[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
       PREVENTING TERRORIST ATTACKS ON AMERICA'S CHEMICAL PLANTS

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON ECONOMIC
                        SECURITY, INFRASTRUCTURE
                     PROTECTION, AND CYBERSECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 15, 2005

                               __________

                           Serial No. 109-20

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html


                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
24-604                      WASHINGTON : 2006
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½0900012006


                     COMMITTEE ON HOMELAND SECURITY

                 Christopher Cox, California, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania, Vice      Edward J. Markey, Massachusetts
Chairman                             Norman D. Dicks, Washington
Christopher Shays, Connecticut       Jane Harman, California
Peter T. King, New York              Peter A. DeFazio, Oregon
John Linder, Georgia                 Nita M. Lowey, New York
Mark E. Souder, Indiana              Eleanor Holmes Norton, District of 
Tom Davis, Virginia                  Columbia
Daniel E. Lungren, California        Zoe Lofgren, California
Jim Gibbons, Nevada                  Sheila Jackson-Lee, Texas
Rob Simmons, Connecticut             Bill Pascrell, Jr., New Jersey
Mike Rogers, Alabama                 Donna M. Christensen, U.S. Virgin 
Stevan Pearce, New Mexico            Islands
Katherine Harris, Florida            Bob Etheridge, North Carolina
Bobby Jindal, Louisiana              James R. Langevin, Rhode Island
Dave G. Reichert, Washington         Kendrick B. Meek, Florida
Michael McCaul, Texas
Charlie Dent, Pennsylvania

                                 ______

   Subcommittee on Economic Security, Infrastructure Protection, and 
                             Cybersecurity

                Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi 
Christopher Cox, California (Ex      (Ex Officio)
Officio)

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Economic Security, Infrastructure Protection, and Cybersecurity     1
The Honorable Loretta Sanchez, a Representative in Congress From 
  the State of California, and Ranking Member, Subcommittee on 
  Economic Security, Infrastructure Protection, and Cybersecurity     3
The Honorable Christopher Cox, a Representative in Congress From 
  the State of California, and Chairman, Committee on Homeland 
  Security.......................................................     4
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................    18
The Honorable Mike Rogers, a Representative in Congress From the 
  State of Alabama, and Chairman, Subcommittee on Management, 
  Integration, and Oversight.....................................    17
The Honorable Peter A. DeFazio, a Representative in Congress From 
  the State of Oregon............................................    23
The Honorable Norman D. Dicks, a Representative in Congress From 
  the State of Washington........................................    21
The Honorable Bobby Jindal, a Representative in Congress From the 
  State of Louisiana.............................................    19
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island.................................    28
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas........................................    29
The Honorable Edward J. Markey, a Representative in Congress From 
  the State of Massachusetts.....................................    31
The Honorable Bill Pascrell, Jr., a Representative in Congress 
  From the States of New Jersey..................................    25
The Honorable Stevan Pearce, a Representative in Congress From 
  the State of New Mexico........................................    29

                               WITNESSES
                                Panel I

Mr. Robert Stephan, Assistant Secretary for Infrastructure 
  Protection, U.S. Department of Homeland Security:
  Oral Statement.................................................     5
  Prepared Statement.............................................     8

                                Panel II

Mr. Stephen Bandy, Manager, Corporate Safety & Security, Marathon 
  Ashland Petroleum LLC:
  Oral Statement.................................................    49
  Prepared Statement.............................................    51
Mr. Frank J. Cilluffo, Director, Homeland Security Policy 
  Institute, The George Washington University:
  Oral Statement.................................................    38
  Prepared Statement.............................................    41
Mr. Sal DePasquale, Security Specialist, CH2M Hill and University 
  of Georgia:
  Oral Statement.................................................    66
  Prepared Statement.............................................    69
Mr. Marty Durbin, Managing Director of Security and Operations, 
  American Chemistry Council:
  Oral Statement.................................................    55
  Prepared Statement.............................................    57
Mr. Allen Summers, President and CEO, Asmark Inc.:
  Oral Statement.................................................    63
  Prepared Statement.............................................    64


       PREVENTING TERRORIST ATTACKS ON AMERICA'S CHEMICAL PLANTS

                              ----------                              


                        Wednesday, June 15, 2005

                          House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Economic Security,
              Infrastructure Protection, and Cybersecurity,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 3:00 p.m., in 
Room 2118, Rayburn House Office Building, Hon. Dan Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Rogers, Pearce, Jindal, 
Cox (Ex Officio), Sanchez, Markey, Dicks, DeFazio, Jackson-Lee, 
Pascrell, Langevin, and Thompson (Ex Officio).
    Mr. Lungren. The Committee on Homeland Security, 
Subcommittee on Economic Security, Infrastructure Protection 
and Cyber-security will come to order. The subcommittee is 
meeting today to hear testimony on preventing terrorist attacks 
on America's chemical plants. Welcome to this important 
hearing. We are meeting today to discuss this terrorist threat 
posed to America's chemical plants and what is being done to 
protect them in all levels of government and within the private 
sector.
    This is an issue that has received a great deal of 
attention in the media and within the halls of Congress with 
many questionable claims and figures on the numbers of chemical 
plants that are high risk, how many people these plants can 
harm and what types and quantities of chemicals present a real 
threat and what has been done to secure these sites against 
terrorism. It is impossible and would be reckless to attempt to 
oversee and legislate on national security issues based on 
misinformation or misconceptions. Thus, the purpose of today's 
hearing is to build a common understanding of what the facts 
about chemical plant security truly are so we can make informed 
policy judgments about what if any additional legislation may 
be needed in this area.
    To this end, I hope our two panels can answer two main 
questions: First, what is the universe of chemical facilities 
that pose a real risk of catastrophic terrorism, and two, 
within this universe, what is being done to reduce security 
vulnerabilities and what more needs to be done. The Department 
of Homeland Security over the past 2 years has worked 
diligently to identify high risk targets across the Nation. 
This includes the highest risk chemical plants. DHS has done 
this by modifying work started by the EPA.
    The EPA, for environmental and human safety purposes, 
requires facilities with certain quantities of certain 
chemicals to file risk management plans. It has been reported 
that based on EPA's data, there are 123 chemical facilities at 
which accidental release of chemicals could affect 1 million or 
more people. Based on the same data but using a much more 
precise methodology for assessing the realistic consequences of 
a deliberate terrorist attack, DHS has identified those 
chemical plants which could pose a high risk to surrounding 
communities. DHS's numbers, generally speaking, are 
dramatically lower than EPA's. And the GAO has testified that 
even DHS's numbers generally overstate the consequence of a 
terrorist attack on such facilities due to some very 
conservative methodological assumptions.
    We cannot get into too much detail in this open session. I 
am satisfied that the briefing for members that took place 
yesterday confirmed that the universe of chemical plants that 
could cause serious injury or death to significant numbers of 
people is very limited and that the actual consequence numbers 
are only a small fraction of the more ominous population 
affected figures we read about in the press and that the risk 
posed by these sites is not necessarily substantially different 
than those posed by large office buildings, stadiums, malls and 
other places where other people routinely gather.
    My point is not to underestimate the threat, but where does 
this threat exist with respect to all other threats. My point 
is how do we make rational risk assessment across the plane and 
how do we ensure that we don't err on the side of overhype on 
one side or underestimating on the other. Indeed, the chances 
of successfully attacking such other sites may, in fact, be 
greater than targeting chemical plants due to some unique 
complexities involved in successfully causing an optimal toxic 
release from chemical facilities. Another major 
misrepresentation is that no one has done anything to secure 
chemical plants since 9/11. As our briefing yesterday 
confirmed, and I hope our hearing today will demonstrate, 
nothing could be further from the truth, particularly with 
respect to the truly high risk facilities.
    Days after standing up as a new department, officials from 
the infrastructure protection division of DHS began visiting 
many of the higher risk chemical facilities around the Nation. 
Since then, over the past 2 years, the Department has worked to 
identify the highest risk facilities and to ensure these sites 
have completed vulnerability assessments and buffer zone 
protection plans. The Department also has actively assisted 
these sites for the implementation of protective measures to 
reduce vulnerabilities, including perimeter surveillance and 
detection systems, increased barriers and access controls and 
enhanced response and mitigation training equipment and 
capabilities.
    It is not a totally rosy picture, but the suggestion that 
nothing has been done, I think, misleads the public. Likewise, 
the chemical facilities themselves have made substantial 
investments in the areas of security with many plants 
implementing voluntary security standards under ACC's 
Responsible Care Code and similar programs. Of course, we will 
always say that more can be done or needs to be done and that 
will always be true. But the goal is here, as with all homeland 
security efforts, to prioritize risk reduction rather than risk 
elimination. We should seek to do what is possible and do that 
as effectively as possible. We cannot afford to implement 
millions of dollars of security upgrades at each and every 
facility across the United States if we are not prioritizing 
properly.
    We must use the concept of risk-based management to ensure 
our resources are targeted where they are most needed, not just 
within the chemical sector, but across all infrastructure 
sectors. I am not yet convinced that all reasonable security 
measures have been put into place at all the high risk chemical 
facilities in the country. I am convinced, however, the best 
way to accomplish this goal is by not diverting our attention 
in resources towards low priority sites. I look forward in 
working with the committee and working with the Department to 
ensure that our highest risk facilities of whatever kind or 
type are receiving the level of attention and resources they 
deserve and that they are implementing risk reduction measures 
recommended by DHS.
    I welcome our witnesses today and I look forward to their 
testimony. And at this time, I would like to recognize the 
ranking member from California for any statement she would like 
to make.
    Ms. Sanchez. Thank you, Mr. Chairman, and I thank our 
witnesses for being here today. There are just a few sectors of 
our critical infrastructure that I think have an incredible 
impact should there be a large type of attack, and I think 
chemical plants certainly fit in one of those sectors. In a 
report that was issued by the EPA in 2003, they said that there 
were 123 chemical facilities throughout the United States that 
they called toxic worst scenarios, where one million people 
would be in a vulnerable zone and at risk of exposure to a 
toxic gas cloud.
    The DHS estimates have been done in a different way and the 
estimates of the number of people that would be killed or 
seriously injured is two or three orders of the magnitude lower 
than the EPA numbers. So I know you can't be very specific 
today, but I would hope that you might try to describe a little 
what you think is the difference between the EPA and the DHS 
numbers just so we can try to understand where those 
differences lie. And I guess the biggest question for me as a 
Congress person is what role should the government play, 
because quite frankly, I have sat with a lot of people in 
industry, particularly the chemical plants and many of them 
have said to me and I have to prefix this by saying, I am not a 
real big regulation kind of a person having been in business 
myself, and having felt completely strangled by some of the red 
tape and regulation that goes on. But the industry itself, to a 
large extent, has said to me, if you don't regulate us, the 
financial incentive would probably be that none of us will go 
that way, in other words, there are a lot of people in the 
chemical industry who said put some type of regulation in 
because it will force all of us to play at the same level.
    So I guess we could view it different ways. No regulation, 
maybe some type of regulation or maybe very heavily regulated. 
I know, for example, that the nuclear power industry is heavily 
regulated. And yet when we look at the possible people 
affected, chemical plants may have a larger magnitude of people 
they can affect if something could happen and yet there is very 
little regulation on them.
    I just question what is our role with respect to chemical 
plants. Should we be doing some regulation? Maybe you could 
shed some light on that. And I guess I would just say that in 
October of 2002, then Secretary of DHS, Secretary Ridge and EPA 
administrator at that time Whitman declared, in a joint letter 
to The Washington Post, that voluntary efforts alone are not 
sufficient to provide the level of assurance that Americans 
deserve.
    I look forward to your comments and insights about what 
type of a role the government should play with respect to 
chemical plants and the industry at large.
    Mr. Lungren. I thank the gentlelady from California and the 
Chair would now recognize the chairman of the full committee, 
the gentleman from California, Mr. Cox, for any statement he 
might have.
    Mr. Cox. Thank you, Mr. Chairman. This hearing today, which 
I congratulate you for convening, reminds us when the 
Department of Homeland Security was formed by the Congress and 
began its journey 2 years ago, it was discharging one primary 
mission from this Congress, to conduct a comprehensive risk 
assessment of the Nation's critical infrastructure. When this 
is complete, the next step is to map our Nation's key 
vulnerabilities against what we know about terrorists' 
capabilities and intentions. By doing that we can prioritize 
our protective measures and thereby secure our most critical 
infrastructure from terrorist attack. That process is well 
underway, but there is still a great deal more to do.
    Since the Department of Homeland Security opened its doors 
in March of 2003, it has been pursuing an aggressive program to 
prioritize and address the security vulnerabilities at 
America's highest risk chemical facilities. To do this, the 
Department of Homeland Security has used, among other data, EPA 
data to estimate the worst-case scenarios for potential 
chemical releases resulting from national terrorist attacks at 
roughly 15,000 sites across the country. This focus has made 
sense first because the chemical industry is vitally important 
to our safety and well-being and to the conduct of our daily 
lives, not to mention to our economy and to our national 
security.
    And second, it makes sense because the lethality of a 
handful of chemicals and their proximity to large population 
centers can make certain chemical facilities highly attractive 
targets for terrorists. The key is to focus on those chemical 
plants that do pose a high risk of terrorist attack and on 
those facilities that would they be attacked, pose a high 
threat in terms of consequence. DHS and the industry must 
continue to act aggressively to deal with these risks. We have 
got to be strategic about homeland security and be guided by 
the principle of securing the highest risk sites of our 
Nation's critical infrastructure not only within the chemical 
sector but elsewhere. This is one of the main themes this 
committee has pursued that we continuously stress throughout 
this Congress and the last Congress.
    Homeland security resources must be targeted in a risk-
based fashion and that targeting has to be based on a continued 
rigorous examination of threat, vulnerability and consequence. 
The threat at every chemical plant is not the same. At some, 
particularly at smaller facilities, the risk is finite and 
manageable. At others, there is a high risk to both people and 
property and to our economy as a whole. We cannot ignore the 
explicit and bipartisan decision by the Congress in 
establishing the Department of Homeland Security as we consider 
how next to pursue this problem of chemical plant security, to 
withhold from the new Department of Homeland Security 
regulatory authority directly over critical infrastructure 
sectors. And so as we conduct these hearings, one of the 
questions that we are addressing is should we amend the 
Homeland Security Act to create such explicit regulatory 
authority.
    That bridge once crossed, raises the further question of 
whether the Department of Homeland Security should have similar 
regulatory over other infrastructure sectors in the American 
economy. I want to thank Colonel Bob Stephan from DHS to be 
here to testify today. We look forward to hearing about what 
the Department has done to secure the chemical industry thus 
far and plans for the future. I also want to thank our 
distinguished second panel of experts. I look forward to their 
testimony as well. And I yield back the balance of my time. 
Thank you, Mr. Chairman.
    Mr. Lungren. I just might say, I have to go to the floor to 
handle a couple of amendments on the PATRIOT Act. No disrespect 
to you, I will come back as quickly as possible and the 
chairman is more than able to handle that. The Chair calls the 
first panel and recognize Mr. Robert Stephan, the Assistant 
Secretary of Infrastructure Protection from the Department of 
Homeland Security, and the Acting Undersecretary for 
Information Analysis and Infrastructure Protection to testify.

     STATEMENT OF ROBERT STEPHAN, ASSISTANT SECRETARY FOR 
INFRASTRUCTURE PROTECTION, U.S. DEPARTMENT OF HOMELAND SECURITY

    Mr. Stephan. Good afternoon, Chairman Cox, Chairman Lungren 
and Representative Sanchez and distinguished members of the 
subcommittee. It is my privilege to come before you today on 
behalf of our Secretary, Michael Chertoff, to discuss the 
Department of Homeland Security's efforts in collaboration with 
many others around the Nation to reduce the risk posed to the 
chemical sector from potential terrorist attack as well as to 
discuss the way ahead regarding the security of this critical 
infrastructure sector.
    I must begin by saying securing the chemical sector is a 
very high priority for the Department of Homeland Security. 
Reducing the risk from terrorism by implementing collaborative 
security strategies with Federal, State, local and private 
sector partners to protect the Nation's chemical infrastructure 
is what this is all about. My discussion with you will include 
a focus on the risk landscape associated with the sector and 
the important and cooperative steps that have been taken to 
close security gaps under the existing voluntary private-public 
partnership framework.
    I note that considerable progress has been made through 
this voluntary framework and further progress is, in fact, 
required. As part of Secretary Chertoff's second-stage review 
of DHS policies, operations and structure, my boss has tasked 
my team to review the current state of security and ensure we 
have the proper tools to address threats facing the chemical 
industry now and in the future. To that end, we are currently 
assessing the need for a carefully measured calibrated risk-
based regulatory regime for this sector. To close the existing 
gaps and reduce the risk across the chemical sector, the 
Federal Government should adhere to certain core principles 
regarding any proposed or contemplated regulatory structure. 
First, we must recognize that not all facilities present the 
same level of risk across the board and that the most scrutiny 
from a regulatory regime should be focused on those facilities 
that, if attacked, could endanger the greatest number of lives, 
have the greatest economic impact or present other very 
significant risk.
    Second, facilities' security should be based on reasonable, 
clear, rational, equitable, measurable performance standards. A 
regulatory framework should include enforceable performance 
standards based on the types and the severity of potential 
risks posed by terrorist threats. Facilities should have the 
flexibility in this scheme to select among appropriate site 
specific security measures that will effectively address those 
risks according to various standards.
    Third, we should recognize the progress that many 
reasonable and responsible companies have made to date in 
security. Many companies have made significant capital 
investments in security enhancements since 9/11 and we should 
build upon that very positive progress in constructing the road 
ahead. The chemical sector, as is the case of all critical 
sectors of our economy, society and government is a potential 
target for terrorist attack. While we have, at this time, no 
specific credible information indicating an immediate threat to 
the chemical sector, DHS remains concerned about the potential 
public health and economic harm and consequences should a 
successful attack be carried out.
    The chemical sector consists of widely varied and 
distributed facilities. The particular vulnerability of any 
specific facility obviously depends on the type and quantity of 
chemicals on board a site, the physical layout and locations on 
a site of sensitive targets and systems, access points, 
geographic location of the facility and various other 
variables. Therefore, each facility must have a risk assessment 
and a security plan tailored to its unique characteristics.
    In December of 2003, President Bush issued Homeland 
Security Presidential Directive Number 7 which assigned DHS the 
overall responsibility for coordinating a national effort to 
ensure the security of America's critical infrastructure and 
key resource sectors. This document additionally requires DHS 
to develop a sector specific plan for the chemical sector and 
to work with public and private sector partners to implement 
necessary protective measures aimed at reducing the 
vulnerabilities of these critical infrastructure sector and its 
components.
    In line with this guidance, a large number of security 
visits have been completed and protective measures are being 
implemented for the highest risk chemical sites in the United 
States. The Department continues to visit other chemical 
facilities on a priority basis in coordination with State 
homeland security officials, emergency managers, State and 
local law enforcement officials and various individual site 
owners and operators. DHS and the chemical sector also continue 
to build a strong partnership based on information sharing and 
collaboration.
    I am pleased to report to this committee that these efforts 
have yielded a solid information sharing background as well as 
a comprehensive approach to assessing risk for the first time 
across the sector. It is important to identify work that the 
chemical sector has done to date in close partnership with DHS 
to impact the security dilemma it faces. The owners and 
operators of this business are voluntarily undertaking a 
variety of security initiatives. In 2002, the American 
Chemistry Council developed the Responsible Care Security Code 
to help chemical companies achieve improvement in security 
performance through various means, specifically identifying, 
assessing and addressing vulnerabilities, preventing or 
mitigating incidents, enhancing training and response 
capabilities and maintaining and improving relationships with 
key stakeholders.
    A critical component of the Responsible Care Code, in our 
opinion, is the requirement for an independent third party 
verification of security enhancements as well as security 
vulnerability assessment completion. The American Chemistry 
Council estimates its members have spent more $2 billion 
following the September 11 attacks through now to deal with the 
security challenges that they face in their sector.
    In closing, at DHS a major focus of the past 2 years has 
been developing tools for assessing risk and working 
cooperatively with local jurisdictions and companies to 
implement appropriate protective measures. As we further assess 
the status of the chemical sector's largely voluntary security 
regime, we have also been evaluating whether or not the current 
scope and level of effort will be sufficient to address 
remaining gaps as well as emerging threats. In short, while 
most companies have been very eager to cooperate with the 
Department, it has become clear that the entirely voluntary 
efforts and good faith of these companies alone will not 
sufficiently address security across the entire sector.
    Based upon work done to date, we now have greater clarity, 
in fact, much greater clarity about the tasks that lie ahead, 
the tested tools we have worked collaboratively with Energy and 
with industry and a more considerable knowledge base that will 
help close potential security gaps. By exploring all available 
means to enhance the existing purely voluntary system, we can 
ensure all facilities have in place a core base of 
preparedness, that those facilities that pose the greatest risk 
are receiving more focused attention, that the Nation's 
approach to chemical sector security will be based on 
reasonable, clear, equitable and measurable and enforceable 
performance standards that reflect the diversity of the 
chemical sector and its importance to our overall national 
economy as well as the responsible security investments that 
its members have made to date.
    Since September 11, this Administration has worked in the 
partnership with stakeholders to enhance the overall security 
of the very important critical infrastructure sector. Through a 
combination of sector governance structures, information 
sharing mechanisms and processes, risk assessment and risk-
based planning approaches, programmatic initiatives, law 
enforcement enhancements and coordination, voluntary industry 
efforts, the chemical sector has demonstrated considerable 
progress in bolstering its security posture across the board, 
but has recognized that further progress is still required.
    By developing a comprehensive risk-based approach for the 
chemical sector, we expect to be able to bring closure to 
remaining important security gaps across the facility systems 
and assets most at risk.
    This concludes my prepared remarks and I would be happy to 
answer any questions that you or the committee have at this 
time.
    [The statement of Mr. Stephan follows:]

                  Prepared Statement of Robert Stephan

Introduction
    Good morning, Chairman Lungren, Representative Sanchez and 
distinguished members of the Committee. It is my privilege to come 
before you today to discuss Department of Homeland Security (DHS) 
efforts to reduce the risk posed to the chemical sector from potential 
terrorist attack, as well as to discuss the way ahead regarding the 
security of this critical infrastructure sector.
    Security of the chemical sector is vitally important: It is a very 
high priority for DHS to reduce the risk from terrorism by implementing 
collaborative security strategies with Federal, State, local, and 
private sector partners--to protect the nation's chemical 
infrastructure.
    My discussion with you today will include a focus on the risk 
landscape associated with the chemical sector and important 
collaborative steps that have been taken to close security gaps under 
the existing voluntary public-private sector partnership framework. I 
note that considerable progress has been made through voluntary 
efforts, but that further progress is required.
    As part of his Second Stage Review of DHS policies, operations and 
structure, Homeland Security Secretary Michael Chertoff tasked his team 
to review the current state of security and ensure that we have the 
proper tools to address threats facing the chemical industry, now and 
in the future. To that end, we are currently assessing the need for a 
carefully measured, risk-based regulatory regime in this sector.
    Today, I can report on his behalf that Secretary Chertoff has 
concluded that from the regulatory perspective, the existing patchwork 
of authorities does not permit us to regulate the industry effectively. 
To close the existing gaps and reduce risk across the chemical sector, 
the Federal Government should adhere to certain core principles.
    First, we must recognize that not all facilities present the same 
level of risk, and that the most scrutiny should be focused on those 
that, if attacked, could endanger the greatest number of lives, have 
the greatest economic impact or present other very significant risks. 
There are certainly many chemical facilities in the United States that 
pose relatively low risk. Second, facility security should be based on 
reasonable, clear, and equitable performance standards. The Department 
should develop enforceable performance standards based on the types and 
severity of potential risks posed by terrorists, and facilities should 
have the flexibility to select among appropriate site-specific security 
measures that will effectively address those risks. Third, we should 
recognize the progress many responsible companies have made to date. 
Many companies have made significant capital investments in security 
since 9/11 and we should build on that progress.
    This testimony will first speak to the nature of chemical sector 
vulnerability, and then will summarize the significant efforts by DHS 
and the industry since the September 11th attacks to improve security 
for the chemical sector. We will, of course, look forward to working 
with you in the coming weeks on the particulars of proposed 
legislation.

What Is the Threat to the Chemical Sector?
    The chemical sector, as with all critical infrastructure, is 
potentially a target for terrorist attack. While we have no specific, 
credible information indicating an immediate threat to the chemical 
sector, DHS remains concerned about the potential public health and 
economic harm should an attack occur. The chemical sector consists of 
widely varied and distributed facilities. The particular vulnerability 
of any specific facility obviously depends on the type and quantity of 
chemicals at a site, the physical layout, location of sensitive 
targets, access points, geographic location, and other variables. 
Therefore each facility must have a vulnerability assessment--and a 
security plan--tailored to its unique characteristics.
    DHS has identified five areas as the focus of our primary 
preparedness work with the industry: (1) access and access control; (2) 
operational security; (3) process control; (4) facility systems 
operations; and (5) local first responder and external response and 
recovery coordination. These preparedness planning variables must be 
refined with reference to potential methods of attack. These include 
perhaps most importantly: insider threats or sabotage; cyber attack; 
and attacks using explosives or other weaponry.
    DHS has established the Homeland Infrastructure Threat and Risk 
Analysis Center (HITRAC) to develop products to help inform 
infrastructure owners and operators of any threats they may potentially 
face, as well as to better inform their security planning and 
investment decisions.
    HITRAC is currently working in partnership with industry to develop 
an updated threat assessment for the chemical sector detailing 
plausible terrorist threats on a sector basis. This effort includes 
available intelligence as well as operational tactics, techniques, and 
procedures derived from study of overseas terrorist operations.

Federal Government Actions to Reduce Risk in the Chemical Sector
    In December 2003, the President issued Homeland Security 
Presidential Directive 7 (HSPD-7), Critical Infrastructure 
Identification, Prioritization, and Protection, which assigned DHS 
overall responsibility for coordinating the national effort to ensure 
the security of America's critical infrastructure and key resource 
sectors. Additionally, HSPD-7 requires DHS to develop a sector specific 
plan for the chemical sector and to work with public and private sector 
partners to implement necessary protective measures aimed at reducing 
the vulnerabilities of this critical infrastructure. Pursuant to the 
HSPD-7 guidelines, DHS has worked to improve the security of the 
chemical sector.
    A large number of security visits have been completed and 
protective measures are being implemented for a number of the highest-
consequence chemical sites in the United States--sites that could 
potentially affect in excess of 50,000 people if attacked. Most of 
these highest-consequence sites have received numerous visits by DHS 
technical advisors to assess and improve site security. The Department 
continues to visit other chemical facilities on a priority basis in 
coordination with State Homeland Security and Emergency Management 
officials, State and local law enforcement, and site owners and 
operators.

Protective Measures Implemented
    To date, the Federal government has established the following 
protective measures programs:

 Buffer Zone Protection Plans (BZPPs). BZPPs identify and 
recommend security measures and local law enforcement coordination for 
the area surrounding a facility, or ``outside the fence,'' making it 
more difficult to plan or launch an attack. DHS trains local law 
enforcement in assessing buffer zone security and validates BZPPs 
provided by State and local officials. DHS is currently distributing 
$13.6 million to State and local governments in fiscal year 2005 to 
develop BZPPs. DHS efforts are intended to:
         Improve the level of deterrence in and around the 
        facility through increased staff and community awareness, 
        increased and more efficient police presence, improved response 
        time and efficiency, etc.
         Improve the probability of detection of an attack in 
        planning or in the early stages of execution, thereby 
        preventing an attack or reducing the likelihood of success.
         Increase the time and logistical support necessary to 
        execute a successful terrorist attack, thereby increasing the 
        likelihood of detection during the planning and preparatory 
        phase.
         Increase the efficacy of both defense and response 
        measures through prior planning and coordination.
         Increase the physical assets available for both 
        defense and emergency response in the event of an attack.

 Site Assistance Visits (SAVs). SAVs are essentially ``inside-
the-fence'' vulnerability assessments of critical infrastructure 
facilities conducted by DHS in conjunction with local law enforcement. 
SAVs have been conducted at 38 of the highest-consequence chemical 
facilities. An additional 50 SAVs of high-risk chemical facilities are 
planned in fiscal year 2006. Sites are subject to SAVs for a variety of 
reasons, including:
         Determination that the facility is highly 
        consequential, that is, the loss of the facility, for any 
        reason, would have significant national or regional economic 
        and/or public health effects.
         Determination that the facility is of such complexity 
        that an SAV would be beneficial to a subsequent or concurrent 
        BZPP execution.
         Determination that the facility is under threat.
         Request by the owner/operator of a facility that is 
        sufficiently consequential to justify the visit.
         The facility meets the minimum level of 
        consequentiality, combined with the presence of an SAV team in 
        the immediate vicinity, usually performing another SAV in the 
        same community. Such visits are performed as an efficiency 
        measure.
         Proximity to a National Security Special Event.

 The Maritime Transportation Security Act (MTSA) and Port 
Security Grants. Currently, 238 chemical sites fall within the port 
system as defined by MTSA. Under the MTSA requirements, all 238 of 
these facilities have been required to: assess their vulnerabilities 
using an accepted methodology; determine gaps; plan and implement 
measures to close those gaps; and audit results. These sites also are 
required to develop and implement detailed security plans, which are 
audited by the United States. Coast Guard and the owner/operator. DHS' 
Office of Infrastructure Protection (IP) has worked closely with the 
Coast Guard to ensure that the MTSA-approved methodology is consistent 
with the overall IP approach. The effect of this effort has been to 
establish a baseline level of security at these 238 chemical 
facilities, against which the Coast Guard can make specific 
recommendations for enhanced security.
    Additionally, over the past four years, 287 Port Security Grants 
have been issued under MTSA, totaling over $100 million to facilities 
that include some of the highest-risk chemical facilities nationwide.

 Facility Security Assessments/Facility Security Plans (FSAs/
FSPs). Under MTSA, owners of chemical facilities located along 
waterways are required to complete FSAs and FSPs and submit them to the 
Coast Guard for approval. All chemical facilities subject to MTSA are 
currently operating with approved FSPs and the Coast Guard has 
completed on-site compliance inspections to verify these facilities are 
operating in accordance with their respective FSP. The Coast Guard will 
visit these and all facilities subject to MTSA annually, at a minimum, 
to ensure continued compliance.

 FBI Chemical Sector Outreach Initiative. The FBI, in 
coordination with IP, has visited more than 220 chemical facilities for 
the purposes of conducting terrorism response training, threat 
briefings, and counterterrorism awareness training.

         Tabletop exercises. As part of IP's Exercise Program, 
        tabletop exercises have been conducted at six high-consequence 
        chemical facilities. Additionally, the chemical sector was a 
        participant in Exercise TOPOFF 3, from the corporate level to 
        the individual facility level. The findings from these 
        exercises are compiled in After Action Reports, which serve as 
        a basis for taking corrective actions including upgrading 
        security plans and operating procedures, and planning future 
        exercises.

Increased Information Sharing
    Without the active participation of the chemical sector, DHS will 
not succeed in reducing the vulnerabilities and risks to the chemical 
critical infrastructure of the United States. DHS and the chemical 
sector continue to build a strong partnership based on information 
sharing and active collaboration. A number of new programs have been 
implemented, including:

         Chemical Sector Coordinating Council. Under the 
        National Infrastructure Protection Plan (NIPP), DHS and other 
        Federal agencies are working with sector asset owner/operators 
        to develop protection plans for the chemical sector as well as 
        sector-coordinating mechanisms to ensure collaboration on the 
        identification, prioritization, and coordination of sector 
        critical infrastructure protection programs. This effort also 
        facilitates the sharing of information concerning physical and 
        cyber threats, vulnerabilities, incidents, potential protective 
        measures, and best practices.
    The Chemical Sector Coordinating Council (SCC) was formed 
voluntarily by stakeholders within the chemical sector in May 2004, and 
currently comprises representatives from sixteen key stakeholder 
associations. The SCC is a single point of contact to facilitate 
organization and coordination of sector policy development, 
infrastructure protection planning, and plan implementation activities, 
including sector-wide planning, development of sector best practices, 
promulgation of programs and plans, development of requirements for 
effective information sharing, research and development, and cross-
sector coordination.
    The Chemical SCC is working closely with the Department to draft 
the nation's strategic vision for a more secure chemical sector. The 
Chemical Sector-Specific Plan, which will be completed by November 
2005, is a component of the NIPP and will provide a framework for 
government and private-sector partnership in reducing the overall risk 
of the sector to terrorist attack.

 Homeland Security Information Network-Chemical (HSIN-
Chemical). The Chemical SCC also is piloting the Homeland Security 
Information Network--Chemical (HSIN-Chemical) and will actively 
participate in the vetting of new HSIN-Chemical users. HSIN-Chemical is 
a highly secure, two-way information sharing mechanism. It allows 
private industry users in the chemical sector to receive immediate 
reports of threats to the sector directly from the Homeland Security 
Operations Center and our chemical Sector Specialists. Via the creation 
of online workgroups, industry leaders can collaborate with far flung 
members of their own company or with security managers from other 
chemical companies to coordinate response activities and share 
information. The HSIN-Chemical pilot program completed phase one on 
June 6, 2005. Phase two will reach beyond the Chemical SCC as we enroll 
security directors from dozens of large and small chemical companies, 
while continuing to make refinements to the system. In phase three, 
HSIN-Chemical will be open to all chemical company employees with a 
need for access to sensitive security information.

 Security Guidance to the Private Sector. Based on data 
gathered from SAVs and BZPPs, DHS has developed three types of security 
guidance documents. ``Characteristics and Common Vulnerabilities'' 
reports identify the common characteristics and vulnerabilities of 
chemical sites. ``Potential Indicators of Terrorist Activity'' reports 
provide information on how to detect terrorist activity near critical 
sites. ``Protective Measure'' reports identify best practices and other 
protective measures for use at specific critical infrastructure/key 
resources types. These reports have been distributed to all State 
Homeland Security Offices, with guidance to share these reports with 
the owners/operators of critical infrastructure and the law enforcement 
community within each State, as well as Captains of the Port. The 
reports are also being distributed via the Sector Coordinating Council 
structure of the NIPP. I would be happy to share this material with 
this Committee.

 National Infrastructure Coordinating Center (NICC). The 
National Infrastructure Coordinating Center (NICC) is a 24/7 operations 
center focused on the Nation's critical infrastructure. It provides 
industry an immediate point of entry for reporting suspicious incident 
and threat related information to government. The NICC is a component 
of the Homeland Security Operations Center, but its mission is to work 
with industry to both receive and disseminate threat and incident-
related information.
 Sector Specialists. The Office of Infrastructure Protection 
has Sector Specialists working closely with both industry and the 
intelligence community to improve the flow of threat and incident 
information. The Sector Specialists participate in chemical companies' 
security exercises and disaster drills; conduct sector outreach; ensure 
the sector receives necessary threat and intelligence related products; 
and inform the Department and the intelligence community of the 
sector's infrastructure protection actions and concerns.

Training
    DHS facilitates the provision of various training courses to asset 
owner/operators, state, local, and tribal governments, and local law 
enforcement agencies responsible for the protection of chemical 
facilities. Such courses include: BZPP Workshops; Terrorism Awareness 
and Prevention Training; Advanced Bomb Technician Training; 
Surveillance Detection; and First Responder/Preventer Training. DHS 
facilitates this training through several mechanisms, including using 
prepared, contractor delivered training programs that have been 
certified by DHS' Office of State and Local Government Coordination and 
Preparedness, as well as in-house instruction teams deployed from the 
Office of Infrastructure Protection, which also delivers DHS-certified 
training. To date, over 200 participants from the chemical sector have 
participated in the training courses offered, including tabletop 
exercises with three major chlorine plants.

Industry Actions to Reduce Risk in the Chemical Sector
    It also is important to identify work that the chemical sector has 
done to date, in close partnership with DHS. The owners and operators 
in the chemical sector are voluntarily undertaking a variety of 
security initiatives:

 Responsible Care Security Code. In 2002, the American 
Chemistry Council (ACC) developed the Responsible Care Security Code 
(RCSC) to help chemical companies achieve continuous improvement in 
security performance using a risk-based approach to: identify, assess, 
and address vulnerabilities; prevent or mitigate incidents; enhance 
training and response capabilities; and maintain and improve 
relationships with key stakeholders. A component of the RCSC is the 
requirement for independent third-party verification of security 
improvements and competent completion of the Security Vulnerability 
Assessment.
    In total, 150 chemical companies belong to the ACC, representing 
approximately 80-90 percent of U.S. chemical production by capacity. 
Implementation of the RCSC is mandatory for all ACC members, as well as 
members of a variety of other chemical sector industry associations, 
including the Synthetic Organic Chemical Manufacturers Association and 
the Chlorine Institute.

 Examples of Specific Actions. The ACC estimates its members 
spent $2 billion securing their sites in the 15 months following 
September 11th and an additional $1.1 billion toward security in 2004. 
These resources have been used to conduct vulnerability assessments, 
develop security plans and procedures, and make investments in physical 
and cyber security improvements for facilities of concern, including: 
tighter access controls, better surveillance, new process controls and 
equipment, enhanced crisis management and emergency response 
procedures, better information/computer security, and more stringent 
background checks. Similarly, the Chlorine Institute formulated a 
detailed chlorine-specific security regime that was made mandatory for 
all of their members.

Reducing Risks in the Chemical Sector
    Under the existing voluntary framework that governs the chemical 
sector, DHS will continue to develop and implement new programs that 
will allow the Nation to continue to make progress toward reducing risk 
in America's chemical sector. Programs currently in development 
include:

 Risk Analysis and Management for Critical Asset Protection 
(RAMCAP). RAMCAP provides chemical sector owners and operators self-
assessment tools to assess risk at chemical facilities. RAMCAP data 
will help DHS to prioritize all chemical facilities of concern in the 
United States according to relative consequence, vulnerability, and 
level of threat. Results from RAMCAP assessments will allow comparison 
of assets from across sectors, allowing for better prioritization of 
national critical infrastructure protective efforts and resources. The 
overarching RAMCAP program will substantially improve information 
included in the National Asset Database, asset prioritization, 
comparative risk analysis, and owner/operator awareness of the 
vulnerabilities and consequences at their sites.

 Consultation & Assistance Program (CAP). The CAP program is a 
new initiative being launched in conjunction with several private 
sector partners, the American Chemistry Council, the Chlorine 
Institute, and the Synthetic Organic Chemical Manufacturer Association. 
Under the CAP program, DHS protective security advisors will visit more 
than 1,000 chemical facilities in fiscal year 2006.

Closing Gaps: The Path Forward
    At DHS, a major focus of the past two years has been developing 
tools for assessing risk and working cooperatively with local 
jurisdictions and companies to implement appropriate protective 
measures. As we further assess the status of the chemical sector's 
largely voluntary security regime, we also have been evaluating whether 
or not the current scope and level of effort will be sufficient to 
address remaining gaps and emerging threats. In short, while most 
companies have been eager to cooperate with the Department, it has 
become clear that the entirely voluntary efforts of these companies 
alone will not sufficiently address security for the entire sector. 
Based upon work done to date, however, we now have greater clarity 
about the tasks ahead, tested tools and a more considerable knowledge-
base that will help close potential security gaps.
    By exploring all available means to enhance the existing, purely 
voluntary system, we can ensure that: (1) all facilities have in place 
a core base of preparedness; (2) those facilities that pose the 
greatest threat are receiving the more focused attention that a risk-
based regulatory regime will bring; and (3) that the nation's approach 
to chemical sector security will be based on reasonable, clear, 
equitable and enforceable performance standards that reflect the 
diversity of the chemical sector.

Conclusion
    The effort to counter the threat and mitigate the risk associated 
with a terrorist attack on the Nation's chemical sector continues to be 
one of the Department's most important priorities.
    Since September 2001, this Administration has worked in partnership 
with stakeholders to enhance the overall security of the chemical 
sector. Through a combination of sector governance structures, 
information sharing mechanisms, risk assessment and risk-based planning 
approaches, programmatic initiatives, local law enforcement 
enhancements, and voluntary industry efforts, the chemical sector has 
demonstrated considerable progress in bolstering its aggregate security 
posture, but further progress is needed. By developing a comprehensive, 
risk-based plan for the chemical sector we expect to close remaining 
security gaps in this vitally important area.
    This concludes my prepared remarks. I would be happy to answer any 
questions you may have at this time.

    Mr. Cox. [Presiding.] Thank you very much for your 
testimony. I want to pick up where I left off in my opening 
statement and talk to you about how we can prioritize our 
efforts in this area and indeed across other infrastructure 
sectors. Can you describe for the committee the methodology 
that you use, for example, to compare the number of fatalities 
that would result from a terrorist attack on a chemical plant 
on a particular site with the number of fatalities that would 
result from an attack on a football stadium, at a shopping mall 
or office building.
    Second, to what extent do you take into account the 
economic consequence and how do you mix those apples and 
oranges in your analysis in order to prioritize where we place 
our efforts?
    Mr. Stephan. For the most part, over the last 2 years, we 
have had to rely on a more subjective set of criteria than we 
think is appropriate given the tasks that we were given by the 
Congress in the Homeland Security Act and by our first boss, 
Secretary Ridge and now Secretary Chertoff. Recognizing that, 
we have made considerable investment in terms of time, 
government employees, resources to crack the code on the risk 
assessment methodology and analysis process. And I am happy to 
report that working our way through in priority order first 
through the nuclear energy sector and now with the chemical 
sector and shortly to follow many others across the top tier of 
consequences, vulnerabilities and threats we face, we have 
worked collaboratively with industry to develop a vulnerability 
assessment tool known as RAMCAP, at the risk of creating yet 
another government acronym, Risk Analysis and Management For 
Critical Asset Protection, again, cooperatively developed 
between DHS, our industry partners as well as the scientific 
and lab community of the United States of America.
    I think we have cracked the code in technology. It is 
finally catching up to the tasks that were handed to us by 
virtue of the Homeland Security Act. Having said that, I think 
we now have a more scientific way to get at consequences, first 
and foremost, public health and safety consequences, economic 
consequences, consequences in terms of national security and 
defense and so on in terms of the things that homeland security 
presidential directive number 7 would push us to.
    Working through that methodology sector by sector is our 
plan over the next year or so, but we are now prepared in 
partnership with industry to roll out this particular 
vulnerability assessment methodology and its associated Web-
based tools across the entire width and breadth of the chemical 
sector to get to the answers I think you are requiring of me.
    Mr. Cox. When we are talking about deaths, we are talking 
about consequence, and it is one kind of consequence and there 
are economic consequences as well. Off the top, we can discern 
the difference between the consequence of killing all of the 
people at RFK who are watching a baseball game and the 
consequence of killing an equal number of people if that were 
possible by then destroying a significant chemical facility 
because the chemical facility would have an additional 
consequence, that is a purely economic one that would be more 
indirect with the loss of a stadium, for example.
    So even within the consequence box, which is one of only 
three we have to be looking at here, there are rather dramatic 
potential differences across sectors. I am still not clear--let 
me get one thing straight on the public record if I might. What 
are we talking about in terms of range of consequence from the 
smallest chemical facility to the largest chemical facility in 
terms of potential casualties for human death in terms of 
consequence? There have been some media reports that have said 
hundreds of thousands and even millions. My understanding is 
and I think our ranking member alluded to this as well, it is 
very different than that. Can you quantify that for us?
    Mr. Stephan. Yes, sir, absolutely. We use as a base line 
the EPA's risk management program numbers. What those numbers 
are intended to produce basically from a safety perspective, a 
point on the map which represents the epicenter of the facility 
of concern. They calculate the potential population affected by 
an accidental--
    Mr. Cox. I want this more precisely and also watch the 
clock and let my colleagues ask questions. You are taking the 
most significant potential loss of life at the most vulnerable 
chemical facility in the United States of America, what are the 
casualties in terms of human loss of life that would result in 
your best estimate?
    Mr. Stephan. Our best estimate based on the incredible 
modeling we have done, the highest risk facility in the United 
States would produce under 10,000 potential fatalities and less 
than 40,000 people that would demonstrate some effects in terms 
of anywhere from a near death experience from exposure to 
inhalation of a toxic chemical to a minor skin blemish caused 
by irritation through contact with a chemical. Number of orders 
of magnitude--
    Mr. Cox. I think I know what we are talking about here, but 
we plucked from the universe of chemical plants the worst case. 
Now what is the range? On the low end of the scale, what is the 
minimum consequence from the least vulnerable plant?
    Mr. Stephan. Sir,--
    Mr. Cox. Is it possible to destroy a plant and have nothing 
in terms of consequence on the human casualty side but for the 
explosion itself and the casualties you would expect from 
detonation?
    Mr. Stephan. Yes, that is correct. Depending on the type of 
chemical we are talking about, you could have a fire ball on 
site inside the plant perimeter that may cause casualties among 
the workforce and the emergency responder force on site, but it 
would not produce a toxic situation beyond the fence line.
    Mr. Cox. I think where that leads us rather rapidly and we 
also know that there is a curve here that is pretty steep and 
there are a whole lot of these smaller facilities and there are 
a very few of the big ones that really concern us. It focuses I 
think rather rapidly on the need to discern one vulnerability 
from another. If I have a subsequent round and there is time, 
we might talk about what we know about terror capabilities and 
intentions and tactics and how we knit that together with how 
we might spend our money. I yield my time at this point. I 
don't see a light, but it has got to be expired. So I yield 
back my time and recognize the ranking member, the gentlelady 
from California, Ms. Sanchez for questions.
    Ms. Sanchez. Thank you, Mr. Chairman. And thank you for 
being before us. On April 11 of this year, I asked Mr. Chertoff 
during his appearance before this committee whether he thought 
that IAIEP needed to have regulatory authority and he answered 
that in the case of the area of chemical plants, the President 
had indicated if we didn't get an industry norm for them to do 
it on their own, that this was an area where you might seek 
some of that authority.
    And in recent news articles I have read, it seems that is 
where you are headed. I guess, what is the type of authority, 
regulatory authority would you be looking for? Could you give 
me some instances what that might look like?
    Mr. Stephan. In terms of any specific aspects of a 
regulatory regime, I do not have a set of solutions that have 
been vetted and approved by Secretary Chertoff and pushed 
beyond him at this point, but I would like to stress that 
anything we come up with in terms of regulatory regime has to 
be risk based and has to lead to a set of performance standards 
that has built in flexibility to recognize the important work 
that the private sector has done up to this point yet is enough 
to close the gaps that remain amongst the critical subset of 
things that we consider to be high risk in this sector based on 
threats, vulnerabilities and consequences.
    Any type of security regulatory regime has to look at 
certain general principles or concepts. We have to have an 
agreed upon accredited methodology for doing risk assessments. 
We have to build security plans based on those risk 
assessments. We have to implement protective measures that can 
be measured in terms of effectiveness. There has to be some 
kind of auditing function that goes along with all of that. At 
the end of the day, there has to be a compliance and 
enforcement mechanism built in. Anything we would seek would 
have to build in the appropriate combinations of those things 
in order to be effective.
    Ms. Sanchez. Over the time that we have had this committee, 
both as a select committee and as a standing committee, one of 
my biggest concerns has been that the Department overall, DHS, 
has, in some--and I characterize this from confused, chaotic, 
it has been a struggle to merge these 22 different pieces of 
the government and put them under one label. What do you think 
is standing up? If we were to give you regulatory authority, 
don't you think that would be just one more added piece of the 
puzzle that would be difficult for this Department to absorb 
and to stand up, given all the problems we have had over the 
last 2 years?
    Mr. Stephan. If we are talking about a very sweeping, 
across-the-board regulatory regime that put an iron clad fist 
upon the chemical sector, the answer would be yes, but that is 
not at all what we are proposing here. We are proposing a 
measured calibrated form of regulatory regime based upon risk, 
based upon the foundation of the good work that has taken place 
through other things like the Maritime Transportation Security 
Act, the work of the Responsible Care Code industry group. All 
of those things I think would serve to limit the focus of the 
request for authority that we would come to you with eventually 
and hopefully on a very tight time line into the future.
    Ms. Sanchez. What type of a time line do you think we would 
have in being able to sit down with you and begin to review 
what type of authority you might want because certainly this 
committee would have some say over we would grant that or not?
    Mr. Stephan. We would like to begin those discussions 
within the coming weeks.
    Ms. Sanchez. My other question would be with respect to 
this whole issue what the EPA say are these 123 catastrophic 
situations and what DHS has with respect to a smaller amount 
with respect to in particular loss of life.
    Mr. Stephan. Sure. There is a difference because they look 
at it from a safety perspective and we look at it from a 
security perspective. Inside their cone of people, that might 
be potentially impacted, every one of those people has to 
figure into somebody's response plan in terms of the police 
departments, the fire departments, the HAZMAT guys. Every one 
of those, say if there is 12 million people inside that cone 
has to be accounted for, that is the real difference. From a 
safety perspective, those people have to be built into a rescue 
and recovery and response operation. And that is fine for the 
EPA's way of doing business and the missions they have been 
tasked. For us, we have to drill in on risk and figure out what 
we think using the best that science can buy us at this time, 
what are the real number of people within that overall cone of 
potential impact or effect are going to be fatalities or really 
going to be casualties based on wind direction, wind speed, 
meteorological effects at the time of the release. And when you 
get into the math and science, the numbers come way down from 
everybody inside this hypothetical circle having some kind of 
impact based on the release.
    Ms. Sanchez. I am having a difficult time understanding 
what the difference is between what the EPA says we need to 
worry about this pocket of people, even if it is the most outer 
person that might be somewhat technically affected versus what 
you just said--this is our answer to let us stop a terrorism 
attack. What if a terrorism thing does happen and how do we 
respond to it? We have first responders under the Department of 
Homeland Security. I guess I am having difficulty understanding 
what the difference is between how you view it versus what the 
EPA would view it as.
    Mr. Stephan. To put into simplest terms I can, our model 
builds in real effects, meteorological effects, wind effects, 
so on and so forth, that are going to carry this plume 
somewhere and actually affect a much smaller percentage of 
people within that overall circle. The EPA is assuming that the 
wind can blow from any direction. We don't know what it is 
going to be at any given day or any given time. So every single 
person in there isn't necessarily going to be a casualty.
    That is what is misleading in the press. Those are not 
casualty figures. Those are people that might be touched if the 
wind was blowing in their direction, this great composite 
universe around this 360-degree circle and every one of those 
people has to be built into a safety response plan or protocol. 
We know the wind is going to blow a certain way at a certain 
speed and meteorological impacts are going to impact the way 
that cloud leaves that facility and goes over a populated area. 
And the wind can't possibly blow 360 degrees across the entire 
diameter of the circle at any given time. So you are narrowing 
yourself down in terms of the number of folks we have to worry 
about from a security perspective.
    Ms. Sanchez. Thank you, Mr. Chairman.
    Mr. Cox. Thank the gentlelady. The gentleman from Alabama, 
the chairman of the Subcommittee on Management, Immigration and 
Oversight is recognized for five minutes.
    Mr. Rogers. Thank you, Mr. Chairman. I want to follow up on 
the line of questioning from Ms. Sanchez. And you talked about 
your anticipation of a proposed regulatory scheme in the not 
too distant future. And you talked a little bit about how 
cooperative the relationship has been between DHS and your 
private sector partners. Do you believe that your private 
sector partners agree there has to be some regulatory proposals 
tendered to the Congress?
    Mr. Stephan. Based upon my discussions with my private 
sector colleagues, the majority of the folks that are giving 
voluntary adherence to the Responsible Care Security Code would 
support some type of regulatory authority given to DHS to help 
take care of remaining security problems within that sector. 
The outliers in terms of those that are not members, 
involuntary adherence to that Code, is a mixed bag, to be quite 
honest with you, sir.
    Mr. Rogers. You talked in your initial statement about that 
you have taken several steps between DHS and the private sector 
to work toward closing these gaps. Can you give us some 
practical examples of those steps that you have taken?
    Mr. Stephan. We have done various things. We have set up a 
sector governance structure. For me, one of the most important 
things we can do is help gel unity of effort that brings 
together private, public sector partners to attack a problem. 
We formed sector coordinating councils that involve Federal 
departments and agencies, State and local governments as well 
as the private sector. So we have some leadership across the 
board looking at this problem. We have set up information 
sharing mechanisms in cooperation with the private sector. Some 
they have begun voluntarily on their own. We have pushed our 
information into those systems. We are working to integrate the 
chemical sector into our homeland security information sharing 
network which provides realtime feedback on a Web-based system, 
kind of an instant messaging approach, able to send them threat 
information, receiving information back through them, and 
overall holding security conversations via e-mail in a 
protected fashion.
    That is another example. We have made numerous site visits 
inside the fences. In the colloquial terms, we have to take a 
look at vulnerabilities in partnership with them and giving 
them things to consider in terms of security enhancements. We 
have worked extensively through our buffer zone protection plan 
to work with State and local law enforcement officials to make 
sure they understand what the security posture of the facility 
itself is and what they are going to be expected to do in terms 
of a response to prevent or the response to respond to an 
attack after the fact to make sure they have the equipment, 
training, protocols down pat and the information connectivity 
with the private sector owners and operators in those 
jurisdictions. A lot of collaboration we have pushed building 
upon, of course, the greater foundation that had been set up by 
many companies in the private sector.
    Mr. Rogers. I asked that because later in your statement, I 
was confused as to whether you have developed a sector specific 
plan for the chemical sector or is it still a work in progress.
    Mr. Stephan. We have a draft document and it is a work in 
progress anticipated to be complete in late November of this 
year.
    Mr. Rogers. And finally, you made reference to the fact 
that you anticipate there will be the need for third party 
audits or review of assessments. Who would you envision doing 
those reviews?
    Mr. Stephan. Again, the details on that, we do not have 
these completely fleshed out and I don't have anything that has 
been cleared by my boss, but we would want to take a look how 
the system under Responsible Care Code is working, how the 
system under the Coast Guard's leadership in terms of the MTSA 
legislation, various ways to do those audits, we want to be 
able to do them most effectively and most efficiently as we can 
using the good groundwork that has been laid out already.
    Mr. Rogers. Thank you, Mr. Chairman. I yield back.
    Mr. Cox. The gentleman from Mississippi, the ranking member 
of the full committee, Mr. Thompson, is recognized for 5 
minutes.
    Mr. Thompson. Thank you very much, Mr. Chairman. Nice 
seeing you again. One of the things we have grappled with as a 
committee is this whole jurisdiction of chemical plant 
inspection, and I want to kind of limit it to security. At one 
point, Secretary Ridge and Secretary Whitman indicated jointly 
that chemical plants should voluntarily work out security plans 
and they were going to work with them and the Department 
probably needed to supervise that. Can you tell me, is that 
still the thinking of the Department or if it is not, where we 
are at this point?
    Mr. Stephan. Kind of a confluence of two things is 
happening. It always has been the administration's position, 
going back at least 2 years, a voluntarily code is not 
necessarily going to get us to the point we are going to be 
able to close all the almost important gaps from a risk-based 
perspective across the sector. What is different in that 
position today and why we would like to re-engage with Congress 
in a partnership to figure out the right solution here in terms 
of regulatory framework.
    Of course, we have been engaged over the past couple of 
years in several attempts to do just that. What we want to 
bring to the table this time is a better way to do it, because 
I think technology is with us. We have now risk assessment 
tools that have been developed between us and the private 
sector and we are ready to go so we can, once and for all, have 
a good agreed-upon methodology that is going to lead us to 
criticality determination.
    The second part of all of this is 2 years ago, the 
Responsible Care Security Code was just being established, 
being implemented and getting off the ground. We now know where 
the limits of that code lie realistically. We did not know that 
2 years ago. We are better now in terms of tools, technologies 
and an actual knowledge base to come to you in an accelerated 
amount of time in the near future with a proposed regulatory 
framework that would be the right framework, no more no less 
than is absolutely needed we think to close remaining security 
gaps across the sector.
    Mr. Thompson. Do I understand now that you see DHS's 
responsibility is for chemical plant security?
    Mr. Stephan. Based on Homeland Security Presidential 
Directive Number 7, the President has given us the overall task 
of basically coordinating leadership for security in the 
chemical sector between Federal Government, State and local 
government and the private sector.
    Mr. Thompson. When you say coordinating leadership, do you 
see that as having direct authority for making it happen and 
supervising that authority?
    Mr. Stephan. We have authority to make certain things 
happen on a voluntary basis in terms of putting into effect 
vulnerability assessment methodologies that we agree are the 
right thing, but they are voluntarily based. Information 
sharing networks that are voluntarily based, we do not have a 
regulatory authority in any way, shape or form, outside of the 
United States Coast Guard under the MTSA legislation that would 
force the private sector to enter into any kind of arrangement 
or cooperative relationship with the government that it does 
not want to.
    Mr. Thompson. Do you see at any point in time that you and/
or the Secretary might come to this committee or to Congress 
and ask for that authority?
    Mr. Stephan. We are proposing at this point in time over 
the next several weeks in an accelerated manner to figure out 
the principles we think should guide a measured regulatory 
framework for the chemical sector and work with you all and 
your colleagues in the Senate to develop a legislative proposal 
that would put that into effect.
    Mr. Thompson. In laymen's terms, are you saying yes or no?
    Mr. Stephan. I believe I said yes.
    Mr. Thompson. Thank you very much.
    Mr. Cox. The ultimate laymen's terms. The gentleman from 
Louisiana, Mr. Jindal, is recognized for 5 minutes.
    Mr. Jindal. Thank you, Mr. Chairman. I wanted to focus my 
questions in two different areas. First, I want to get a better 
understanding of this risk-based regulatory approach. I know it 
is early and you are coming to us before you have all the 
specifics in place. I am curious if you could describe how that 
would work, and specifically, how would a risk-based approach 
to the chemical industry, how would that compare and evaluate 
and weight risks with external industries, other soft targets 
outside the chemical industry? Does the Department intend to 
adopt this risk-based approach across the entire national 
infrastructure that it is being asked to protect?
    Mr. Stephan. The first part of the answer is under 
Secretary Chertoff's leadership, everything we are doing in the 
Department of Homeland Security is following a risk-based 
approach across all of our mission areas, the critical 
infrastructure protection mission area being one of those. We 
intend to apply a risk-based approach now with much more 
sophisticated tools and technology at our fingertips than we 
had 2 years ago when we began all of this business. So we have 
a better chance of getting it right and making sure that we put 
the right kinds of things in place across the board, given the 
unique circumstances of the individual critical infrastructure 
sectors that are identified in HSPD-7. So the answer is yes, we 
want to use a risk-based approach across our critical 
infrastructure protection mission area.
    Mr. Jindal. Would it be fair to say that a low risk 
chemical facility may actually be less of a target or less of a 
risk than a soft target like a shopping center or a sports 
arena? Would that be a fair comparison?
    Mr. Stephan. I am not in a position at this point to make 
that bold a comparison. The risks are going to be based on 
consequences, which include public health and safety, economic 
dimensions, psychological dimensions and national security 
dimensions. They will be coupled with vulnerabilities and with 
threat assessments to form that critical nexus of criticality, 
what is critical, what is not. As we use that approach, figure 
out the right tool based on that approach for each sector 
ultimately within the next year or so. Because now the 
technology is with us, we will be able to make those 
qualitative assessments across the sectors between the apples 
and oranges that we have not been able to make at this point. 
Where we are with today's technology is now we can, for the 
first time, do this with respect to the chemical sector and we 
intend to deploy that in partnership with the chemical sector 
in very short order.
    Mr. Jindal. The risk based regulatory regime you are 
talking about, do you expect it is going to apply across the 
entire industry or do you think the new regulations will be 
targeted towards those high risk facilities?
    Mr. Stephan. We need to target a regulatory regime based 
upon risk and that means the most high risk facilities. What we 
have to do now and the heavy work that lays before us is 
defining the exact criteria, putting a box around what we mean 
by the chemical sector, first and foremost, defining a 
threshold above which the regulatory structure would apply. Two 
key initial steps.
    Mr. Jindal. And the testimony has been helpful. I am trying 
to understand, I come from a State with a large chemical 
industry with both low and high risk facilities. And I am 
trying to imagine a regulatory regime that would be applicable 
across both ends of that spectrum. One last point of 
questioning. In your experience up to date with the voluntary 
efforts with the high risk facilities, have you found the 
industry and individual facilities to be cooperative? Have they 
be doing everything the Department has asked? And I don't need 
a name. Have there instances where they have not been 
cooperating or not been willing to do what the Department has 
asked?
    Mr. Stephan. The general rule of thumb is the industry has 
been very cooperative. When we go on--here is no facility, for 
example, that has not allowed us or granted us permission to 
enter their site and take a look around. The formality of the 
site assessment visit and the joint vulnerability work we have 
been able to do with industry has varied from site to site to 
site as we engaged in this process with them.
    So I say it is generally very good, although it is not a 
100 percent system that allows me to come back to you and say I 
think they are doing a very effective job in this facility 
across the board or these 20 facilities across the board in 
this risk category. I cannot do that.
    Mr. Jindal. I thank you for your testimony. It is my intent 
to work with you and it is certainly my desire to protect my 
constituents at home. We want to make sure we are not 
vulnerable. At the same time, we want to make sure we maintain 
the economic viability.
    Mr. Stephan. We share that goal with you.
    Mr. Cox. Gentleman's time has expired. The gentleman from 
Washington, Mr. Dicks, is recognized for 5 minutes.
    Mr. Dicks. Mr. Chairman, I appreciated our briefing this 
morning. And as I look here at the Maritime Transportation 
Security Act, it says in your testimony, currently, 238 
chemical sites fall within the port system as defined by MTSA; 
that is correct, right?
    Mr. Stephan. Right.
    Mr. Dicks. Under the MTSA requirements all 238 of these 
facilities have been required to assess the vulnerability under 
an accepted methodology, determine gaps, plan and implement 
measures to close those gaps and audit results.
    Mr. Stephan. Correct.
    Mr. Dicks. Now if that is true, then you have got all these 
other people who don't have to audit results as of now, is that 
correct?
    Mr. Stephan. Except those under the Responsible Care Code 
regime, they do as part of the Care Code, have to do a third 
party audit. The industry reps later can go into more detail.
    Mr. Dicks. There are literally thousands of others that 
aren't doing that, isn't that correct? Not all high risk, 
obviously, but there are a lot of other companies who are not 
doing that, isn't that correct?
    Mr. Stephan. That is correct and I would defer to the 
industry reps later to provide you the exact numbers.
    Mr. Dicks. What bothers me, if you are near a port or a 
body of water, you have these very stringent requirements?
    Mr. Stephan. Correct.
    Mr. Dicks. And they have all been implemented? The Coast 
Guard visits these facilities once a year to make sure they are 
following through. It seems to me if we have demanded that of 
these people, it would be only fair to require the rest of them 
to at least have procedures that are similar to the ones that 
the MTSA have and it sounds as if you are now going to ask for 
additional authority in order to do something like that. But 
what is your comment on that?
    Mr. Stephan. Simple comment. The MTSA is a geography-based 
system. If you have a maritime approach, you fall under the 
regulatory regime that is spearheaded by the U.S. Coast Guard. 
We think a risk-based approach across the entire sector having 
to define that threshold is the way to go so we can come to you 
saying we think things are being effectively and efficiently 
done in the sector.
    Mr. Dicks. This morning we had a discussion, and in that 
discussion, you said--our assistant said that we had gone out, 
and as I understand it, done these buffer zone protection plans 
for several hundred of these facilities.
    Mr. Stephan. That is correct.
    Mr. Dicks. But in your testimony today, you say that you 
have only done, in terms of site assistance visits, only 38.
    Mr. Stephan. Correct.
    Mr. Dicks. And you are going to do another 50 this year. 
That also means as we were told, some of the companies aren't 
excited to see the Department of Homeland Security come to 
their doorstep, isn't that right, because if it wasn't that 
way, wouldn't the number of these site assistance visits be 
higher and closer to the number where you have buffer zone 
protection plans, which are apparently worked out with the 
local community?
    Mr. Stephan. The inside defense piece, or the site 
assessment visits statistics that you have there, the buffer 
zone protection plan involves the Department of Homeland 
Security working with State and local law enforcement to make 
sure that they have solid connectivity with the site and that 
they have focused on prevention preparedness response 
activities, equipment, things like that, so they can do their 
job in terms of helping bolster security preparedness of the 
facility.
    Mr. Dicks. I would like to see the site assistance visits 
number be closer to the buffer zone protection plan, because 
that would show some cooperation between the companies. I know 
some of the companies are cooperating. But as you have said, it 
is uneven. There are some of the other companies maybe who are 
not part of the group who are not being as forthcoming, isn't 
that correct?
    Mr. Stephan. Across the board, I cannot come to you and say 
it is completely even. But I must also say the great majority 
of companies are cooperating with us in allowing us site 
access. Some of them do not allow us to do a complete site 
vulnerability assessment while we are there. Some of them let 
us look around, offer some observations and then we move on to 
the next.
    Some of this is also a function of the number of people and 
the enormous nature of the mission that we have at DHS in terms 
of the 17 critical sectors, one of which is chemicals. And to 
the point here, there are pieces of risk that you have to look 
at across all these sectors. Very importantly a new program we 
are putting on the books through the help of Congress by giving 
us additional Federal employees is we are posting now 
infrastructure protection specialists that work for me in 
various high threat and industry cluster locations around the 
United States so that now, I don't have to tie up travel time 
from a guy from Federal headquarters to go out and help provide 
site assistance visit or fulfill the site visit assistance 
requirement. I can put guys on the field now that have more 
day-to-day connectivity with these folks and I think that is 
going to close some of the numbers gap that is our 
responsibility and not industry's.
    Mr. Dicks. Let me just ask you this. If in fact under the 
maritime security program and because some of these people as 
you mentioned are doing a good job and have voluntarily agreed 
to do these things, it seems to me that is why the ranking 
member said, you know, you got to have a level playing field 
here. You can't let some people off and then have others have 
to do audits and all this regulatory thing. It would seem to me 
that this thing really does cry out for Federal legislation 
that creates an approach and using a risk-based approach, I 
completely agree with the chairman on that, but you have to get 
everybody have the same kind of plan or the ones who aren't 
doing it are going to have an economic advantage over the 
companies that are in fact standing up and doing the right 
thing. They are investing billions of dollars. How can you have 
part of the industry doing that and another part not coming 
anywhere near to that? Doesn't this cry out for a Federal kind 
of solution that creates an overall requirement for all these 
companies or at least the high risk companies?
    Mr. Stephan. That is why I am here today to, in your terms, 
across the high risk components of the chemical sector make 
sure we have a level playing field. But by level playing field, 
that doesn't mean the same standards for every single facility 
across the board in that category. The standards have to be 
flexible so we can make sure that we are imposing the right 
regime on facilities based upon risk. So that X amount of 
security for a facility that on the consequence scale is fairly 
low and not spending the same amount as someone else that on 
the consequence part of the scale is very high. We have to 
achieve a balanced, measured and flexible approach because we 
don't want to destroy the economic vitality of a very important 
part of the United States' economy.
    Mr. Dicks. There seems to be a significant sector that has 
been stepping up and putting up money to improve their security 
and some others aren't. And I think you have to straighten that 
out. Thank you.
    Mr. Cox. The gentleman from Oregon, Mr. DeFazio, is 
recognized for 5 minutes.
    Mr. DeFazio. Thank you, Mr. Chairman. There is going to be 
on the subsequent panel a gentleman named Sal DePasquale who is 
going to testify, a security specialist from the University of 
Georgia. I want to see if you agree with a couple of principles 
he lays out. He says without prescriptive standards, there 
can't be self-regulation. He is criticizing the current regime 
where it is sort of--the industry out there is sort of 
freelancing on these issues. And then he says, subsequent 
security upgrades would require the following and you might 
comment on this as it would apply to high risk facilities: 
Construction of formidable property barriers, application of 
sophisticated intrusion detection systems.
    And then as he points out, the best detection system 
doesn't do much good if you can't have a pretty quick response. 
And then deployment of a trained and properly equipped security 
force response to prevent the adversary from reaching the 
target. And just in commenting on that, I would like to go back 
to the point you made, you said at the highest risk facility, 
casualties would be probably under 10,000 with 40,000 affected. 
And I would like to know of the principles he has laid out 
here, the security upgrades, are you aware that any of those 
are in place at this highest risk facility, and do you 
anticipate those would be the sorts of things you would be 
looking at in terms of regulation?
    Mr. Stephan. There is a mixture of human capital 
investments, technological investments, hardware and fencing 
type investments that need to be made, and in fact have been 
made. I am happy to report that we have had either Coast Guard 
or DHS IP representatives visit each of the facilities on the 
top tier of concern in terms of risk. Those types of things are 
being done. What I want to be able to get to is the point where 
I can say this is the right solution set for this particular 
facility and we think it is good to go. Right now, lots of 
money going out the door and lots of investments taking place 
and lots of enhancements occurring across the board. I want to 
be able to come back and look you in the eye and say we think 
we got it right at this facility.
    This was the standard, this was the set of options they 
chose to put in place against that standard and we are good to 
go with it and let us move onto the next one. I want that 
comfort level because the importance of this sector in terms of 
a critical infrastructure sector merits that kind of face to 
face between the two of us, and that is what we want to get 
you.
    Mr. DeFazio. In thinking about the chairman's comments 
where he is talking about a stadium full of people and asking 
about the casualty rates, of course it begs the question of 
what would one use to kill a stadium full of people effectively 
versus something that is installed and available for use as a 
weapon.
    In the case of 9/11, the weapons were commercial civilian 
aircraft loaded with fuel, which means they didn't bring in a 
weapon, they didn't develop a weapon, they just utilized 
something that was already available in the commercial sector 
here in the United States.
    And I think that same paradigm would apply to the potential 
for nuclear plants, most certainly, or chemical facilities; or 
facilities that aren't necessarily chemical manufacturing 
plants, but might have toxic chemicals, such as Blue Plains or 
something in this vicinity with a large concentration of 
chlorine in there.
    Could you comment on that? I mean, to me, it seems that the 
risk, they will say, ``Yes, we want to protect the stadium.'' 
But I am not sure what weapon we are talking about that would 
kill everybody in a stadium, but I do know you talked about 
essentially an already-installed weapon that could potentially, 
in a worst case, kill 10,000 people.
    Mr. Stephan. Well, sir, we are looking diligently across 
all the 17 critical infrastructure sectors that are defined by 
HSPD7. There are going to be different solutions for each of 
those infrastructure sectors based upon the risk landscape 
associated with each of those sectors.
    I think we are coming to you with the appropriate solution 
for the chemical piece, which is a very challenging problem, 
but I think there is a solution in sight there. There are other 
solutions in sight, or that will be in sight, with respect to 
those other pieces of critical infrastructure in places that 
bring lots of Americans together on a frequent basis.
    So at this point--I don't like the term ``apples and 
oranges,'' but we are using a systematic approach to walk 
through these sectors one by one and come back to you with the 
appropriate solutions in hand, based upon the risk landscape 
associated with each of these potential target sets.
    Mr. DeFazio. Okay.
    Thank you, Mr. Chairman.
    Mr. Cox. The gentleman's time has expired.
    The gentleman from New Jersey, Mr. Pascrell, is recognized 
for 5 minutes.
    Mr. Pascrell. Thank you, Mr. Chairman.
    Mr. Chairman, more than 3 years have passed since 9/11, and 
Congress has yet to address the need to secure our Nation's 
chemical plants. I am glad our committee has finally broken 
this unconscionable streak and has made this issue a priority.
    New Jersey alone has 100 sites where large quantities of 
highly toxic, highly volatile chemicals are stored and used. 
Any of these sites have the ability to cause significant 
numbers of fatalities and serious illnesses within the region 
as a result of a terrorist attack. The EPA has determined--not 
the newspapers, the EPA has determined that 11 of these sites--
and you know the strip I am talking about, that 2-mile strip in 
New Jersey, from exit to exit--it could poison more than 1 
million people in the event of a catastrophic chemical release. 
That is what the EPA says. So it goes without saying that it is 
vitally important that the Congress and the administration 
finally do something. I am heartened so far that our witness, 
Assistant Secretary Bob Stephan, seems to agree with that.
    Now, the first question I have is, How can we best strike a 
balance between not giving terrorists specific information 
about plants or shipments of chemicals, while at the same time 
ensuring that local emergency officials and first responders 
are prepared to respond appropriately to an event? That is my 
first question.
    Mr. Stephan. Okay, sir. I am not going to validate, to 
begin with, the numbers. I am not sure that the EPA would agree 
that a million people would be casualties in the event of an 
incident in one of those sites. I would defer to the EPA, but I 
am fairly certain they would not agree with your statement.
    Mr. Pascrell. Excuse me, Mr. Chairman. Are you telling me 
that I am getting this from the newspaper, and that is not a 
reflection of what EPA says?
    Mr. Stephan. No, sir. I am saying that often times what the 
EPA figures represent are misunderstood. I do not think--
    Mr. Pascrell. Well, we are talking about folks that are 
going to be poisoned, we are talking about folks that are going 
to inhale what goes up. We have got 70,000 chemicals in the 
State of New Jersey, 20 of them are toxic, 20 of them are 
highly volatile. These are not things that people dream up; and 
you know it better than I do. I am saying to you--or you are 
saying to me that I used hyperbole in this?
    Mr. Stephan. No, sir, not at all.
    Mr. Pascrell. What are you saying?
    Mr. Stephan. Sir, I am saying that the EPA's statistics are 
not based on numbers of exact casualties within a circle around 
a facility, they are based on safety requirements that say on 
any given day this number of people lies within this circle. 
The wind is not going to blow or the meteorological effects are 
not going to facilitate the dispersal of that agent across all 
of those people inside that circle, that is simply not going to 
happen, but everyone inside that circle needs to be accounted 
for in some local jurisdictional emergency response or 
emergency management plan.
    Mr. Pascrell. We know, Mr. Under Secretary, that weather 
conditions are going to have a lot to do with what happens. 
That is not the issue. Would you please answer the question I 
did ask?
    Mr. Stephan. Yes, sir, absolutely.
    In terms of the safety paradigm, the safety regime under 
which the EPA operates, I think, has the components that are 
properly built in that allow the dissemination of information 
appropriately, some aspects of community awareness--and there 
are specific statutes that make that a requirement--and even 
more specific information that is put in the hands of the first 
responders, police organizations, emergency management 
organizations, fire fighting organizations so that they have 
what they need to do planning and to be properly equipped and 
trained to respond to a safety-related incident at a site.
    I think we must be very careful to not take security-
related information and put it into that same kind of 
framework, because the only people that really benefit from 
that are the folks that are trying to attack us. So I am saying 
there is a difference between safety information that is 
mandated through a couple of different laws which--the names, 
unfortunately, I cannot pronounce, but they give the EPA the 
authority to do this.
    In terms of community awareness programs, State and local 
preparedness organizations and providing information to the 
first responder community, I would be dead set against any 
regime that would allow vulnerability-related information to be 
put into the hands of terrorist organizations to facilitate 
their operations they are planning against us.
    Mr. Pascrell. No one is suggesting that, but what I am 
suggesting, for instance, on a very simple basis is, you ask 
first responders to be available, you are going to train them. 
They have every right to know what they are up against; they 
have every right to know what chemical is there because they 
fight every chemical fire differently, don't they? They have to 
know this information. And we hope that there is a very close 
relationship between what you do, what the fire fighter does, 
what the police officer does, and what the EPA does.
    Now my next question is--
    Mr. Cox. The gentleman's time has expired. I would ask 
unanimous consent that the gentleman be given an additional 
minute because I think we need to finish on one point that I 
asked about and that you also asked about in your questions.
    I just want to make sure that the committee has a clear 
understanding. So I will let the gentleman proceed.
    Mr. Pascrell. Just quickly--thank you, Mr. Chairman--the 
EPA has had a long-standing role in monitoring chemical 
facilities, as you all know. Do you believe that the EPA's 
expertise warrants a strong role in any future chemical 
security legislation; and if so, how should that role be 
structured?
    Mr. Stephan. Sir, I think that the EPA has appropriately 
been given the leadership in terms of the safety regulatory 
framework. I think from a security perspective, the Department 
of Homeland Security needs to take up that responsibility for 
such a framework; and we should collaborate very, very closely, 
as we do--very, very closely with the EPA in terms of making 
sure that the safety and the security frameworks are 
coordinated very, very well together.
    Mr. Pascrell. I have 10 seconds, Mr. Chairman, I just want 
to ask this quickly.
    On the 2-mile stretch that I referred to, on a scale of one 
to five, what you have seen and what your visitation teams have 
seen would give us what? Five being the highest amount of 
security in that stretch, one being the lowest, what is your 
estimation?
    Mr. Stephan. The highest risk facilities in that particular 
stretch are abiding by the Responsible Care Code, and I think 
they are doing a good job.
    Mr. Pascrell. Thank you, Mr. Chairman.
    Mr. Cox. Before we leave this point, I think Mr. Pascrell 
raised the same question that I raised, and I am not sure that 
the committee has a clear understanding of what is the answer 
to the question.
    Mr. Pascrell referred to a million people being poisoned. 
You pushed back a little bit in your response to that. When I 
asked the same question, the answer that I understood you to 
give was that in the worst case, based on your modeling and 
your estimates, the number of casualties would be less than 
10,000, and the number of affected people--sickness and so on, 
which would certainly fit within the definition of poisoning--
would be 40,000.
    Now, these are big numbers, but when we are trying to 
quantify risk, there is a big difference between less than 
10,000 and 100,000 or a million, so I do think that we need to 
get on the record the figures that we are talking about.
    Mr. Stephan. Sir, based on the sophisticated modeling that 
we have done multiple times over, less than 10,000 fatalities 
and less than 40,000 people impacted, from a very significant 
degree down to a very minor degree, as a result of exposure to 
an agent.
    Mr. Cox. And my understanding is that the figures that Mr. 
Pascrell is talking about are also correct figures, but what 
you are saying is that there are a million, potentially, 
affected people within this radius, and that, depending on 
meteorological conditions and so on, the way that this would 
end up affecting people would limit it to the figures that you 
provided.
    Mr. Stephan. That is correct.
    Mr. Cox. I would yield to the gentleman to make sure that 
the committee is in agreement about what the testimony is.
    Mr. Pascrell. Mr. Chairman, I do agree, but the fact is, a 
lot of the mixture of these chemicals, you can have all the 
models that you want, you can look at the weather conditions as 
many times as you want, we are talking about very, very highly 
volatile chemicals. And that is fine, we are in the business, 
that is an industry in my State and many other States; we want 
to be helpful to that industry.
    I want to know if the industries are helping themselves, 
Mr. Chairman. And what did they find when they got there? They 
should not need prodding from the Federal Government. We will 
assist. We will be partners; we should be, we want to be. We 
did it with the airlines industry. But there are certain 
responsibilities that you must have--not you must have, but the 
chemical industry must have, and I want to know if they are 
fulfilling those obligations.
    The people who live in New Jersey, and every other place 
where this happens, have a right to know that as well; don't 
you think so?
    Mr. Stephan. Yes, sir, they do. And we believe that the 
majority of the chemical industry has, in fact, taken prudent, 
responsible steps to secure their infrastructures.
    Mr. Pascrell. While we don't need hyperbole, we do not need 
underestimating, because what we do then is let our guard down. 
And we have another report coming in and another report coming 
in, and here we are 2, almost 3 years later, we are on this 
side right now, okay, 3 years later, and we have not had a very 
specific plan to deal with the problem.
    Thank you, Mr. Chairman.
    Mr. Cox. The gentleman's time has expired.
    The gentleman from Rhode Island, Mr. Langevin, is 
recognized for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman. And thank you, Mr. 
Secretary, for you testimony today. It is obvious, from your 
testimony and from the questions and answers here today, we all 
have a lot of work to do, and the sooner we get to it, the 
better. And we need to complete a risk and vulnerability 
assessment as quickly as possible.
    What I would like to ask, first of all, is, based on 
actionable intelligence, Where do you place the likelihood of a 
chemical attack on the priority list? Is it a high-risk, 
medium- or low-vulnerability likelihood that there would be a 
chemical attack?
    And based again on actionable intelligence, which do you 
feel is more likely, that terrorists would actually acquire 
chemicals to use in a terrorist attack, or it is more likely 
they would attack a chemical facility or processing facility to 
cause casualties?
    Mr. Stephan. Sir, you presented the penultimate dilemma of 
our time. Every day I come to work, my staff and I go through 
this: What is going to happen next? Where are they going to 
turn next?
    As I said in my testimony, we have no specific credible 
intelligence at this time that indicates that there is an 
immediate threat of any kind to the chemical sector, but what 
we have to do, putting ourselves in the mind of our terrorist 
adversaries, is take a look in terms of criticality, what the 
chemical sector represents and what the use of chemical weapons 
and agents as a weapon means.
    I think we are talking about the potential of significant 
public health and safety consequences, significant economic and 
financial consequences, psychological consequences and, in 
certain cases, national security consequences when we are 
talking about certain facilities that may be the single 
supplier of a critical chemical product that the Department of 
Defense and others need to do their jobs.
    So I think, given all that, what we know about the Al-
Qa`ida organization leads us to the fact that these guys want 
to try to produce mass casualties, mass effects, mass hysteria. 
Any type of critical infrastructure that poses the potential 
for a weapons of mass destruction or a weapons of mass effect 
kind of consequence is something that the President has told us 
to drill down on in HSPD7; and the chemical sector would be one 
of those things.
    Mr. Langevin. In all of those chemical facilities that you 
are familiar with and that we are looking at right now, what 
percentage of those facilities have to protect themselves--and 
maybe the most vulnerable--on their own, without the need for 
government intervention?
    Mr. Stephan. I think about--and I will let the spokesman 
later back me up on this, but somewhere around 80 to 90 percent 
of the chemical companies by volume capacity are members that 
have signed up voluntarily to the Responsible Care Code. We 
think, in the Department of Homeland Security's estimation, 
about 20 percent or so of the high-risk elements that we are 
concerned about are not voluntarily signed up to any 
Responsible Care Security Code and may or may not be taking 
appropriate precautions, making appropriate investments. There 
is just no way to determine or gauge the effectiveness of those 
measures, if they are being taken.
    Mr. Langevin. Well, in my opinion, the sooner we can give 
you the teeth, either a regulation or a law to make sure that 
they do comply, the better. So I want to thank you for your 
testimony here today, and I yield back.
    Mr. Stephan. Thank you, sir.
    Mr. Cox. The gentleman's time has expired.
    The gentlemen from New Mexico, Mr. Pearce, is recognized 
for 5 minutes.
    Mr. Pearce. Thank you, Mr. Chairman. I am still reading the 
briefs, and I will pass at this moment. Thank you.
    Mr. Cox. The gentlelady from Texas, Ms. Jackson-Lee, is 
recognized for 5 minutes.
    Ms. Jackson-Lee. Thank you very much, Mr. Chairman. I want 
to thank you and the subcommittee Chair and ranking member of 
the subcommittee for this hearing that could not be more 
crucial.
    Mr. Stephan, Assistant Secretary, welcome. I am delighted 
that there is not the word ``interim'' in front of your name. I 
understand that you are, in fact, in place, and hopefully, we 
will have an ongoing relationship.
    I wanted to travel sort of the track of Chairman Cox and my 
good friend and colleague from New Jersey, Mr. Pascrell. First 
of all, I think it is important to acknowledge--which you have 
been very fair in doing--that there is such a thing as the 
Responsible Care Code, the Security Code that a number of 
members of the industry seem to be participants in or 
signatories on. Is that correct, sir?
    Mr. Stephan. That is correct.
    Ms. Jackson-Lee. I think at the same time we need to 
acknowledge that there are standard reports, such as the U.S. 
Army report, that says, in any given area if a chemical plant 
or toxic plant was attacked in a more, if you will, densely 
populated area, you could eliminate or impact on 2.5 million 
individuals. That is an existing report, so we need to 
emphasize the danger of the potential of a terrorist attack on 
chemical plants which find themselves in a number of areas 
around the United States.
    And I might say I come from a region in Texas that is noted 
for the chemical industry. We have lived alongside of them for 
a number of years, so I think--I wanted to focus on the 
importance of this hearing and the importance of us being able 
to work together. So I would like to focus you in this area.
    Obviously, without pointing to the intelligence, do you 
feel there is a cooperative link between the Department of 
Homeland Security and the chemical industry in terms of sharing 
intelligence data? Is there a dialogue, an ability to get 
information quickly to the necessary persons responsible for 
making decisions in the industry of the respective plants? Do 
you think that is in place?
    Mr. Stephan. Yes, ma'am, I think it is absolutely in place, 
and every day we are actually working to make it better. And as 
I said, our Homeland Security Information-Sharing Network 
allows them to pass information to us in terms of strange 
activities that might be taking place inside their areas of 
concern, and us to pass national-level threat data to them. The 
FBI is integrated into this process.
    I think we have very timely--in place, overarching systems 
to get specific information, when it exists, into the hands of 
owners and operators. In addition to other things like 
indicators of potential terrorist activities, protected 
measures, recommendations, we have mechanisms in place, wires 
and pipes, to pass those things back and forth between us and 
the industry.
    Ms. Jackson-Lee. And I appreciate that, and I don't think 
we should take lightly your work which you are now doing, and 
our work, which is to save lives. And to not take lightly any 
misstep that we make--either one of us, Congress or the 
executive--can result in the loss of lives, so the importance 
of communication is important.
    I think it is also important to note that we have entrusted 
to the airline industry, to a certain extent, trying to improve 
some of the items that they failed to do after 9/11. Likewise, 
I want to find sort of that pathway that we can work with in 
terms of another industry, and this one--for example, I 
understand a number of companies, as I have said before, or you 
said, are, in fact, self-regulating or at least adhering to the 
Care act. One of them happens to be Shell, but you happen to 
have a percentage of those who are not.
    Let me follow up with these final, closing questions:
    One, help us help you get on site of those companies that 
are not complying. I don't like hearing you say they said I 
could come do a fly-by or a drop-in or drive-by; and then they 
stop us and say, You are finished. Absolutely not. For the guys 
that don't want to participate or the guys that are not giving 
you all the information that you need, absolutely there needs 
to be an emphasis on getting you where you need to be.
    So I want to know what is happening with the ones who are 
putting a hand up, Stop. And what kind of regulatory authority 
do you need to deal with the constituency, the population, that 
refuses to play the game to save lives and to allow you to do 
the full investigation.
    Mr. Stephan. What we want to do is, we want to bring those 
folks on board through a measured, calibrated approach--again, 
based on risk; and I really need to work out the details and 
clear them up through by boss in the upcoming several weeks. It 
has got to be performance based, it has got to allow us to draw 
a threshold so that we are not--and a certain amount of 
companies that represent a very low risk that do not need to be 
taking sweeping, comprehensive security measures, that they may 
or may not be doing now.
    But then there is another degree of people up here that 
represent a very high risk, in our perspective, according to 
our criteria, that do. Many, in fact, are.
    We are going to bring a package together, bring to you to 
work together a package that would delineate exactly the box 
that we want to draw around this regulatory authority. But it 
has got to be a measured, calibrated approach, performance 
based and recognizing the very valued investments that certain 
companies, and a great majority of companies, have actually 
made to date.
    Ms. Jackson-Lee. Let me thank you. I am going to want to 
ask subsequently, in writing, for a list of those that you have 
approached in the past and you have not been able to view 
extensively their particular plants; I want the actual names.
    The other thing is that I think--I hear you saying that you 
are trying to get a plan for the regulatory authority. You are 
asking for some, but you are going to be working with the vast 
industry to understand the best pathway to save lives; is that 
my understanding?
    Mr. Stephan. That is correct.
    Ms. Jackson-Lee. I thank the witness, and I yield back.
    Mr. Cox. I thank the gentlelady.
    The gentleman from Massachusetts, Mr. Markey, is recognized 
for 5 minutes.
    Mr. Markey. Can I begin first, Mr. Chairman, with a 
parliamentary inquiry? And the parliamentary inquiry would go 
to the question of when a hearing starts.
    I arrived here at 10 o'clock this morning, at the appointed 
time for this hearing. I was then told by the counsel--who is 
whispering in your rear right now--that the hearing doesn't 
start until the gavel comes down--
    Mr. Cox. If the gentleman will yield. The hearing was 
noticed for 2 o'clock; is that right?
    Mr. Markey. At 2 o'clock, rather. So I was here at 2 
o'clock; and when I arrived, I was told the committee hearing 
starts when the gavel comes down.
    I am now reading the rules of the committee, and it makes 
no such reference to the gavel coming down, it only makes 
reference to the point at which--I apologize to you--when the 
chairman gavels the hearing. I apologize to you.
    So I guess what I would say is this: Since I did come over 
here at 2 o'clock for the hearing to start, but a decision had 
been made not to start the hearing at 2:00, that the committee 
then has an obligation to all members to have the staff then 
call all members to tell them that the member is wasting their 
time in arriving on time for a prearranged hearing because, 
first of all, I wasted the 15 minutes coming over here, Mr. 
Chairman.
    And now I have had to wait an hour and a half, even though 
my intention in arriving at 2 o'clock was to be here on time 
for a hearing which you had scheduled at 2:00, which then, in 
the discretion of the Chair, you postponed until later. But it 
then leaves the minority with no notice, who has arrived on 
time, without then having been protected for having arrived at 
the time that the chairman had scheduled the hearing, but had 
not yet brought down the gavel, which the counsel tells me is 
the official beginning of the hearing, not the time that the 
chairman designated as the beginning of the hearing.
    And so, one, I wasted my time coming over for the beginning 
of the hearing, as it had been scheduled. And two, I am now 
waiting here, even though I am the third senior on the Democrat 
side, until all of the other members, who could then be here at 
a delayed time when the hearing has started, arrived here 
before me.
    So would the chairman announce what the policy is for 
notifying members as to when the chairman is going to not begin 
the hearing at the appointed time, so that the members who are 
adjusting their schedules to be here at that time are given the 
protection which they are going to need?
    Mr. Cox. I thank the gentleman for his parliamentary 
inquiry, and I will respond as follows:
    First of all, at 2 o'clock, votes began on the floor, and 
as the gentleman knows, normally it is the procedure of this 
committee and all committees to permit members to discharge 
their obligations to vote on the floor of the House. It was the 
interruption in our schedule and this committee by votes on the 
floor that necessitated the postponement of the commencement of 
this hearing until the completion of those votes on the floor.
    Second, the member from Massachusetts is an outstanding 
participant on this committee, and I understand the motivation 
behind his questions; it is one that I appreciate and share. 
Members of this committee who wish to participate, in my view, 
should be incentivized by our rules and by our practice; and as 
chairman of the full committee, that would certainly be my aim 
and my design.
    And third, when the gentleman refers to the Chair, I think 
he recognizes that while I am the chairman of the full 
committee, I was not the chairman--this is a subcommittee 
meeting--I was not the chairman who convened this meeting. But 
it is my practice in the full committee, and I would urge all 
the subcommittee chairmen to make it their practice in the 
subcommittees, to interpret the rules in such fashion that 
members are accorded the utmost degree of fairness.
    It is my practice in the full committee to use the list of 
minority members in the order of their appearance that is 
provided to me by the ranking member on the committee and by 
the minority staff. I don't get into the business of which 
minority member should be preferred over which other, because I 
think our rules can be implemented with punctilious fairness if 
they are administered by the majority and the minority in that 
way.
    So that would be my guidance for all the members on the 
committee and, in particular, for members wielding the gavel on 
subcommittees. And I hope that is satisfactory to the 
gentleman.
    I do want compliment the gentleman for his presence at 
these hearings. He is--I don't want to say anything about the 
members that aren't here, but for those members that are here, 
I want to thank you. I know other members--all members have 
pressing business, and your presence here is a testament to 
your commitment to the subject matter, and I think a compliment 
to the witnesses.
    Mr. Markey. I would like to reclaim my time just to make 
two points.
    One is that the roll calls had just gone off. And in the 
Energy and Commerce Committee, on which I have served with you, 
in most instances, the Subcommittee Chair just continues the 
statements of Members until there is approximately 5 minutes 
left to go; and so, if the hearing has started at 10:00 or 
2:00, then the Ranking Member and the Minority Member would 
then try to get their opening statements in, and then say, We 
will adjourn and then come back. And that would be the practice 
and tradition in other committees that I serve on, at least 
Natural Resources and Energy and Commerce.
    On this Committee I was told not that there would be any 
flexibility whatsoever and not that punctilious fairness would 
be the rule here, but rather punctilious rigidity, and that 
rigidity was going to be imposed upon me; and the Majority 
Counsel informed me of that, even though it seemed to me that 
that was an implementation of the letter, but not the spirit of 
how a Committee should be governed.
    And I just think that for the Minority, we have to have 
some sense of what will happen if this very same circumstance 
occurs. And saying that there should be punctilious fairness, 
yet not define what that means--and as you know, you are going 
to have to deal with that in your new position at the 
Securities and Exchange Commission--a fairness opinion that is 
issued by Goldman Sachs on a deal to which Goldman Sachs is a 
partner may not actually have fairness in it for investors; it 
may only have fairness to Goldman Sachs and for the other deal-
makers.
    So--fairness is also subject to interpretation, so I would 
wonder here, Mr. Chairman, what kind of tradition could be 
established in terms of what it means in terms of recognition 
for the minority.
    Mr. Cox. I would yield to the gentleman from Massachusetts 
for purposes of colloquy with the gentleman from Washington.
    Mr. Markey. I would be glad to yield.
    Mr. Cox. The gentleman refers to the Committee on Energy 
and Commerce presumably as a useful model; the Gentleman knows 
that I am an alum of that Committee, and that was, in fact, the 
model for our rules in this Committee. To the extent we can 
have a very clear pattern and practice that doesn't take any 
Member by surprise, that is what we are aiming for here.
    So, to reiterate, the rule is, as the Gentleman discovered, 
the Members present when a hearing commences and the gavel 
falls are recognized in order of seniority. Thereafter, Members 
are recognized in order of seniority--in order of appearance.
    Mr. Markey. May I ask, Mr. Chairman? So, for example, if 
the Democrats arrive and it is 2 o'clock, but the Majority is 
still caucusing in the next room, and the majority does not 
emerge from their caucus until 2:20, even though the hearing 
was called for 2:00, are the Members here for the appointed 
time; or is it only at the point that the chairman brings down 
the gavel?
    When does the Minority arrive? Is it strictly within the 
discretion of the Chair at that point in time, even though--the 
class has started at 2:00; if the professor doesn't arrive 
until 2:20, weren't the students there on time? Or is it the 
hearing which is actually late, not the Members?
    Mr. Cox. There are two points that I was going to make. The 
first, I have already made, which is what the rule states.
    The second is, the practice that I have followed as 
Chairman of the full Committee, that I would urge my 
Subcommittee Chairmen to follow, unless I hear an objection 
from Members, is, the order of appearance--your questions all 
go to that--and, thus, the order of recognition for Members 
should be determined on the Majority side by the Chairman, the 
person presiding over the hearing, and on the Minority side by 
the Ranking Member or the person who is Ranking at that time.
    I don't see any reason for me, as Chairman, to determine in 
which order the Minority members should be recognized since we 
all understand what the rules are, and since it would eliminate 
any potential for unfairness if the ranking member gets to 
determine the order in which Democratic Members are recognized. 
That is the procedure I followed in the full committee; I have 
found it works very well, we haven't had any complaints of this 
type. I hope we don't have any unnecessary and certainly 
unintentional bumps in the road such as this.
    But let me just return to the point that I made earlier, 
which is that I understand the Gentleman's interest in 
participating in these hearings, admire his willingness to be 
here when I observe others are not.
    I would also observe that we have some witnesses on the 
second panel that are anxious to testify, and a witness on the 
first panel that you are entitled to question for 5 minutes, at 
such time as you wish to commence.
    Mr. Markey. I am ready to begin.
    Mr. Cox. The Gentleman is recognized for 5 minutes.
    Mr. Markey. Thank you, Mr. Chairman.
    Mr. Stephan, up until now, the Bush White House has 
essentially given the chemical industry a terrorist take-home 
exam; that is, the chemical industry just gave itself its own 
grade, which obviously was a very dangerous situation for the 
Bush administration to leave our country in for the last 4 
years in terms of these very dangerous chemical facilities.
    My question to you would be, then, specifically, would the 
Bush Administration support legislation that created mandatory, 
enforceable, risk-based Federal standards for chemical 
facilities, with the highest priority being given to facilities 
that have the potential to harm the most people?
    Mr. Stephan. We are--as I said in my oral testimony 
earlier, sir, we are seeking to cooperate with Congress in 
reaching a legislative solution that would provide the 
Secretary of Homeland Security certain authorities that the 
Secretary does not have in order to implement a risk-based, 
regulatory regime in a measured, calibrated manner--
    Mr. Markey. And would you support that that legislation be 
mandatory and that the standards be enforceable?
    Mr. Stephan. That the standards be measurable and 
enforceable.
    Mr. Markey. And mandatory.
    Do you want the Congress to provide mandatory--
    Mr. Stephan. That is correct, on a risk-based model.
    Mr. Markey. With the highest priority being given to those 
that have the most potential harm to the most people?
    Mr. Stephan. That pose the greatest risk, taking into 
account threat, vulnerability and consequences.
    Mr. Markey. As you know, in the nuclear area, the Nuclear 
Regulatory Commission allows Wackenhut, a security company that 
provides protection for the nuclear power plants in our 
country, to actually do the force-on-force test for the power 
plants that Wackenhut provides the security, which, of course, 
calls into question again the terrorist take-home-exam quality 
to that.
    Would the administration support legislation that required 
the DHS to evaluate the chemical facility security using force-
on-force exercises with entities that are independent of the 
security forces that are at these chemical facilities?
    Mr. Stephan. Sir, for the record, I do not have the 
authority from my boss to go into any specific details, many of 
which are under development, in reference to specific 
authorities that would be requested to support the Secretary's 
approach to Congress.
    Mr. Markey. So you are not willing to commit to having 
force-on-force tests of the chemical facilities across the 
country?
    Mr. Stephan. Sir, I am not willing to commit or not commit 
to anything that involves a specific, prescribed regulatory--or 
aspect of this regulatory regime that is still under 
development at this point.
    Mr. Markey. Do you believe that that makes sense, to do 
force-on-force tests of the security around chemical 
facilities?
    Mr. Stephan. Sir, again, I am not going to be in a position 
at this point in time to go into any further details.
    Mr. Markey. I will then tell you that I believe, that will 
be a huge, huge loophole in the security around chemical 
facilities if there are not independent force-on-force tests 
which are given to the chemical facilities. And the fact that 
the Department of Homeland Security, at this late juncture, 4 
years after 9/11, still does not have a view on that indicates 
a very, very dangerous situation may continue to exist around 
chemical plants because without the test on security, force-on-
force, and the fact that the Department right now has no view 
on it indicates that we could very well wind up with a 
situation that is still very dangerous.
    Next question: Would the administration support legislation 
that required companies to reduce the risk their facilities 
posed by taking steps to reduce toxic chemicals or processes 
with less dangerous technologies when it is economically and 
technologically feasible for them to do so?
    Mr. Stephan. Sir, in my earlier testimony, I stated that 
the Department supports a regulatory approach that involves a 
certain set of standards based on risk. There would be 
flexibility built into such a system to allow the companies the 
ability to draw upon various options in order to meet that 
standard. As long as the standard was met, we would like to 
keep the menu of options open to the companies.
    Mr. Markey. So that would be a ``no,'' you are not going to 
have a requirement that they have to convert to less dangerous 
materials?
    Mr. Stephan. Sir, again, at this point in time, I am not 
authorized to get into any further level of detail with respect 
to the exact specifics of the regulatory regime we have 
proposed.
    Mr. Markey. And again, I would say that if you do not do 
that, then we will continue to have an unnecessarily high level 
of dangerous toxic materials in urban areas, even though the 
Department of Homeland Security would have the ability to 
mandate that they do begin a conversion process over to less 
dangerous materials.
    And finally, would the administration support having 
whistle-blower protections for anyone who is retaliated against 
for reporting chemical security flaws, so that we have at least 
as strong a standard as shareholders have in the financial 
services marketplace in terms of employees under Sarbanes-Oxley 
being able to blow the whistle on dangerous activities without 
being retaliated against?
    Would this administration support whistle-blower protection 
for chemical industry employees while security--
    Mr. Cox. The gentleman's time has expired.
    Mr. Markey. Who blows the whistle?
    Mr. Stephan. Sir, at this point in time, I am not 
authorized to make any specific comments on any specific 
aspects of the regulatory regime that we would like to work 
together with Congress on over the coming weeks.
    Mr. Markey. Again, Mr. Stephan, these are the key issues 
that you are going to have to deal with, and making an 
announcement that you are moving in this direction without 
providing the specific details will not offer real comfort to 
those who are concerned that Al-Qa`ida is targeting chemical 
facilities at the top of their list.
    Thank you, Mr. Chairman.
    Mr. Cox. The Gentleman's 15 minutes have expired.
    The Gentleman from New Mexico.
    Mr. Pearce. Thank you, Mr. Chairman.
    I am wrestling, Mr. Stephan, with the concept of risk. It 
appears that we are thinking in terms of risk as some event and 
then in the surrounding population how it is affected; is that 
an adequate description of the threat level?
    Mr. Stephan. No, sir. I would say that from Secretary 
Chertoff's perspective, risk is made up of three variables--
consequences, vulnerabilities, and threat.
    Mr. Pearce. And if you are talking about consequences, 
could you give me some other description about how those 
consequences have been--how we have been describing them, how 
we have been talking about them in the discussions?
    Mr. Stephan. Sir, consequences could mean public health and 
safety factors in terms of possible fatalities, possible 
injuries resulting from an exposure to a chemical agent in the 
context of this sector. It could be economic impact in terms 
of, does a chemical facility represent a risk because it is the 
only or unique producer of a certain component that is critical 
for some Department of Defense deployment capability, so on and 
so forth.
    It could be, Where does this particular facility lie in the 
supply chain in terms of an impact against this facility, 
impacting distribution of the chemicals produced at that 
facility across the border? It refers to psychological 
dimensions in terms of how would the American public perceive 
and react to an attack upon this type of infrastructure target 
versus another, and so on and so forth.
    Mr. Pearce. Have we had discussions then about, for 
instance, if there is some sort of manipulation of the food 
chain--here are large cheese and milk plants in the district 
that I represent--and do those discussions give equal 
consideration to problems that might be not in large population 
areas, but entered into the food chain that are then 
distributed through a supply system throughout the country?
    Are those recognized as significant threats in the same 
context that your discussion about the chemical plants have 
been recognized?
    Mr. Stephan. Yes, sir. Generally the answer to your 
question is ``yes,'' but I want to get back to the chemical 
piece.
    As we do this risk assessment and methodology in 
partnership with our private sector owners and operators, we 
are building in, in terms of the consequences piece, estimates 
of how interconnected that particular facility--of the systems 
that are onboard the facility, what that means to the rest of 
the greater world around them within the chemical sector and 
across to other sectors.
    Mr. Pearce. How many chemical facilities, if successfully 
attacked, would have consequences on the scale of 9/11?
    Mr. Stephan. Sir, I would have to get back to you with that 
kind of information. I don't have those statistics.
    Mr. Pearce. Is it a small number? In other words, you all 
have been wrestling with this concept--
    Mr. Stephan. Sir, I don't want to get into an exact number 
that I will not be able to defend.
    Mr. Pearce. I am just trying to get from my own sense here, 
if we have a great number or if it is a small number. I am not 
trying to hold your feet to any fire.
    Mr. Stephan. Using the EPA, again, the EPA Gross Potential 
Consequence Model, according to our estimations, the potential 
impacts--again, potential impacts between 50 to 500,000--we 
think there are about 260 facilities within that category. 
Again, that is based on the EPA, every single individual within 
a certain diameter circle around that facility.
    Mr. Pearce. The concern here about whether or not we can 
trust industry to have a disciplined approach to their own 
facilities, your testimony seems to indicate that Mr. Chertoff 
thinks that you don't have enough regulatory capability, but 
your testimony indicates that you may even have pretty good 
participation.
    How close can we get to full compliance if we just have 
industry working with you on a voluntary basis or on the seat-
at-the-table basis that you have been kind of exploring right 
now?
    Mr. Stephan. Sir, I believe, again, there is about 20 
percent of industry that would be important to us in terms of 
high risk that is not accounted for under the Responsible Care 
Code, or the MTSA regime. And within the Responsible Care Code, 
I think it is important that we have the ability into the 
future to measure the effectiveness of the investments that are 
being made and the enhancements that are being implemented 
across the Responsible Care Code voluntary regime.
    Mr. Pearce. Thank you, sir.
    Thank you, Mr. Chairman.
    Mr. Cox. The Gentleman from Washington is recognized for--
    Mr. Dicks. Just one quick question.
    How long is it going to take the administration to be able 
to come up with their legislative recommendation--week, 2 
weeks, a month?
    Mr. Stephan. Sir, within the coming weeks I am dedicating 
the most talented brainpower I have to figure out this 
regulatory structure and put it into the homeland security 
counsel process. So I don't have an end stage in mind, other 
than we are working aggressively now to come up with filling in 
the details of putting flesh on the bones of the skeleton.
    Mr. Dicks. Well, the sooner, the better.
    Mr. Stephan. We agree.
    Mr. Dicks. Thank you.
    Mr. Cox. Does the Gentleman from New York seek recognition?
    Mr. King. Mr. Chairman, unfortunately, I missed the other 
part of the meeting; I have had other meetings. I would be glad 
to yield my time to any of the other gentlemen if they--
    Mr. Cox. Well, if the gentleman did seek recognition, I 
would ask unanimous consent that he be recognized, but if he 
does not wish to be recognized, we would move to the next 
panel.
    Does any other member seek recognition to question Mr. 
Stephan?
    If not, I want to thank you very much for your outstanding 
testimony, your help to this Committee today.
    Mr. Stephan. Thank you, Mr. Chairman and Members.
    Mr. Cox. The witness is excused, and I call up our second 
panel for testimony.
    The Chair would welcome the second panel comprising Mr. 
Frank Cilluffo, Director of Homeland Security Policy Institute 
at the George Washington University; Mr. Stephen Bandy, Manager 
of Corporate Safety and Security at Marathon Ashland Petroleum, 
testifying on behalf of the National Petrochemical and Refiners 
Association and the American Petroleum Institute; Mr. Marty 
Durbin, Managing Director of Security and Operations at the 
American Chemistry Council; Mr. Allen Summers, President and 
CEO of Asmark Inc., testifying on behalf of the Fertilizer 
Institute; and Mr. Sal DePasquale, Security Specialist at CH2M 
Hill and the Georgia State University.
    Mr. Cox. We will begin by recognizing Mr. Cilluffo, 
Director of the Homeland Security Policy Institute at the 
George Washington University, to testify.

                  STATEMENT OF FRANK CILLUFFO

    Mr. Cilluffo. Thank you, Mr. Chairman. And Mr. Chairman, 
distinguished members of the committee, it is a privilege to 
appear before you today.
    I will be brief, not my strong suit, as I have barely had 
an unspoken thought, but I think we have had a long day.
    I think I speak for everyone when I say we all have the 
common goal of best protecting the chemical industry and, 
obviously, our Nation's citizens from the consequences of an 
attack. Where we may differ is in our philosophical beliefs on 
how we can best accomplish this mission.
    My specific focus will be on the significance of a public/
private partnership for homeland security. Such a partnership 
is not an option, but rather a necessity, as the private 
sector, as we all know, owns a vast majority of the 
infrastructures that underpin our economy and will ultimately 
play the most important role in implementing any of those 
solutions. It is a shared responsibility where we must marry up 
private sector interests with public responsibility.
    To this end, I contend we must build the business case for 
homeland security for the chemical industry, and beyond, to 
incorporate all the other critical infrastructures, because we 
can't look at this in isolation of some of the other 
infrastructures.
    We want to reduce risks and mitigate the consequences of an 
attack on our chemical sector, and ensure that we are not 
merely shifting risks or creating new ones or unforeseen ones. 
We must prioritize, as I think the chairman and the members 
have all concluded, using a risk-management-based approach, and 
execute a strategy based on an equation of vulnerabilities, 
threats and consequences. Innovation, rather than the status 
quo, should be emphasized, since the terrorists are not static 
and base their actions on our actions--in fact, base their 
actions on many of our successes.
    When faced with a public/private challenge, conventional 
wisdom is to search for an easy solution, regulations. But 
homeland security, I think, requires a more novel, nuanced 
approach if we are to actually succeed. Regulations often 
hamstring growth and innovation and lead to added expenses 
without taking industry's perspective into account.
    Most importantly, they don't always provide a practical or 
a comprehensive solution. Regulations often create a check-the-
box mentality, where industry does just enough to meet the 
requirements and are disinclined from taking or making more 
proactive homeland security investments.
    We cannot just place requirements that make us feel good. 
Instead, we must ensure that what we do matters, and that it is 
outcomes based, very carefully calibrated, as I think Assistant 
Secretary Stephan referenced.
    A successful business case for homeland security should 
include at least five key concepts, which I will now discuss: 
first, public/private coordination and information sharing.
    The Federal Government has significant expertise and, of 
course, the intelligence information on the adversaries that 
the chemical sector will need to successfully implement its 
roles and responsibilities. The chemical sector obviously owns 
the infrastructure that the government is endeavoring to 
secure--and I might note, they are as well.
    The government can provide the framework and industry, as 
experts in their field, develop standards. All information, 
from time-sensitive threat information to best practices should 
be part of a trusted information-sharing effort that flows both 
ways, top to bottom, bottom up, and horizontally. A prime 
example of this I think is FedEx's participation on the FBI's 
Joint Terrorist Task Force, an unprecedented role for industry 
and maybe something the chemical sector can learn from.
    The essential point is that each side should see that it 
has something to gain by contributing. What we absolutely 
cannot afford is a double sunken cost where the private sector 
takes the initiative to invest on its own in homeland security, 
only to have it superseded by regulations requiring yet another 
cost.
    Second, we must develop standards in metrics. The 
government needs to raise the bar and keep it high, ensuring 
that the standards by which the industry are judged are as 
clear as possible. Standards should be initiated by the private 
sector and overseen either by the Federal Government and/or 
another trusted third party. We need experts driving security, 
not the trial lawyers.
    The government should indemnify those organizations that 
meet the standard from actions above and beyond those 
identified. Hence, the government, in essence, assumes the of 
role of the insurer of last resort, as is the case for 
conventional warfare.
    In developing its own Good Housekeeping Seal of Approval, 
the Federal Government would create an industry-wide objective 
that everything across the entire spectrum in life cycle, the 
chemical cycle, would endeavor to fulfill. As the adage goes, 
what gets measured gets done. Thus, we must have metrics and 
ensure that what we are measuring actually matters, and that it 
is paying security dividends.
    Third, we have to identify the secondary benefits to 
security. Like the successful efforts to improve quality in the 
1980s and safety in the 1990s, we must embed security as part 
of the corporations' daily operations. Security and profits are 
not mutually exclusive concepts. A dollar spent on homeland 
security could mean a dollar saved, providing a double bang for 
the counterterrorist buck--forgive the bad pun.
    Fourth, we must establish incentives. I haven't heard a 
whole lot on incentives today, but I think on any CEO's wish 
list of outcomes from a proactive security strategy are lower 
insurance premiums, reduced legal liability, reduced tax 
liability, safe harbor provisions, recognition from the 
government and its private sector peers, enhanced reputation, 
and reduced incident response and recovery costs.
    Mr. Cilluffo. Beyond the government's responsibility to 
develop incentives, the private sector too has a role to play. 
The insurance industry in particular has tools at its disposal 
that could effectively induce good behavior. Just as the 
insurance industry drove to more stricter building codes and a 
focus on fire prevention rather than only responding to fires, 
so too could the insurance industry incentivize the chemical 
sector to take more proactive action. Few can argue with the 
results of the insurance industry's drive toward fire 
prevention. Countless lives saved and billions dollars of 
property damage averted was obviously a wise investment.
    Fifth, we must recognize performance. The Federal 
Government should publicly commend corporations' 
accomplishments with an award akin to the Malcolm Baldridge 
Award, something that everyone strives for which ultimately led 
to ISO 9000 standards and everyone sought to be recognized.
    Finally, and much of the discussion today, I reluctantly 
add that we can enact regulations if necessary. And here, I say 
if and only if the market is unwilling or unable to meet the 
bar, those standards, increase DHS oversight and regulation 
should be carefully considered. And I think it needs to focus 
on the high risk facilities you identified earlier.
    However, we must realize that regulating the chemical 
sector could quickly become a slippery slope for other critical 
infrastructures and sectors of the economy as well. Given the 
constantly evolving threat, we must not turn to a one size fits 
all approach and create regulations that could lose utility 
with the next Intelligence Estimate. It is always my contention 
that we should mitigate before litigate or regulate and I think 
a successful business case can help forestall most of those 
regulations.
    In closing, the chemical industry is the focus of the 
hearing, but the strategies we discussed today can be 
translated to a dozen other critical infrastructure sectors. 
Spending alone, whether government or private dollars, will not 
thwart terrorist attacks to critical infrastructure. It takes 
the collective actions and the commitment of the government and 
the private sector to constantly refine our strategies to 
secure the facilities critical to our Nation. Above all, we 
cannot afford for our slow action to lead the public to lose 
trust in our ability to secure the Nation. That is at the heart 
of today's hearing.
    Mr. Chairman, this concludes my statement and I would be 
happy to try to answer any questions you may have.
    [The statement of Mr. Cillufo follows:]

                Prepared Statement of Frank J. Cilluffo

    Chairman Cox, Chairman Lungren, Ranking Member Thompson, Ranking 
Member Sanchez, and distinguished members of the Committee, it is a 
privilege to appear before you today. The House Committee on Homeland 
Security should be commended for continually reassessing and 
reevaluating our efforts to secure the nation's critical 
infrastructure, including today's issue, the chemical industry.
    Recognizing the important roles that the private sector and the 
government play, the Committee has assembled a cross-section of the 
chemical industry as well as the Department of Homeland Security. This 
is important because Congress must understand both perspectives to 
receive a complete picture of accomplishments, and areas for 
improvement, since 9/11. My specific focus will be on the significance 
of a public-private partnership for homeland security policy. To this 
end, I will delineate how we can establish the ``business case for 
homeland security'' across the chemical industry and beyond. Each 
witness will have his own insights and recommendations regarding the 
threat and potential solutions, but we must not take our eye off the 
ball and allow our individual interests to obstruct the overall 
mission.
    We are all meeting today with the common purpose of better 
protecting citizens by ensuring that the nation is doing all it can to 
bolster security. But we have a few questions to answer. As a key 
component of the nation's critical infrastructure, what are this 
sector's roles and responsibilities? What are the federal government's 
responsibilities? What do we measure and are we measuring the right 
things? And, how much is enough? My hope is that the solutions 
discussed during today's hearing can serve as a foundation for future 
legislation and strategy as we continue to refine our tactics to fight 
the war on terrorism. We must also not limit ourselves by looking at 
the chemical industry in isolation--as many of the issues we face in 
this sector are relevant to protecting critical infrastructure writ 
large. Homeland security requires a multifaceted strategy to prevent, 
protect against and respond to 21st century threats. We need to develop 
further guidelines to help us build upon the significant progress we 
have made thus far in securing our nation's chemical sector, but we 
must consider all aspects of a solution--constantly developing new 
approaches to the problem. We cannot rely solely on yesterday's weapons 
and strategies to fight tomorrow's battles and defeating a dynamic 
network of enemies will require our own dynamic network of domestic and 
international allies that will include all levels of government, the 
private sector, communities and individuals.
    Terrorists turned commercial planes into missiles on 9/11, swiftly 
and viciously awakening the nation to the challenges before us today. 
It was eminently clear that the war on terrorism would not be anything 
like the wars of the previous century and the new enemy shares little 
in common with the previous one. Al-Qa`ida and its ilk do not exhibit 
traditional characteristics or fall under any conventional military 
definitions, representing an asymmetrical, constantly morphing threat 
that is symbolic of the challenges we now face. Terrorists targeted the 
symbols of the nation's public and private sectors on September 11, as 
they struck both the World Trade Center and Pentagon, negating the 
traditional, centuries-old security barrier of two large oceans. We now 
face an enemy consisting of a network of affiliated groups who span 
national borders and jurisdictions and use non-traditional weapons in 
battle without distinguishing between soldiers and civilians. We do not 
face an adversary that we can defeat in a conventional war on a 
traditional battlefield by going plane for plane or tank for tank, but 
one that will take the path of least resistance by constantly searching 
for our greatest vulnerabilities. They have declared war on every 
American and threaten all segments of the U.S. economy and with that, 
the global economy. Bin Laden has repeatedly said he intends to 
``[bleed] America to the point of bankruptcy.'' \1\ Recognizing the 
enemy's strategy, we must embolden the industries that underpin our 
nation's economy. We now fight a war that requires us to play both 
offense and defense, pursuing the terrorists abroad and keeping them on 
the run, while also bolstering our defense at home. Experts agree that 
an attack on the nation's chemical sector, which includes more than 
15,000 facilities engaged in the production, use, storage and 
distribution of toxic products, could have potentially catastrophic 
consequences.
---------------------------------------------------------------------------
    \1\ Statement by Osama bin Laden, November 1, 2004.
---------------------------------------------------------------------------
    Against this background, we must understand that this is not a war 
that can be solely fought and won in Washington but needs the 
innovation, hard work and input from individuals across all sectors of 
the economy. It is more than just guards, guns and gates. The thousands 
of private sector companies that own and operate the energy, banking, 
finance, agriculture, telecommunications and chemical sectors, among 
others, underpin the American economy, and all have a significant role 
to play in our strategy. Given the interdependency of all of the 
sectors, a unanimous commitment will be essential. The war on terrorism 
is the calling of our generation and we must adapt our existing 
organizations, structures and processes to meet the new threat. 
Innovation, rather than the status quo should be emphasized since the 
terrorists are not static and base their actions on our actions. And 
because of the constantly evolving threat, we must always strive to 
stay ahead of the curve. The bureaucratic structures and strategies of 
the past will not adequately meet the challenges of the future, and a 
new organizational paradigm is vital to confront emerging threats and 
enemies. We must marshal and mobilize all of the available expertise 
and latest technology in the private and public sectors as we devise 
and execute a comprehensive strategy to win the war. But we also cannot 
make the mistake of looking for new solutions through our rearview 
mirror. Rather, we need to view homeland security through a prism, 
considering every perspective and how each company, industry or 
department fits within the overall mission. We do not want to be in a 
position where we are constantly reacting to their actions--as the 
adversary adapts, finding our next greatest weakness. Thus it is 
necessary to address all potential threats in a proactive manner.
    We want to reduce the risks and mitigate the consequences of an 
attack on our chemical sector and ensure that we are not merely 
shifting risks and creating new, unforeseen risks. We must prioritize, 
using a risk management-based approach that looks at homeland security 
holistically, and execute a strategy based on an equation of 
vulnerabilities, threats and consequences. The approach can be applied 
to all levels of government and the private sector as we define and 
redefine our priorities in the years to come.
    Recognizing that the private sector owns and operates more than 85 
percent of nation's critical infrastructure, a public-private 
partnership for chemical security is both sensible and necessary. The 
government's control over the production, use, transport and 
distribution of at-risk chemicals is limited and comprehensive security 
requires the concerted investment and support of the private sector. 
The National Strategy for Homeland Security notes that ``a close 
partnership between the government and private sector is essential to 
ensuring that existing vulnerabilities to terrorism in our critical 
infrastructure are identified and eliminated as quickly as 
possible.''\2\ Further, the National Strategy for Physical Protection 
of Critical Infrastructures and Key Assets, calls for this to be a 
``shared responsibility.''\3\ I could not agree more with this 
sentiment and fervently believe we need to look at the entire supply 
chain as we refine our strategy.
---------------------------------------------------------------------------
    \2\ National Strategy for Homeland Security. The White House, July 
16, 2002.
    \3\ National Strategy for Physical Protection of Critical 
Infrastructures and Key Assets, The White House, Feb. 14, 2003.
---------------------------------------------------------------------------
    The government has made tremendous strides since 9/11 in securing 
our critical infrastructure. Key players in the chemical industry have 
also made significant advances to upgrade security--meeting both 
business and national interests. What we now need is for government and 
industry to work together to develop a playbook that they can use to 
drive planning and preparedness. A comprehensive assessment of where 
the industry is in terms of security accomplishments needs to be 
completed as we draw a roadmap for the future. This cannot and should 
not be a one-size-fits-all approach, but instead should be catered to 
the unique strengths and weaknesses of each industry.
    When addressing homeland security issues and the public-private 
relationship, conventional Washington wisdom is to search for an easy 
solution, often turning to regulation and mandating industry to comply 
with new federal requirements. But homeland security requires a more 
novel, nuanced approach if we are to succeed--one that will obligate 
the government to veer from the standard practice of pronouncing new 
``though shalts.'' Regulations often hamstring growth and innovation, 
and lead to added expenses without taking industries' costs, concerns 
and previous measures into account'simply, they do not provide a 
practical or comprehensive solution. We cannot just place requirements 
that make us feel good; instead we must ensure what we do matters. A 
December 2004 report on cybersecurity issued by this committee's 
Subcommittee on Cybersecurity, Science, and Research & Development, 
concluded that ``it is important to realize that industry may be 
incentivized to do more than government could regulate.'' \4\ I agree 
and contend that this conclusion is appropriate for the chemical 
industry as well. Regulations can create a ``check the box'' mentality, 
where industry does just enough to meet the requirements and are 
disinclined from making proactive homeland security investments.
---------------------------------------------------------------------------
    \4\ Cybersecurity for the Homeland, Report of the Activities and 
Findings by the Chairman and Ranking Member. Subcommittee on 
Cybersecurity, Science, and Research & Development, Select Committee on 
Homeland Security, U.S. House of Representatives, December 2004.
---------------------------------------------------------------------------
    We need the experts driving security, not the trial lawyers. I have 
found that industry is generally willing to participate in security 
initiatives and adopt the government's goals and mission if they are 
viewed as a partner in the policymaking process. It is up to government 
to engage the business community and articulate why such initiatives 
are mutually beneficial to both the public and private sectors. The 
government needs to set the bar and raise it high through leading by 
example and getting its own house in order. It can help drive best 
practices and standards that can then be overseen by DHS and/or a 
trusted third party. The private sector should be asked to take 
security as far as it can, but since industry will not always be able 
to reach the bar on its own, the government must work with the private 
sector to help it meet the goals it set. The government and the 
insurance industry can provide incentives/aid to industry to help meet 
those standards.
    We all understand that security and safety are tightly interwoven 
in the post-9/11 world and we need to look at chemical industry 
security using an all-hazards approach. We do not need ``satisficing,'' 
which only leads to an industry vying for the lowest common 
denominator. So as we build upon recent private and public sector 
initiatives, how can the government make a compelling business case for 
homeland security that satisfies all parties and most importantly, 
betters the security of our citizens?

The Business Case for Homeland Security
    In an April 2005 speech to business leaders at the U.S. Chamber of 
Commerce, Secretary of Homeland Security Michael Chertoff appropriately 
stated:
    ``We want to defend our country, but we also want to defend our way 
of life. . .Our goal is to create a security environment that works 
with the grain of commerce and doesn't cut against it, and that takes 
advantage of and leverages with the great American ingenuity, which is 
our principal weapon.'' \5\
---------------------------------------------------------------------------
    \5\ Transcript of address by Secretary of Homeland Security Michael 
Chertoff at the U.S. Chamber of Commerce, Washington D.C., April 29, 
2005.
---------------------------------------------------------------------------
    The government is eminently well-suited to lead in some areas while 
the private sector has its own unique strengths. What we must do is 
marry-up private sector interests with public responsibility. The 
solution will require a private-public partnership that looks at the 
entire supply chain and approaches security using a risk management 
model. We need to reduce risk while mitigating the consequences of an 
attack. A successful business case for homeland security should include 
the following:

         Public-private information sharing and delineation of 
        roles
         Analysis and assessment of threats, risks and 
        vulnerabilities
         Identification of the secondary, tertiary benefits of 
        security
         Highlighting of best practices, standards
         Oversight by government and/or trusted third party
         Carefully designed metrics that ensure progress
         Rewards and incentives for security
         Regulations, as a last resort

Cultivating public-private coordination and information sharing--We 
must begin by fostering a trusted partnership between the federal 
government and the chemical industry based on cross-sector 
communication and information sharing. We need to refine the game plan 
based on a more symbiotic relationship which ensures significant and 
timely security progress. The federal government has significant 
expertise and the best information on the adversary (including 
intentions, capabilities and modus operandi) that the chemical industry 
will need to successfully implement its roles and responsibilities. And 
the chemical industry owns the infrastructure the government is 
endeavoring to secure. The government can provide the framework and the 
industry, as the experts in their field, develop voluntary standards. 
All information, whether time-sensitive threat information, best 
practices or vulnerability assessments, should be part of a trusted 
information sharing effort. The government must properly communicate 
the threat the industry faces, keeping the sector informed of the 
latest intelligence, realizing that this changes with time and is often 
difficult to predict.
    Information should flow both ways, from top-down and bottom-up. At 
FedEx, for example, the company readily shares information with the 
government because the company's leaders feel they have a duty to 
protect the homeland. As FedEx CEO Fred Smith said to his peers in 
Chief Executive magazine: ``By taking responsibility for shoring up 
points of vulnerability in the physical and Cyberspace worlds, 
companies can truly defeat those who would harm our way of business and 
our way of life. I urge all businesses to become partners with 
government in making our companies, our country and, ultimately, our 
world more secure.'' \6\ Since action is stronger than words, I point 
to FedEx's participation on the FBI's Joint Terrorism Task Force 
(JTTF), the only such company in the nation to have such a role.
---------------------------------------------------------------------------
    \6\ Smith, Frederick W. ``Securing American and the World.'' Chief 
Executive, December 1, 2004.
---------------------------------------------------------------------------
    Those corporations that have developed best practices should then 
be encouraged to share these with the federal government as well as 
their colleagues in the industry. The government needs to ensure that 
the Freedom of Information Act (FOIA) exemptions and antitrust 
provisions passed in the 2002 Homeland Security Act remain and are 
strengthened to ensure continued information exchange. The development 
of the Homeland Security Information Network (HSIN), which serves as a 
real-time, two-way information clearinghouse for both DHS and industry 
is another important initiative. Other existing programs are in need of 
a reevaluation, however. One such program is the Protected Critical 
Infrastructure Information (PCII) Program, which lacks the protections, 
much less the incentives, that industry desires.
    In promulgating Homeland Security Presidential Directive 7 (HSPD-
7), President Bush clarified the need for cross-sector planning, 
information sharing, risk assessment and coordination. The president 
directed each federal department to engage its stakeholders as partners 
for the purpose of strengthening the security of our key industries. 
The Risk Analysis and Management for Critical Asset Protection (RAMCAP) 
initiative is a prime example of how cross-sector cooperation can make 
major headway in analyzing threats and vulnerabilities and sharing 
information. A cooperative DHS-chemical sector project begun late last 
year, RAMCAP will eventually lead to a more systematic analysis of 
terrorist threats on the nation's chemical sector and other 
infrastructure using a risk-based approach. Aspects of the project 
include the development of a Security Vulnerability Analysis (SVA) 
methodology that will provide each sector with the tools and metrics 
for the analysis of threats as well as supplementing the National Asset 
Database (NADB) with industry-specific information and screening tools. 
In short, it will help us define our greatest vulnerabilities, 
delineate the threat, and highlight best practices for the industry.
    The chemical industry has a seat at the federal government's 
homeland security table with last June's formation of the Chemical 
Sector Council, overseen by 16 associations representing the spectrum 
of the chemical industry. Sector Coordinating Councils are intended to 
bring together the critical infrastructure protection stakeholders from 
key industries together with federal, state and local agencies. The 
Chemical Sector Council identifies, prioritizes, and coordinates the 
protection of the chemical industry's infrastructure and facilitates 
information sharing for threats, vulnerabilities, incidents and best 
practices. Now that the industry groups are together, DHS should 
immediately develop a framework with these groups and identify mutually 
agreed upon incentives and timelines that would accomplish what all 
sides want: a better protected and prepared chemical industry. Such a 
partnership would provide a better investment of public and private 
dollars than regulations alone. The essential point is that each side 
should see that it has something to gain by contributing. The 
coordinating council also provides a mechanism for government-to-
industry communication that will enable one to build upon the other's 
previous work and ensure that each side's roles and expectations are 
properly communicated. What we cannot afford is a ``double sunken 
cost,'' where the private sector takes the initiative to invest on its 
own in homeland security, only to have it superseded by regulations 
requiring another cost.

Developing standards and metrics--As I previously noted, the government 
needs to raise the bar and keep it high, ensuring that the standards by 
which the industry are judged are as clear as possible. Standards 
should be initiated by the private sector and overseen by Uncle Sam 
and/or a trusted third party. Members of the American Chemistry Council 
(ACC) follow a self-initiated Responsible Care Management System, which 
requires companies to assess vulnerabilities and develop action plans, 
but the ACC includes less than 10 percent of at-risk facilities and the 
care code lacks fixed metrics and standards for quality control.\7\ 
Industry-wide, definable standards are needed to ensure the more than 
15,000 facilities currently regulated by the EPA are secure from 
terrorist attacks. Such standards and expectations must be clear for 
all actors across the supply chain from producers to transporters to 
distributors. For example, the government cannot reasonably expect the 
chemical industry to provide air defense for their facilities, a public 
good that few would argue is the responsibility of the private sector.
---------------------------------------------------------------------------
    \7\ ``Homeland Security: Federal and Industry Efforts Are 
Addressing Security Issues at Chemical Facilities, but Additional 
Action Is Needed.'' GAO-05-631.T United States Government 
Accountability Office, April 27, 2005.
---------------------------------------------------------------------------
    Standards must meet security requirements and ensure due care 
without bankrupting industry or the federal government. The government 
could then indemnify those organizations that meet the standard from 
all actions above and beyond their capabilities, hence the government 
assumes the role as the insurer of last resort, as is the case for 
conventional warfare. In developing its own ``Good Housekeeping Seal of 
Approval,'' the federal government would create an industry-wide 
objective that every chemical production, transportation and 
distribution facility would endeavor to fulfill. It is not 
inconceivable that citizens, looking to invest in socially responsible 
companies meeting a government-approved standard, ask the federal 
government for a list of those organizations taking security seriously. 
Thus the standard could provide a financial benefit to industry, with 
the market, not the government driving security. Among similarly priced 
goods, the security seal of approval could be the difference among 
consumers.
    We must have metrics to measure the needs of the chemical industry 
as well as its accomplishments. As the adage goes, ``what gets 
measured, gets done.'' However, we must ensure that what we are 
measuring actually matters and that it is actually paying security 
dividends. There must be a time component in the metrics as well, given 
that there is an imperative for action almost four years after 9/11. 
What we are measuring and the actions taken as a result must be a 
balanced approach for a given industry, company, or geography, given 
the dynamic risk, threat, and vulnerability environments.
    The standards developed should be overseen by the government and/or 
trusted third party. Currently, chemical plant security is primarily 
overseen by the EPA and DHS. The EPA regulates the 15,000 Risk 
Management Plan (RMP) facilities under the auspices of the Clean Air 
Act, but DHS now has lead responsibility for securing the nation's 
critical infrastructure. Protecting critical infrastructure is a 
security and emergency management priority and no longer strictly an 
environmental issue. We need to take a comprehensive view and defend 
against both intentional and accidental chemical incidents, requiring 
us to look at chemical plant security with the all-hazards approach to 
safety and security. Moving full authority for the development and 
oversight of standards of chemical facilities to DHS would provide the 
chemical industry with a single authority on security matters. Given 
the DHS mission and the new reality, the department is particularly 
well positioned to provide leadership in this area.

Identifying the secondary benefits to security--Like the successful 
efforts to improve quality in the 1980s and safety in the 1990s we must 
embed security as part of businesses' missions by helping industry see 
the secondary benefits of security. Just as the Ford Motor Corporation 
adopted the mission that ``Quality is job one'' in the 1980s, in a 
post-9/11 world, security should be job one for the chemical industry. 
Industry discovered collateral benefits of quality assurance and 
safety, and it is incumbent upon the federal government to stress the 
manifold benefits of security for national interests and each 
organization's bottom line. The government must emphasize the 
importance of business continuity and that addressing security issues 
will help companies preserve market share and maintain operations 
during both manmade/terrorism-related and natural disturbances. 
Organizational resiliency and the effort to standardize processes 
across the entire supply chain will have long term benefits for 
business as they seek to cope with everything from terrorist attacks to 
supply shortages to worker strikes.
    The role of Chief Security Officers and Chief Information Officers 
need to be strengthened within the organization. CSOs and CIOs should 
not be viewed as cost centers, but instead as integral components of 
the leadership team that position security as a benefit rather than an 
expense. This is an issue for the boardroom, not the backroom or the 
boiler room. Security and profits are not mutually exclusive concepts 
and there are clear economic benefits for investments in security. 
Investments in security are often considered against investing in other 
profitable parts of the organization. But it is clear that new revenue, 
new businesses, new products and other secondary benefits can be found 
through security spending. Companies can get a return on investment 
(ROI) in security and a number of companies are heeding the national 
call for homeland security'seeing the potential for security, as well 
as financial dividends. Asset visibility and tracking, standards 
development, collaboration within the supply chain and physical and 
personnel security can do a lot to secure the nation as well as improve 
organizational efficiency. For example, utilizing GPS systems and RFID 
tags to monitor chemical goods will enable industry to more predictably 
and accurately track the flow of products, find exceptions in the 
system and track security breaches--all economically significant 
improvements linked to improving security. Security upgrades such as 
digital video monitoring systems in chemical facilities can also assist 
in emergency incident management and theft reduction. The secondary 
benefits to background checks on personnel, reinforcing plant physical 
security and improving communication among supply chain parties all 
have obvious security and economic benefits and are avenues for the 
government and private sector to pursue mutual interests. A dollar 
spent on homeland security could mean a dollar saved--providing a 
double bang for the counter-terrorism buck. This concept is 
transferable to all infrastructure sectors.
    Leaders in the chemical industry should be applauded for their 
self-initiated efforts to secure the homeland. Since 9/11, over $2 
billion has been spent by ACC members alone.\8\ The 140-plus ACC member 
companies operating more than 2,040 facilities have enacted laudable, 
self-imposed security standards. Representing 90 percent of the 
nation's chemical production, the ACC has moved the ball down the 
field, but we are still too close to our own goal line. Despite their 
significant spending, ACC members only represent 7 percent of the 
nation's at-risk chemical facilities, and pending assessments, it is 
unclear how much has been accomplished industry-wide.\9\
---------------------------------------------------------------------------
    \8\ ``ACC Enhances security at 2,040 chemical facilities; Supports 
security legislation.'' American Chemistry Council, April 26, 2005: 
http://www.accnewsmedia.com/docs/2200/2131.pdf.
    \9\ ``Homeland Security: Federal and Industry Efforts Are 
Addressing Security Issues at Chemical Facilities, but Additional 
Action Is Needed.'' AO-05-631T. United States Government Accountability 
Office, April 27, 2005.
---------------------------------------------------------------------------
    Companies outside of the chemical industry have made security a 
priority. At FedEx, more than 500 law enforcement officers now place 
terrorism at the top of their list of priorities--along with 
traditional needs like theft prevention. Implied here is that the 
company sees secondary and tertiary benefits of security, among them 
improved product control, tracking and overall efficiency. But 
individual attempts by the private sector can only go so far, just as 
government-initiated programs have limited utility. Coordination is 
crucial and a symbiotic relationship between the government and private 
sector is required to get us to the next level.
    We need to develop and implement dual-use technology that shows the 
clear economic incentives of security. Recent government/shipping 
industry initiatives exemplify a viable business case for security. 
More than 9,000 importers and other shipping organizations have 
realized that they can increase efficiency, productivity and profits 
through security by engaging in the Customs-Trade Partnership Against 
Terrorism (C-TPAT) program.\10\ The program requires companies to 
bolster security by protecting their supply chains from terrorists in 
exchange for quicker processing and fewer inspections. The government 
gets the security and assurances it is looking for and the private 
sector gets greater efficiency and revenue. The National Strategy for 
Homeland Security notes that benefits of security to industry are self 
evident, making the ``internalization of. . .costs. . .not only a 
matter of sound corporate governance and good corporate citizenship but 
also an essential safeguard of economic assets for shareholders, 
employees, and the Nation.'' \11\ To this end, the government needs to 
initiate policies that do more than stress the merits of ``good 
corporate citizenship,'' and instead incentivize the chemical industry 
to secure the nation's hazardous chemicals by communicating the 
numerous benefits of security. Policy without resources is just 
rhetoric and the government needs to appeal to industry as good 
businessmen and good citizens. Society stands to benefit, not just in 
homeland security terms, but from the secondary environmental, health, 
safety and anti-crime benefits as well. The private sector could take 
much credit for these accomplishments, if the business case is adopted.
---------------------------------------------------------------------------
    \10\ Remarks by Robert C. Bonner, Supply Chain Security in a New 
Business Environment, Miami, Florida, April 21, 2005.
    \11\ National Strategy for Homeland Security. The White House, July 
16, 2002.

    Establishing incentives--As I previously testified at a July 2001 
hearing before the Joint Economic Committee, only ``through leading by 
example can the government realistically hope for the private sector to 
commit the sort of effort--in time and resources--expected of them.'' 
\12\ I stand by this statement and continue to advocate a paradigm 
where the government leads by example, getting its own house in order 
by setting standards and developing best practices. It can then provide 
incentives to the private sector to make security a priority, while 
avoiding regulation that could stifle the growth and the natural market 
flow. On any CEO's wish list of outcomes from a proactive security 
strategy are lower insurance premiums, reduced legal liability, reduced 
tax liability, safe-harbor provisions, recognition from the government 
and its private sector peers, enhanced reputation, and reduced incident 
response and recovery costs.
---------------------------------------------------------------------------
    \12\ ``Wired World: Cyber Security and the U.S. Economy.'' 
Testimony by Frank J. Cilluffo before the Joint Economic Committee of 
the U.S. Congress, June 21, 2001.
---------------------------------------------------------------------------
    Some of these wishes can already be fulfilled through proper 
utilization of the SAFETY Act, a potentially powerful liability 
elimination tool for sellers and customers of anti-terror products and 
services. The SAFETY Act is particularly relevant for the chemical 
sector, as it provides an incentive to facility owners to invest in 
their own security. Facility owners purchasing SAFETY Act certified 
technologies or services increase their security (by simple virtue of 
purchasing security tools) and decrease their liability exposure. A 
facility owner knows that it is purchasing a valid, effective product 
thanks to the rigorous evaluation process the seller must undergo 
before any SAFETY Act award is granted by DHS. And, of course, the 
owner will also receive immunity from lawsuits. DHS can assist in 
encouraging the use of the SAFETY Act by granting its benefits to more 
technologies and services--and that is something Secretary Chertoff has 
repeatedly committed to doing.
    We should consider having the federal government serve as the 
insurer of last resort, by assuming a burden above and beyond what the 
private sector and the insurance industry is able to bear. The 
government may also need to consider anti-trust exceptions that will 
encourage information sharing between competitors. These are not 
unreasonable and I believe can be accomplished if we build a solid 
business case for homeland security.
    It is important to point out that it is not just about money, but 
also information. The previously cited December 2004 subcommittee 
report on cybersecurity also lists a number of the aforementioned 
incentives as ways the government can leverage the private sector in 
promoting security. These incentives equally applicable to the chemical 
sector, as they are to cybersecurity. And as the report states, 
legislative mandates cannot be ``both a floor and a ceiling'' since in 
a free market, regulation could lead to an unprofitable (and thus 
untenable) situation.
    The private sector too has a responsibility to develop incentives. 
The insurance industry in particular has tools at its disposal that 
could effectively incentivize critical infrastructure owners and 
operators. Just as the insurance industry drove municipalities toward 
stricter building codes and a focus on fire prevention, rather than 
only responding to fires, so too could the insurance industry 
incentivize the chemical industry to take proactive action. The 
insurance industry already has a complex matrix of discounts to 
encourage good behavior of various kinds, from non-smoking to ergonomic 
shop floors. And though developing insurance models for terrorism is 
difficult (and some would say, impossible), it is possible to recognize 
that some proactive actions not only reduce losses from a terrorist 
attack, but also provide important safety and anti-crime benefits as 
well. This expected reduction in insurance claims should be passed 
along to the private sector in the form of lower premiums, which will 
in turn encourage other companies to take proactive, dual-benefit 
security measures.

Recognizing performance--For those corporations that meet the industry-
set standards, the federal government should publicly commend the 
corporations' accomplishments, provide government incentives and 
encourage private sector incentives. The DHS Homeland Security Advisory 
Council and the Council on Competitiveness should be commended for 
their calls for a homeland security award for private industry akin to 
the prestigious Malcolm Baldrige National Quality Award. A parallel 
effort should be fostered by the private sector. For the chemical 
industry, a major national organization would seem to be well 
positioned to recognize the accomplishments of its own.

Enact regulations, if necessary--If, and only if, the market is 
unwilling or unable to meet the bar, increased DHS oversight and 
regulations should be carefully considered. However, we must realize 
that regulating the chemical industry could quickly become a slippery 
slope for other sectors as well. This could lead to a situation where, 
for example, the information and telecommunications sector becomes 
regulated as a knee jerk reaction. Given the constantly evolving 
threat, we must not turn to a one-size-fits-all approach and create 
regulations that could lose utility with the next intelligence 
estimate.
    If regulations are enacted, the costs, both to the government as 
well as the chemical industry, must be considered. The costs for 
implementing regulations will be significant to both parties. For 
example, legislation proposed in the last Congress that would have 
provided DHS with regulatory oversight of the chemical industry was 
estimated to cost the federal government more than $200 million over 
the first five years.\13\ And the chemical industry must understand 
that regulations do not necessarily mean that the government will 
assume all costs. Thus it is always my contention that we should 
mitigate before regulate or litigate and a successful business case can 
and should forestall most federal regulations.
---------------------------------------------------------------------------
    \13\ Congressional Budget Office, Cost Estimate for S.944, the 
Chemical Facilities Security Act of 2003, May 10, 2004.

Conclusion
    The chemical industry is the focus of this hearing, but the 
strategies we discuss today can be translated to the dozen other 
critical infrastructure sectors. Security is not merely a challenge, it 
is an opportunity for us to put our heads together and surpass our own 
assumptions. The task is enormous, and it requires efforts on every 
front. We must learn from our successes, as well as our mistakes and 
refine our efforts accordingly. We cannot shy from this task because of 
its magnitude. We can and must overcome it. Spending alone, whether 
private or government dollars, will not thwart terrorist attacks to 
critical infrastructure. It takes the collective actions and commitment 
of the government and the private sector to secure the facilities that 
we all can agree are critical to our nation. Above all, we cannot 
afford for our slow action to lead the public to lose trust in our 
ability to secure the nation. That's at the heart of today's hearing.
    As I conclude, I would like to congratulate Chairman Cox on his 
recent nomination to head the Securities and Exchange Commission. Your 
leadership on homeland security issues and commitment to making this 
committee a permanent, standing body (no easy feat) is widely respected 
and appreciated. The SEC will be in good hands upon your confirmation. 
And I will add that you will be in a unique position to look at the 
business case for homeland security in your new capacity. Chairman 
Lungren, Ranking Member Sanchez, Ranking Member Thompson, your 
leadership and vision on the issues is also to be applauded, and I look 
forward to continuing to work with all of you and your colleagues on 
this issue and other matters that arise in the future. Mr. Chairman 
this concludes my statement. I would be happy to answer any questions 
you may have.

    Mr. Cox. I thank you for your testimony. The Chair now 
recognizes Stephen Bandy, Manager of Corporate Safety and 
Security for Marathon Ashland Petroleum, testifying on behalf 
of the National Petrochemical and Refiners Association and the 
American Petroleum Institute. And may I say, Mr. Bandy, and to 
the rest of our witnesses, the members of this committee first 
are enormously grateful for your being here.
    Second, I apologize in advance. We had a discussion about 
the interruption of this subcommittee's business by floor 
votes. We expect there will be floor votes coming up sometime 
soon. And the entire House of Representatives has a date with 
the President at the White House at 6:00. That means when we do 
go to the floor we will probably be unable to resume the 
hearing. I am hopeful we will put all of your testimony on the 
record before we go to the floor to vote. Feel free since we 
have your written testimony to give us what you really think we 
need to get because this may be your only shot.
    Mr. Dicks. We have to keep it at about 5 minutes per 
witness in order to do that.
    Mr. Cox. Mr. Bandy, thank you.

   STATEMENT OF STEPHEN BANDY, MANAGER, CORPORATE SAFETY AND 
            SECURITY, MARATHON ASHLAND PETROLEUM LLC

    Mr. Bandy. Thank you and good afternoon, Mr. Chairman, 
Ranking Member Sanchez, and Members of the Committee. I want to 
thank the Committee for holding this important hearing today 
and look forward to discussing how the refining and 
petrochemical industries are performing the critical task of 
maintaining and strengthening the security of our national 
energy infrastructure.
    Maintaining the security of our facilities has always been 
a priority at refining and petrochemical plants. Our industry 
is heavily engaged and was so before 9/11 in maintaining and 
enhancing security. The industry has long operated globally, 
often in unstable regions overseas where security is an 
integral part of providing for the world's energy and 
petrochemical needs.
    After the tragic events of 9/11, the industry, and I say 
this with special emphasis, did not wait for government 
regulations before implementing additional and far reaching 
facility securities measures to address these new threats. NPRA 
and API developed and provided industry with a peer review 
security vulnerability assessment methodology and DHS has 
endorsed this methodology and uses it to train its own 
employees. Our industry has employed the methodology to 
identify security hazards, threats and vulnerabilities, and 
evaluate and implement the best security measures possible.
    In addition to the methodology, API developed security 
guidelines for the petroleum industry. The State of New Jersey 
has recognized these States as the States accepted petroleum 
industry practices. I would like to provide copies of these to 
the committee for the record, please.
    [The information follows:]

    [GRAPHIC] [TIFF OMITTED] T4604.012
    
    Mr. Bandy. Industry has also developed a close working 
relationship with over a dozen key Federal agencies as well as 
State and local law enforcement and to exchange real-time 
intelligence data on security issues that allows them to 
respond to threats. We have held joint training exercises, 
simulating actual terrorist attacks in developing educational 
programs with governmental agencies and sharing best practices 
to enhance security operations.
    Media reports sometimes leave the impression that industry 
has not taken any new security initiatives since September 11. 
That simply is not true. With the critical information gained 
from conducting security vulnerability assessments, facilities 
have taken such steps as reconfiguring sites, allowing critical 
assets to be set back from the perimeter, install sophisticated 
state of the art electronic intrusion detection systems, 
implemented card access control with new biometric technology 
readers, required enhanced security communication systems, and 
shared security response plans with local law enforcement and 
appropriate Federal agencies.
    The majority of the almost 150 refineries and 200 
petrochemical manufacturing facilities in the United States are 
regulated by the Coast Guard under the Maritime Transportation 
Security Act. MTSA requires these facilities to conduct 
vulnerability assessments and submit comprehensive security 
plans to the Coast Guard. Our relationship with DHS and other 
agencies has been very effective in allowing industry to focus 
on the security threats that exist today.
    To conclude, Mr. Chairman, our industry takes very 
seriously its responsibilities for strengthening securities. We 
will continue to work with DHS to maintain and improve the 
security of the refining and petrochemical facilities.
    Thank you, and I will be happy to answer any questions.
    [The statement of Mr. Bandy follows:]

                 Prepared Statement of Steven P. Bandy

Introduction
    Good morning, Mr. Chairman, Ranking Member Sanchez, and Members of 
the Committee. I want to thank the Committee for holding this important 
hearing today. I look forward to discussing how the refining and 
petrochemical industries are performing the critical task of 
maintaining and strengthening the security of our national energy and 
petrochemical infrastructure.
    I am the Manager of Corporate Safety & Security for Marathon 
Ashland Petroleum LLC (MAP), headquartered in Findlay, Ohio. As Manager 
of Corporate Security for MAP, I am responsible for ensuring the secure 
operations of our facilities for our employees, customers and the 
communities in which we operate. MAP is a refining, marketing and 
transportation company, with a complementary network of operations 
stretching across 21 states. We own and operate seven refineries and 
have a total crude oil capacity of approximately 948,000 barrels per 
day.
    Today I am testifying on behalf of NPRA, the National Petrochemical 
& Refiners Association and API, the American Petroleum Institute. NPRA 
has more than 450 member companies, including virtually all U.S. 
refiners and petrochemical manufacturers, their suppliers and vendors. 
Petrochemical companies use processes similar to those in a refinery. 
NPRA companies supply consumers with a wide variety of products used 
daily in their homes and businesses. These products include gasoline, 
diesel fuel, home heating oil, jet fuel, lubricants, and the chemicals 
that serve as building blocks for everything from plastics to clothing 
to medicine to computers. API, a national trade association for the 
U.S. oil and natural gas industry, represents all sectors of the 
industry, including exploration, transportation, refining, storage, 
distribution and marketing.

Overview/Summary of Statement
    Maintaining the security of our workforce, plant, property, and 
equipment has always been a priority at refineries and petrochemical 
plants. Refiners and petrochemical manufacturers are heavily engaged--
and were so even before September 11--in maintaining and enhancing 
security. These industries have long operated globally, often in 
unstable regions overseas where security is an integral part of 
providing for the world's energy and petrochemical needs. NPRA and API 
member companies continue to address and prepare for potential threats 
to our facilities. We are absolutely committed to keeping all sites as 
secure as possible from threats of violence or terrorism. We are keenly 
aware of the responsibility we have to our employees, to our customers, 
and to the communities in which we operate. We have been working 
diligently to strengthen the security of our facilities, and in my 
testimony today I will outline some of the actions we have taken.
    When the tragic events of September 11, 2001, occurred, we as a 
nation realized immediately that a vastly different set of threats had 
to be taken into consideration in order to protect our homeland. The 
refining and petrochemical industries were no different. Industry--and 
I say this with special emphasis--did not wait for new government 
regulations before implementing additional and far-reaching facility 
security measures to address these new threats. Industry consulted with 
and obtained the input of federal, state, and local agencies, first 
responders and other security experts who are knowledgeable about the 
strategy, tactics and plans employed by terrorists. That information, 
coupled with the knowledge that each company has about the specifics of 
its own technology and materials, was then used to conduct intensive 
security vulnerability assessments. Based on those assessments, 
detailed facility security plans were prepared and implemented.
    Refiners and petrochemical manufacturers have taken and will 
continue to take additional measures to ensure facility security. We 
have developed close, working relationships with key federal agencies 
and state and local law enforcement offices to exchange critical 
infrastructure information. We have held joint training exercises 
simulating actual terrorist attacks and have developed educational 
programs featuring federal and state government officials with security 
expertise. We have sponsored association meetings to share best 
industry practices. This affords companies the opportunity to learn 
what others are doing, discuss new approaches and ideas, and implement 
the approaches that best fit their own particular security needs.
    With those considerations as background, NPRA and API urge the 
Committee to consider the following comments regarding the current 
state of security-related activities at refining and petrochemical 
facilities:
         The refining and petrochemical industry will continue 
        to maintain and improve our security operations to protect the 
        vital network that provides a reliable supply of fuels and 
        other petroleum and petrochemical products needed to keep our 
        nation strong and our economy growing.
         Industry, in cooperation with government security 
        agencies, has reassessed security vulnerabilities and 
        implemented strong and effective security measures since 
        September 11, 2001.
         Industry complies with security requirements under 
        post 9-11 federal security law, such as the Maritime 
        Transportation Security Act and the Patriot Act.
         A strong working relationship has been established 
        between government security agencies and the refining and 
        petrochemical industry to exchange ``real-time'' intelligence 
        data on security issues that allows them to respond rapidly to 
        terrorist threats.
         Industry has partnered with the Department of Homeland 
        Security on many important security initiatives and programs, 
        including the Risk Assessment Methodology for Critical Asset 
        Protection, or RAMCAP, the Homeland Security Information 
        Network (HSIN), and Buffer Zone Protection Plans. (These will 
        be discussed in more detail in my statement.)
         Industry supports full compliance with existing 
        security regulations, adequate funding for DHS and other 
        security agencies, and continuing public-private partnership 
        efforts to protect facilities and vessels and strengthen 
        intelligence-sharing networks.
         Congress has been wise to restrict public release of 
        facility specific security information, the release of which 
        would be disruptive to ongoing security operations.

Industry has conducted facility security vulnerability assessments.
    In 2003, NPRA and API, working with other industry groups, the 
Department of Homeland Security and the Department of Energy, developed 
and provided industry with a peer-reviewed security vulnerability 
assessment (SVA) methodology. In 2004, industry expanded the SVA 
methodology to include transportation-related activities, including 
pipelines and rail and truck transportation. DHS has endorsed the 
vulnerability assessment methodology and uses it to train its 
employees.
    The security vulnerability assessment methodology is a 
sophisticated and effective tool used to identify the security hazards, 
threats and vulnerabilities of a facility, and to evaluate the best 
measures to provide safe operations for employees and the public. The 
methodology provides the framework for a complete security analysis of 
the facility and its operations. Depending on the type and size of the 
facility, the assessment utilizes expertise in physical and cyber 
security, process safety, facility and process design and operations, 
emergency response, management, law enforcement, and other disciplines 
as necessary.
    Differences in geographic location, type of operations, and on-site 
quantities of hazardous substances all play a role in determining the 
approach taken. Security vulnerability assessments typically include 
the following types of activities:
         Characterizing the facility to understand what 
        critical assets need to be secured, their importance and their 
        interdependencies and supporting infrastructure;
         Identifying and characterizing threats against those 
        facilities and evaluating them in terms of their attractiveness 
        as targets for various adversaries, along with the consequences 
        if these assets are damaged or stolen;
         Identifying potential security vulnerabilities that 
        threaten the asset's service or integrity;
         Determining the risk represented by these events or 
        conditions by evaluating the likelihood of a successful event 
        and the consequences of an event if it were to occur; and
         Making specific recommendations for incident 
        mitigation and countermeasures appropriate to the risk level.
    Based on the results of the security vulnerability assessment, 
companies identify appropriate security measures and incorporate them 
in security plans which are then implemented.

Companies comply with security requirements under the Maritime 
Transportation Security Act of 2002.
    A majority of the almost 150 refineries and 200 petrochemical 
manufacturing facilities in the United States are subject to the 
jurisdiction of the U.S. Coast Guard, and are therefore regulated 
pursuant to the security requirements of the Maritime Transportation 
Security Act (MTSA) of 2002. (See attached map of U.S. refineries.) The 
Act requires that these facilities conduct security vulnerability 
assessments and submit comprehensive security plans to the U.S. Coast 
Guard. These security plans were submitted by facilities in December 
2003. They were reviewed and approved by the Coast Guard in 2004. Under 
the Maritime Transportation Security Act, companies are also required 
to designate facility security officers to oversee the implementation 
of their security plans. This officer is required to conduct drills on 
a quarterly basis to test elements of the facility's security plan. We 
understand that the Coast Guard has been pleased with the petroleum and 
petrochemical industry's implementation of the Act.

Industry has implemented strong, new security measures since September 
11.
    Media reports sometimes leave the impression that the industry has 
not taken any new security initiatives since September 11. That simply 
is not true. With the critical information gained from conducting their 
security vulnerability assessments, facilities have taken the following 
specific measures to enhance security:
         Reconfigured sites allowing critical assets to be set 
        back from the perimeter.
         Installed sophisticated, state-of-the-art electronic 
        intrusion detection systems around our perimeters and on 
        buildings.
         Implemented card-access controls with new biometric 
        technology readers, such as retina or thumbprint scanners.
         Acquired enhanced security communication systems.
         Shared security response plans with local law 
        enforcement and appropriate federal agencies.
         Conducted drills and exercises to test security and 
        response plans.
         Hired additional security personnel to assist in our 
        security efforts, which are an around the clock, seven days per 
        week priority.
    I emphasize that this is just a partial list. A longer list of 
measures taken by our industry is included as an attachment to this 
statement, but it, too, is only a partial list of measures taken as a 
result of a dynamic process.

Industry sponsors educational programs and holds training exercises 
with government officials to enhance security at facilities.
    NPRA and API have established standing committees on security; I am 
a past Chairman of the NPRA Security Committee and play an active role 
in the API Security Committee. NPRA has held or co-sponsored more than 
a dozen facility security conferences and workshops, featuring federal 
and state policymakers, security and counterterrorism experts, and the 
sharing of best practices. In February of this year, for example, NPRA 
conducted an intensive training workshop for persons designated as 
Facility Security Officers under the Maritime Transportation Security 
Act. The workshop enabled them to better fulfill their responsibilities 
under MTSA. Since 2002, API has been hosting training sessions for 
industry and government personnel to teach them how to use the 
vulnerability assessment methodology and develop security plans.
    NPRA has held two training exercises in cooperation with Texas 
Homeland Security. The exercises were conducted by Texas A&M 
University's National Emergency Response and Rescue Training Center and 
Texas Engineering Extension Service. The most recent training exercise, 
``Safe Horizon,'' was held in March of this year. This exercise was 
focused on incident deterrence and prevention of a postulated terrorist 
attack. These training exercises and educational programs provide 
information that allows companies to better assess the effectiveness of 
their own security policies, plans, and procedures, and make 
modifications as necessary.
    In addition to the SVA Methodology, API developed the first edition 
of ``Security Guidelines for the Petroleum Industry'' in March 2002. It 
has since been revised and the third edition was released in April 
2005. These Guidelines provide general guidance for effectively 
managing security risks and provide a reference to federal security 
laws and regulations impacting petroleum operations. I would like to 
provide a copy of both guidance documents, the SVA methodology, ``API/
NPRA Security Vulnerability Assessment Methodology for the Refining and 
Petrochemical Industries'' and the ``Security Guidelines'' to the 
Committee and request that they be included as part of the hearing 
record.

Industry works with federal, state and local officials to enhance 
facility security.
    The success of security programs in the refining and petrochemical 
industries is due in large part to the excellent working relationships 
our industry has established with various federal, state, and local 
governmental agencies. NPRA, API and their member companies work with 
more than a dozen federal agencies, as well as state and local law 
enforcement agencies and emergency responders throughout the nation to 
share critical infrastructure information and receive updates on the 
latest intelligence about terrorist focus and targets. The agencies 
that we work with include the FBI, the Department of Transportation, 
the Department of Energy, the Department of Defense, the CIA, the 
Government Accountability Office, and, of course, the Department of 
Homeland Security and its various components, including the U.S. Secret 
Service, the Transportation Security Agency, and the U.S. Coast Guard.
    Our relationship with DHS and other security agencies allows 
immediate access by government and industry to rapidly changing 
information affecting facility security. These relationships and 
communications are essential in keeping our facilities secure. If an 
agency is turned into an industry regulator through enactment of 
federal security legislation, the dynamics of the relationship will 
undoubtedly change and this level of information sharing could be 
diminished.
    The American Petroleum Institute has worked with our state 
petroleum councils to disseminate the API Security Guidelines to assist 
their state agencies in preparing plans to upgrade security at our 
facilities across the nation. As an example, in New Jersey where the 
industry has considerable presence with six refineries and many 
terminals, former Governor McGreevey accepted the API Security Guidance 
as the state's accepted petroleum industry practices in October of 
2003. Since then, the New Jersey Petroleum Council supplemented by 
company experts has been involved in educating state and local 
officials in security issues through regular meeting and training 
seminars.

Industry is working with DHS to improve risk assessment and to develop 
buffer zone protection plans.
    Our members are working with DHS on the RAMCAP, or Risk Assessment 
Methodology for Critical Asset Protection, project. This approach to 
risk assessment and management will provide a consistent framework for 
the assessment, reporting and management of terrorism risks across the 
nation's critical infrastructure and key resources. This will be 
accomplished by developing a common risk-based method for comparing 
security risks, thereby giving Congress and the executive branch the 
tools they need to make decisions and allocate resources based on risk. 
In short, RAMCAP aims to put all infrastructures and key resources, 
including refineries and petrochemical plants, on a common risk 
platform.
    Our members are also working with DHS, states, and local officials 
to protect and secure areas surrounding our facilities, which they 
neither own nor control, by developing buffer zone protection plans. 
These plans will identify specific threats and vulnerabilities with the 
buffer zone, analyze and categorize the level of risk, and recommend 
corrective measures to local law enforcement to reduce the risk of a 
terrorist attack.

Industry participates in private and public information networks to 
enhance security.
    As stated earlier, information sharing is a vital part of our 
industry's security efforts, and so our NPRA and API members serve on 
several security-related public and private sector boards and task 
forces. These include participation on the Boards of the Energy 
Information Sharing & Analysis Center, or ISAC; the Oil & Natural Gas 
Sector Homeland Security Coordinating Council; and the Chemical Sector 
Coordinating Council. NPRA also serves on a working group of the 
Homeland Security Advisory Council (HSAC), helping to resolve legal 
impediments that hinder the submission of private sector information to 
government officials. NPRA and API members have also responded 
positively to a request to serve on a working group of the President's 
National Infrastructure Advisory Council.
    One particularly important initiative underway--again, as a 
cooperative effort between DHS and industry--is the creation and 
implementation of the Homeland Security Information Network, or HSIN, 
for the petroleum and chemical industries. HSIN is an information 
sharing system facilitated by the DHS in partnership with the critical 
sector organizations. It links owners and operators with each other and 
with DHS and FBI to enable collaboration in protecting critical 
resources and to address physical and cyber threats, vulnerabilities, 
and incidents, and to share information about potential protective 
measures and best practices.

Chemical security legislation would be counter-productive.
    To conclude, Mr. Chairman, refiners and petrochemical manufacturers 
take very seriously their responsibilities for not just maintaining, 
but strengthening security at their facilities to meet any new threats. 
Our industry has complied with modernized, post 9-11 federal security 
requirements. We have utilized expert engineers who understand our 
facilities better than any one else to conduct vulnerability 
assessments and implement new measures to protect against new threats. 
We have called upon experts throughout all of industry, government 
agencies, and the security business to capture the best practices to 
protect our facilities. And perhaps most importantly the industry has 
created an outstanding working relationship with government security 
agencies to rapidly receive the fast moving information needed to fight 
terrorism. This working partnership has been very effective in 
exchanging information to allow the industry to focus on the security 
threats that exist today and are most relevant. We look forward to 
continuing this security partnership. Our efforts show that industry 
does not need to be prodded by government mandates to take aggressive 
and effective steps to secure its facilities. In fact, industry is 
concerned that changing the nature of the existing relationship between 
DHS, other security agencies and industry could disrupt the open 
exchange and rapid response to threats that we have achieved to date. 
As a result, we are not advocating chemical security legislation 
because the existing system is working well, and, being a dynamic 
process, will continue to improve with time ..
    In closing, I want to stress once again that NPRA and API member 
companies are absolutely committed to the security of our facilities. 
Thank you and I will be happy to answer any questions you may have.

    Mr. Pearce. Thank you, Mr. Bandy, for your testimony. The 
Chair now recognizes Mr. Marty Durbin, the Managing Director of 
Security and Operations for the American Chemistry Council.

                   STATEMENT OF MARTY DURBIN

    Mr. Durbin. Thank you, Mr. Chairman and members of the 
committee. I want to thank you for the opportunity to provide 
testimony today on behalf of the American Chemistry Council. 
ACC represent the leading companies in the U.S. chemical 
manufacturing sector responsible for nearly 90 percent of basic 
industrial chemical production and an essential part of our 
Nation's critical infrastructure. In my brief remarks, which I 
will try to make even briefer, I would like to highlight the 
following.
    The leadership role that ACC members have taken to further 
ensure the safety and security of their products, their 
facilities, their supply chain and the communities in which 
they operate and investment of more than $2 billion in security 
since 9/11, 2001. I also would like to touch on the great 
strides made cooperatively by the Federal Government and our 
industry to secure the chemical sector, and finally what we see 
is a real need for Federal legislation to provide nationwide 
assurances that all portions of the industry take the same 
aggressive action that ACC members have taken.
    Security is not new to our members but the tragedy of 
September 11 brought swift and decisive action from the 
industry leaders of our association. Without waiting for 
government direction, ACC issued site and transportation 
security guidelines in October and November of that year after 
which our board launched an aggressive effort to develop a new 
Responsible Care Security Code. Implementation of Responsible 
Care, ACC's signature program of continuous improvement in 
environmental, health, safety and now security performance is 
mandatory for all members.
    The security code and ACC members' security enhancements 
have been widely and uniformly acknowledged by government as 
well as the media. State and local governments have used the 
code as a model for their own regulation of chemical 
facilities' security, and the Coast Guard, which as you heard 
regulates nearly 240 chemical facilities under MTSA, recognized 
our code as an alternative security program for ACC members.
    Briefly, the code requires each member to prioritize every 
facility by risk, assess the vulnerabilities using 
methodologies developed by expert third parties, implement 
security enhancements commensurate with those risks, and to 
verify the implementation of physical security enhancements 
using outside third parties. All 2,040 ACC member company 
facilities have completed their vulnerability assessments, 
implemented security enhancements and nearly all have had their 
enhancements verified.
    ACC security code also covers transportation and cyber 
security, allowing members to extend the reach of the code 
throughout the value chain. All the guidance materials 
developed by ACC addressing site, transportation and cyber 
security as well as the security code itself are publicly 
available through our Web site so they can have the broadest 
possible influence beyond our membership.
    HSPD-7 specifically names DHS as the lead or sector 
specific agency for the chemical sector and we certainly think 
that is appropriate, and to achieve the infrastructure 
protection objectives of that directive ACC and its members and 
indeed the entire sector have worked in close partnership with 
the Department of Homeland Security.
    Over the past years, everything from facility visits to 
working on the Buffer Zone Protection Plan, ACC funds and 
maintains the Information Sharing and Analysis Center, which is 
a public service of ACC through our program, and we participate 
regularly in exercises and drills, everything from local level 
preparedness and response drills to the national level TOPOFF 
exercises that recently concluded.
    So why is Federal legislation necessary? Despite all the 
progress that has been made to date, there is no way to assure 
all chemical facilities that need to be protected are taking 
the same kinds of aggressive steps that American Chemistry 
Council members and others have taken to protect this critical 
sector. ACC has led the effort to ensure all chemical 
facilities are secured. We have worked continuously with 
Congress and the administration for enactment of national 
security legislation that will establish national standards for 
security at chemical facilities, require facilities to conduct 
vulnerability assessments and implement security plans and 
provide oversight, inspection and enforcement authority to the 
Department of Homeland Security.
    Without Federal action on this vital topic, State 
legislatures will fill the void. Both Maryland and New York 
have enacted chemical facility security laws. While ACC was 
able to support both of these statutes, we strongly believe 
that a national program, not an incomplete patchwork of 
potentially conflicting State efforts is necessary.
    Naturally, we believe any Federal legislation should 
respect ACC members' substantial actions and investments to 
implement the Responsible Care Security Code. As witnesses at 
an April Senate hearing concurred, ACC members deserve a level 
playing field and a common set of expectations. But let me be 
clear, we are not asking for an exemption from the law, only 
that DHS be allowed to recognize our members' significant 
actions such as the Coast Guard has already done.
    In closing, I want to reiterate our commitments. Our member 
companies are committed to taking all reasonable actions to 
enhance the security of their operations and products against 
those that would do us harm, but our Nation will not be safe 
until all chemical facilities that need to be protected have 
taken steps equivalent to those taken by our members.
    It has been over 3-1/2 years since 9/11. Now is the time to 
act and we welcome this hearing. We are committed to continuing 
work with this committee and others to see that legislation is 
enacted in this session of Congress. Thank you, and I would be 
happy to answer any questions.
    [The statement of Mr. Durbin follows:]

                 Prepared Statement of Martin J. Durbin

    Chairman Lungren and Members of the Subcommittee, my name is Marty 
Durbin, and I am the Managing Director for Security & Operations for 
the American Chemistry Council (ACC). I thank you for this opportunity 
to speak today on behalf of the Council's members on the important 
subject of security in the business of chemistry, a critical sector of 
America's infrastructure.
    The 132 members of the ACC manufacture essential life-saving 
products critical to homeland security and life-enhancing everyday 
items that keep the economy moving. Our products are critical to daily 
life and crucial to efforts to combat the war on terrorism. We are 
essential to making Kevlar vests, night vision goggles and stealth 
aircraft. The products we manufacture are essential to the things that 
make modern life possible, from plastics to pharmaceuticals, from cars 
to clothing. And the products of chemistry are critical in many aspects 
of American life, including keeping our drinking water safe, supporting 
agriculture, and spurring medical innovations to prevent and treat 
disease.
    ACC represents the leading companies in the U.S. chemical 
manufacturing sector, an industry which is the largest exporting sector 
in the economy ($91 billion), and employs one million people in America 
alone, with $460 billion in sales. Our members are responsible for 
nearly 90% of basic industrial chemical production. In addition, the 
U.S. chemical industry has the largest share of knowledge workers of 
any industry, and it is the largest private industry investor in 
research and development.
    Mr. Chairman, I welcome the opportunity to highlight four things 
for you and the subcommittee:
        1. The leadership role ACC members have taken--at a cost of 
        over $2 billion since 9/11--to further ensure the safety and 
        security of their products, their facilities, their supply 
        chain and the communities in which they operate;
        2. The great strides the federal government has taken, in 
        cooperation with the chemical sector, to secure the industry;
        3. The need for national legislation to provide an appropriate 
        federal regulatory role in chemical facility security; and
        4. Our views on the important and frequently misunderstood 
        subject of inherent safety.

I. ACC Has Taken a Leadership Role in Enhancing Chemical Security
    Even before September 11, 2001, Council members had begun to 
address the challenge of terrorist threats to our operations, by 
developing site security guidelines for chemical companies. Our Board 
of Directors was actually meeting that sad day, and their reaction to 
those events was swift and decisive. We quickly completed and issued 
our security guidelines, and a companion set of transportation security 
guidelines, in October and November of that year.
    In those uncertain months, we shared those guidelines with state 
and federal agencies, and we and OSHA posted them on our public 
websites to make them as broadly available as possible. We also 
partnered with EPA to hold regional security briefings for our members 
and other chemical companies, state and local government officials, and 
first responders.
    In January 2002, our Board launched an aggressive effort to develop 
a new Responsible Care Security Code. Now in its 17th year, 
Responsible Care is ACC's signature program of ethical principles and 
management systems designed to continuously improve our members' 
safety, health and environmental performance--and now, their security 
performance as well. Implementation of Responsible Care is mandatory 
for all members of the American Chemistry Council, as well as 
Responsible Care Partner companies, who represent chemical carriers, 
warehouses, logistics planners and others along the supply/value chain. 
In developing the Security Code, we consulted closely with plant-level 
Community Advisory Panels, and with first responders and government 
agencies at all levels. In June 2002, the Board adopted the Security 
Code.
    The Security Code, and ACC members' security enhancements, has been 
widely and uniformly acknowledged, from the Washington Post editorial 
page \1\ to Government Accountability Office reports.\2\ Former 
Homeland Security Secretary Ridge has referred to it as a ``model 
program.'' The State of New Jersey has recognized the Code as a ``best 
practice'' for chemical facility security. In addition, the City of 
Baltimore adopted a security ordinance that recognizes the Code as an 
alternative means of compliance, and Maryland legislation mirrors the 
Code. At a hearing held April 27, 2005 by the Senate Homeland Security 
& Governmental Affairs Committee, Chairman Collins declared that 
companies like ACC's members ``should be commended'' for the steps they 
have taken to date voluntarily to secure their facilities. GAO official 
John Stephenson focused particularly on the substantial work that ACC 
members have done implementing the Responsible Care Security Code, 
stating that ``ACC is very good.''
---------------------------------------------------------------------------
    \1\ ``Some of the biggest security gains have been made cheaply, 
sometimes thanks to unobtrusive, even private-sector initiatives. The 
140 large companies that form the American Chemistry Council, for 
example--a group with both financial and practical interests in not 
having their chemical plants blown up--have created their own security 
code, internal communications system and inspectorate.'' The Washington 
Post, p. A26 (May 27, 2005).
    \2\ ``To its credit, the chemical industry, led by its industry 
associations, has undertaken a number of voluntary initiatives to 
increase security at facilities. For example, the ACC, whose members 
own or operate 1,000, or about 7 percent, of the facilities [handling 
large quantities of hazardous materials in the country] requires its 
members to conduct vulnerability assessments and implement security 
improvements.'' GAO, ``Homeland Security: Voluntary Initiatives Are 
Under Way at Chemical Facilities, but the Extent of Security 
Preparedness is Unknown'' (GAO-03-439, March 2003) at ``Highlights.''

    The Security Code requires member companies to:
         Prioritize their sites by degree of risk, sorting them 
        into four tiers. This process was begun before the Code was 
        adopted, and every ACC member company completed it on schedule 
        in June 2002.
         Thoroughly assess vulnerabilities, using rigorous 
        methodologies developed by Sandia National Labs and the Center 
        for Chemical Process Safety (CCPS), a program of the American 
        Institute of Chemical Engineers (AIChE).
         Implement security enhancements commensurate with 
        risks, and taking into account inherently safer approaches, 
        engineering and administrative controls, and other security, 
        prevention and mitigation measures.
         Verify the implementation of these physical security 
        measures, using third parties that are credible with the local 
        community, such as first responders or law enforcement 
        officials.
    All 2,040 ACC member company facilities have completed their 
vulnerability assessments, and almost all have completed their 
enhancement verifications. Progress in implementing the Code was 
verified by GAO in its most recent report on chemical facility 
security.\3\
---------------------------------------------------------------------------
    \3\ Based on work conducted between October 2004 and March 2005, 
GAO stated: ``All 10 of the chemical facilities we visited reported 
making significant progress in fulfilling the requirements of the 
security code.'' GAO, ``Protection of Chemical and Water 
Infrastructure: Federal Requirements, Actions of Selected Facilities, 
and Remaining Challenges'' (GAO-05-327, March 2005), at 5, 37. ACC 
members' implementation of the Code is discussed in detail at pages 17-
21.
---------------------------------------------------------------------------
    Our Security Code is not just limited to physical plant security. 
It covers the complete ``value chain'' for chemicals, from suppliers to 
customers, including transportation. Value chain management is an area 
where we have a long and successful history of partnering with and 
supporting federal agencies to prevent the diversion of legitimate and 
essential chemicals that have the potential to be misused to make 
illegal drugs or chemical weapons. In fall 2002, the Council issued a 
detailed value chain guidance document to enhance the security of our 
products outside the fence line. Our members who also belong to the 
Chlorine Institute have, together with the Association of American 
Railroads, implemented a chlorine rail car security plan.
    The Security Code also covers cyber security, to protect our highly 
computerized operations from being attacked electronically. Our members 
lead a broad Chemical Sector Cybersecurity Information-Sharing Forum to 
promote cybersecurity in our industry. In spring 2003 the Forum issued 
a cybersecurity guidance document. The Forum also launched a broad 
cybersecurity practices, standards and technology initiative through 
CIDX, the Chemical Industry Data Exchange. All of these guidance 
materials, and the Security Code, are available through our websites 
(www.americanchemistry.com and www.rctoolkit.com) so that they can have 
the broadest possible effect beyond our membership. The CIDX materials 
are similarly available at www.cidx.org/CyberSecurity/default.asp.

II. The Federal Government, Working with ACC, Has Greatly Enhanced the 
Security of the Chemical Sector
    ACC and its members have worked closely with the Department of 
Homeland Security during its first two years of existence. We concurred 
with GAO's recommendations in 2003 that the federal government should 
develop ``a comprehensive national chemical security strategy that is 
both practical and cost effective,'' and that should:
         ``Identify high-risk facilities based on factors 
        including the level of threat and collect information on 
        industry security preparedness;
         Specify the roles and responsibilities of each federal 
        agency partnering with the chemical industry;
         Develop appropriate information sharing mechanisms; 
        and
         Develop a legislative proposal, in consultation with 
        industry and other appropriate groups, to require these 
        chemical facilities to expeditiously assess their vulnerability 
        to terrorist attacks and, where necessary, require these 
        facilities to take corrective action.'' \4\
---------------------------------------------------------------------------
    \4\ See ``Homeland Security'' supra note 2, at 27.

    A. Identify High Risk Facilities
    Starting in March 2003, DHS partnered with ACC to facilitate visits 
to our members' facilities. ACC also worked with DHS to develop methods 
for evaluating facilities based on potential physical and economic 
consequences. And even before the creation of DHS, the Coast Guard and 
state offices of homeland security or counterterrorism visited 
facilities to offer advice on enhancing facility security.
    Today, DHS' Protective Security Division (PSD) and the Coast Guard 
are actively visiting chemical facilities, reviewing vulnerability 
assessments and security plans, understanding common vulnerabilities 
and developing plans, in conjunction with local law enforcement and 
responders, to protect facilities and their communities. Information 
gained from these visits supports the development of DHS's ``Buffer 
Zone Protection Program'' to provide support and resources to local 
governments in plant communities. ACC is also working closely with PSD 
to develop, refine and publicize its ``Risk Analysis and Management for 
Critical Asset Protection'' (RAMCAP), which allows DHS to compare the 
vulnerabilities of disparate assets and resources against a series of 
benchmark threat scenarios. RAMCAP will enable DHS to allocate 
protective resources rationally, on the basis of risk.

    B. Specify the Roles and Responsibilities of Federal Agencies
    In December 2003, the President issued Homeland Security 
Presidential Directive 7, which clearly defines roles for various 
federal agencies in protecting the nation's critical infrastructure and 
key resources, and specifically names DHS as the lead or ``sector-
specific'' agency for the chemical sector. With DHS's blessing, ACC 
organized the Chemical Sector Coordinating Council--a group of 16 
leading trade associations that coordinates communications between DHS 
and our sector for purposes of infrastructure protection. ACC serves as 
the administrative secretariat for the Sector Council. This model has 
proven so attractive to DHS that they are encouraging its adoption by 
the other critical infrastructure sectors.
    The federal Maritime Transportation Security Act (MTSA), which was 
enacted in late 2002, puts the Coast Guard in charge of regulating 
security within ports, on vessels, and at facilities that have the 
potential to be involved in a transportation security incident. Roughly 
240 chemical plants in the United States--including most of the largest 
facilities nationally--are currently subject to rigorous Coast Guard 
oversight under the MTSA. These facilities have all conducted security 
vulnerability assessments, have implemented facility security plans, 
and have been inspected by the Coast Guard. Facility security plans 
specify actions the facility will take at different MARSEC (threat) 
levels regarding access control, restricted areas, handling cargo, 
delivery of vessel stores and bunkers, monitoring, security incident 
procedures, and barge fleeting facilities. They also include schedules 
for employee security training and response drills and exercises. Even 
more facilities are covered by area (i.e., port) security plans.
    ACC supported the MTSA throughout the legislative process and we 
have worked closely with the Coast Guard to make the law a success. In 
particular, the U.S. Coast Guard recognized the Responsible Care 
Security Code as an Alternative Security Program (``RCSC-ASP'') for 
purposes of fulfilling facility security regulatory requirements under 
the MTSA. The RCSC-ASP was the first alternative security program the 
Coast Guard approved for facilities.

    C. Develop Appropriate Information Sharing Mechanisms
    Effectively securing privately-held infrastructure--like the 
business of chemistry--requires a partnership between the private 
sector and the government. Within seven months of 9/11, ACC and the FBI 
created a Chemical Sector Information Sharing and Analysis Center 
(ISAC) to share security information daily between the federal 
government and companies that make and use chemicals. The Chemical 
Sector ISAC provides 24-7 capability for DHS's Homeland Security 
Operations Center (HSOC) to contact the chemical sector as well as for 
individual members of the ISAC to convey incident or threat information 
to DHS. Members of the ISAC receive daily intelligence reports from DHS 
as well as episodic alerts and warnings. Open to any chemical sector 
business, whether or not it is a Council member, the ISAC has almost 
600 participants. The Council runs the ISAC for free as a public 
service through its CHEMTREC service,\5\ in cooperation with Department 
of Homeland Security (DHS). It is located at http://
chemicalisac.chemtrec.com. ACC is also one of the first critical 
infrastructure sectors to be piloting DHS's new Homeland Security 
Information Network--Critical Sectors (HSIN-CS), a set of secure 
communications and collaboration capabilities. ACC anticipates that the 
Chemical Sector ISAC will eventually be integrated into HSIN.
---------------------------------------------------------------------------
    \5\ CHEMTREC is a 24-hour-a-day emergency communications center 
that ACC has operated as a public service since 1971. CHEMTREC 
provides emergency responders with round-the-clock resources for 
information and assistance for spills, leaks, fires, explosions and 
other emergencies involving chemicals and other hazardous materials. 
CHEMTREC has provided critical information to emergency service workers 
for incidents ranging from the attacks at both the World Trade Center 
and the Pentagon to the Columbia space shuttle disaster.
---------------------------------------------------------------------------
    On behalf of the chemical sector, ACC recently participated in 
TopOff 3, the third in a series of congressionally mandated emergency 
response exercises. TopOff 3 was the first such exercise to involve the 
private sector. ACC's involvement in TopOff 3 helped generate ideas for 
further improving the Chemical ISAC and added significant value to 
other signature parts of the exercise. The success of the public--
private sector cooperation and coordination during TopOff 3 clearly 
underscored the value of private sector involvement, not only for 
providing expertise but ensuring that the business impacts of terrorist 
events and official reactions (or inaction) to such events are 
considered in both short and long term emergency management planning.

    D. Develop a Legislative Proposal
    ACC recognizes that not all chemical facilities are currently 
regulated under the MTSA. We also recognize that not all chemical 
facilities belong to ACC, and may not have taken the same kinds of 
aggressive steps that our members have taken--steps that have cost our 
members an estimated $2 billion since 9/11.
    As a result, ACC has been taking a leadership role at the federal 
level to ensure that all chemical facilities are secured against the 
threat of terrorism. We have worked continuously with Congress and the 
Administration to secure enactment of national security legislation 
that will:
         Establish national standards for security of chemical 
        facilities;
         Require facilities to conduct vulnerability 
        assessments and implement security plans;
         Provide oversight, inspection, and enforcement 
        authority to DHS.
    In the absence of federal action on this vital topic, state 
legislatures are beginning to fill the vacuum. Both Maryland and New 
York have enacted chemical facility security laws. ACC was able to 
support both of these statutes, and is working with the two states' 
offices of homeland security on their implementation. However, we 
strongly believe a national program, not a patchwork of potentially 
conflicting state efforts, is necessary.
    Naturally, ACC members feel that federal legislation should respect 
their substantial voluntary, at-risk expenditures implementing the 
Responsible Care Security Code. As GAO's John Stephenson stated at 
April's Senate hearing: ``I would expect that any federal system would 
give them credit for--indeed, recognize'' ACC members' efforts. At the 
same hearing, Richard Falkenrath, former Deputy Homeland Security 
Advisor, concurred that these measures were ``good,'' and that ACC 
member companies deserved ``a level playing field'' and ``a common set 
of expectations'' that all chemical facilities would be required to 
meet.

III. ACC's Views on Inherent Safety
    In legislative and policy debates over chemical security, no issue 
has proven more controversial than the concept of ``inherent safety'' 
and what role it should play. Because of ACC members' deep investment 
in this issue, I would like to spend the balance of my time explaining 
our views and why we feel so strongly about them.
    The concept of inherent safety was invented by the chemical 
engineering profession. In fact, it is no exaggeration to say that the 
business of chemistry, and indeed ACC members, wrote the book on 
inherent safety. The leading reference on the subject--Inherently Safer 
Chemical Processes: A Life Cycle Approach, also known as the ``Gold 
Book''--was written by nine process safety experts, every one of whom 
worked for an ACC member company at the time.\6\ The concept of 
inherent safety has been well understood within the process safety 
community for many years. Basically, it means designing a process to 
avoid creating a hazard in the first place, rather than trying to 
control the hazard afterward with add-on protective equipment or 
procedures.
---------------------------------------------------------------------------
    \6\ Inherently Safer Chemical Processes: A Life Cycle Approach 
(1996), published by the Center for Chemical Process Safety of the 
American Institute of Chemical Engineers.
---------------------------------------------------------------------------
    The business of chemistry has long embraced inherently safer 
approaches. For over a decade and a half, our Responsible Care 
initiative has required ACC members to have mechanisms for reviewing 
the design and modification of facilities and job tasks, with 
inherently safer design and material substitution at the top of the 
hierarchy of controls. This drives our members continually to develop 
and implement safer processes. We conduct process hazard analyses of 
our facilities, and those analyses can lead us to change processes, 
modify procedures, or substitute materials to reduce and manage risks. 
As I noted earlier, the Responsible Care Security Code mandates that 
our members take inherently safer approaches into account in assessing 
possible security measures. As a result, the GAO documented that seven 
out of the 10 ACC members it visited had made process changes as a part 
of their security enhancements.\7\
---------------------------------------------------------------------------
    \7\ See ``Protection of Chemical and Water Infrastructure,'' supra 
note 3, at 21.
---------------------------------------------------------------------------
    I cannot overemphasize, however, that inherent safety is about 
reducing all the risks potentially associated with a process. Inherent 
safety typically involves making very challenging risk/benefit 
judgments to ensure that risks are not unwittingly shifted or 
substituted, and that overall risks are reduced. Many inherently safer 
approaches involve trading one risk against the potential of another. 
For example, advocates of inherent safety frequently speak of reducing 
onsite inventories, or reducing or eliminating storage, of hazardous 
materials. By reducing inventories, though, a facility may increase the 
number of truck shipments through the plant's neighborhood. Similarly, 
replacing a low temperature, low pressure process that uses a toxic 
chemical with a process that uses a less toxic chemical, but operates 
at higher temperatures and pressure, could endanger workers.
    Fundamentally, ACC has been dubious of any regulatory initiative 
that involves government agencies or other third parties reviewing and 
approving--or disapproving--facilities' decisions regarding inherent 
safety, whether in the context of security or otherwise. The history of 
``inherently safer'' approaches is full of examples of unintended 
consequences: chlorofluorocarbons, underground storage tanks and PCBs 
were all originally regarded as inherently safer, from the perspective 
of fire or explosion. Their possible effects on stratospheric ozone, 
groundwater or health, however, were not fully appreciated until later.
    The challenge to regulators is compounded by the complexity of 
chemical industry processes. There are no ``standard processes'' for 
making chemicals, and ``[c]omplex process systems, especially those 
with a long history of safe performance, should not suddenly be changed 
without careful thought and consideration.'' \8\ To expect effective 
regulatory oversight in this area is unrealistic, at least without 
great difficulty, expense and delay. In fact, in the Clean Air Act Risk 
Management Program rulemaking, EPA concluded that requiring and 
reviewing multiple process options at each regulated plant would not 
lead to greater advances in process safety.\9\ In doing so, it 
recognized that no small, central group of people can be so omniscient 
as to be able to understand the huge range of issues involved at so 
many unique facilities.
---------------------------------------------------------------------------
    \8\ David Moore, ``Judging Effectiveness of Inherent Safety for 
Safety and Security of Chemical Facilities,'' presented at the 20th 
Annual CCPS International Conference (April 11-13, 2005), at 3.
    \9\ See 61 Fed. Reg. 31699 (June 20, 1996). Dr. Falkenrath 
testified before the Senate in April that he ``disagrees'' with those 
who would try to accomplish the goals of federal chemical security 
legislation through existing authority under the Clean Air Act's 
general duty clause, adding that it would be ``politically imprudent'' 
to accomplish such a significant intervention in the economy via such 
an indirect and imprecise mechanism.
---------------------------------------------------------------------------
    The challenge facing regulators--and even businesses--is further 
heightened by that fact that, while the concept of inherent safety is 
well understood, how to implement that concept is not. One of the 
nation's leading academics in process safety has declared that ``a 
systematic methodology to measure inherent safety does not exist, and 
it is not currently possible to know how inherently safe a plant or 
equipment item is because it is not possible to evaluate the principles 
that have been applied.'' \10\ Another leading process safety expert 
concurs: given ``the lack of formal and agreed inherent safety 
approaches . . . [e]xperience has shown that regulators and industry 
have a difficult time interpreting inherent safety and agreeing on 
adequacy of efforts.'' \11\ This is not to say that such methodologies 
cannot be developed--they should, and ACC supports efforts to do so. 
But even if agreement on methods is achieved, leading process safety 
experts discount the feasibility of using them in a regulatory system: 
``[T]he complexity of process plants essentially prevents any 
prescriptive rules that would be widely applicable.'' \12\
---------------------------------------------------------------------------
    \10\ Sam Mannan, White Paper, ``Challenges in Implementing Inherent 
Safety Principles in New and Existing Chemical Processes'' (2002). Dr. 
Mannan is Director of the Mary Kay O'Connor Process Safety Center at 
Texas A&M University.
    \11\ David Moore, supra note 8, at 1.
    \12\ Mannan White Paper, supra note 10, at 6.
---------------------------------------------------------------------------
    Witnesses at April's Senate hearing agreed on the importance of 
legislation ``focus[ing] tightly'' on security and not becoming a 
``back door'' way of addressing ``extraneous'' issues. Dr. Falkenrath 
maintained that the government should not have the power to order 
hazard reduction measures to be taken. Mr. Stephenson agreed, adding 
that many types of chemicals and chemical processes do not lend 
themselves to such approaches without massive capital expenditures, and 
that, in general, facilities using or storing such chemicals can make 
such changes more easily than manufacturing facilities.
    In the final analysis, ACC firmly believes that judgments about 
inherent safety are fundamentally process safety decisions that must 
ultimately be left to the process safety professionals. We will remain 
concerned about legislation that would enable government officials 
focused on security to second-guess process safety decisions.

IV. Conclusion
    In closing, I want to reiterate our commitments. Our member 
companies are committed to doing all they reasonably can to enhance the 
security of their operations and products against those who would do us 
harm. But we know that our nation will not be safe until all chemical 
facilities that need to be protected have taken steps equivalent to 
those taken by our members.
    It has been over three and a half years since 9/11. It is time to 
act, and we welcome this hearing. We are committed to working with you 
and others to see that legislation is enacted in this session of 
Congress. Thank you, and I'd be happy to answer any questions.

    Mr. Pearce. [Presiding.] Thank you for your testimony, and 
the Chair now recognizes Mr. Allen Summers, President and CEO 
of ASMARK, testifying on behalf of the Fertilizer Institute.

                   STATEMENT OF ALLEN SUMMERS

    Mr. Summers. Thank you, Mr. Chairman, members of the 
subcommittee. I am Allen Summers. I am a farmer, retail 
fertilizer dealer and a compliance consultant specializing in 
safety and security at agricultural retail locations. I am here 
today to testify on behalf of the Fertilizer Institute.
    TFI is the leading voice of the Nation's fertilizer 
industry representing the public policy, communication and 
statistical needs of manufacturers, producers, retailers and 
transporters of fertilizer. On behalf of TFI, I very much 
appreciate the opportunity to testify today on the tremendous 
security efforts our industry has put forward.
    We farm about 800 acres in Glendale, Kentucky. I also 
happen to be a co-owner of a retail farm center called Cecilia 
Farm Services in Cecilia, Kentucky. We do about a $5.7 million 
volume on an annual basis. We have a little over a thousand 
customers and we know who they are and call them by name when 
they walk through the door. We provide custom fertilizer each 
year for 30,000 of our customers' acres and we employ 8 full-
time employees and 4 part-time employees.
    In 1990, I founded the company called ASMARK to help our 
retailers in the country comply with the regulatory 
requirements. We are exclusively agriculturally based and our 
purpose is to assist the agricultural retailers with their DOT, 
EPA and OSHA compliance requirements. We have been in business 
a little over 15 years and lost only 4 clients. We have a very 
close industry, and I would like to paint you a picture of our 
typical facility. We are included in these chemical plants' 
security testimony today, but I need to paint you a very clear 
picture of our typical facility.
    On average, the typical facility only has 5 to 7 employees. 
It is located in small, rural, sparsely populated communities, 
and we are really not attractive targets for terrorists. We are 
not a chemical facility, but we realize we do have a 
responsibility to secure our facilities. Our industry has 
already made a voluntary effort to secure our facilities.
    Shortly after the September 11 tragedy, the fertilizer 
industry adopted a management practices security code designed 
to help the industry achieve continuous security performance 
using a risk based approach. The code calls on fertilizer 
makers to use methodologies developed by the Center for 
Chemical Process Safety or the Synthetic Organic Chemical 
Manufacturers Association when making security related 
improvements.
    2002 also brought the year that we began work on a 
agricultural Web based security vulnerability assessment. We 
work with the Center for Chemical Process Safety to accredit 
the ASMARK's security vulnerability assessment model. We work 
with the Fertilizer Institute, Agricultural Retailers 
Association, Crop Life America and the various State trade 
associations that we work with.
    It was an industry collaboration, I might add, to make a 
Web based SVA available to the Nation's retailers. There is 
approximately 6,500 retailers of this description in our 
country. And to date, more than 2500 SVAs have been voluntarily 
performed around the United States. Other industry efforts 
include Clemson University recently purchased the SVA tool for 
use at 220 retail locations in South Carolina. The Alabama 
Department of Homeland Security has also expressed interest, 
and we are working with them now.
    All facilities have developed and implemented written 
security plans required by DOT and the Coast Guard, and all 
facilities with anhydrous ammonia have prepared and implemented 
their risk management plan.
    One addendum to my testimony I would like to make is that 
our facilities at a retailer are a program 2 RMPs and that may 
help the panel in their effort of assigning risk. I would also 
offer that our efforts to enhance security have been noticed by 
Congressman Ron Lewis as he introduced legislation to help 
offset some of the security related expenses in the form of a 
tax credit.
    To conclude, we really don't consider ourselves a chemical 
facility and any legislation should be applied proportionately 
based on risk. Too many times our small industry gets saddled 
with one size fits all regulation that simply does not work and 
is not effective. We hope you will refrain from adopting 
antiquated concepts such as the inherently safer technologies 
which pose an economic and logistical threat to our industry.
    All we ask is that our Members of Congress recognize the 
tremendous actions that have been taken in our small 
communities and by our small industry and provide fair 
treatment for low risk facilities such as our retailers.
    I thank you for the opportunity to testify today and look 
forward to any questions you may have.
    [The statement of Mr. Summers follows:]

                  Prepared Statement of Allen Summers

Introduction
    Mr. Chairman and Members of the Subcommittee, I am Allen Summers. 
I'm a farmer, retail fertilizer dealer and compliance consultant 
specializing in safety and security at agricultural retail locations 
and I am here today to testify on behalf of The Fertilizer Institute 
(TFI). TFI is the leading voice of the nation's fertilizer industry, 
representing the public policy, communication and statistical needs of 
manufacturers, producers, retailers and transporters of fertilizer. On 
behalf of TFI, I very much appreciate the opportunity to testify today 
on the tremendous security efforts the American agricultural community 
has already undertaken and the steps Congress could take to bolster 
those efforts.
    Currently, I reside in Owensboro, Ky., where I pursue my life-long 
commitment to agriculture, a commitment that began on my family's farm 
in 1974. We currently farm over 800 acres of corn, soybean, wheat and 
tobacco and raise beef cattle and hogs. I am also a partner in Cecilia 
Farm Service, a retail farm supply business located in Cecilia, Ky., 
which provides custom fertilizer and crop protection product 
application to over 1,000 customers, representing 30,000 acres with a 
dollar volume last year of $5.7 million. Cecilia has eight full time 
employees and hires four seasonal workers during the busy spring 
planting and fall harvest season.
    Fifteen years ago I recognized a need in the agribusiness retail 
dealer community for assistance in bringing businesses into compliance 
with a wide range of federal regulations. Subsequently, together with 
my wife Susan and business partner Randy Lawrence, I established 
ASMARK, Inc., which offers security and compliance assistance services 
regarding numerous regulatory regimes including: Department of 
Transportation (DOT) driver qualification requirements; the 
Environmental Protection Agency's Risk Management Program; and 
Occupational Safety and Health Administration hazard communication 
regulations.
    Today, ASMARK, and its 14 full-time employees, is helping over 985 
clients comply with federal regulations and meet industry security 
standards. Our clients include large, multi-outlet agribusiness retail 
dealers as well as smaller independent agribusinesses.

Fertilizer and Security
    In response to the tragic events in Oklahoma City and the September 
11 terrorist attacks, agribusiness retail dealers undertook tremendous 
efforts to ensure that criminals intent on harming our country could 
not purchase and misuse fertilizer and crop protection products that 
are vital in helping feed and nurture America and the world.
    For example, in 2002 the fertilizer industry adopted a management 
practices security code designed to help the industry achieve 
continuous security performance using a risk-based approach. The code 
calls on fertilizer makers to use methodologies developed by the Center 
for Chemical Process Safety (CCPS) or the Synthetic Organic Chemical 
Manufacturers Association when making security-related improvements (* 
Exhibit A).
---------------------------------------------------------------------------
    * Maintained in the Committee's File.
---------------------------------------------------------------------------
    Also in 2002, I began working with several of my clients and the 
Agribusiness Security Working Group, comprised of members of TFI, the 
Agricultural Retailers Association and CropLife America, to develop a 
program to aid agribusiness retail dealers improve facility security to 
protect their fertilizer and crop protection products. As a result, a 
Web-based security vulnerability assessment (SVA) tool was developed 
and is now available to agribusiness retailers. The SVA tool is an 
invaluable security program that assists retailers in fully meeting the 
criteria the CCPS has created for conducting security vulnerability 
assessments (* Exhibit B). To date, the tool has proven to be a 
remarkable success, and is used by over 2,500 agribusiness retailers to 
develop security plans, based on SVA assessments, to address threats, 
risks and vulnerabilities.
---------------------------------------------------------------------------
    * Maintained in the Committee's File.
---------------------------------------------------------------------------
    The SVA tool also has a transportation component aimed at helping 
facilities comply with DOT security regulations. Most recently, Clemson 
University purchased the tool, making it available to all agribusiness 
retailers in South Carolina and just last week, I was contacted by the 
Alabama Department of Homeland Security regarding its potential 
interest in an arrangement to make the SVA available to all 
agribusinesses in Alabama. Naturally, we look forward to working with 
other states that might be interested in using the SVA to improve 
agribusiness facility security.
    In addition to the Web-based SVA tool, the Agribusiness Security 
Working Group has also developed and widely distributed ``Guidelines to 
Help Ensure a Secure Agribusiness.'' This six page document highlights 
three key security principles--identification of critical assets; 
establishment of layers of protection, and practice deter, detect and 
delay. The guidelines outline suggested practices covering facility 
security, customer transactions, special security measures and 
suggestions for partnering with customers on security and safety.
    As an owner of a farm supply center and a farmer, I firmly believe 
I have an obligation to ensure the security of the chemicals I store 
and apply. For example, at my farm center local fire and law 
enforcement officials are frequently invited to walk through the 
facility to recommend what additional security measures might be needed 
and to be provided with updates on the types of products we have on 
hand. I cannot of course speak for everyone in the agricultural 
community, but I do know that many of us have, on a voluntary basis, 
installed expensive security upgrades, conducted background checks on 
our employees and complied with DOT security regulations for 
transportation. Without question, a great many members of the 
agricultural community have undertaken tremendous efforts to guarantee 
the security of our nation.
    Across the country farmers and retailers are engaged in security 
efforts virtually unknown to the vast majority of the public. To 
illustrate, few members of the public may know that agricultural 
retailers and the Coast Guard work together to improve facility 
security. Yet from coast-to-coast, many agribusinesses have filed 
extensive security vulnerability assessments and plans with the Coast 
Guard in order to comply with the Maritime Transportation Security Act.
    In addition, commodity and production agriculture groups are 
actively working with the U.S. Department of Agriculture to develop 
practices to better secure inputs and design bio-safety protocols to 
address farm and ranch security issues. These on-going efforts are 
intended to increase producer-level awareness of steps that can be 
taken to safeguard America from acts of terrorism.

What More Needs to Be Done?
    During this hearing there has been considerable debate on whether 
Congress should approve chemical facility security regulations. There 
are those who charge that the chemical industry is not doing enough to 
secure products that wind up the hands of terrorists. In addition, 
there has been considerable debate over whether to mandate the use of 
inherently safer technologies (IST).
    Mr. Chairman, at this time I would like to briefly comment on these 
issues. The agricultural community, which bears the great burden of 
producing the food that feeds the world, is totally committed to the 
security of our homeland. Our strong commitment to security can be seen 
in the many steps already taken to secure our facilities, our farms and 
our food supply. Animal and crop producers, and retailers across the 
country have voluntarily conducted security assessments and developed 
security plans in response. Through our national and affiliated state 
associations we continuously remind the agribusiness community of their 
obligations to secure their facilities and the products they handle. In 
short, the agricultural community has done so much to improve security 
and must receive credit for the voluntary actions we have already 
taken.
    Mr. Chairman, it must be said that agribusinesses are generally 
located in rural, sparsely populated areas that are unlikely to be 
attacked by terrorists. The agriculture community has shown it is 
willing to do all that it can to help secure our country, but remember 
that each year millions of acres must be planted in a few short weeks 
and security measures that may work well for urban manufacturing 
centers will not work for agriculture. Therefore, it is essential that 
future security requirements are proportional to the risks found in 
rural communities.
    Finally, IST is not a security issue--it is a safety issue. If 
there is a safer, more economical way of doing something, we do it. IST 
is a decades-old, antiquated concept that can only work when applied by 
a site owner's engineers who truly understand the operation of the 
facility. Any attempt to require IST by government edict jeopardizes 
worker and community safety. Mr. Chairman, the agriculture community 
would strenuously oppose any proposal that would mandate the use of 
IST.

Conclusion
    Mr. Chairman and members of the committee, American farmers and 
retailers are committed to security, of that there can be no doubt. 
That commitment is readily demonstrated through the significant number 
of voluntary security steps our community has taken and will continue 
to take. Without question, we very much want to help Congress in its 
endeavors to shield this country from acts of terrorism. We support 
Department of Homeland Security (DHS) Secretary Chertoff's efforts to 
evaluate all of the nation's vulnerabilities and then prioritize the 
Federal government's response based on sound risk assessments.
    All we ask is that members of Congress recognize the tremendous 
actions already taken by our community, provide fair treatment for 
small, low-risk facilities, and reject any and all attempts to revive 
obsolete concepts like IST. In taking on 21st Century terrorists, 
Congress must first recognize the progress that has been made to date 
and take account of on-going DHS efforts to develop a framework that 
recognizes the special needs of agriculture.
    I thank you for the opportunity to testify today and look forward 
to answering any questions you might have.

    Mr. Pearce. Thank you, Mr. Summers, for your testimony, and 
the Chair now recognizes Mr. DePasquale, Security Specialist 
from the University of Georgia, to testify.

                  STATEMENT OF SAL DePASQUALE

    Mr. DePasquale. Mr. Chairman and Ranking Member Sanchez, if 
it is all right with the committee, you have my written 
statement and rather than read it to you in the interest of 
time to facilitate questions, if it is acceptable I certainly 
would waive reading it to you.
    Mr. Pearce. We have plenty of time to go ahead and you can 
make comments, and we have 15 minutes and 15 minutes 
legislatively could take us to next week.
    Mr. DePasquale. Thank you. My name is Sal DePasquale, and I 
have specialized in security for over 25 years with experience 
in chemical plants, industrial facilities, a range of 
government facilities, including the Department of Energy's 
facilities and many others. I thank the Chair for inviting me 
to speak with you today and allowing me an opportunity to share 
my observations relative to the security posture of chemical 
plants in our country and on the security of those industrial 
facilities that procure and utilize those chemicals.
    Over the past 25 years, my career in security has provided 
me with an opportunity to view the industry from many vantage 
points as a security consultant, as a system design engineer, a 
corporate security manager and as an academician, which is with 
Georgia State University and not the University of Georgia. My 
comments today represent the cumulative span of my experience 
there.
    There are three central points that I wish to make. The 
first is that although this is not the focus of this hearing, 
it is imperative, in my viewpoint, that consideration be given 
to the antagonisms that underlie the actions of our 
adversaries. To be sure, if the antagonisms are not addressed, 
the adversary will continue to attack, exploiting even the most 
remote vulnerabilities, taking greater risks and using bolder 
and more profound techniques for attack. The most thoughtful 
and comprehensive security programs may not be able to 
withstand the dedication of the adversary.
    Even if the source of antagonism is diligently confronted, 
there is still a substantial need to address our degree of 
vulnerability. Today there is little resistance to an adversary 
using modest techniques for attack. Indeed, it may be argued 
that an inner city liquor store is better protected than are 
the facilities that manufacture and use highly toxic and lethal 
chemicals.
    It is certainly true that we cannot inoculate ourselves 
against an attack, but surely we can do better than the 
mediocre and ineffectual practices that exist today. It is no 
secret that our industrial facilities are not prepared to 
defend against an armed assailant. Consequently, an adversary 
can reach a target using little more than a Saturday night 
special. Although industry claims it has invested considerably 
in security since September 11, the investments have been 
little more than window dressing. Indeed, the most 
sophisticated and costly camera systems cannot stop an armed 
assailant and may produce little more than material for use on 
the 11 o'clock news.
    Substantive security upgrades will require the following: 
Construction of formidable property barriers, application of 
sophisticated intrusion detection systems, and deployment of a 
trained and properly equipped security force for response to 
prevent the adversary from reaching the target. In my 
viewpoint, anything less is simply to demonstrate some action, 
however ineffectual.
    In a sense industry has been fortunate in that the 
adversary has used his skills to attack symbols of America. If 
the adversary alters strategy and attacks middle class America, 
industry may well be the next element of commerce that will be 
transformed into a weapon.
    Before we have a catastrophe that renders September 11 pale 
in comparison, I believe there are actions we may take to 
reduce our vulnerability to attack. I believe we need 
regulations. The legislation that was drafted by Senator Inhofe 
was rather promising. I would like to see it modified to 
require use of the physical security effectiveness tools 
produced by the Sandia National Laboratories, and I would like 
to see it include criminal penalties for corporate officers who 
fail to comply. In any event, I believe there are mechanisms 
available to avert a catastrophe, but it is imperative 
regulation provide the foundation.
    Having worked with the American Chemistry Council and the 
American Institute of Chemical Engineers in developing 
guidelines, I am well aware of the industry's argument that it 
can regulate itself. However, I also know they are quick to say 
that they do not want to issue prescriptive standards and 
prefer the softer and gentler method of promulgating guidelines 
that do not require substantive action. In my estimation, if 
the industry will not issue substitute standards, it cannot say 
that it is self-regulating. It is simply a contradiction in 
terms.
    The third point I would like to make is that it concerns 
emergency response preparedness. Across the country first 
responders have been scurrying to prepare for the threat of 
terrorism. That preparedness, however, has been couched within 
the paradigm of traditional exposures.
    When I am teaching first responders, I ask them how 
prepared they are for a chemical event. Typically, the response 
is that they are making great progress. They will tell me that 
they have X number of people trained at technician level 1 and 
X number trained to technician level 2 and so on. I would then 
suggest to them that the training they described is aimed at 
industrial accidents, not a terrorist attack. Indeed, response 
training and response protocols are geared for industrial level 
accidents. First responders are trained to container release, 
to plug holes in a leaking vessel and such.
    It is reasonable to project that a terror attack will not 
produce a leaking vessel, but instead will result in a ruptured 
vessel, completely unzipping the vessel. Within this context, 
there will not be any holes to plug. The magnitude of the 
release will quickly exceed the emergency response protocols 
and will likely result in injury to first responders.
    The scenarios contemplated for upgrading preparedness are 
not consistent with what might be anticipated. Our first 
responder community needs to focus on protocols within the 
context of a terrorist attack.
    Moreover, there is much lip service being paid to the new 
spirit of cooperation. At best, assorted agencies have 
conducted meetings to discuss the need for planning and then 
they go off individually and plan within the confines of their 
individual silo. It simply cannot go on that way if we are to 
be successful. In January of this year, in Graniteville, South 
Carolina, a railroad tanker carrying chlorine was involved in 
an accident.
    Mr. Pearce. If the gentleman would suspend there. If you 
could wrap up, we would appreciate it.
    Mr. DePasquale. In Graniteville, South Carolina, half the 
contents of a railcar was released and it was released over a 
4-day period. Fortunately, it was in a sparsely populated 
region. The emergency management people who responded to that 
said we were fortunate, because if it was a densely populated 
area, the death toll would have been well into that 10,000 
range, if not beyond.
    Thank you.
    [The statement of Mr. DePasquale follows:]

                  Prepared Statement of Sal DePasquale

    Good afternoon Chairman Lungren, Ranking Member Sanchez, and 
Members of the Committee. My name is Sal DePasquale and I have 
specialized in security for over 25 years with experience in chemical 
plants, industrial facilities, a range of government facilities 
including Department of Energy facilities and many others.
    I thank the chair for inviting me to speak with you today and 
allowing me an opportunity to share my observations relative to the 
security posture of chemical plants in our country and on the security 
of those industrial facilities that procure and utilize those 
chemicals.
    Over the past 25 years my career in security has provided me with 
an opportunity to view the industry from many vantage points as a 
security consultant, a system design engineer, a corporate security 
manager and as an academician. My comments today represent the 
cumulative span of my experience.
    There are three central points that I wish to make:
        1. Although not the focus of this hearing, it is imperative 
        that consideration be given to the antagonisms that underlie 
        the actions of our adversaries. To be sure, if the antagonisms 
        are not addressed, the adversary will continue to attack, 
        exploiting even the most remote vulnerabilities, taking greater 
        risks and using bolder and more profound techniques for attack. 
        The most thoughtful and comprehensive security programs may not 
        be able to withstand the dedication of the adversary.
        2. Even if the source of antagonism is diligently confronted, 
        there is still a substantial need to address our degree of 
        vulnerability. Today there is little resistance to an adversary 
        using modest techniques for attack. Indeed, it may be argued 
        that inner city liquor stores are better protected than are the 
        facilities that manufacture and use highly toxic and lethal 
        chemicals.
                It is certainly true that we can not inoculate 
                ourselves against an attack, but surely we can do 
                better than the mediocre and ineffectual practices that 
                exist today. It is no secret that our industrial 
                facilities are not prepared to defend against an armed 
                assailant. Consequently an adversary can reach a target 
                using little more than a Saturday night special. 
                Although industry claims it has invested considerably 
                in security since September 11, the investments have 
                been little more than window dressing. Indeed, the most 
                sophisticated and costly camera systems can not stop an 
                armed assailant and may produce little more than 
                material for use on the 11 o'clock news.

        Substantive security upgrades will require the following:
                 Construction of formidable property barriers
                 Application of sophisticated intrusion 
                detection systems
                 Deployment of a trained and properly equipped 
                security force for response to prevent the adversary 
                from reaching the target.
        In my viewpoint, anything less is simply to demonstrate some 
        action, however ineffectual.
    In a sense industry has been fortunate in that the adversary has 
used his skills to attack symbols of America. If the adversary alters 
strategy and attacks middle class America, industry may well be the 
next element of commerce that will be transformed into a weapon.
    Before we have a catastrophe that renders September 11 pale in 
comparison, I believe there are actions we may take to reduce our 
vulnerability to attack. I believe we need regulations. The legislation 
drafted by Senator Inhofe was rather promising. I would like to see it 
modified to require use of the physical security effectiveness tools 
developed by Sandia National Laboratories and I would like to see it 
include criminal penalties for corporate officers who fail to comply. 
In any event, I believe there are mechanisms available to avert a 
catastrophe, but it is imperative that regulation provide the 
foundation.
    Having worked with the American Chemistry Council and the American 
Institute of Chemical Engineers in developing guidelines, I am well 
aware of industry's argument that it can regulate itself. However, I 
also know they are quick to say that they do not want to issue 
prescriptive standards and prefer the softer and gentler method of 
promulgating guidelines that do not require substantive actions. In my 
estimation, if the industry will not issue substantive standards, it 
can not say that it is self regulating. It is simply a contradiction in 
terms.
        3. The final point that I wish to make concerns emergency 
        response preparedness. Across the country first responders have 
        been scurrying to prepare for the threat of terrorism. That 
        preparedness, however, has been couched within the paradigm of 
        traditional exposures.
    When I am teaching first responders, I ask them how prepared they 
are for a chemical event. Typically the response is that they are 
making great progress. They will tell me that they have x number of 
people trained to technician level one and x number to level two and so 
on. I will then suggest to them that the training they described is 
aimed at industrial accidents, not a terrorist attack. Indeed, response 
training and response protocols are geared for industrial level 
accidents. First responders are trained to contain a release, plugging 
holes in a leaking vessel and such.
    It is reasonable to project that a terror attack will not produce a 
leaking vessel, but instead will result in a ruptured vessel, 
completely unzipped. Within this context, there will not be any holes 
to plug. The magnitude of the release will quickly exceed the emergency 
response protocols and will likely result in injury to first 
responders.
    The scenarios contemplated for upgrading preparedness are not 
consistent with what may be anticipated. Our first responder community 
needs to focus on their protocols within the context of a terror 
attack.
    Moreover, there is much lip service being paid to the new spirit of 
cooperation. At best, assorted agencies have conducted meetings to 
discuss the need for planning and then they go off individually and 
plan within the confines of their individual silo. It simply can not go 
on this way, if we are to be successful.
    In January this year, in Graniteville, South Carolina a railroad 
tanker carrying chlorine was involved in an accident that resulted in 
over half of its contents released into the atmosphere over a four day 
period. Two first responders and several residents were killed.
    According to Georgia and South Carolina emergency management 
officials, the death toll could have been substantially higher. The 
area is sparsely populated and the material leaked out over several 
days. A massive rupture of a tanker in a highly populated area would 
produce a tragedy beyond imagination.
    Although the accident was relatively contained, it is exemplary of 
the lethal potential of industrial chemicals.
    Immediately after September 11, Senator Corzine and others put 
forth legislation to secure hazardous materials. The merits of the 
legislation may be debated, but it was an initial response to an 
obvious vulnerability. The chemical industry balked at the idea and 
argued that it could regulate itself more efficiently and effectively; 
ultimately killing the Corzine legislation.
    The chemical industry regulates itself by way of the American 
Chemistry Council's Responsible Care program. This program includes 
guidelines for member companies to embrace to demonstrate responsible 
management of hazardous substances.
    In regulating itself, however, the chemical industry says it does 
not want to produce prescriptive standards; it wants only to issue 
guidelines and best practices. It is very careful not to produce 
prescriptive standards for fear that the member companies might balk 
and because failing to comply with the standard would have legal 
implications.
    Without prescriptive standards, however, there can be no self 
regulation. The result of guidelines and nice sounding best practices 
is to create a smoke and mirrors exercise that makes it appear that 
something serious is being accomplished, when it, indeed, is not.
    The issue of security is no exception. In response to September 11, 
the ACC required its members to conduct a vulnerability analysis. This 
is a noteworthy exercise, but it does not require the companies to 
actually do anything in response to the analysis nor does it establish 
any minimum standards for defense against the most obvious exposures. 
Indeed, it is another exercise in smoke and mirrors; makes it seem like 
something substantive is occurring, when it is not. There are some 
additional requirements beyond the vulnerability analysis such as it is 
mandatory to have management support, but these additional items are 
innocuous.
    Fundamentally, the standard should be sufficient security to 
withstand an attack by an armed adversary intent on using hazardous 
materials for mass casualties. As it is, an adversary with a six 
shooter can defeat the security of most facilities.
    I thank you for this opportunity to testify, and I look forward to 
answering any questions you may have.

                  Sal DePasquale Additional Statement

1. Law Enforcement and Security
    There is a huge difference between Law Enforcement and Security, 
although the widespread paradigm is that they are synonymous; they are 
not. This does not mean a judgment that one is better than it other; it 
is simple to make a distinction.
    Law Enforcement is skilled in enforcing the law, when the law has 
been violated. The skills include investigative practices, interogation 
techniques, crime scene analysis, evidence preparation, etc. Security 
is focused on risk analysis, identification of vulnerabilities, the 
technical aspects of security systems, barriers and response forces. 
These are very different skills.
    When Homeland Security was formed, it was formed by combining 
numerous Law Enforcement agencies. The disarray that became evident 
after its commissioning was clearly demonstrated at the hearing last 
week. As the agency grappled with the tasks and responsibilities of 
security, it turned to the chemical industry, among others, for help in 
understanding chemical exposures. Industry lobbyists were all too 
willing to help. Consequently the agency provided data suggesting that 
a chemical attack would only expose about 10,000 people. In my 
estimation, this is astounding. You need look no farther than Bophal 
for an example of what may happen and, mind you, that event was not a 
complete vessel rupture.
    I find this troubling because it seems the committee is looking to 
the agency and other experts to provide data upon which it can develop 
legislation, if need be. For the legislation to be sound and effective, 
it must be based on credible data. I would urge the committee to hear 
from credible sources on the consequences of a chemical attack; non 
partisan chemical engineers unaffiliated with the chemical industry. 
The emergency management officials who managed the chorine accident in 
Graniteville, South Carolina may also provide significant insight. U.S. 
military chemical warfare specialist may also provide quality data.
    On the issue of how to secure dangerous chemicals I would suggest 
the committee hear from security officials from the Department of 
Energy, widely respected for their years of experience in security. The 
Homeland Security people claim they have helped the chemical industry 
by purchasing internet based cameras to aid in surveillance of the most 
sensitive chemical facilities. I would be very interested to hear the 
viewpoints of DOE security officials concerning the use of internet 
based cameras. My view is that this is terribly ill conceived as it 
allows the adversary to exploit internet security weaknesses to use the 
government purchased cameras for viewing the potentially targeted 
sites. Indeed, I would expect a junior security person to understand 
this fundamental tenant of security. Internet cameras have an 
application, but not where the stakes are high.

2. ACC reference to Third Party Verification
    It was noted during the hearing that the American Chemistry 
Council's (ACC) security program includes third party verification of 
the security assessments conducted by member companies. It is important 
to understand what that means exactly. It may have changed since I was 
last involved with the ACC Security Guidelines, but as I understand it, 
the third party verification is limited solely to verifying that the 
company implemented the security measures that it thought it should 
implement. It is not a verification of the analysis and of the adequacy 
of the selected security measures.
    This is analygous to a patient conducting a self diagnosis, 
discovering serious diseases and maladies, and concluding that they 
merely need some aspirin. The third party verifier simply needs to 
validate that the patient ingested the aspirin.

3. Security legislation should establish a credible agency with 
responsibilities for creating security codes and standards. The code 
should be similar to the fire code which accommodates a wide range of 
facilities and stipulates specific requirements.
    The legislation should require the codes and standards be developed 
to address the following:
         Criteria for determining the chemicals requiring 
        safeguards.
         Use of intrusion detection and physical barrier 
        systems to detect and delay an adversarial attack.
         Security response capacity to intercept and immobilize 
        the adversary before reaching the targeted chemical source.
                 Use of analysis tools developed by Sandia 
                National Laboratories for evaluation of the physical 
                security effectiveness.
                         Estimate of Adversary Sequence 
                        Interruption (EASI)
                         System Analysis of Vulnerability to 
                        Intrusion (SAVI)
         Training and qualification criteria for security 
        response officers.
         Background investigation criteria for individuals with 
        access to the chemical source or chemical operations area.
         Protocols for investigation of suspicious activity
         Standards for security record keeping
                 Define classified data
                 Define public access data
         Standards for cyber security
                 Business management systems
                 Automated manufacturing production systems
         Requirements for periodic updating, modification and 
        resubmittal of security plans for review and approval by the 
        regulating agency.
         Requirements for submittal of security plans for 
        review and approval by the regulating agency.
         Requirements for creating emergency response 
        protocols.
    Once again these are my viewpoints and not those of the 
organizations with which I am affiliated. Thanks again for the 
opportunity to express my views.

    Mr. Pearce. Thank you, Mr. DePasquale, and I thank all the 
witnesses. There are questions that the committee would like to 
ask, so with your indulgence, it will be about 15 to 20 
minutes, and we will reconvene at the call of the Chair. The 
committee stands in recess.
    [Recess.]
    Mr. Pearce. The committee will come to order and the Chair 
would recognize Mr. Dicks for questioning.
    Mr. Dicks. Thank you, Mr. Chairman. We appreciate your 
efforts here to keep this going. Mr. DePasquale, is that how 
you say it?
    Mr. DePasquale. DePasquale.
    Mr. Dicks. When you testified, you said we needed to have 
what kind of standards?
    Mr. DePasquale. Substantive standards that would give some 
specifics about establishing that barrier and establishing a 
response force that is capable of interceding and preventing 
the adversary from getting to the target. And I made reference 
to the models that have been developed by Sandia National Labs 
for evaluating physical security effectiveness, which are used 
in the Department of Energy and NRC environment extensively.
    Mr. Dicks. What you are worried about is an armed group 
attacking one of these plants, and then once they get in they 
could then release these chemicals; isn't that basically the 
scenario you are talking about?
    Mr. DePasquale. That is correct. If I am an armed adversary 
and I use my weapon to eliminate whatever obstacle I have in 
front of me, an armed guard or whatever the case may be, and 
then I reach the target, which would be a vessel containing 
toxic materials, I place a bomb on it and unzip the vessel to 
release it.
    Mr. Dicks. Now you also said that you have to have--trying 
to think of the phrase you used--substantive requirements and 
rather than just letting people self-regulate; if the industry 
will not issue substantive standards, it cannot say that it is 
self-regulating. It is simply a contradiction in terms.
    Tell me what kind of substantive standards you think should 
be promulgated, either by Congress or by whoever.
    Mr. DePasquale. I would say that the standards should be to 
provide a response force that is capable and has the capacity 
to intercept and demobilize an adversary before the adversary 
reaches the target. And I would also suggest that part of that 
standard would be to use the tools developed by Sandia to 
evaluate the response force capability. I would establish a 
code and a database on physical security systems that establish 
the delay factors of each of those systems and the reporting 
times for the devices.
    One of the mechanisms that Sandia has is it says if you 
have a fence and the fence has these devices on it, it will 
take an adversary 6 seconds to breach that barrier. And it will 
also evaluate other barriers that are between the exterior of 
the property and the target. And then what they evaluate is 
what is the response force capability. When you add up all the 
time that it takes the adversary to get through your obstacles, 
your physical security systems, is there sufficient time for 
the response force to be able to intervene?
    Mr. Dicks. Mr. Durbin, do you have any problem with that?
    Mr. Durbin. Mr. Dicks, I think the way I would respond to 
that, our member companies through the Responsible Care 
Security Code did utilize vulnerability assessment methodology 
that was developed by Sandia National Labs as well as a 
separate one by the Center for Chemical Process Safety. I think 
the issue of having armed response, it is not necessarily an 
issue of whether you have full-time armed forces on site at 
every facility, but where appropriate, based on risk, based on 
your vulnerability assessment, is there an armed response 
capability that is nearby and dedicated. We have member 
companies across the range, not only the types of facilities 
that they operate, but the way they respond to--the types of 
guards or other forces they may have. Some will have full-time 
guards. Some of them are armed. Others work with the local law 
enforcement to ensure that there is a standard operating 
procedure, so if there is a rise in the threat level of some 
kind, they have an agreement with either local law enforcement, 
contract services, off duty folks, whatever it might be, to 
ensure that if there is a need at that facility, you will have 
that capability.
    Mr. Dicks. That is not good enough, is it?
    Mr. DePasquale. No. The local police cannot get there 
quickly enough. The best local police response would not be--
and I am not talking about every chemical facility, I am 
talking about facilities that have--
    Mr. Dicks. You are talking about the ones that carry the 
highest risk?
    Mr. DePasquale. Exactly.
    Mr. Dicks. We know the number of those. I think it is 
classified, but several hundred.
    Mr. DePasquale. I think there are many, many more. If I 
take one railcar of chlorine, that is 90 tons of chlorine, 90 
tons. And there is a lot more than 123 of them. And if they are 
anywhere near a population, I am sorry, but I would venture to 
say that a lot more people are going to die than were 
characterized in those estimates that you heard earlier.
    Mr. Dicks. Do you think Congress has to step in here and 
legislate in order to get this done?
    Mr. DePasquale. Actually, I think it is unreasonable to 
look at an industry association to expect it to come up with 
rigorous codes and standards that its membership is going to 
embrace and like. I don't think that that is plausible. When we 
look at traditional security practices, and as I look at many 
of the chemical facilities and industrial facilities, those 
practices are good for dealing with our traditional criminals. 
When we add into the equation a terrorist who wants to get at 
that material, that wants to cause massive death, that is a 
whole different thing.
    Mr. Dicks. And willing to give up his life to do it?
    Mr. DePasquale. Willing to give up his life to do it. And 
it is just not tweaking the existing security. It is a radical 
rethinking of the security practices.
    Mr. Dicks. Can we afford to do it? This is the other side 
of the equation. There are a lot of--this is one sector. We 
have 17 sectors. Now I do believe that because of the danger of 
some chemicals this has to be given special attention. But that 
is the other side of the equation.
    Mr. DePasquale. I don't mean to minimize that, because I 
believe the costs are substantial and formidable. I would say 
this. If I take the security posture of industrial America and 
I apply that same posture to Department of Energy facilities, I 
don't believe any of you would accept that. I believe that you 
would say there is no way we could allow our nuclear facilities 
to be protected like that. And I would suggest that when you 
look at the lethality of these materials it is not very much 
different.
    Mr. Dicks. Thank you very much, and I appreciate your 
testimony. I am glad you were able to make your statement 
because I think it is a very important statement. Thank you.
    Thank you, Mr. Chairman.
    Mr. Pearce. Thank the gentleman and the gentleman's time 
has expired. The gentleman from Massachusetts.
    Mr. Markey. Mr. Durbin, you sent an e-mail to your 
corporate colleagues the same week that this committee marked 
up its Homeland Security authorization bill, and I would like 
to submit a copy, Mr. Chairman, of that e-mail for the record.
    Mr. Pearce: Without objection.
    [The information follows:]

    [GRAPHIC] [TIFF OMITTED] T4604.001
    
    [GRAPHIC] [TIFF OMITTED] T4604.002
    
    [GRAPHIC] [TIFF OMITTED] T4604.003
    
    [GRAPHIC] [TIFF OMITTED] T4604.003
    
    [GRAPHIC] [TIFF OMITTED] T4604.004
    
    [GRAPHIC] [TIFF OMITTED] T4604.005
    
    [GRAPHIC] [TIFF OMITTED] T4604.006
    
    [GRAPHIC] [TIFF OMITTED] T4604.007
    
    [GRAPHIC] [TIFF OMITTED] T4604.008
    
    [GRAPHIC] [TIFF OMITTED] T4604.009
    
    [GRAPHIC] [TIFF OMITTED] T4604.010
    
    [GRAPHIC] [TIFF OMITTED] T4604.011
    
    Mr. Markey. In that e-mail you said that ACC members had 
told the Senate that the ACC supported Federal chemical 
security legislation, but said that ACC had asked everyone to 
tell the House to oppose the Markey Federal chemical security 
legislation. Now today, you are telling this subcommittee that 
you do support legislation, so I would like to understand 
exactly what it is that you do support.
    Mr. Durbin, would the ACC support legislation that created 
mandatory enforceable risk-based Federal standards for chemical 
facilities that go beyond the voluntary measures that some ACC 
members have taken?
    Mr. Durbin. Yes, sir. That is what we have been saying all 
along. The Responsibility Care Security Code has set a model 
and we believe our members are doing the right thing, but we 
know it is not enough and that we need to make sure we have a 
national approach to ensure that all facilities that need to be 
protected are taking the same types of aggressive actions that 
our members have already taken.
    Mr. Markey. Would the ACC support legislation that requires 
the Department of Homeland Security to evaluate chemical 
facilities security using force-on-force exercises by entities 
that are not, in fact, controlled by the security around the 
chemical facility?
    Mr. Durbin. That issue has not been discussed among ACC 
members. What I would suggest, if the regulations are done on a 
risk-based, performance-based process and that the 
vulnerability assessments required are done, you have a 
rigorous--
    Mr. Markey. You are the Director of Security and Operations 
for the American Chemistry Council. Do you support having 
force-on-force tests of the security around chemical 
facilities?
    Mr. Durbin. I don't have enough information to be able to 
know whether that is appropriate.
    Mr. Markey. You are the Director of Security?
    Mr. Durbin. Yes.
    Mr. Markey. You don't have a view on whether or not force-
on-force--
    Mr. Durbin. I believe if the regulations are developed in a 
risk-based manner and it is determined--and again, we have said 
that we should give authority to the Department of Homeland 
Security to develop the regulations. And in that process, they 
determine that--
    Mr. Markey. I am asking your view. I am not asking for 
their view. You are the expert witness. Do you believe that 
force-on-force tests of existing security around chemical 
facilities is something that we should include?
    Mr. Durbin. I think it should be considered.
    Mr. Markey. But not included?
    Mr. Durbin. I don't have enough expertise.
    Mr. Markey. I have a hard time believing that the Director 
of Security for the chemical industry has no view on that 
critical question. There are only three or four critical 
questions. And you don't have a view?
    Mr. Durbin. I would be more than happy to get back to you 
on that.
    Mr. Markey. Would the ACC support legislation that required 
companies to reduce the risks their facilities posed by taking 
steps to replace toxic chemicals or processes with less 
dangerous technologies when it is economically and 
technologically feasible for them to do so?
    Mr. Durbin. No, sir. We would not, but I want to make clear 
that we believe the issue of--as you are doing your 
vulnerability assessments and security plans as within the 
Responsible Care Security Code, you absolutely would have to 
consider inherently safer design approaches. And frankly ACC 
member companies have been required to do that under the 
Responsible Care program even prior to the security code. That 
continues to be a core part of the way our member companies do 
their business, always searching for inherently safer ways of 
making their products and moving their products. And if you are 
doing a vulnerability assessment, a rigorous vulnerability 
assessment, that helps you identify areas where you can make 
process changes.
    Mr. Markey. That is an honest response. Would the ACC 
support having whistleblower protections for anyone who is 
retaliated against for reporting chemical security flaws that 
match at least the protections which the Sarbanes-Oxley Act 
provides for whistleblowers when they turn in bad corporate 
practices at private firms?
    Mr. Durbin. I believe so. Again, that is not an issue we 
specifically discussed within ACC. I know those types of 
protections have been included in proposals that have been made 
and that has not been one of the areas where we have had any 
concerns.
    Mr. Markey. In your testimony, you state that your member 
companies have taken steps to incorporate ACC's best practices. 
Has ACC attempted to visit all of these companies to verify 
that they have done so?
    Mr. Durbin. Not ACC itself. We are a trade association and 
not an enforcement agency. Our member companies had third 
parties come in themselves from the local area to verify that 
physical security enhancements were made at facilities.
    I would like to make one other thing clear. ACC has not 
taken the position that we should be left alone or we are self-
regulating. What we have said is we have set a bar on what 
needs to be done in security and that we believe there is a 
need for national legislation to ensure that the entire 
chemical sector is protected.
    Mr. Markey. Mr. DePasquale, as you know, the chemical 
industry has opposed all legislative proposals that contain a 
requirement to switch to less dangerous technologies in order 
to reduce the risk. In fact, Mr. Durbin's testimony today 
restated that point. In your opinion and based on your 
extensive industrial experience, have chemical companies 
already done everything they can to switch to safer chemicals, 
processes in order to reduce the risk to their facilities?
    Mr. DePasquale. You know, it is a curious thing. I have had 
several instances where I had a facility that used chlorine and 
they had examined prior to my involvement with them on a 
security issue, they had examined the feasibility of changing 
to other materials that were inherently safer, not completely 
safe, but still not as volatile as chlorine was. And they 
looked at the cost, number one, from a capital expenditure, and 
secondly from the ongoing expense, and it was a difficult 
management decision to make. When we brought into play the 
security issues, those were the things that in many cases drove 
them to say there is an added reason why we should do this, and 
they did.
    So, yeah, I think there are industries out there who will 
be responsive. And I also think that in terms of the 
legislation that if I have to comply with these things if I am 
using these materials, implied in it is if I am not using those 
materials then I don't have to comply with these regulations. 
So it seems to me that it is a fairly straightforward decision 
for companies to make.
    Mr. Markey. Mr. Chairman, I have one final question and I 
appreciate your indulgence, and that is to you, Mr. Summers. As 
you know, the bomb that Timothy McVeigh used to kill 168 was 
made with 2 tons of ammonium nitrate used in fertilizer. So was 
the 1993 World Trade Center bomb. The October, 2002 Al-Qa`ida 
attack on a Bali nightclub also reportedly used ammonium 
nitrate. Last year 3,000 pounds of ammonium nitrate was stolen 
from a fertilizer plant in North Carolina. In your testimony, 
you stated that many fertilizer and other agribusinesses have 
voluntarily increased security.
    Do you agree that facilities that manufacture or store 
significant quantities of ammonium nitrate should be required 
to increase security to ensure that it can't be stolen or 
detonated on site by terrorists?
    Mr. Summers. Well, I can't speak for everybody. My opinion 
is that the requirements of anything that is considered by the 
Department of Homeland Security should be a risk-based 
approach, and obviously someone that manufactures ammonium 
nitrate and someone who sells a pallet of it or stores a ton of 
it in a bulk building is two entirely different scenarios. One 
size fits all does not apply to our industry. So we would like 
differentiation between that.
    Mr. Markey. And where would you accept that top security is 
necessary?
    Mr. Summers. Being in the regulatory consulting business, 
there are some categories. And one of the things I heard today, 
I heard that there was 15,000 risk management plant facilities 
in the United States. One thing that I also heard was that 
there was not a good understanding. Mr. Stephan with the 
Department of Homeland Security tried his best to describe that 
worst case scenario and the prevailing winds, and I think there 
is an understanding that needs to be gained along that line 
that would help.
    In the RMP program there is program 1, which is a pretty 
insignificant hazard. There is a program 2 RMP that is probably 
easier to explain by explaining program 1 is an insignificant 
hazard. Program 3 is the most significant hazard. And program 2 
categorizes everyone that doesn't fit in program 1 and program 
3. And our retail facilities fall into program 2 RMPs. If I had 
to suggest something as Allen Summers from ASMARK, a farmer, 
retailer and consultant, I would say risk management plan 2 and 
1 are categories that probably don't pose a huge risk.
    There has been testimony today that said that 10,000 people 
would be affected--10,000 lives could be lost and 40,000 people 
could be affected within that area of concern around the plant 
at one of the worst facilities and one of the most highest risk 
facilities in the country. We work approximately 34 percent of 
our facilities of the 985 that we work with have anhydrous 
ammonia. They are all program 2 risk management plans. And 99 
percent of those, I can't give you definite numbers, but 99 
percent of those have less than 250 people in that 1.2 or 2.7-
mile area of concern around the plant. We are not talking about 
significant risk here.
    Mr. Markey. I want to get through this. How much ammonium 
nitrate was necessary to blow up the World Trade Center? They 
tried in 1993 and left a huge hole there. And the same thing is 
true for the Murrah building in Oklahoma City. What category 
would you put that in, the amount of ammonium nitrate in those 
two instances? What category would you--
    Mr. Summers. While I am appearing here today in defense of 
our industry and hoping that trying to describe what we have 
done and the money we have spent and the actions we have taken 
in doing our own security vulnerability assessment working and 
creating that methodology with the Center for Chemical Process 
Safety--
    Mr. Markey. Do you agree--and I apologize, Mr. Chairman--
but do you agree that Al-Qa`ida has ammonium nitrate at the top 
of its terrorist target list given what they did in Bali and 
what they did at the World Trade Center?
    Mr. Summers. No, I don't necessarily agree with that. There 
are a lot more attractive targets in the United States than 
that.
    Mr. Markey. Unfortunately, two of the biggest instances did 
involve ammonium nitrate, so we have to take note of that in 
committee in terms of the amount.
    Mr. Summers. If I could finish in answering your first 
question. While I am here today defending our industry and 
saying there needs to be risk based assessment applied to this 
decision, in the days to come, there is going to be--as an 
industry, we already recognize that we need to regulate the 
sale of ammonium nitrate and there will be a bill introduced.
    Mr. Markey. What I am trying to get from you so the 
committee could have the expertise--
    Mr. Pearce. The gentleman's time has expired.
    Mr. Markey. How much volume do you think requires that kind 
of security?
    Mr. Summers. I am not qualified to speak for the industry, 
but Allen Summers' opinion is that in order to do it we 
probably need to regulate every bag.
    Mr. Pearce. Gentleman's time has expired. And anyone else 
on the committee who seeks recognition? The chairman recognizes 
himself for 5 minutes.
    Mr. Bandy, are you aware of any of the regulations 
regarding EPA and the voluntary compliance mechanism that they 
have for different companies? The reason I ask is that Marathon 
has been recognized as one of the companies nationally that EPA 
has given full oversight of its own processes, and they come in 
periodically and check. And it just is a new paradigm in the 
last 5 years, I suspect, that EPA has engaged in.
    Mr. Bandy. That is EPA performance track. I am not familiar 
with the details.
    Mr. Pearce. Do you think that those same parameters could 
come into play in this particular arena?
    Mr. Bandy. Yes, I do. And OSHA has a similar program, 
voluntary protection program where they come in and evaluate 
your facility every 3 years.
    Mr. Pearce. Mr. DePasquale, as far as the ammonium nitrate, 
do you think--you said we should radically rethink our 
security. Can we secure our facilities to keep the theft of 
ammonium nitrate from occurring in your radical rethinking?
    Mr. DePasquale. I believe we can. One of the issues--
    Mr. Pearce. If we assume that we can, how would you handle 
the fact that someone who wants to blow up the World Trade 
Center, the purchase really--would you control the purchases, 
too?
    Mr. DePasquale. Right now it is relatively easy to purchase 
not only ammonium nitrate but other explosives as well.
    Mr. Pearce. Even if it were difficult, the cost and the 
regulatory effect, is there a radical rethinking that can 
protect us from that, yes or no?
    Mr. DePasquale. Radical rethinking, yes.
    Mr. Pearce. You could envision in your experience a radical 
rethinking that could keep anyone from purchasing a controlled 
substance and putting it to use against us?
    Mr. DePasquale. I don't think I would go that far. There is 
always a way for people to still breach--
    Mr. Pearce. That might be my point, Mr. DePasquale. Even a 
radical rethinking, we have to evaluate the cost to us as a 
nation and the cost to our freedoms.
    A great, great dishonor has been done to you, my friend. I 
apologize. Anytime--as a graduate from a State university, 
anytime I would be declared to be a graduate from the 
University of New Mexico rather than New Mexico State, I would 
feel a deep, deep wound. And so I apologize that this committee 
has declared you to be from the University of Georgia, and we 
will create that in the testimony and in the written testimony.
    All of you have been very patient. We appreciate your 
testimony. It is a very difficult subject and the answers--
    Mr. Markey. Mr. Chairman, could I ask one more question?
    Mr. Pearce. No, Mr. Markey. Your time has elapsed.
    Mr. Markey. May I ask unanimous consent?
    Mr. Pearce. The unanimous consent is not agreed to, because 
the chairman objects.
    Mr. Markey. Can I make a parliamentary inquiry?
    Mr. Pearce. Mr. Markey, you may not.
    Mr. Markey. Mr. Chairman, I think you have to allow a 
parliamentary inquiry.
    Mr. Pearce. You can make the parliamentary inquiry. Is it 
required that the witnesses be present for this? I would ask 
counsel if we can--you are bound to stay. The hearing is not 
over, you are still here. I apologize. And we will sit here 
until southern New Mexico freezes over if necessary to hear 
this necessary parliamentary inquiry.
    Mr. Markey. The parliamentary inquiry just goes to the 
issue of the fact that no other members came back from the vote 
on the floor. The witnesses are here. It is late and I just 
have another question to ask. And from a parliamentary 
perspective, I am asking the Chair why he would object to an 
additional question being asked.
    Mr. Pearce. Thank you. The Chair would point out that the 
gentleman had 5 minutes and the Chair allowed an additional 7 
minutes. About 5 of that elapsed after the gentleman reported 
that he had one more question, at which point there were 
multiple questions asked.
    I think the Chair has been very sensitive to the needs of 
the gentleman to ask questions to take advantage of the 
presence of these witnesses who have great, great knowledge on 
the issues. I think the chairman has given the gentleman ample 
opportunity to express his questions even to recognizing the 
gentleman before anyone on the majority side. I am not sure 
exactly why at 6:20 in the evening the gentleman would like to 
hold our witnesses for another round of questioning. But in 
response to that, I am willing to sit here and discuss the 
parliamentary inquiry at full length and the full breadth and 
would be willing to answer all questions that the gentleman has 
for me even at the delaying of our witnesses.
    So again, the Chair would make himself available to the 
parliamentary inquiry.
    Mr. Markey. I thank the gentleman. From a parliamentary 
perspective, as the gentleman knows that the hearing was 
supposed to start at 2:00 and, although the witnesses had no 
control over it, we then had eight roll calls that were called 
by the--on the floor of the House. And then subsequently, we 
had just another three roll calls. And there is no issue more 
critical to the security of our country, and of course the 
witnesses did not schedule 2:00 on a Wednesday afternoon for 
the hearing. So they are blameless in this. But obviously, the 
fact that we had between 10 and 11 roll calls in that brief 
period of time has reduced dramatically, as you can see from 
the attendance of the membership who came back after the 
witnesses finished their testimony. So no one actually came 
back with the exception of me and you, Mr. Chairman, who asked 
questions along with Mr. Dicks.
    Mr. Pearce. There was one Democrat.
    Mr. Markey. As I said, along with Mr. Dicks.
    Mr. Pearce. I missed that you included Mr. Dicks in the 
listing there.
    Mr. Markey. And the point I am making is that this is the 
panel on the subject. And unfortunately, because of 
circumstances beyond their control, although they probably came 
to this city at great expense, that members can't come because 
of the White House picnic where many of them are right now, but 
the experts on this subject are here with a willingness to 
answer questions from the panel. I don't hear any request from 
them they have to leave. I am pointing that out from a 
parliamentary perspective of where we are at this point. It is 
not their fault. It is not the member's fault or your fault. It 
is what happens when you schedule something at 2:00 in the 
afternoon and have 10 roll calls that you still have this panel 
here on an historic day where the American chemical industry 
has changed its position and we have an excellent opportunity 
to continue to explore that.
    But I can understand--I can sense an intransigence in the 
chairman's voice and I appreciate that, and it is your 
prerogative as the chairman to deny any further questions. And 
it appears that you are going to exercise that prerogative. 
Given the totality of the circumstances, we would be better off 
to continue to use the expertise of this perhaps one-time 
gathering on the experts of chemical security in America.
    And I yield back the balance.
    Mr. Pearce. I thank the gentleman for yielding. Are their 
observations from the witnesses? Any time you would like to 
elapse on your own now? Having said that, the hearing will now 
be adjourned.
    Thank you.
    [Whereupon, at 6:30 p.m., the subcommittee was adjourned.]

                                 
