malfunction,
                                             unbeknownst to the
                                             FirstEnergy system
                                             operators.
------------------------------------------------------------------------
15:09 EDT                                   The MISO EMS engineer went
                                             to the control room to tell
                                             the operators that he
                                             thought the Stuart-Atlanta
                                             line was out of service.
                                             Control room operators
                                             referred to their ``Outage
                                             Scheduler'' and informed
                                             the EMS engineer that their
                                             data showed the Stuart-
                                             Atlanta line was ``up'' and
                                             that the EMS engineer
                                             should depict the line as
                                             in service in the SE model.
                                             At 15:17 EDT, the EMS
                                             engineer ran the SE with
                                             the Stuart-Atlanta line
                                             ``live.'' The model again
                                             mismatched.
------------------------------------------------------------------------
15:29 EDT                                   The MISO EMS Engineer asked
                                             MISO operators to call the
                                             PJM Interconnect to
                                             determine the status of the
                                             Stuart-Atlanta line. MISO
                                             was informed that the
                                             Stuart-Atlanta line had
                                             tripped at 14:02 EDT. The
                                             EMS engineer adjusted the
                                             model, which by that time
                                             had been updated with the
                                             15:05 EDT Harding-
                                             Chamberlin 345-kV line
                                             trip, and came up with a
                                             valid solution.
------------------------------------------------------------------------
15:32 EDT                                   FirstEnergy's Hanna-Juniper
                                             345-kV line tripped and
                                             locked out. The AEPR
                                             continued to malfunction.
------------------------------------------------------------------------
15:41 EDT                                   The lights flickered at
                                             FirstEnergy's control
                                             facility, because the
                                             facility had lost grid
                                             power and switched over to
                                             its emergency power supply.
------------------------------------------------------------------------
15:42 EDT                                   A FirstEnergy dispatcher
                                             realized that the AEPR was
                                             not working and informed
                                             technical support staff of
                                             the problem.
------------------------------------------------------------------------


Question: (3) In your written testimony you state that, "We have 
conducted vulnerability assessments at electric power facilities, we 
have a protection strategy for key components, and we are working with 
industry and federal partners to determine the best way to implement 
that strategy." Could you describe for me what this protection strategy 
is for situations where a vulnerability assessment determines that a 
power facility might be subject to a cyber attack? I realize that there 
will be differences specific to each facility, but if you could 
generally elaborate on the strategy please.
The statement addressed the conduct of physical security 
vulnerabilities at electric power facilities and strategies the Office 
of Infrastructure Protection (IP) is devising for those facilities and 
other key components of the electric power infrastructure. 
Specifically, the National Cyber Security Division (NCSD) is examining 
critical infrastructures and associated key facilities, assets, 
physical plant, and control networks with a focus on their dependencies 
on cyber systems.
Regardless of whether a specific vulnerability is a physical- or cyber-
induced, IP's strategy is to identify vulnerabilities, correlate those 
vulnerabilities to the known threat environment, and provide 
appropriate technical and other assistance to mitigate risks. IP shares 
identified vulnerabilities with the infrastructure owners and operators 
and, if requested, technical assistance. Mitigation actions range from 
advice about rewriting software code to improving physical security 
weaknesses.

Question: (4) How can the Congress, federal agencies, and state and 
local governments best work together to coordinate the necessary 
upgrades and protections to computer systems at electric power 
facilities so that we lessen the threat of a cyber attack?
IP believes that Homeland Security Presidential Directive-7, Critical 
Infrastructure Identification, Prioritization, and Protection, which 
President Bush signed on December 17, 2003, establishes the necessary 
national framework to guide federal infrastructure protection policy 
and programs. Specifically, it clarifies federal roles and 
responsibilities and describes interfaces with state and local 
authorities and the private sector. IP is moving swiftly to implement 
HSPD-7, which we believe will make a visible and measurable improvement 
in infrastructure protection. Key to that effort is a National Plan for 
Critical Infrastructure and Key Resource Protection that integrates 
both physical and cyber security measures in one planning framework.

Question: (5) There is widespread acknowledgement of the importance of 
creating a comprehensive national critical infrastructure risk 
assessment in order to prioritize DHS efforts and manage spending. 
Carrying out comprehensive risk assessments, in general, is also 
mandated by Section 201 of the Homeland Security Act. In testimony 
before the full Committee on September 10, 2003, Governor Gilmore 
commented several times on the lack of an overriding homeland security 
strategy, based on a thorough threat, vulnerability, and consequence 
assessment, to drive priorities and DHS actions. In response to a 
question from Congressman Shays; Governor Gilmore remarked that the 
Administration has written a number of strategies but that none of them 
were based on an adequate risk assessment.
On September 17, 2003 you testified before the joint hearing of the 
Subcommittee on Infrastructure and Border Security and the Subcommittee 
on Cybersecurity, Science, and Research and Development. Congresswoman 
Sanchez and Congresswoman Jackson-Lee questioned you in detail on the 
progress and status of such a comprehensive risk assessment. In 
response, you stated that, ``I would be surprised, frankly, if we had 
that done in the next five years,'' and that ``there will be no 
timeline in which we will say we are finished.''Given the importance of 
comprehensive risk assessments and the requirements of the Homeland 
Security Act to develop a comprehensive national plan for securing the 
key resources and critical infrastructure of the U. S., does the DHS 
plan to publish at a certain point in time a document containing a 
comprehensive risk assessment of critical infrastructure, which would 
aid in the prioritization of protective measures?
Yes. IP expects to publish a plan by the end of September 2004. In the 
meantime, since March of last year, IP has on two occasions shared a 
comprehensive national risk assessment with the States. Moreover, the 
IAIP Directorate conducts assessments on every occasion in which the 
Secretary elevates the threat level. In these cases, IP provides 
guidance on setting priorities for protective measures. IP's first 
effort, which also featured the implementation of actions based on our 
risk assessment, took place during Operation LIBERTY SHIELD. The second 
was in response to the Congressional requirement to allocate grant 
funding based on identified threats and vulnerabilities. Results from 
both assessments were briefed to Congressional leadership.
Risk assessment is the cornerstone of IP's risk-managed, threat-driven 
operating model. Vulnerability assessments and threat assessments are 
part of this model. IP examines and addresses vulnerabilities across 
the Nation's infrastructure by using a five-step risk management 
methodology that measures the national risk profile in the context, and 
absence, of threat information. The major steps of the risk management 
methodology include:

        - Identifying critical infrastructure
        - Assessing vulnerabilities
        - Normalizing, analyzing, and prioritizing protective measures 
        .
        - Implementing protective programs
        - Measuring effectiveness through performance metrics

The threat environment is dynamic. So, IP uses this methodology across 
and within sectors so that when credible and actionable threat 
information is known, the Office can assess the sector-specific and 
cross-sector impacts using existing vulnerability assessment 
information. This allows IP to quickly prioritize protective measures 
across and within sectors, and implement these measures quickly, to 
reduce the overall risk posed by the threat.

Question: (6) The DHS has indicated that it will ''provide core 
expertise in critical infrastructure sectors'' and that it would 
organize along critical infrastructure sector lines. It is important 
for us to understand the progressthat has been made in staffing up the 
Office of Infrastructure Protection and integrating the organizations 
that it inherited. In your testimony, you indicated that the 
Infrastructure Protection Office currently has roughly 200 employees, 
staffing up to 450-500 people in 2004. Please provide a current 
detailed organizational chart of the Office of IP that indicates key 
functions and the number of employees by function. Please also provide 
a detailed list of currently staffed positions (by function and title; 
it is not necessary to provide individual names) as well as a list of 
open positions that you will fill by 2004.
Please also provide a detailed list of employees (by title; do not 
indicate individual names) in your office with particular technical 
expertise in each of the critical infrastructure sectors. Please 
organize this list by the CIP sectors indicated in the The National 
Strategy for the Physical Protection of Critical Infrastructures and 
Key Assets. Within each sector, please indicate title, level of 
education, predecessor federal agency (EPA, 000, etc. as appropriate) 
and years of relevant experience in that sector. Also please indicate 
open positions and expected hiring for 2004.

[GRAPHIC] [TIFF OMITTED] T9793.015

[GRAPHIC] [TIFF OMITTED] T9793.016


IP possesses significant technical expertise that it is applying to 
address infrastructure threats and vulnerabilities. The Infrastructure 
Coordination Division serves as the focal point for infrastructure 
expertise and leads efforts to monitor and coordinate with each of the 
thirteen infrastructure sectors. In the coming months, ICD will 
formally establish a National Infrastructure Coordination center, where 
analysts will be assigned to monitor each of the thirteen 
infrastructure sectors
---------------------------------------------------------------------------
    \1\ Notes: ``Open Positions'' based on FY04 authorized staffing 
level of 364 FTE; Total headcount increases to 376 when the 12 NCS 
detailees are included (which is beyond the current NCS authorized 
level of96); Large number of open positions in PSD is driven by need to 
establish field organization; All data accurate as of 3-19-04

(6b) Please provide summary statistics (actual number of personnel as 
well as a percent of total Infrastructure Protection Office employees) 
---------------------------------------------------------------------------
for personnel along the following lines--

                i) Professional vs. administrative
                ii) Contractor vs. DHS employee
                iii) Detailee vs. DHS employeeivy Technical expert vs. 
                other
                v) Advanced degree vs. bachelors degree or lower

Category 1: Professional
Professional staff: 192 (93.2%), Administrative staff: 14 (6.8%)

Category 2: Government v. Contractor
Government FTE: 206 (63.1%), Onsite Contractor: 120 (36.9%)
Category 3: Detailees
DHS Employee FTE: 178 (86.4%), Detailees from other agencies: 28 
(13.6%)
Category 4: Technical Expert
Technical Expert: 146 (70.9%), Other: 60 (29.1%)
Category 5: Advanced Degrees
At this time, there are 49 employees with advanced degrees in the 
Office of Infrastructure Protection.

Question: (7) Please provide a comprehensive list and brief description 
of all programs that the Office of IP has in place and initiatives that 
it is pursuing to increase critical infrastructure protection.
The attached inventory of IP programs provides a high level summary of 
key selected programs.

Question: (8) During the September 17, 2003 hearing, Congressman Lucas 
asked whether the ``DHS relies too heavily on voluntary private sector 
action to improve their infrastructure protection.'' You responded that 
you ``do not believe the voluntary approach in the private sector [to 
critical infrastructure protection] is the inappropriate approach.'' Do 
you believe, however, that the federal government should be doing more 
in any particular sectors? In particular, can you provide a more 
detailed answer to Mr. Lucas' question in light of an October 2002, 
letter to the Washington,Post, in which Secretary Ridge and former EPA 
administrator Whitman stated that for chemical facilities, ``voluntary 
efforts alone are not sufficient to provide the level of assurance 
Americans deserve.'' Please respond to comments by Patrick Wood, 
chairman of the FERC, who stated in the Wall Street Journal in an 
article on the August, 2003, blackout that, ``We cannot simply let 
markets work. We must make markets work''

IP has not seen the full transcript of Mr. Wood's comments and is 
unaware of the full context in which they were written. IP's philosophy 
is to work with industry advisory groups and private-sector standard-
setting organizations to foster development of standards that will be 
voluntarily adopted by industry and, ultimately, by individual owners 
and operators. If IP judges that voluntary standards prove inadequate 
to meet pressing security concerns, the Office will consider additional 
steps to improve the protection of our Nation's infrastructures. For 
now, the programs IP has developed and is implementing will enhance the 
security and resiliency of the Nation's critical infrastructures and 
assets by providing practical, actionable advice and with tools and 
methodologies to improve security at little or no cost.

Question: (9) In the absence of a comprehensive critical-infrastructure 
risk assessment from the DHS, can you let the committee know, in your 
opinion, which of our critical infrastructure sectors pose the greatest 
national security concern? Rank--in relative order starting with the 
highest concern the top five critical infrastructure sectors that you 
believe pose the greatest risk. Briefly discuss the reasons for your 
selections and rankings. In each of the sectors you describe, what has 
the private sector done since 9/11 to increase protection? What key 
initiatives have the Administration and the DHS pursued to improve 
protection and since when?
Security considerations preclude an answer in this response. IP would 
welcome the opportunity to address this matter before the committee in 
closed session.
(10) In past testimony and reports, the General Accounting Office (GAO) 
has identified a number of significant CIP challenges, including:

                 Clear delineation of CIP roles and 
                responsibilities for federal, state, local, and private 
                sector actors; clarification of how CIP entities will 
                coordinate their activities
                 Clear definition of interim objectives and 
                milestones
                 Clear timeframes for achieving objectives
                 Establishment of performance metrics
                 Improvement in analytical and warning 
                capabilities
Please provide a detailed list of what significant interim objectives 
and milestones the DHS Infrastructure Protection Office has in place to 
improve critical infrastructure protection? [Q00605] What firm 
timeframes does the Office of IP have in place for these objectives?
IP has completed a number of actions not addressed here and is 
continuing to develop and implement guidelines and milestones for the 
CIP framework. This framework formulates a clear CIP plan, policies, 
priorities, and measures. In order to do so, the Office is forging 
partnerships with the key Federal, State, local, and industry 
stakeholders that will be crucial to our success. To drive and sustain 
this effort, IP is pursuing a systematic, risk management-based 
approach to identify, evaluate, and measure each of the critical 
infrastructures against a common and consistent set of factors. Some 
key objectives and milestones include:

1. Formulate a clear CIP plan, policies, priorities, and measures by--
                 Completing implementation of a DHS program 
                office to handle foreign acquisition, control, or 
                influence over critical infrastructure (2nd Quarter 
                2004)
                 Completing implementation of the Critical 
                Infrastructure Information (PCII) program for protected 
                CII voluntarily submitted by industry (4th Quarter 
                2004)

2. Clarifying ambiguous roles, responsibilities, and authorities with 
respect to CIP by--
                 Circulating the National Plan for Critical 
                Infrastructure and Key Resources Protection to key 
                Federal, State, and local critical protection 
                stakeholders (4th Quarter 2004)
                 Completing training for all State homeland 
                security advisors and relevant Federal officers on 
                their roles and responsibilities for infrastructure 
                protection (4th Quarter 2004)

3. Developing nationwide critical infrastructure and key asset registry 
by
                 Identifying and validating inventory of all 
                critical infrastructure and key asset databases across 
                federal, state, and local jurisdictions and the private 
                sector (3rd Quarter 2004)
                 Evaluating, setting priorities for, and 
                consolidating all critical asset databases into a 
                single database (3rd Quarter 2004)

4. Producing vulnerability assessments by sector, region, and 
localities by--
                 Completing vulnerability assessments for the 
                top 50 sites identified under HSPD #7, paragraph 7(a) 
                (4th Quarter 2004)

5. Mapping threats to vulnerabilities by--
                 Developing pilot risk assessment software to 
                analyze economic consequence and loss of life for 
                attacks against specific infrastructure targets and 
                develop and disseminate risk assessment briefings for 
                the first 500 of 1,000 critical facilities (3rd Quarter 
                2004)

6. Employing risk mitigation methodology to set priorities for 
protective actions and distribution of funds by--
                 Collecting and evaluating protection and risk 
                assessment methodologies used by the private sector; 
                Federal, State, and local governments; and national 
                laboratories to assess gaps in current infrastructure 
                protection methodologies and developing plan to 
                mitigate gaps in current methodologies (3rd Quarter 
                2004)
                 Deploying the first 25-30 Protective Security 
                Advisors to train infrastructure owners and operators 
                to identify vulnerabilities and ensure appropriate 
                protective measures are taken (4th Quarter 2004)

7. Establishing comprehensive overview of the status of physical and 
cyber infrastructure by--
                 Identifying and modeling widespread cyber 
                disruption scenarios (2nd Quarter 2004)
                 Developing and piloting geospatial analysis 
                tools and capabilities for the telecommunications and 
                energy infrastructures (3rd Quarter 2004)

8. Issuing timely, effective warnings for specific, imminent threats 
by--
                 Implementing Emergency Notification Service to 
                automatically alert appropriate constituents of DHS 
                alerts, warnings, and information bulletins (2nd 
                Quarter 2004)
                 Expanding coverage of the Critical 
                Infrastructure Warning Information Network (CWIN) 
                across government and industry CIP community to at 
                least 100 total nodes (4th Quarter 2004)

9. Building partnerships with industry and other non-governmental 
groups by--
                 Redesigning the Information Sharing and 
                Analysis Center (ISAC) model in partnership with the 
                ISAC Council and sector coordinators (3rd Quarter 2004)

10. Enhancing our ability to measure success and performance of our 
national infrastructure protection program--
                 Conducting industry-wide survey for 
                establishing baseline security measures that is 
                sponsored by the American Society for Industrial 
                Security in coordination with the Office of 
                Infrastructure Protection (3rd Quarter 2004)
                 Designing, develoing, and distributing metrics 
                and feedback mechanisms for all CI sectors and key 
                assets (4t Quarter 2004)
What performance metrics does the Office of IP have in place to measure 
its progress against objectives, milestones, and timeframes?
IP tracks progress of the objectives and milestones listed above on a 
monthly basis. Moreover, the Office is in the process of developing a 
Performance Measurement System that tracks both program efficiency and 
effectiveness. Underlying this system will be measurement methodologies 
that are statistically and scientifically valid and defendable. IP's 
goal is to use metrics to not only measure historical progress, but to 
prompt actions and behaviors that improve the protection and security 
of our nation's infrastructures.

Question: (11) A number of states and industries have made significant 
progress in comprehensively assessing their own critical infrastructure 
vulnerabilities? What leadership role, if any, has the DHS played in 
providing leadership, guidance, and assistance to states and industry 
in these efforts? Has the DHS intelligently leveraged the work already 
done by states and industry to assess CI vulnerabilities as it seeks to 
perform its own comprehensive CI risk assessment?
In October 2003, the Office provided analyses and recommendations in 
two sets of sector-specific reports: the Potential Indicators of 
Terrorist Activities Report and the Characteristics and 
CommonVulnerabilities Report. Eight categories were selected for 
special attention during Operation LIBERTY SHIELD, and IP designed a 
comprehensive national plan to increase the protection of America's 
citizens and specific infrastructure within the United States during 
Operation Iraqi Freedom. As part of LIBERTY SHIELD, Secretary Ridge 
asked State governors to provide additional protection for 145 specific 
assets that fell within one of the those same eight categories:

                 Chemical Facilities
                 Nuclear Power Plants
                 Nuclear Spent Fuel Storage Facilities . 
                Petroleum Facilities
                 Liquefied Natural Gas Storage Facilities . 
                Railroad Bridges
                 Subways
                 Highway Tunnels

Using the above eight LIBERTY SHIELD-designated categories as a 
starting point, DHS has developed a Buffer Zone Protection Plan (BZPP) 
template for each. These plans were prepared to assist in better 
integrating federal, state, and local as well as private sector 
security planning and were distributed throughout the protective 
security community. BZPPs are designed to identify site-specific 
vulnerabilities, describe the types of terrorist tactics and activities 
that likely would be successful in exploiting those vulnerabilities, 
and recommend preemptive and protective actions to mitigate 
vulnerabilities so that terrorists are no longer able to successfully 
exploit them. As previously referenced in response to 0.00600, IP works 
with private industry to promote voluntary cooperation to protect 
critical infrastructures; this initiative offers an illustrative 
example of our philosophy in practice.

Question: (12) To date, are you aware of how many states have performed 
comprehensive critical-infrastructure risk analyses? How many of the 
risk assessments performed by states has the Infrastructure Protection 
Office collected? What has the Infrastructure Protection Office done, 
if anything, to integrate the assessments conducted by the states into 
the comprehensive risk assessment efforts of the DHS?
All of the states and territories completed their assessments by the 
end of last year. All of the inputs are being integrated into our risk 
assessment processes. Once completed, IP will start an iterative 
process with the states and territories to improve the quality and 
usefulness of the entire risk assessment effort.

Question: (13) Does the DHS have insights into what methodology the 
states are primarily using for their risk assessments? What guidance 
has the DHS provided to states on what methodology they should be 
using? Are you familiar with the Department of Defense's CARVER 
methodology, which was used by California in its assessment of its 
critical infrastructure vulnerabilities? Do you have an opinion on 
whether the CARVER methodology is the most thorough standard that 
states should be following? If not, what methodology does the DHS 
recommend that states be following?
IP is currently compiling and reviewing the submissions and inputs from 
the states on methodologies they are using to examine vulnerabilities. 
The Office is familiar with CARVER and believes it is a useful 
methodology. There are other acceptable methodologies developed by the 
government and by private industry. In the end, applying common 
principles to the process of identifying vulnerabilities, correcting 
them, and measuring performance is more important than the actual 
methodology used.

Question: (14) How is the DHS Office of IP organized to coordinate with 
private sector ISACs? Are ISACs the best organizations to lead sector-
based industry efforts to share critical infrastructure information? 
What role do you see for the ISACs going forward? Is the federal 
government doing enough to support ISAC efforts? Do you see role for 
federal funding of the ISACs?
1The Infrastructure Coordination Division is the focal point for 
collaboration with the private sector ISACs. HSPD-7 reaffirmed the 
relationship between the ISAC community and the federal government. IP 
is collaborating with the ISAC Council to develop a framework that 
allows us to move forward as a community. The ISACs offer a primary 
means to support two-way information sharing between the owners and 
operators of facilities in an individual sector and across the thirteen 
infrastructure sectors. IP is satisfied with its current effort with 
the ISACs, but is actively looking for ways to expand and improve 
information sharing capabilities with the critical infrastructure 
sectors. In addition to the ISACs, IP is working closely with the 
Sector-Specific Agencies and Sector CoordinatorslSector Leadership for 
each critical infrastructure sector to improve information sharing and 
operational coordination. Consistent with the provisions of HSPD-7, IP 
sees strong, trusted working relationships between all these entities--
DHS, Sector-Specific Agencies, Sector Coordinators, and ISACs--as a 
cornerstone of an effective national risk management approach to 
protect critical infrastructures.
AIP continues to support the work of the critical infrastructure 
sectors and their ISACs, including financial support for sector-
specific and cross-sector desktop exercises, cross-sector studies, and 
joint meetings.

Question: (15) This month, the American Society of Civil Engineers 
(ASCE) released a Progress Report on its 2001 Report Card on America's 
Infrastructure. In this report, the ASCE examined current status and 
trends in the nation's deteriorating infrastructure. In their 
assessment, the Energy infrastructure received a D+; Roads and Bridges 
received a D+/C; Transit a C-; Drinking Water a D; Wastewater a D; Dams 
a D; and Hazardous Waste a D+. Does the poor state of a number of our 
infrastructure sectors have serious negative implications for the 
security of those sectors against potential terrorist attack? What is 
the relationship between reliability and security when it comes to 
critical infrastructure protection?
The report cited is but one factor in our evaluation of the security of 
our national infrastructure which is, in many ways, a different issue 
than its reliability. In general, the more fragile an infrastructure, 
the nearer it is to the limits of its inherent resiliency and 
sustainability. It follows that a less robust infrastructure is more 
vulnerable to attack, is less likely to recover, and therefore poses a 
higher risk than a healthy one. The interplay between the security 
situation at specific facilities and the net overall effect on the 
entire infrastructure is a complex one, not susceptible to a broad 
response. For example, bridges may be vulnerable, but an attack on all 
at once would be an unlikely scenario. This is obviously a sensitive 
subject and we would ask that this report and its implications be 
discussed more fully in a classified environment.
United States Gengeral Accounting Office
Washington, DC 20548

December 8, 2003
The Honorable Dave Camp
Chairman, Subcommittee on Infrastrucutre
  and Border Security
Select Committee on Homeland Security
House of Representatives

The Honorable Mac Thornberry
Chairman, Subcommittee on Cybersecurity,
  Science, and Research and Development
Select Committee on Homeland Security
House of Representatives

    Subject: Posthearing Questions from the September 17, 2003, Hearing 
on ``Implications of Power Blackouts for the Nation's 
                Cybersecurity and Critical
                  Infrastructure Protection: The Electric Grid, 
                Critical Interdependencies,
                  Vulnerabilities, and Readiness''

    As requested in your letter of November 5, 2003, this letter 
provides our responses for the record to the questions you posed to 
GAO. At the subject hearing, we discussed the challenges that the 
Department of Homeland Security (DHS) faces in integrating its 
information gathering and sharing functions, particularly as they 
relate to fulfilling the department's responsibilities for critical 
infrastructure protection (CIP).

    Question: GAO released a report on information sharing in August of 
this year. It found that ``no level of government perceived the 
[information sharing] process as effective, particularly when sharing 
information with federal agencies.'' How does [this] finding relate to 
what happened during the August 2003 blackout?

    In our August 2003 report on information sharing, we identified 
initiatives that had been undertaken to improve the sharing of 
information to prevent terrorist attacks and surveyed federal, state, 
and city government officials to obtain their perceptions on how the 
current information-sharing process was working.\1\ Our survey showed 
that none of the three levels of government perceived the current 
information-sharing process to be effective when it involved the 
sharing of information with federal agencies. Specifically, respondents 
reported that information on threats, methods, and techniques of 
terrorists was not routinely shared, and the information that was 
shared was not perceived as timely, accurate, or relevant. Further, 30 
of 40 states and 212 of 228 cities responded that they were not given 
the opportunity to participate in national policy making on information 
sharing. Federal agencies in our survey also identified several 
barriers to sharing threat information with state and city governments, 
including the inability of state and city officials to secure and 
protect classified information, their lack of federal security 
clearances, and a lack of integrated databases. Further, this report 
identified some notable information-sharing initiatives. For example, 
the Federal Bureau of Investigation (FBI) reported that it had 
significantly increased the number of its Joint Terrorism Task Forces 
and, according to our survey, 34 of 40 states and 160 of 228 cities 
stated that they participated in information-sharing centers.
---------------------------------------------------------------------------
    \1\ U.S. General Accounting Office, Homeland Security: Efforts to 
Improve Information Sharing Need to Be Strengthened, GAO-03-760 
(Washington, D.C.: Aug. 27, 2003).
---------------------------------------------------------------------------
    Performed primarily before DHS began its operations and not focused 
on the federal government's CIP efforts, this report did not 
specifically relate to the impact of these information-sharing 
challenges on any specific events, including the August 2003 blackout. 
However, as indicated in our written statement for the September 17 
hearing,\2\ our past information-sharing reports and testimonies have 
identified information sharing challenges and highlighted its 
importance to developing comprehensive and practical approaches to 
defending against potential cyber and other attacks, as well as to DHS 
meeting its mission.
---------------------------------------------------------------------------
    \2\ U.S. General Accounting Office, Homeland Security: Information 
Sharing Responsibilities, Challenges, and Key Management Issues, GAO-
03-1165T (Washington, D.C.: Sep. 17,2003).

    Question: A June 2003 GAO report on federal collection of 
electricity information found significant gaps in collection for 
information needed by different federal agencies. The report does not 
mention DHS. In light of the Department's responsibilities with respect 
to the electrical component of critical infrastructure, what can you 
say about the kinds of information it needs, and whether it has the 
---------------------------------------------------------------------------
ability to obtain that information?

    With the ongoing transition (or restructuring) of electricity 
markets from regulated monopolies to competitive markets, accurate 
information on electricity trading and pricing is becoming more 
critical not only for evaluating the potential benefits and risks of 
restructuring, but also for monitoring market performance and enforcing 
market rules. Our June 2003 report focused on describing the 
information that is collected, used, and shared by key federal 
agencies--such as the Federal Energy Regulatory Commission and the 
Energy Information Administration within the Department of Energy--and 
the effect of restructuring on these agencies' collection, use, and 
sharing of this information.\3\ In the aftermath of electricity price 
spikes and other efforts to manipulate electricity markets in 
California, our work focused on the oversight of restructured 
electricity markets-not the physical security of the system's 
components. With this focus, we did not include DHS in the scope of our 
work.
---------------------------------------------------------------------------
    \3\ U.S. General Accounting Office, Electricity Restructuring: 
Action Needed to Address Emerging Gaps in Federal Information 
Collection, GAO-03-586 (Washington, D.C.: Jun. 30, 2003).
---------------------------------------------------------------------------
    However, we have made numerous recommendations over the last 
several years related to information sharing functions that have been 
transferred to DHS. One significant area concerns the federal 
government's CIP efforts, which is focused on the sharing of 
information on incidents, threats, and vulnerabilities, and the 
providing of warnings related to critical infrastructures both within 
the federal government and between the federal government and state and 
local governments and the private sector. Although improvements have 
been made, further efforts are needed to address the following critical 
CIP challenges:

         developing a comprehensive and coordinated national 
        plan to facilitate CIP information sharing that clearly 
        delineates the roles and responsibilities of federal and 
        nonfederal CIP entities, defines interim objectives and 
        milestones, sets timeframes for achieving objectives, and 
        establishes performance measures;
         developing fully productive information sharing 
        relationships within the federal government and between the 
        federal government and state and local governments and the 
        private sector;
         improving the federal government's capabilities to 
        analyze incident, threat, and vulnerability information 
        obtained from numerous sources and share appropriate, timely, 
        useful warnings and other information concerning both cyber and 
        physical threats to federal entities, state and local 
        governments, and the private sector; and
         providing appropriate incentives for nonfederal 
        entities to increase information sharing with the federal 
        government and enhance other CIP efforts.

    Regarding the kinds of information that DHS needs, the Homeland 
Security Act and other federal strategies acknowledge the importance of 
information sharing and identify multiple responsibilities for DHS to 
share information on threats and vulnerabilities for all CIP sectors. 
In particular:

         The Homeland Security Act authorizes DHS's Under 
        Secretary for Information Assurance and Infrastructure 
        Protection to have access to all information in the federal 
        government that concerns infrastructure or other 
        vulnerabilities of the United States to terrorism and to use 
        this information to fulfill its responsibilities to provide 
        appropriate analysis and warnings related to threats to and 
        vulnerabilities of critical information systems, crisis 
        management support in response to threats or attacks on 
        critical information systems, and technical assistance upon 
        request to private-sector and government entities to respond to 
        major failures of critical information systems.

    The National Strategy to Secure Cyberspace encourages DHS to work 
with the National Infrastructure Advisory Council and the private 
sector to develop an optimal approach and mechanism to disclose 
vulnerabilities in order to expedite the development of solutions 
without creating opportunities for exploitation by hackers.\4\ DHS is 
also expected to raise awareness about removing obstacles to sharing 
information concerning cybersecurity and infrastructure vulnerabilities 
between the public and private sectors and is encouraged to work 
closely with private-sector information sharing and analysis centers 
(ISACs) to ensure that they receive timely and actionable threat and 
vulnerability data and to coordinate voluntary contingency planning 
efforts.
---------------------------------------------------------------------------
    \4\ The White House, National Strategy to Secure Cyberspace 
(Washington, D.C.: February 2003).
---------------------------------------------------------------------------
         The National Strategy for the Physical Protection of 
        Critical Infrastructures and Key Assets describes DHS's need to 
        collaborate with the intelligence community and the Department 
        of Justice to develop comprehensive threat collection, 
        assessment, and dissemination processes that are distributed to 
        the appropriate entity in a timely manner.\5\ It also 
        enumerates several initiatives directed to DHS to create a more 
        effective information-sharing environment among the key 
        stakeholders, including establishing requirements for sharing 
        information; supporting state and local participation with 
        ISACs to more effectively communicate threat and vulnerability 
        information; protecting secure and proprietary information that 
        is deemed sensitive by the private sector; implementing 
        processes for collecting, analyzing, and disseminating threat 
        data to integrate information from all sources; and developing 
        interoperable systems to share sensitive information among 
        government entities to facilitate meaningful information 
        exchange.
---------------------------------------------------------------------------
    \5\ The White House, National Strategy for the Physical Protection 
of Critical Infrastructures and Key Assets (Washington, D.C.: February 
2003).
---------------------------------------------------------------------------
    Other efforts may help to identify specific information needs for 
the critical infrastructure sectors, including the electric power 
sector. For example, we are currently beginning work to determine the 
status of the ISACs in undertaking the voluntary activities suggested 
by federal CIP policy to gather, analyze, and disseminate information 
to and from infrastructure sectors and the federal government. In 
addition, according to the chairman of the recently established ISAC 
Council, the mission of the council is to advance the physical and 
cybersecurity of the critical infrastructures of North America by 
establishing and maintaining a framework for interaction between and 
among the ISACs. Council activities include establishing and 
maintaining a policy for inter-ISAC coordination, a dialog with 
governmental agencies that deal with ISACs, and a practical data and 
information sharing protocol (what to share and how to share).
    Finally, as we discuss in more detail in the response to the next 
question, Congress and the administration have taken steps to help 
improve information sharing. These include the incorporation of 
provisions in the Homeland Security Act of 2002 to restrict the use and 
disclosure of critical infrastructure information that has been 
voluntarily submitted to DHS. However, the effectiveness of such steps 
may largely depend on how DHS implements its information sharing 
responsibilities and the willingness of the private sector and state 
and local governments to share such information. It may also require 
the consideration of various public policy tools, such as grants, 
regulations, or tax incentives.

    Question: The creation of ``Critical Infrastructure Information'' 
provides companies with a mechanism to voluntarily give this 
information to the federal government. Do you think that private 
companies will avail themselves of this opportunity? Do you think that 
Critical Infrastructure Information protections are sufficient? What 
other incentives might the federal government use to obtain this 
information for homeland security purposes? Should the federal 
government require the submission of this information so as to inform 
the Department of Homeland Security of potential cross-sectoral 
weaknesses and vulnerabilities?

    The Homeland Security Act of 2002 includes provisions that restrict 
federal, state, and local governments' use and disclosure of critical 
infrastructure information that has been voluntarily submitted to DHS. 
These restrictions include exemption from disclosure under the Freedom 
of Information Act, a general limitation on use to CIP purposes, and 
limitations on use in civil actions and by state or local governments. 
The act also provides penalties for any federal employee who improperly 
discloses any protected critical infrastructure information. In April 
2003, DHS issued for comment its proposed rules for how critical 
infrastructure information volunteered by the public will be protected. 
At this time, it is too early to tell what impact the act will have on 
the willingness of the private sector to share critical infrastructure 
information or whether the protections that these provisions provide 
are sufficient.
    Regarding other incentives that the federal government might use 
and the need to require submission of critical infrastructure 
information, the National Strategy for Homeland Security states that, 
in many cases, sufficient incentives exist in the private market for 
addressing the problems of CIP.\6\ However, the strategy also discusses 
the need to use all available public policy tools to protect the 
health, safety, or well-being of the American people. It mentions 
federal grant programs to assist state and local efforts, legislation 
to create incentives for the private sector, and, in some cases, 
regulation. The National Strategy for the Physical Protection of 
Critical Infrastructures and Key Assets reiterates that additional 
regulatory directives and mandates should only be necessary in 
instances where the market forces are insufficient to prompt the 
necessary investments to protect critical infrastructures and key 
assets. The National Strategy to Secure Cyberspace also states that the 
market is to provide the major impetus to improve cybersecurity and 
that regulation will not become a primary means of securing cyberspace.
---------------------------------------------------------------------------
    \6\ The White House, National Strategy for Homeland Security 
(Washington, D.C.: July 2(02).
---------------------------------------------------------------------------
    Last year, the Comptroller General testified on the need for strong 
partnerships with those outside the federal government and stated that 
the new department would need to design and manage tools of public 
policy to engage and work constructively with third parties.\7\ We have 
also previously testified on the choice and design of public policy 
tools that are available to governments.\8\ These public policy tools 
include grants, regulations, tax incentives, and regional coordination 
and partnerships to motivate and mandate other levels of government or 
the private sector to address security concerns. Some of these tools 
are already being used, for example, in the water and chemical sectors.
---------------------------------------------------------------------------
    \7\ U.S. General Accounting Office, Homeland Security: Proposal for 
Cabinet Agency Has Merit, But Implementation Will Be Pivotal to 
Success, GAO-01-886T (Washington, D.C.: June 25, 2002).
    \8\ General Accounting Office, Combating Terrorism: Enhancing 
Partnerships Through a National Preparedness Strategy, GAO-02-549T 
(Washington, D.C.: Mar. 28, 2(02).
---------------------------------------------------------------------------
    Without appropriate consideration of public policy tools, private-
sector participation in sector-related information sharing and other 
CIP efforts may not reach its full potential. For example, we reported 
in January 2003 on the efforts of the financial services sector to 
address cyber threats, including industry efforts to share information 
and to better foster and facilitate sector-wide efforts.\9\ We also 
reported on the efforts of federal entities and regulators to partner 
with the financial services industry to protect critical 
infrastructures and to address information security. We found that 
although federal entities had a number of efforts ongoing, Treasury, in 
its role as sector liaison, had not undertaken a comprehensive 
assessment of the public policy tools that potentially could encourage 
the financial services sector to implement information sharing and 
other CIP-related efforts. Because of the importance of considering 
public policy tools to encourage private-sector participation, we 
recommended that Treasury assess the need for public policy tools to 
assist the industry in meeting the sector's goals. In addition, in 
February 2003, we reported on the mixed progress that five ISACs 
(including the Electricity ISAC) had made in accomplishing the 
activities suggested by Presidential Decision Directive (PDD) 63.\10\ 
We recommended that the responsible lead agencies assess the need for 
public policy tools to encourage increased private-sector CIP 
activities and greater sharing of intelligence and incident information 
between the sectors and the federal government.
---------------------------------------------------------------------------
    \9\ U.S. General Accounting Office, Critical Infrastructure 
Protection: Efforts of the Financial Services Sector to Address Cyber 
Threats, GAO-03-173 (Washington, DC,: Jan. 30, 2003).
    \10\ U.S. General Accounting Office, Critical Infrastructure 
Protection: Challenges for Selected Agencies and Industry Sectors, GAO-
03-233 (Washington, D.C.: Feb. 28, 2003).

    Question: In the absence of a comprehensive critical-infrastructure 
risk assessment from the DHS, can you let the committee know, in your 
opinion, which of the critical infrastructure sectors pose the greatest 
national security concern? Rank-in relative order starting with the 
highest concern--the top five critical infrastructure sectors that you 
believe pose the greatest risk. Briefly discuss the reasons for your 
selections and rankings. In each of the sectors you describe, what has 
the private sector done since 9/11 to increase protection? What key 
initiatives have the Administration and the DHS pursued to improve 
---------------------------------------------------------------------------
protection and since when?

    Much of our work on federal CIP has focused on cybersecurity and 
the overall threats and risks to critical infrastructure sectors. This 
work did not include assessments of specific sectors that would enable 
us to identify or rank which of the sectors pose the greatest national 
security concern or greatest risk. We believe that all the critical 
infrastructures are important in that, as defined by the USA PATRIOT 
Act and highlighted in the National Strategy for Homeland Security, 
they represent ``systems and assets, whether physical or virtual, so 
vital to the United States that the incapacity or destruction of such 
systems and assets would have a debilitating impact on security, 
national economic security, national public health or safety, or any 
combination of those matters.'' Further, determining which sectors pose 
the greatest risk would require not only an assessment of individual 
sector security, but also consideration of the interdependencies among 
sectors. For example, assuring electric service requires operational 
transportation and distribution systems to guarantee the delivery of 
the fuel that is necessary to generate power. Also, the devices that 
control our physical systems, including our electrical distribution 
system, transportation systems, dams, and other important 
infrastructures, are increasingly connected to the Internet. Thus, the 
consequences of an attack on our cyber infrastructure could cascade 
across many sectors.
    The administration has taken a number of steps to improve the 
protection of our nation's critical infrastructures, including issuance 
of the National Strategy to Secure Cyberspace and the complementary 
National Strategy for the Physical Protection of Critical 
Infrastructures and Key Assets. Called for by the National Strategy for 
Homeland Security, these two strategies identify priorities, actions, 
and responsibilities for the federal government, including lead 
agencies and DHS, as well as for state and local governments and the 
private sector. However, we have not undertaken an in-depth assessment 
of DHS's cyber CIP efforts that could enable us to describe what DHS or 
the private sector have done to improve protection.

    In past testimony and reports, the General Accounting Office (GAO) 
has identified a number of significant CIP challenges, including:
    i) Clear delineation of CIP roles and responsibilities for federal, 
state, local, and private sector actors; clarification of how CIP 
entities will coordinate their activities
    ii) Clear definition of interim objectives and milestones
    iii) Clear timeframes for achieving objectives
    iv) Establishment of performance metrics
    v) Improvement in analytical and warning capabilities

    Question: Please provide a detailed list of what significant 
interim objectives and milestones the DHS Infrastructure Protection 
Office has in place to improve critical infrastructure protection. What 
firm timeframes does the Office of IP have in place for these 
objectives? What performance metrics does the Office of IP have in 
place to measure its progress against objectives, milestones, and 
timeframes?

    We have made numerous recommendations over the last several years 
related to information-sharing functions that have now been transferred 
to DHS, including those related to the federal government's CIP 
efforts. As you indicate, among the challenges we have identified is 
the need for a comprehensive and coordinated national plan to 
facilitate CIP information sharing that clearly delineates the roles 
and responsibilities of federal and nonfederal CIP entities, defines 
interim objectives and milestones, sets timeframes for achieving 
objectives, and establishes performance measures. We also identified 
the need to improve the federal government's capabilities to analyze 
incident, threat, and vulnerability information obtained from numerous 
sources and share appropriate, timely, useful warnings and other 
information concerning both cyber and physical threats to federal 
entities, state and local governments, and the private sector. The 
Homeland Security Act of 2002 makes DHS and its Information Assurance 
and Infrastructure Protection directorate responsible for key CIP 
functions for the federal government, including developing a 
comprehensive national plan for securing the key resources and critical 
infrastructure of the United States.
    The National Strategy to Secure Cyberspace and the National 
Strategy for the Physical Protection of Critical Infrastructures and 
Key Assets issued in February 2003 by the President identify 
priorities, actions, and responsibilities for the federal government, 
including federal lead departments and agencies and DHS, as well as for 
state and local governments and the private sector. Both define 
strategic objectives for protecting our nation's critical assets. The 
cyberspace security strategy provides a framework for organizing and 
prioritizing the individual and concerted responsibilities of all 
levels of government to secure cyberspace. The physical protection 
strategy discusses the goals and objectives for protecting our nation's 
critical infrastructure and key assets from physical attack. However, 
as we have previously testified, neither of the strategies (1) clearly 
indicates how the physical and cyber efforts will be coordinated; (2) 
defines the roles, responsibilities, and relationships among the key 
CIP organizations, including state and local governments and the 
private sector; (3) indicates time frames or milestones for their 
overall implementation or for accomplishing specific actions or 
initiatives; or (4) establishes performance measures for which entities 
can be held responsible.
    We have not undertaken an in-depth review of the department's cyber 
CIP efforts, which would include an assessment of its progress in 
developing a comprehensive national plan that addresses identified CIP 
challenges and the development of analysis and warning capabilities.

    Question: How is the DHS Office of IP organized to coordinate with 
private sector Information Sharing and Analysis Centers (ISACs)? Are 
the ISACs the best organizations to lead sector-based industry efforts 
to share critical infrastructure information? What role do you see for 
the ISACs going forward? Is the federal government doing enough to 
support ISAC efforts? Do you see fa] role for federal funding of ISACs?

    According to an official in the Infrastructure Protection Office's 
Infrastructure Coordination Division, this division is responsible for 
building relationships with the ISACs and is currently working with 
them and the sector coordinators (private sector counterparts to 
federal sector liaisons) to determine how best to establish these 
relationships. In addition, this official said that DHS's interagency 
Homeland Security Operations Center provides the day-to-day operational 
relationship with the ISACs to share threat and warning information.
    As mentioned previously, we are currently beginning work that will 
focus on the status of ISAC efforts to implement the activities 
suggested by federal CIP policy. This work should provide more 
information about obstacles to greater information sharing, the role of 
the ISACs in sharing critical infrastructure information, and the 
assistance provided to these organizations by DHS and other federal 
lead agencies. Such federal assistance could include funding, such as 
the examples of ISAC funding that we discussed in our February 2003 
report.\11\ Specifically, the Energy ISAC reported that in the fall of 
2002, the Office of Energy Assurance (then within the Department of 
Energy and now transferred to DHS) had agreed to fund ISAC operations-
an agreement sought so that membership costs would not prevent smaller 
companies from joining. The new, cost-free Energy ISAC began operations 
and broad industry solicitation for membership in February 2003. 
Further, for the Water ISAC, the Environmental Protection Agency 
provided a grant for system development and expanded operations.
---------------------------------------------------------------------------
    \11\ GAO-03-233.

    Question: This month, the American Society of Civil Engineers 
(ASCE) released a Progress Report on its 2001 Report Card on America's 
Infrastructures. In this report, the ASCE examined current status and 
trends in the nation's deteriorating infrastructure. In their 
assessment, the Energy infrastructure received a D+. Roads and bridges 
received a D+/C. Does the poor state of a number of our infrastructure 
sectors have serious negative implications for the security of those 
sectors against potential terrorist attack? What is the relationship 
between reliability and security when it comes to critical 
---------------------------------------------------------------------------
infrastructure protection?

    The ASCE's 2003 progress report on its 2001 report card does not 
discuss the implications of deteriorating infrastructure conditions and 
security against potential terrorist attack.\12\ Further, GAO has not 
specifically assessed whether the poor state of infrastructure sectors 
may have serious negative implications for security against potential 
terrorist attack. However, the relationship between reliability and 
security may be an appropriate consideration as DHS and the critical 
infrastructure sectors identified in federal CIP policy continue their 
efforts to assess the vulnerabilities of these sectors to cyber or 
physical attacks.
---------------------------------------------------------------------------
    \12\ American Society of Civil Engineers, 2003 Progress Report: An 
Update to the 2001 Report Card, September 2003.
---------------------------------------------------------------------------
    We are sending copies of this letter to DHS and other interested 
parties. Should you or your offices have any questions on matters 
discussed in this letter, please contact me at (202) 512-3317. I call 
also be reached by e-mail at [email protected].

Sincerely yours,

Robert F. Dacey
Director, Information Security Issues

                        This is a work of the U.S. government and is 
                        not subject to copyright protection in the 
                        United States. It may be reproduced and 
                        distributed in its entirety without further 
                        permission from GAO. However, because this work 
                        may contain copyrighted images or other 
                        material, permission from the copyright holder 
                        may be necessary if you wish to reproduce this 
                        material separately.

GAO's Mission
                The General Accounting Office, the audit, evaluation 
                and investigative arm of Congress, exists to support 
                Congress in meeting its constitutional responsibilities 
                and to help improve the performance and accountability 
                of the federal government for the American people. GAO 
                examines the use of public funds; evaluates federal 
                programs and policies; and provides analyses, 
                recommendations, and other assistance to help Congress 
                make informed oversight, policy, and funding decisions. 
                GAO's commitment to good government is reflected in its 
                core values of accountability, integrity, and 
                reliability.

Obtaining Copies of GAO Reports and Testimony
                The fastest and easiest way to obtain copies of GAO 
                documents at no cost is through the Internet. GAO's Web 
                site (www.gao.gov) contains abstracts and full-text 
                files of current reports and testimony and an expanding 
                archive of older products. The Web site features a 
                search engine to help you locate documents using key 
                words and phrases. You can print these documents in 
                their entirety, including charts and other graphics.
                Each day, GAO issues a list of newly released reports, 
                testimony, and correspondence. GAO posts this list, 
                known as ``Today's Reports,'' on its Web site daily. 
                The list contains links to the full-text document 
                files. To have GAO e-mail this list to you every 
                afternoon, go to www.gao.gov and select ``Subscribe to 
                e-mail alerts'' under the ``Order GAO Products'' 
                heading.
Order by Mail or Phone
                The first copy of each printed report is free. 
                Additional copies are $2 each. A check or money order 
                should be made out to the Superintendent of Documents. 
                GAO also accepts VISA and Mastercard. Orders for 100 or 
                more copies mailed to a single address are discounted 
                25 percent. Orders should be sent to:

                U.S. General Accounting Office
                441 G Street NW, Room LM
                Washington, D.C. 20548
                To order by Phone: Voice: TDD: Fax: (202) 512-6000, 
                (202) 512-2537, (202) 512-6061

To Report Fraud, Waste, and Abuse in Federal Programs
                Contact:
                Web site: www.gao.govjfraudnetjfraudnet.htm
                E-mail: [email protected]
                Automated answering system: (800) 424-5454 or (202) 
                512-7470
Public Affairs
                Jeff Nelligan, Managing Director, [email protected] 
                (202) 512-4800
                U.S. General Accounting Office, 441 G Street NW, Room 
                7149
                Washington, D.C. 20548

                                 
