[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
                          THE LONDON BOMBINGS:
                      PROTECTING CIVILIAN TARGETS
                         FROM TERRORIST ATTACKS
                             PART I AND II

=======================================================================

                                HEARING

                               before the

                        SUBCOMMITTEE ON ECONOMIC
                        SECURITY, INFRASTRUCTURE
                     PROTECTION, AND CYBERSECURITY

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                 SEPTEMBER 7, 2005 and OCTOBER 20, 2005

                               __________

                           Serial No. 109-39

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
[GRAPHIC] [TIFF OMITTED] TONGRESS.#13

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html


                               __________

                    U.S. GOVERNMENT PRINTING OFFICE
28-921                      WASHINGTON : 2007
_____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512ï¿½091800  
Fax: (202) 512ï¿½092250 Mail: Stop SSOP, Washington, DC 20402ï¿½0900012007


                     COMMITTEE ON HOMELAND SECURITY

                   Peter T. King, New York, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania            Edward J. Markey, Massachusetts
Christopher Shays, Connecticut       Norman D. Dicks, Washington
Peter T. King, New York              Jane Harman, California
John Linder, Georgia                 Peter A. DeFazio, Oregon
Mark E. Souder, Indiana              Nita M. Lowey, New York
Tom Davis, Virginia                  Eleanor Holmes Norton, District of 
Daniel E. Lungren, California        Columbia
Jim Gibbons, Nevada                  Zoe Lofgren, California
Rob Simmons, Connecticut             Sheila Jackson-Lee, Texas
Mike Rogers, Alabama                 Bill Pascrell, Jr., New Jersey
Stevan Pearce, New Mexico            Donna M. Christensen, U.S. Virgin 
Katherine Harris, Florida            Islands
Bobby Jindal, Louisiana              Bob Etheridge, North Carolina
Dave G. Reichert, Washington         James R. Langevin, Rhode Island
Michael McCaul, Texas                Kendrick B. Meek, Florida
Charlie Dent, Pennsylvania
Ginny Brown-Waite, Florida

                                 ______

   Subcommittee on Economic Security, Infrastructure Protection, and 
                             Cybersecurity

                Daniel E. Lungren, California, Chairman

Don Young, Alaska                    Loretta Sanchez, California
Lamar S. Smith, Texas                Edward J. Markey, Massachusetts
John Linder, Georgia                 Norman D. Dicks, Washington
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            James R. Langevin, Rhode Island
Bobby Jindal, Louisiana              Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex          (Ex Officio)
Officio)

                                  (II)


                            C O N T E N T S

                              ----------                              
                                                                   Page

                               STATEMENTS

The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Chairman, Subcommittee on 
  Economic Security, Infrastructure Protection, and 
  Cybersecurity:
  Oral Statement.................................................    11
  Prepared Opening Statement, September 7, 2007..................     3
  Prepared Statement, October 20, 2007...........................    55
The Honorable Bennie G. Thompson, a Representative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security..............................................     4
The Honorable Norman D. Dicks, a Representative in Congress From 
  the State of Washington........................................    39
The Honorable James R. Langevin, a Representative in Congress 
  From the State of Rhode Island.................................    40
The Honorable Sheila Jackson-Lee, a Representative in Congress 
  From the State of Texas........................................    44
The Honorable John Linder, a Representative in Congress From the 
  State of Georgia...............................................    38
The Honorable Bill Pascrell, Jr., a Representative in Congress 
  From the State of New Jersey...................................    35
The Honorable Stevan Pearce, a Representative in Congress From 
  the State of New Mexico........................................    74
The Honorable Mark E. Souder, a Representative in Congress From 
  the State of Indiana...........................................    45

                               WITNESSES
                      Wednesday, September 7, 2005

Mr. Peter Lowy, CEO, Westfield America, Inc:
  Oral Statement.................................................    11
  Prepared Statement.............................................    13
Mr. Joe Madsen, Director, Safety and Risk Management, Spokane 
  Public Schools, Spokane, Washington:
  Oral Statement.................................................    25
  Prepared Statement.............................................    27
Mr. Bill Millar, President, American Public Transportation 
  Association:
  Oral Statement.................................................     5
  Prepared Statement.............................................     7
Mr. Michael Norton, Managing Director of Global Property 
  Management, Tishman Speyer Properties:
  Oral Statement.................................................    15
  Prepared Statement.............................................    18

                       Thursday, October 20, 2005

Mr. Robert Jamison, Deputy Administrator, Transportation Security 
  Administration, Department of Homeland Security:
  Oral Statement.................................................    64
  Prepared Statement.............................................    66
Mr. Robert Stephan, Assistant Secretary, Infrastructure 
  Protection Division, Department of Homeland Security:
  Oral Statement.................................................    57
  Prepared statement.............................................    58

                             For the Record

The International Council of Shopping Centers:
  Prepared Statement, September 7, 2005..........................    43
The Honorable Kip Hawley, Assistant Secretary, Transportation 
  Security Administration, Department of Homeland Security:
  Prepared Statement, September 7, 2005..........................    87
Letter From Mr. Robert B. Stephan................................    93


                          THE LONDON BOMBINGS:
                      PROTECTING CIVILIAN TARGETS
                         FROM TERRORIST ATTACKS

                              ----------                              


                      Wednesday, September 7, 2005

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Economic Security,
              Infrastructure Protection, and Cybersecurity,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:09 a.m., in 
Room 311, Cannon House Office Building, Hon. Daniel Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Linder, Souder, Thompson, 
Dicks, DeFazio, Lofgren, Jackson-Lee, Pascrell, and Langevin.
    Mr. Lungren. [Presiding.] Good morning. I would like to 
welcome everyone to this hearing of the Committee on Homeland 
Security, Subcommittee on Economic Security, Infrastructure 
Protection, and Cybersecurity.
    We are meeting today for the first time in the committee's 
permanent hearing room, so maybe we will also get an office 
next to it at some time in the future, but we will work on 
that.
    This morning, the subcommittee will focus on the protection 
of civilian or soft targets against terrorist attacks. A soft 
target can be any place or thing whose destruction or 
impairment will cause a loss of life, economic damage or 
psychological trauma, which is difficult to protect or harden 
because it is a location that is accessible to the public.
    Soft targets would include schools, buses, trains, hotels, 
office buildings, restaurants, night clubs, apartment 
buildings, churches, mosques, synagogues or any place where 
many people can be found in close proximity.
    It is true that in a free and open society such as ours, 
there are an infinite number of such potential targets which a 
terrorist could choose to attack. Compounding our difficulties, 
terrorists have many advantages. They have the ability to 
choose what, where, when and how to execute an attack. As the 
President has said, we have to be right 100 percent of the 
time, while they only have to get lucky once.
    The latest tragedies in London and Egypt have highlighted 
the ease in which terrorists can perpetrate heinous crimes 
against the civilian population, even where reasonable security 
measures had already been instituted. Public transportation, 
particularly trains and buses, this has been the favored target 
of many high-profile attacks, but terrorists have also 
repeatedly targeted night clubs, restaurants and hotels.
    The inability to effectively restrict access and the 
potential for numerous casualties, combined with the 
psychological impact on the public and its resulting affect on 
our national economy makes these soft targets highly attractive 
to terrorists.
    According to the RAND Memorial Institute for Prevention of 
Terrorism database of terrorist events, there have been almost 
10,000 terrorist incidents worldwide since 9/11, of which more 
than 5,500 could be considered to have taken place against soft 
targets.
    Increasing physical security of such sites is, of course, 
part of the solution to the challenge, but let's face it: 
screening every person accessing every possible soft target is 
both a physical and economic impossibility. Even if it were 
possible, there is simply no way to be 100 percent effective 
against a determined terrorist that is willing to take his or 
her own life in pursuit of the mission.
    So accordingly, we must prioritize our efforts based on 
known risks and consequences, and avoid the temptation to focus 
on one soft target sector to the detriment of others. As 
Secretary Chertoff has said, terrorists are quite adaptable, so 
as we harden some types of facilities they would naturally 
switch to others that are seemingly less protected.
    We must also figure out how to remain one step ahead of the 
terrorists and stop them before they execute their plans. We 
can accomplish this in large part by continuing to aggressively 
pursue intelligence regarding terrorists and their intentions.
    And we can expand our intelligence-gathering capabilities 
further by training employees and civilians around or within 
soft targets to be watchful of suspicious behavior and attempt 
to intercept terrorists in the planning or reconnaissance or 
even implementation stages of an attack. Mass transit 
facilities and other security forces have begun doing this type 
of training already.
    So I would like to welcome our witnesses today and thank 
them for participating in this timely discussion.
    We had planned to have an initial panel with two witnesses 
representing the views of the Department of Homeland Security, 
the Honorable Kip Hawley, the Administrator of the 
Transportation Security Administration, and Robert Stephan, the 
Acting Under Secretary for Information Analysis and 
Infrastructure Protection. But given the need of these 
witnesses to be focused on the continuing response to Hurricane 
Katrina, we have decided to postpone that panel to another date 
later this month.
    So our planned second panel now will be our only panel 
today. The witnesses represent a wide array of soft-target 
sectors, including mass transit, shopping malls, office 
buildings, and public schools. Let me restate that. Our 
witnesses represent a wide array of our economy, which, because 
of the nature of terrorism, makes them soft-target 
opportunities. As I say, they include mass transit, shopping 
malls, office buildings, and public schools.
    The witnesses will provide us with important insights on 
the steps they have taken thus far to address the challenges 
posed by terrorists, the assistance they receive from DHS and 
other federal agencies, and what they believe the proper role 
of the federal government should be with respect to security 
within their sectors.
    As I have said many times, we do not have all the wisdom in 
government and we can be well educated as to what is being done 
in the private sector. We would particularly like to 
concentrate on the cooperative nature of efforts between the 
private and public sector.
    So I would like to thank the witnesses for appearing before 
us today and tell you that I look forward to your testimony.
    I would recognize the Ranking Member of the full Committee, 
Mr. Thompson, who has been busy in the last week or so with 
some concerns in his own district as a result of the hurricane.
    As you know, you have our best wishes and our prayers for 
the people in your district and the evacuees who have come to 
your district.

           Prepared Opening Statement of Hon. Daniel Lungren

                      Wednesday, September 7, 2005

    I would like to welcome everyone to this hearing of the Committee 
on Homeland Security Subcommittee on Economic Security, Infrastructure 
Protection, and Cybersecurity.
    This morning, the Subcommittee will focus on the protection of 
civilian or ``soft'' targets against terrorist attacks.
    A soft target can be any place or thing whose destruction or 
impairment will cause loss of life, economic damage, or psychological 
trauma, and which is difficult to protect or ``harden'' because it is a 
location that is accessible to the public.
    Soft targets include schools, buses, trains, hotels, office 
buildings, restaurants, nightclubs, apartment buildings, churches, 
mosques, synagogues, or any place where many people can be found in 
close proximity.
    In a free and open society such as ours, there are an infinite 
number of such potential targets from which a terrorist could chose to 
attack.
    Compounding our difficulties, terrorists have many advantages--
having the ability to chose what, where, when, and how to execute an 
attack. As the President has said, we have to be right 100 percent of 
the time, while the terrorists only have to get lucky once.
    The latest tragedies in London and Egypt have highlighted the ease 
in which terrorists can perpetrate heinous crimes against the civilian 
population, even where reasonable security measures had already been 
instituted.
    Public transportation--particularly trains and buses--has been the 
favored target in many high-profile attacks. But terrorists also have 
repeatedly targeted night clubs, restaurants, and hotels. The inability 
to effectively restrict access and the potential for numerous 
casualties--combined with the psychological impact on the public and 
its resulting effect on the national economy--makes these soft targets 
highly attractive to terrorists.
    According to the RAND-Memorial Institute for Prevention of 
Terrorism database of terrorist events, there have been almost 10,000 
terrorist incidents worldwide since September 11, 2001, of which more 
than 5,500 could be considered to have taken place against soft 
targets.
    Increasing physical security at such sites is, of course, part of 
the solution to this challenge, but screening every person accessing 
every possible soft target is both a physical and economic 
impossibility. Even if it were possible, there is simply no way to be 
100% effective against a determined terrorist that is willing to take 
his or her own life in pursuit of the mission.
    Accordingly, we must prioritize our efforts based on known risks 
and consequences, and avoid the temptation to focus on one soft target 
sector to the detriment of others. As Secretary Chertoff has said, 
terrorists are quite adaptable, so as we harden some types of 
facilities, they will switch to others that are less protected.
    We also must figure out how to remain one step ahead of the 
terrorists and stop them before they execute their plans. We can 
accomplish a large part of this by continuing to aggressively pursue 
intelligence regarding terrorists and their intentions.
    And we can expand our intelligence gathering capabilities further, 
by training employees and civilians around or within soft targets to be 
watchful of suspicious behavior--in an attempt to intercept terrorists 
in the planning, reconnaissance, or even implementation stages of an 
attack. Mass transit facilities and other security forces have begun 
doing this type of training already.
    I'd like to welcome our witnesses today and thank them again for 
participating in this timely discussion.
    We had planned to have an initial panel with two witnesses 
representing the views of the Department of Homeland Security: the 
Honorable Kip Hawley, Administrator, Transportation Security 
Administration, and Robert Stephan, Acting Under Secretary for 
Information Analysis and Infrastructure Protection. But given the need 
for these witnesses to be focused on the continuing response to 
Hurricane Katrina, we have decided to postpone this panel to another 
date later this month.
    So our planned second panel will now be our only panel today. The 
witnesses represent a wide array of soft target sectors, including mass 
transit, shopping malls, office buildings, and public schools. These 
witnesses will provide us with important insights on the steps they 
have taken thus far to address the challenges posed by terrorists, the 
assistance they have received from DHS and other Federal agencies, and 
what they believe the proper role of the Federal government should be 
with respect to security within their sectors.
    I would like to thank the witnesses for appearing before us today 
and I look forward to your testimony.

    Mr. Thompson. Thank you very much, Mr. Chairman.
    Let me acknowledge Mr. Pascrell and a number of other 
members of the committee who also called during what has been 
and continues to be a very trying time for this entire country, 
and more specifically for the people of Louisiana, Alabama and 
Mississippi.
    But as you know, the matter we have before us today is a 
very important issue for this country. Like all Americans, I 
was shocked and repulsed by the terrorist attacks in London. 
This latest attack should serve as a reminder that America and 
its close allies continue to face a determined enemy that 
thinks nothing of slaughtering innocent people.
    Now, after seeing the numerous failures to adequately 
prepare and respond to the Hurricane Katrina situation, I have 
my doubts about our nation's plans for dealing with 
emergencies. If we cannot handle a hurricane that we know is 
coming 4 days before, how can we trust that we are prepared for 
a catastrophic terrorist attack that we do not know about?
    Because we live in an open and democratic society, we are 
particularly vulnerable to terrorists who live among us. This 
is especially true when it comes to our mass transit systems. 
Our mass transit and rail systems are large, open systems 
carrying billions of passengers a year, making it a prime 
target for terrorists.
    Almost 4 years after the September 11 terrorist attack, 
passenger, rail and transit security remains a Department of 
Homeland Security afterthought. While the United States spent 
$11 billion on aviation security since 9/11, we managed to 
offer up $450 million for transit security. That is simply too 
little and too short, especially when one considers that 
Americans take mass transit 16 times more often than they 
travel by air.
    This disparity, frankly, sends chills down my spine when I 
consider the pattern of train bombings overseas, first in 
Madrid, then in Moscow, and most recently in London. If the 
recent past is any guide, what is to prevent New York, 
Washington or Chicago from being next?
    With the establishment of the Department of Homeland 
Security, the American people expected the department to help 
prevent such attacks. I would have to like to hear from the 
department who is doing this, but in the instance of this 
catastrophe we are dealing with, we will deal with it later.
    What I would like for them to do when they do come, Mr. 
Chairman, is provide us with the transit security plan that was 
due April 1 of this year. I have sent two letters to the 
administration indicating that you are overdue with this 
transit security plan, but I have yet to receive a response to 
those letters. It is sort of indicative of why we are behind 
right now.
    Trains are not the only targets of al-Qa'ida and like-
minded groups, as terrorists have attacked hotels in Saudi 
Arabia, a night club in Indonesia, and worst of all, a school 
full of children in Russia.
    I would like to hear from the witnesses today what measures 
are in place to protect these soft targets and what has DHS 
done to address it. We will look at it when they come.
    Mr. Chairman, I really would like to know whether or not in 
emergencies like we had with Katrina how our mass transit 
systems could potentially have helped with the evacuation of 
people, especially in the New Orleans area.
    And after that, how soon could we get our system up and 
running? In London, they did it in a day after the bombings. I 
wonder what it would take us, with any kind of event, to get 
our systems up and running again? Since we are supposed to have 
a plan, I would like to hear it.
    I look forward to the witnesses' testimony, and I yield 
back.
    Mr. Lungren. I thank the Ranking Member, Mr. Thompson.
    Other members of the Committee are reminded that opening 
statements may be submitted for the record.
    We are pleased to have one distinguished panel of witnesses 
before us today on this important topic. As I mentioned, 
Assistant Secretary Stephan has been and continues to be 
working more than 18 hours a day at the command center dealing 
with the Katrina devastation. Assistant Secretary Hawley is 
also working on the Katrina response. The Subcommittee plans on 
having both of them in later this month to answer questions on 
this critical issue.
    Let me remind the witnesses that your entire written 
statement will appear in the record. Because of the number that 
we have and the number of members we expect to be asking 
questions, we would ask that in accordance with committee rules 
you would limit your oral testimony to approximately 5 minutes, 
and then we would allow each panel member to testify before 
questioning any one of the witnesses.
    The chair would first recognize Mr. Bill Millar, President 
of the American Public Transportation Association.
    Mr. Millar, thank you for being here.

                    STATEMENT OF BILL MILLAR

    Mr. Millar. Thank you, Mr. Chairman and members of the 
committee. On behalf of the 1,500 members of the American 
Public Transportation Association, we are certainly glad to be 
here.
    It is very clear from your opening statement and Mr. 
Thompson's opening statement that the committee already has a 
very good understanding of some of the potential that public 
transit has to be a target and some of the funding disparities, 
in our opinion, that have occurred over the years.
    Quite simply put, we need to invest more money. We need to 
have better intelligence, and we need to do a better job of 
planning both for prevention and recovery. Those would be the 
three fundamental points of my testimony.
    In light also that we find ourselves the week after 
Katrina, it is also important to realize that much of the 
investment in making our transit systems more secure can also 
assist in meeting national and natural disasters such as 
Katrina represents. I will be pleased to make further comments 
upon that point during the question period.
    Public transit in America is a major form of public 
transportation. Every year, over 9.6 billion customers use 
public transit. Every weekday, 32 million times every weekday, 
Americans use public transit. And as has been pointed out, this 
is 16 times the number of people who use our nation's airline 
system, and yet the expenditure by the federal government to 
make public transit more secure is minuscule compared to the 
federal investment in the air system. We all understood and 
understand why the air system needs to be made secure, but now 
it is time to look at other parts of our transportation system.
    As you pointed out, Mr. Chairman, over the last 25 years 
public transit around the world has too often been a target of 
terrorist attack. While we are focused on the most recent 
events such as London or Madrid or Moscow, the list goes on and 
on and on. Thus, prior to 9/11/2001, our industry knew that we 
could be a target. Our industry had already in place many plans 
and had taken many steps to try to improve its dealing with 
security issues. However, much more needs to be done.
    Since 9/11, the industry has invested out of its own 
resources more than $2 billion in improving our security and 
preparing for terrorist attacks and in developing plans for 
recovery in the even that, God forbid, such an attack would 
occur in the United States. We do not need more wake-up calls. 
We need help. We need plans for action. We need investment.
    We did a survey of our members which we released about 1 1/
2 years ago asking that, at that point, we were 2 years into 
the post-9/11 environment. We knew that more needed to be done. 
What did our members tell us out of that survey?
    They told us several things. First, I have already referred 
to the $2 billion that at that point they had invested 
themselves. Second, they felt that a major capital investment 
approaching $5.2 billion was necessary to take common sense 
solutions.
    You are quite right, Mr. Chairman. None of us believe that 
you could totally insulate public transit systems from the 
potential of terrorist attack, but we do believe that there are 
many common sense steps that could be taken, such things as 
improving preparedness planning, training, drilling; such 
things as improving the communications systems of our transit 
systems; improving the access points to our access systems; and 
many, many common sense steps that could be taken.
    Regrettably, sufficient funds have not been provided to 
undertake these steps. This current fiscal year, the Congress 
appropriated $150 million to cover all of public transit, 
passenger, freight and rail security. That simply is not a 
large enough investment. More needs to be done.
    According to our survey, what did we find? Well, we find 
that over 2,000 rail stations in America do not have any 
security cameras. Some additional work we did subsequent to 
that revealed that 53,000 buses do not have cameras on those 
buses. Over 5,000 commuter rail cars do not have security 
cameras. Over half of all buses do not have automatic vehicle 
locator systems. And the list goes on and on and on.
    Certainly, we saw something in New Orleans that ought to 
make us all think about this next statistic. More than 75 
percent of the demand-response vehicles, the small vehicles 
that are used primarily to transport persons with disabilities 
or senior citizens or others in that type of need, over 75 
percent of those vehicles lack automatic vehicle locator 
systems.
    There is no permanent biological detection system in any 
rail transit system in America.
    And the list goes on and on and on.
    The second area I mentioned relates to the need for 
intelligence. After 9/11, in cooperation with the Federal 
Transit Administration, a federal public transportation-funded 
ISAC program, Information Security Analysis Center, was set up 
throughout the country. Regrettably, the funding for that ISAC 
center and the great intelligence that it provided to transit 
systems across the country has expired.
    The Department of Homeland Security has offered a 
substitute, allowing us to tap into what they call their 
Homeland Security Information Network, the HSIN Network. 
However, in our judgment, this is no substitute for the ISAC 
that has already proven its worth and is already in place. So 
we certainly need to work on how we can get more information 
access to intelligence.
    We need to make sure that when the terror alert level is 
raised that everyone understands that has major costs to that. 
For example, a survey we did this last summer showed that when 
the alert level was raised to orange, simply going up one step, 
even though nothing happened, we found that that added $900,000 
a day to our costs. In the time between July 7 when the London 
bombings occurred and the threat level was raised, until August 
12 when it was lowered, transit systems incurred over $33 
million in costs.
    So the list goes on and on. I am sure my time is about 
done. I will be happy to expand on these or any other points as 
may be appropriate.
    Thank you, again, Mr. Chairman and members of the 
committee, for your concern and allowing me to be with you.
    [The statement of Mr. Millar follows:]

                Prepared Statement of William W. Millar

                      Wednesday, September 7, 2005

    Mr. Chairman, thank you for this opportunity to testify on the 
security and safety of public transportation systems. We appreciate 
your interest in transportation security, and we look forward to 
working with you on these issues.
ABOUT APTA
    The American Public Transportation Association (APTA) is a 
nonprofit international association of more than 1,500 public and 
private member organizations including transit systems and commuter 
rail operators; planning, design, construction, and finance firms; 
product and service providers; academic institutions; transit 
associations and state departments of transportation. APTA members 
serve the public interest by providing safe, efficient, and economical 
transit services and products. More than ninety percent of the people 
using public transportation in the United States and Canada are served 
by APTA member systems.

OVERVIEW
    Mr. Chairman, public transportation is one of our nation's critical 
infrastructures. We cannot over-emphasize the critical importance of 
our industry to the economic quality of life of this country. Over 9.6 
billion transit trips are taken annually on all modes of transit 
service. People use public transportation vehicles over 32 million 
times each weekday. This is more than sixteen times the number of daily 
travelers on the nation's airlines.
    Safety and security are the top priority of the public 
transportation industry. Transit systems took many steps to improve 
security prior to 9/11 and have significantly increased efforts since 
then. Since September 11, 2001, public transit agencies in the United 
States have spent over $2 billion on security and emergency 
preparedness programs and technology from their own budgets with only 
minimal federal funding. This year's events in London and last year's 
events in Madrid further highlight the need to strengthen security on 
public transit systems and to do so without delay. We do not need 
another wakeup call like London and Madrid.
    In 2004 APTA surveyed its U.S. transit system members to determine 
what actions they needed to take to improve security for their 
customers, employees and facilities. In response to the survey, transit 
agencies around the country have identified in excess of $6 billion in 
transit security investment needs. State and local governments and 
transit agencies are doing what they can to improve security, but it is 
important that the federal government be a full partner in the effort 
to ensure the security of the nation's transit users.
    In FY 2003, transit security was allocated $65 million in federal 
funds for 20 transit systems from DHS. In FY 2004, $50 million was 
allocated for 30 transit systems from DHS. For the first time in FY 
2005, Congress specifically appropriated $150 million for transit, 
passenger and freight rail security. Out of the $150 million, transit 
is to receive approximately $130 million--almost $108 million for rail 
transit and more than $22 million for bus. Also, passenger ferries are 
slated to receive an additional $5 million for security from a separate 
account. We are very appreciative of this effort. However, in the face 
of significant needs, more needs to be done.
    We urge Congress to act decisively on this issue. In light of the 
documented needs, we have respectfully urged Congress to provide $2 
billion in the FY 2006 Homeland Security Appropriations bill for 
transit security. Of that amount, we recommended that $1.2 billion be 
provided for capital needs, and $800 million for additional transit 
security costs. Federal funding for additional security needs should 
provide for, among other things, planning, public awareness, training 
and additional transit police.
    Transit authorities have significant and specific transit security 
needs. Based on APTA's 2003 Infrastructure Database survey, over 2,000 
rail stations do not have security cameras. According to our 2005 
Transit Vehicle Database 53,000 buses, over 5,000 commuter rail cars, 
and over 10,000 heavy rail cars do not have security cameras. Less than 
one-half of all buses have automatic vehicle locator systems (AVL's) 
that allow dispatchers to know the location of the bus when an 
emergency occurs. Nearly 75% of demand response vehicles lack these 
AVL's. Furthermore, no transit system has a permanent biological 
detection system. In addition, only two transit authorities have a 
permanent chemical detection system. A partnership with the federal 
government could help to better address many of these specific needs.
    We were disappointed that the Administration recommended only $600 
million for a Targeted Infrastructure Protection Program in the FY 2006 
DHS budget proposal, which would fund infrastructure security grants 
for transit, seaports, railways and energy facilities. We were also 
disappointed that the Administration did not include a specific line 
item funding amount for transit security. We look forward to working 
with the Administration and Congress in securing adequate transit 
security funding that begins to address unmet transit security needs 
throughout the country.
    We further request that the existing process for distributing DHS 
federal grant funding be modified so that funds are distributed 
directly to transit authorities, rather than to State Administrating 
Agencies (SAA). While we understand the need to coordinate with the 
states and urban areas that we serve, we believe direct funding to the 
transit authorities would be more efficient and productive. For the 
FY2003 grant funding that was allocated by DHS, it took more than a 
year to be awarded to some transit systems. In addition, the FY2005 
grant funding has not been awarded to the transit systems to date.
    We are pleased to note that APTA has become a ``Standards 
Development Organization'' (SDO) for the public transportation 
industry. Our efforts in standards development for commuter rail, rail 
transit and bus transit operations over recent years have been 
significant and our status as a SDO has been acknowledged by both the 
Federal Transit Administration (FTA) and the Federal Railroad 
Administration (FRA). The FTA and the Transportation Research Board 
have also supported our standards initiatives through the provision of 
grants. We would like to apply our growing expertise in standards 
development to transit industry safety and security, best practices, 
guidelines and standards. We look forward to working with the 
Administration and Congress in support of this initiative and trust 
that federal financial assistance would be made available to develop 
such standards and practices.
    We also would like to work with Congress and the Department of 
Homeland Security's Directorate of Science and Technology to take a 
leadership role in advancing research and technology development to 
enhance security and emergency preparedness for public transportation.

INFORMATION SHARING
    Since the terrorist attacks of September 11, 2001, public transit 
systems across the country have worked very hard to strengthen their 
security plans and procedures and have been very active in training 
personnel and conducting drills to test their capacity to respond to 
emergencies. As well, to the extent possible within their respective 
budgets, transit systems have been incrementally hardening their 
services through the introduction of additional technologies such as 
surveillance equipment, access control and intrusion detection systems. 
While the transit systems have been diligent, they have been unable to 
fully implement programs without more assistance from the federal 
government.
    A vital component of ensuring public transit's ability to prepare 
and respond to critical events is the timely receipt of security 
intelligence in the form of threats, warnings, advisories and access to 
informational resources. Accordingly, in 2003, the American Public 
Transportation Association, supported by Presidential Decision 
Directive #63, established an ``Information Sharing Analysis Center 
(ISAC)'' for public transit systems throughout the United States. A 
funding grant in the amount of $1.2 million was provided to APTA by the 
Federal Transit Administration to establish a very successful Public 
Transit ISAC that operated 24 hours a day, 7 days a week, and gathered 
information from various sources, including DHS, and then passed 
information on to transit systems following a careful analysis of that 
information. However, given that the Federal Transit Administration was 
subsequently unable to access security funds, and given the decision of 
DHS to not fund ISAC operations, APTA then had to look for an alternate 
method of providing security intelligence through DHS's newly created 
``Homeland Security Information Network (HSIN).'' APTA is now in the 
process of transitioning from the successful Public Transit ISAC to the 
new HSIN network. However, we believe that consistent, on-going and 
reliable funds from Congress should be provided for the Public Transit 
ISAC that has been proven an effective delivery mechanism for security 
intelligence.
    In addition, APTA's membership includes many major international 
public transportation systems, including the London Underground, Madrid 
Metro, and the Moscow Metro. APTA also has a strong partnership with 
the European-based transportation association, the International Union 
of Public Transport. Through these relationships, APTA has participated 
in a number of special forums in Europe and Asia to give US transit 
agencies the benefit of their experiences and to help address transit 
security both here and abroad.

COST OF HEIGHTENED SECURITY
    Following the attacks on London, APTA was asked to assist the TSA 
in conducting a teleconference between the TSA and transit officials to 
discuss transit impacts pertaining to both increasing and decreasing 
the DHS threat levels. There is no question that increased threat 
levels have a dramatic impact on budget expenditures of transit systems 
and extended periods pose significant impacts on personnel costs. These 
costs totaled $900,000 per day for US public transit systems or an 
estimated $33.3 million from July 7 to August 12, 2005 during the 
heightened state of ``orange'' for public transportation. This amount 
does not include costs associated with additional efforts by New York, 
New Jersey and other systems to conduct random searches.
    Many transit systems are also implementing other major programs to 
upgrade security. For example, New York's Metropolitan Transportation 
Authority is taking broad and sweeping steps to help ensure the safety 
and security of its transportation systems in what are among the most 
extensive security measures taken by a public transportation system to 
date. NY-MTA will add 1,000 surveillance cameras and 3,000 motion 
sensors to its network of subways and commuter rail facilities as part 
of a $212 million security upgrade announced late last month with the 
Lockheed Martin Corporation.

SECURITY INVESTMENT NEEDS
    Mr. Chairman, since the awful events of 9/11, the transit industry 
has invested some $2 billion of its own funds for enhanced security 
measures, building on the industry's already considerable efforts. At 
the same time, our industry undertook a comprehensive review to 
determine how we could build upon our existing industry security 
practices. This included a range of activities, which include research, 
best practices, education, information sharing in the industry, and 
surveys. As a result of these efforts we have a better understanding of 
how to create a more secure environment for our riders, and the most 
critical security investment needs.
    Our latest survey of public transportation security identified 
enhancements of at least $5.2 billion in additional capital funding to 
maintain, modernize, and expand transit system security functions to 
meet increased security demands. Over $800 million in increased costs 
for security personnel, training, technical support, and research and 
development have been identified, bringing total additional transit 
security funding needs to more than $6 billion.
    Responding transit agencies were asked to prioritize the uses for 
which they required additional federal investment for security 
improvements. Priority examples of operational improvements include:
        Funding current and additional transit agency and local law 
        enforcement personnel.
        Funding for over-time costs and extra security personnel during 
        heightened alert levels.
        Training for security personnel.
        Joint transit/law enforcement training.
        Security planning activities.
        Security training for other transit personnel.

    Priority examples of security capital investment improvements 
include:
        Radio communications systems.
        Security cameras on-board transit vehicles and in transit 
        stations.
        Controlling access to transit facilities and secure areas.
        Automated vehicle locator systems.
        Security fencing around facilities.
    Transit agencies with large rail operations also reported a 
priority need for federal capital funding for intrusion detection 
devices.
    Mr. Chairman, the Department of Homeland Security issued directives 
for the transit industry in May 2004, which would require that transit 
authorities beef up security and to take a series of precautions which 
would set the stage for more extensive measures without any federal 
funding assistance. Transit systems have already carried out many of 
the measures that Transportation Security Administration (TSA) is 
calling for, such as drafting security plans, removing trash bins and 
setting up procedures to deal with suspicious packages. The cost of 
these measures and further diligence taken during times of heightened 
alert is of particular concern to us. We look forward to working with 
you in addressing these issues.
    As you know, in the FY 2005 Homeland Security Appropriations bill 
(PL 108-334), TSA can hire up to 100 rail inspectors using a $10 
million appropriation. We have concerns about this provision. We 
believe that funding for the inspectors would be better spent on things 
that would support the industry such as surveillance cameras, and 
emergency communication and other systems rather than highlighting 
security issues without providing the necessary resources to address 
them. We look forward to working with you in addressing our concerns.

ONGOING TRANSIT SECURITY PROGRAMS
    Mr. Chairman, while transit agencies have moved to a heightened 
level of security alertness, the leadership of APTA has been actively 
working with its strategic partners to develop a practical plan to 
address our industry's security and emergency preparedness needs. 
Shortly after the September 11 events, the APTA Executive Committee 
established a Security Task Force. The APTA Security Task Force has 
established a security strategic plan that prioritizes direction for 
our initiatives. Among those initiatives, the Task Force serves as the 
steering group for determining security projects with more than $2 
million in Transit Cooperative Research funding through the 
Transportation Research Board.
    Through this funding, APTA has conducted four transit security 
workshop forums around the nation for the larger transit systems with 
potentially greater risk exposure. These workshops provided 
confidential settings to enable sharing of security practices and 
applying methodologies to various scenarios. The outcomes from these 
workshops were made available in a controlled and confidential format 
to other transit agencies unable to attend the workshops. The workshops 
were held in New York, San Francisco, Atlanta, and Chicago.
    In partnerships with the Transportation Research Board, the APTA 
Security Task Force has also established two TCRP Panels that 
identified and initiated specific projects developed to address 
Preparedness/Detection/Response to Incidents and Prevention and 
Mitigation. The Security Task Force emphasized the importance for the 
research projects to be operationally practical.
    In addition to the TCRP funded efforts, a generic Checklist For 
Transit Agency Review Of Emergency Response Planning And System Review 
has been developed by APTA as a resource tool and is available on the 
APTA web site. Also through the direction of the Security Task Force, 
APTA has reached out to other organizations and international 
transportation associations to formally engage in sharing information 
on our respective security programs and to continue efforts that raise 
the bar for safety and security effectiveness.
    APTA has long-established Safety Audit Programs for Commuter Rail, 
Bus, and Rail Transit Operations. Within the scope of these programs 
are specific elements pertaining to Emergency Response Planning and 
Training as well as Security Planning. In keeping with our industry's 
increased emphasis on these areas, the APTA Safety Audit Programs have 
been modified to place added attention to these critical elements.

CONCLUSION
    Mr. Chairman, in light of our nation's heightened security needs 
post 9/11, we believe that increased federal investment in public 
transportation security by Congress and DHS is critical. The public 
transportation industry has made great strides in transit security 
improvements since 9/11 but much more needs to be done. We look forward 
to building on our cooperative working relationship with the Department 
of Homeland Security and Congress to begin to address these needs. We 
again thank you and the Committee for allowing us to testify on these 
critical issues, and look forward to working with you on safety and 
security issues.

    Mr. Lungren. Thank you very much, Mr. Millar, for your 
testimony.
    The chair would now recognize Mr. Peter Lowy, the CEO of 
Westfield America, Inc., to testify.
    Thank you for coming, sir.

                    STATEMENT OF PETER LOWY

    Mr. Lowy. Thank you and good morning, Mr. Chairman. My name 
is Peter Lowy. I am the chief executive of the Westfield Group.
    Westfield is, in terms of equity market capitalization, the 
world's largest publicly traded real estate company, with an 
equity market capitalization of over $23 billion. We own and 
operate 129 regional shopping malls in four countries: 
Australia, New Zealand, the United Kingdom, and here in the 
United States, where we own 68 regional shopping centers and 
manage the retail concessions at nine major airports, including 
terminals at JFK, Logan, Miami, Dulles and Reagan National.
    I am testifying today on behalf of the Real Estate 
Roundtable.
    In my written testimony, there are a number of broad 
suggestions with regard to business and homeland security 
relations that while I believe would be helpful, seem almost 
trivial in light of Hurricane Katrina. I would be happy to 
discuss those suggestions with the staff or the committee at a 
later date.
    It is clear from the country's response to the devastation 
in Louisiana, Mississippi and Alabama that we are not 
adequately prepared for the aftermath of a terrorist attack. 
Democracy and the political process that we are governed by, is 
by definition reactive.
    The issues that business and government need to deal with 
fall into three interrelated categories. They are 
communication, coordination and preparedness.
    From a communication point of view, things as simple as an 
organizational chart should be distributed so that we in 
business, and presumably the government, know who is 
responsible for what; whom to deal with for what issue; and 
most importantly, who is actually in charge.
    At Westfield, our security plans assume the new normal is a 
yellow alert level. However, we do not know if our normal 
operating systems are consistent with what the government might 
consider appropriate for a yellow alert level.
    Business often receives no indication of what threats we 
should be protecting against. And if they are identified, there 
is no standard for us to look at that tells us how to protect 
against that particular type of threat. A published list by 
Homeland Security of best practices, tied to specific types of 
threats, for example, would be extremely useful and helpful.
    As you may know, Westfield owned the leasehold on the 
retail mall at the World Trade Center prior to 9/11. Because of 
our involvement in the World Trade Center, we unfortunately 
have direct knowledge of the issues that a terrorist attack can 
cause, whether they are personal, corporate, legal, economic, 
or insurance-related. From a coordination and preparedness 
point of view, prior to 9/11 Westfield implemented a nationwide 
program to improve coordination between ourselves and first 
responders. We also photographed all of our centers and fully 
digitized those photographs and the building plans, including 
those of the World Trade Center. The idea is to create a 
database that can effectively and efficiently be shared with 
first responders.
    As you know, the Port Authority offices were destroyed on 
9/11, and all of the paper building plans were destroyed with 
it. So the emergency personnel did not have the use of the 
blueprints for search and rescue operations. We realized 
immediately after the attack that we actually had the plans 
digitized. However, we literally could not find anyone to give 
them to. Finally, 10 days after 9/11, with the help of the 
mayor's office, we were able to get those plans to FEMA and the 
Office of Emergency Management to assist rescue and recovery 
workers in their efforts.
    This experience resulted in our placing renewed emphasis on 
building solid lines of communication between ourselves, the 
local police, and fire and emergency departments at each of our 
locations. There is no doubt that 9/11 accelerated our security 
program and our investment in technology, people, systems, and 
increasing working relationships with our first responders. We 
sometimes even need to provide the technology that the local 
authorities need in order to access our information.
    We have now built strong relationships between the local 
authorities and ourselves. We have held tabletop exercises in 
our Los Angeles headquarters with the LAPD, L.A. Fire 
Department, FBI, DHS, U.S Secret Service, Los Angeles Sheriff's 
Department and other local emergency responders. We also staged 
joint drills and training exercises with those authorities in 
the many local jurisdictions where we have shopping centers 
across the country.
    In summary, I think that the events of the past week have 
clearly demonstrated that Congress must aggressively pursue its 
oversight of the government's planning and execution for all 
activities related to homeland security.
    Congress must work with DHS and all relevant state and 
local entities so that clear lines of communication exist for 
coordinated action to be carried out. The explosion of a 
biological or nuclear bomb or multiple conventional terrorist 
attacks in a major city can cause similar problems as those we 
have witnessed in New Orleans.
    Congress must make the effort to see around the corner and 
designate with strict precision who is responsible for all 
major facets of the government's response to a terrorist 
attack, in order to best mitigate the potential damage and loss 
of life.
    The private sector can work to take as many proactive 
measures as possible. As a mall owner, we can practice getting 
our customers and tenants safely out of the door. However, an 
effective evacuation will demand that the police can secure the 
routes, the city can provide potential medical relief if 
needed, and the state can provide transportation.
    Congress must do all possible to achieve a comfort level 
that Homeland Security and all relevant government entities 
will work and communicate in the execution of these crucial 
plans.
    I thank you for your time and would be happy to answer any 
questions after.
    [The statement of Mr. Lowy follows:]

                    Prepared Statement of Peter Lowy

                      Wednesday, September 7, 2005

    Good morning Mr. Chairman and Members of the Committee. Thank you 
for this opportunity to address you this morning.
    My name is Peter Lowy and I am the Chief Executive of The Westfield 
Group. By way of reference, Westfield is in terms of equity market 
capitalization the world's largest publicly-traded real estate company 
with an equity market capitalization of over $23 billion dollars. We 
own and operate 129 regional shopping malls in four countries--
Australia, New Zealand, the UK and here in the US where we own 68 
regional shopping centers and manage the retail concessions at 9 major 
airports including terminals at: JFK, Logan, Miami, Dulles and Reagan 
National.
    I am testifying today on behalf of the Real Estate Roundtable.\1\
---------------------------------------------------------------------------
    \1\ The Real Estate Roundtable is the organization that brings 
together leaders of the nation's top public and privately-held real 
estate ownership, development, lending and management firms with the 
leaders of major national real estate trade associations to jointly 
address key national policy issues relating to real estate and the 
overall economy. The Roundtable provides day-to-day operational 
staffing of the Real Estate Information Sharing and Analysis Center.
---------------------------------------------------------------------------
    I think I am in a somewhat unique position to discuss this issue. 
As you may know, Westfield owned the leasehold on the retail mall at 
the World Trade Center prior to 9/11. Because of our involvement in the 
World Trade Center we unfortunately have direct knowledge of the issues 
that a terrorist attack can cause--whether they are personal, 
corporate, legal, economic or insurance related, as well as firsthand 
experience in trying to cope with the new reality that malls as public 
gathering places are considered to be targets for potential terrorist 
activity.
    Because we view our malls as ``town centers,'' even prior to the 
recent events in London and before 9/11, Westfield was looking for more 
effective ways to keep our centers--and thus our customers and 
employees--safe. For instance, we had begun a nationwide program to (1) 
improve communication and coordination between ourselves and first 
responders and (2) photograph our centers and fully digitize them and 
the building plans--including those of the World Trade Center. The idea 
is to create a database that can be efficiently shared with responding 
governmental entities so that first responders can know very quickly 
where all the points of entrance and egress are--how to access the 
roof, the HVAC and other sensitive areas. We did this because we took 
on the view that while we may not necessarily be able to stop a 
terrorist event--we have an obligation to try to mitigate the damage 
one might cause in terms of death, injury and property damage.
    As you know, the Port Authority offices were destroyed on 9/11 and 
all of the paper building plans were destroyed with it--so that the 
City and first responders were lacking the blueprints of the 
structures. We realized immediately after the attack that we had the 
plans digitized--however, we literally couldn't find anyone to give 
them to. Finally, 10 days after 9/11 and with the help of the Mayor's 
office we were able to get the plans to FEMA and OEM to assist rescue 
and recovery workers in their efforts. This experience caused us to 
place renewed emphasis on building solid lines of communication between 
ourselves and local police, fire, and emergency departments.
    There is no doubt that 9/11 accelerated our security program and we 
invest in technology, in people, in systems, in creating active working 
relationships with first responders--we sometimes even need to provide 
the technology that local authorities need in order to access and 
understand our information. In the US alone (since 9/11), 20% of our 
operating costs are now devoted to security, that's approximately $40 
million per year, and 20-25% of our operating capital expenditures have 
been diverted to security infrastructure. But, as I have alluded to, 
arguably the most important--and most challenging--piece of this is the 
most low-tech of all. . .basic communication between the private sector 
and the local and federal authorities.
    Firstly, I recognize as a business person that building strong 
relationships between local authorities and other key agencies is a 
priority. That is why we have held table top exercises in our Los 
Angeles headquarters with the LAPD, LA Fire Department, FBI, DHS, US 
Secret Service, Los Angles Sheriffs Department and other local 
emergency responders. We have also staged joint drills and training 
exercises with those authorities in the many local jurisdictions where 
we have shopping centers across the country. As an observer and a 
participant in this process, it has been my observation that one of the 
most difficult issues to solve is the lack of communication and 
coordination between ourselves, the local authorities and the FBI and 
the Department of Homeland Security. However, I understand that DHS has 
launched a new initiative in the form of placing in the field 
``Protective Security Advisors'' to provide better coordination between 
Washington and the rest of the country. And there have been other 
outreach efforts including local Homeland Security Advisory Councils--
which I have recently become involved in the greater-LA and Orange 
County region. These and other initiatives are important as the 
communication gap must be closed in order for prevention and response 
to be effective.
    No where is this more telling than in the threat-level system. 
While again progress has been made, we all know of instances where the 
level has been elevated without business leaders then hearing from the 
government what measures we ought to take in order to meet that higher 
level of threat.
    Our security plans assume that the new, ``normal'' is a yellow 
alert level. However, we don't know if our normal operating systems are 
consistent with what the government might consider appropriate for a 
yellow threat level. So that if there is an incident at one of our 
centers, I can almost guarantee that someone will sue us and make the 
argument that we didn't operate up to par with what a company should be 
doing under a yellow alert. However, business often receives no 
indication of what threats we should be protecting against. And if they 
are identified, there is no standard for us to look to that tells us 
how to protect against that particular type of threat. While I am not 
looking to codify some new set of lengthy government regulations, it 
would be helpful to create for business some ``safe harbor'' in the 
event of litigation after a terrorist incident. One way DHS might 
assist business would be to publish a list of ``best practices'' tied 
to specific types of threats and then encourage insurers to incentivize 
them.
    I have here an internal document that shows how a mall such as ours 
might deal with the various threat levels. This is obviously a 
sensitive document that I would be hesitant to put into the official 
public record but I would be very happy to review it and share it with 
the Members of the Committee and the staff if that is helpful to them.
    Currently, insurers have incentives in place for certain building 
improvements to better protect the property in case of earthquake, 
flooding and other natural disasters. In theory, if insurers are 
provided guidance from federal or local authorities as to best 
practices in security--they can then in turn incentivize their policy 
holders. I am working with other CEOs around the country as a Member of 
the Advisory Board of Rand's Center for Terrorism Risk Management 
Policy where we are focusing on this issue of how insurance should 
function in the post 9/11 economy. Rand currently has a study that is 
underway which will look at the factors that affect the security 
decision-making of commercial real estate owners and will include 
insurance company incentives--or the lack thereof. I would be pleased 
to share the results of this research with the committee when they are 
available.
    However, a recent Rand's study, ``Trends in Terrorism'' did touch 
on this subject. That report stated: ``a long-run solution to terrorism 
should be designed to incorporate specific mechanisms, such as 
security-based premiums discounts, so that appropriate security 
investments can be encouraged through private insurance.'' Needless to 
say, in order for insurance to create incentives coverage needs to be 
available in the marketplace; so while I know its not the focus of this 
hearing I feel bound to remind you how important it is for Congress to 
extend the Terrorism Risk Insurance Act.
    As part of their outreach to the private sector, I know that DHS 
has been working with industry groups and the Chamber to address the 
need for more specific guidelines to the color code system. Clearly, 
this is positive. I would simply urge that more communication with the 
business community--and especially businesses like ours which thrive on 
drawing large numbers of people to our properties--is necessary if we 
are to be truly prepared for an emergency situation.
    The Rand ``Trends in Terrorism'' study has made it clear that the 
US Government's War on Terrorism has changed the operational 
environment of al-Qa'ida and other terrorist groups to softer targets 
that are easier to attack and more likely to be in the private sector. 
This trend has been exacerbated by target hardening around prominent 
sites--which has triggered a process of threat displacement to the 
easier to attack, civilian-frequented locations.
    In summary, it is my opinion that at the heart of any cooperative 
efforts between the government and the private sector lays clear and 
reliable lines of communication. With more direction from DHS as to 
``best practices'' and with insurers showing a willingness to reward 
policy holders for instituting them, I believe business would spend 
their limited resources more wisely and with greater benefit to the 
public. If we accept that soft targets have in fact become more 
attractive to terrorist cells, then it is especially important that a 
vibrant private-public partnership continue to develop and from that 
provide the business community with the best tools possible to secure 
our properties and most especially our employees and customers.

    Mr. Lungren. Thank you very much, Mr. Lowy, for your 
testimony.
    The chair would now recognize Mr. Michael Norton, Managing 
Director of Global Property Management for the Tishman Speyer 
Properties, to testify.
    Thank you, sir, for coming.

                  STATEMENT OF MICHAEL NORTON

    Mr. Norton. Thank you, Mr. Chairman and members of the 
committee.
    My name is Michael Norton. I am responsible for directing 
all property management activities at Tishman Speyer both in 
the U.S. and globally.
    Our company is one of the leading owners, developers, fund 
managers and operators of first-class real estate in the world, 
with a property portfolio totaling more than 42 million square 
feet in major metropolitan areas across the United States, 
Europe and Latin America. Notably, our portfolio includes 
Rockefeller Center, the MetLife Building and the Chrysler 
Building in New York City.
    I am testifying today on behalf of the Real Estate 
Roundtable, the Real Estate Board of New York, and BOMA 
International.
    Thank you for holding what I believe is the first 
congressional hearing since the events of 9/11 at which major 
real estate companies and their associations have been invited 
to share their experience and expertise in security-related 
matters.
    As a company and as an industry, we are committed to 
managing the risk of future acts of terrorism. That commitment 
is, of course, influenced by the expectations and demands of 
our various constituents including our tenant customers, our 
lenders, investors, insurers, legal advisers and local, state 
and federal government. In the end, any approach to security in 
buildings will need to be supported by all those constituents 
in order to be successful over the long term.
    As an industry, we are spending over 20 percent more on 
security than we were pre-9/11. And yet, in the end, managing 
the risk of terrorism is not principally about spending more 
money. It is about strategically using existing resources to 
cost-effectively mitigate risks. Access to information, 
experience and best practices are assets that are hard to put a 
hard-dollar number on and yet they may be the most critical 
resources we have.
    In my statement, I have detailed specifically some of the 
risk mitigation measures we have implemented at our company for 
the buildings I mentioned above and for other high-profile 
properties. These best practices fall into six basic 
categories: communications; emergency response, including 
emergency area access; training programs; hardening techniques; 
information sharing; and coordination initiatives.
    In reviewing the specific security measures, it is 
important to recognize that we do not institute these measures 
without first undertaking building specific risk assessments. 
We are fully accountable for how we use our limited resources. 
Our tenants and other key partners are looking for us to be as 
efficient as possible by allocating limited resources where 
there is the greatest combination of threat and vulnerability.
    We certainly encourage Congress to take a similar risk-
based approach to funding homeland security. Scarce federal 
resources should only be allocated to places and initiatives 
that are addressing the greatest risk of death or injury to 
civilian populations.
    As for lessons learned, first let me say the need for 
robust local communications channels with emergency response 
officials is perhaps the single greatest lesson learned since 
9/11.
    One excellent system that I believe has become a model for 
other cities is the New York Police Department's communication 
channel to the private business sector known as the Area 
Police-Private Leadership Security Liaison, also referred to as 
APPL. Information about events taking place throughout the city 
is now continuously provided via APPL e-mails. The recipients 
of these e-mails are notified, normally in real time, of events 
such as a manhole explosion on Fifth Avenue or a suspicious 
package in a Times Square train station.
    This information flow allows real estate operators to 
ratchet up or down elements of their emergency response plans, 
if necessary. Equally important is the fact that we can forward 
this kind of information to our tenants and thus relieve 
frazzled nerves by reassuring them that we are in the know.
    Nationally, our focus on the need for improved 
communications led to the development by 13 major trade 
associations, representing office, hotel, shopping center and 
multi-housing owners, for our own Information Sharing and 
Analysis Center, also referred to as ISAC. Our ISAC is a 24/7, 
two-way information channel between the real estate industry 
and DHS that facilitates information sharing on terrorist 
threats, warnings, incidents, vulnerabilities and response 
planning to a network of over 120,000 real estate owners and 
operators.
    Our best local government partners know we are looking for 
information, including actionable intelligence that bears 
directly on the operation of our buildings, and they provide it 
quickly. I am not sure there is any organization in the country 
that does a better job of this than the NYPD. By working 
closely over time, we have begun to have a mutual understanding 
of our respective roles. We know our buildings' individual 
vulnerabilities. Government has more of a beat on the changing 
threat environment. We both need each other to succeed. This is 
the proper model for our partnership at the federal level as 
well.
    Another lesson learned has been the need to ensure 
government officials know who is actually responsible for the 
security of high-profile buildings in this country.
    Notably at the time of the orange alert for the New York 
financial sector last year, the first DHS officials to 
communicate with the private sector about the potential risks 
to the Citicorp Center, including the then-Secretary of DHS, 
were initially unaware that Citicorp neither owned nor managed 
the physical security of the facility that bore its name.
    To assist DHS and others to avoid that mistake in the 
future, the Real Estate Board of New York has made available 
its database of New York City commercial building owners and 
managers as a reference to local, state and federal officials. 
We strongly recommend other cities implement similar programs, 
perhaps working with local building owners and managers 
associations.
    In conclusion, we are truly blessed that there have been no 
major attacks on our country since 9/11. However, without 
further incidents, it is sometimes difficult, particularly in 
cities that have not experienced terror attacks in the past, to 
ensure the proper level of realistic vigilance.
    Through our ISAC, the real estate industry has recently 
completed a 6-month public service advertising campaign 
reaching well over 100,000 members of our industry. To that 
same end, in April, the Real Estate ISAC facilitated the 
participation of over 60 real estate firms in the national 
terrorism simulation known as TOPOFF-3.
    DHS should continue to reach out to the public at large 
with similar awareness campaigns and to provide our industry 
with opportunities to participate in exercises. We will get 
more support for what we are doing from our key constituents if 
there is consensus among the general public and our industry on 
the need for appropriate measures.
    These priorities must continue to be addressed aggressively 
by DHS and other government authorities. Only then can we feel 
confident that if there are other major acts of terrorism, we 
can return to your committee and say we did everything 
reasonably within our power to save human lives. That, in the 
end, is what this is all about.
    Thank you.
    [The statement of Mr. Norton follows:]

                Prepared Statement of Michael L. Norton

                      Wednesday, September 7, 2005

Introduction
    Chairman Lungren, Ranking Member Sanchez, and Members of the 
Committee, my name is Michael Norton. I am responsible for managing and 
directing all global property management activities at Tishman Speyer. 
Tishman Speyer (www.tishmanspeyer.com) is one of the leading owners, 
developers, fund managers and operators of first class real estate in 
the world, with a property portfolio totaling more than 74 million 
square feet in major metropolitan areas across the United States, 
Europe and Latin America. Let me note at the outset that I am not aware 
of any Congressional hearing where owners of landmark buildings have 
been given the opportunity to share their homeland security experience 
in the post 9/11 era. Thank you then for providing this unique forum.
    I am testifying today on behalf of the Real Estate Roundtable \1\ 
(www.rer.org) where our company's Chief Executive Officer, Jerry 
Speyer, is a member of the Board of Directors. I am also testifying on 
behalf of the Real Estate Board of New York \2\ (www.rebny.org) and the 
Building Owners Managers Association (BOMA) International \3\ 
(www.boma.org) two organizations where I personally sit on senior 
governing boards and councils. In addition to my work with these 
organizations, I am active on a number of other civic and charitable 
organizations and was recently promoted to the rank of Lieutenant 
Colonel in the U.S. Marine Corps Reserves.
---------------------------------------------------------------------------
    \1\ The Real Estate Roundtable is the organization that brings 
together leaders of the nation's top public and privately-held real 
estate ownership, development, lending and management firms with the 
leaders of major national real estate trade associations to jointly 
address key national policy issues relating to real estate and the 
overall economy. The Roundtable provides day-to-day operational 
staffing of the Real Estate Information Sharing and Analysis Center.
    \2\ As the oldest and most influential real estate trade 
association in New York City, The Real Estate Board of New York 
represents major commercial and residential property owners and 
builders, brokers and managers, banks, financial service companies, 
utilities, attorneys, architects, contractors and other individuals and 
institutions professionally interested in the city's real estate.
    \3\ Founded in 1907, the Building Owners and Managers Association 
(BOMA) International is a dynamic international federation of over 100 
local associations. The 19,000-plus members of BOMA International own 
or manage over 9 billion square feet of downtown and suburban 
commercial properties and facilities in North America and abroad. 
BOMA's mission is to enhance the human, intellectual and physical 
assets of the commercial real estate industry through advocacy, 
education, research, standards and information.

I. Managing the Risk of Further Terrorist Attacks on Commercial Office 
Buildings
        A. Our Company's Stake and Commitment
    The unique nature of our portfolio of assets--both existing 
buildings and projects under development--ensures that sophisticated 
risk management, including managing the risk of further terrorist 
attacks, is a core business priority. We own and manage some of the 
highest profile office buildings in the world, including Rockefeller 
Center, the MetLife Building and the Chrysler Center in New York City. 
Rockefeller Center, for example, is the number one tourist destination 
in New York City with all the pedestrian traffic that comes with that 
status. The Chrysler Center is a worldwide icon that, together with the 
Empire State Building, defines the New York skyline. All these 
buildings--and many others in our portfolio--sit atop mass transit and, 
in the case of the MetLife Building, Grand Central Station itself. 
Current projects now under development by Tishman Speyer include the 
new baseball stadium for the New York Yankees, a major new building for 
Citigroup in Long Island City, and the new headquarters buildings for 
Goldman Sachs and the Hearst Corporation in New York City.
    In the end, our guiding principle as a company in managing the risk 
of terrorism is to meet or exceed the expectations of our customers--
our tenants. Many of these tenants are Fortune 500 companies or other 
high-visibility institutions with strong commitments to managing 
terrorism-related risks. We are also deeply influenced by the 
expectations or demands of our lenders, investors, insurers, legal 
advisors and local, state and federal government.
    B. Our Industry's Commitment
    Managing the risk of terrorism in the post 9/11 environment, and I 
am speaking for the industry as a whole at this point, has galvanized 
our individual and common resources to an unprecedented degree. By our 
industry's standard benchmarking reference--BOMA's 2005 Experience 
Exchange Report \4\--we are spending, as an industry, over 20% more on 
security than we were pre 9/11. And yet, I hesitate to mention that 
statistic because in the end managing risk is not principally about 
allocating additional resources, it is about strategically using 
existing resources to cost-effectively mitigate risks. Information and 
experience are two assets that are hard to put a dollar value on and 
yet they may be the most critical resources we have. Post 9/11, there 
has been an unprecedented degree of information sharing within our 
industry and with local, state and federal counter-terrorism and 
emergency response authorities. This sharing of information--including 
best practices--is being advanced in New York City through the 
sophisticated local networks facilitated by the Real Estate Board of 
New York as well as national networks supported by the Real Estate 
Information Sharing and Analysis Center or ISAC (www.reisac.org), and 
the various committees and task forces of BOMA and the Real Estate 
Roundtable. We are also allocating substantial resources as an industry 
to support the work of Rand Corporation's new Center for Terrorism Risk 
Management Policy. (http://www.rand.org/multi/ctrmp)
---------------------------------------------------------------------------
    \4\ The Experience Exchange Report is an annual income and expense 
benchmarking report for the commercial real estate industry performed 
by the Building Owners and Managers Association International for more 
information see www.boma.org. The report is based on the weighted 
average responses of 3,210 buildings, representing approximately 700 
million square feet of space.

    C. The Nature, Including the Limits, of Our Industry's Role
    Upon reflection, it is evident that the terrorist attacks in New 
York City on 9/11 were, among other things, attacks on major US 
commercial buildings and their tenants/occupants. In the aftermath of 
these events, no one has implied that the collapse of the two towers 
was as a direct result of the failure of the commercial real estate 
industry. In fact, just five years after the 1993 Trade Center bombing, 
the twin towers became internationally renowned for having the best 
security measures of any commercial real estate property in the world. 
After 1993, the World Trade Center had to provide the utmost security, 
without making that office, retail and hotel complex the equivalent of 
a closed military compound. In fact, as we all know, even a closed 
military complex--the Pentagon itself--was also unable to deter 
airborne attacks on 9/11.
    As a result of the attacks of 9/11, the subsequent anthrax scares 
(including one at NBC studios, located in Rockefeller Center), last 
year's Citigroup Building incident, and the recent London bombings, the 
commercial high-rise building industry, through no failure of its own, 
has been severely affected, challenged, and thrust into the heart of 
the terror threat issue. We always look for ways to better manage the 
risk of further threats and attacks. But, at the same time, we remain 
very dependent on the ability of government (including mass transit 
authorities) to help limit the ability of terrorists to reach our 
facilities in the first place.

    D. The Reality of Target-Substitution
    As Frank Cilluffo, the former special Assistant to the President 
for Homeland Security and the current Director of the Homeland Security 
Policy Institute at The George Washington University, testified before 
this subcommittee on June 15, 2005,
        We do not face an adversary that we can defeat in a 
        conventional war on a traditional battlefield by going plane 
        for plane or tank for tank, but one that will take the path of 
        least resistance by constantly searching for our greatest 
        vulnerabilities.
    Mr. Cilluffo's assessment, as well as that of many experts with 
Rand's Center for Terrorism Risk Management Policy, confirm the harsh 
reality of ``target substitution.'' Specifically, as traditional 
critical infrastructure, including government facilities, are further 
hardened, the attractiveness and vulnerability of our nation's so 
called civilian ``soft targets'' is increasing. To mitigate this 
disturbing reality, it is crucial that we move to simultaneously 
address the threats against both hard and softer targets.

    E. Pre-condition for all Security Measures: Sound Risk Assessment
    Before detailing specific risk mitigation measures, it is important 
to stress the central role that building-specific risk assessments play 
in any rational allocation of resources. We are fully accountable for 
how we use our limited ``resources''. Our customers, lenders and 
investors are looking for us be as efficient as possible. Spending more 
of their money, while sometimes appropriate, is not the way that we or 
our constituencies measure progress. Limited resources need to be 
applied first to those measures that have the greatest potential for 
limiting loss of human life and property damage.
    Risk is assessed both from the standpoints of threats and 
vulnerabilities. In addressing the vulnerability-part of the equation, 
we have benefited (as I know other major real estate companies have 
been) by visits from DHS officials that have reviewed with us our own 
assessments of our properties' vulnerabilities. These teams toured a 
number of our buildings and spent a day at each property, speaking with 
the staff and assessing what security measures were in place and what 
additional measures we might consider now or in the event of specific 
threats. We understood the overall aim of this exercise for DHS was to 
assess privately owned commercial office buildings across the country 
in an effort to establish the current state of security at these high 
profile locations and to identify what ``best practices'' can be 
established and shared among our business community. The DHS visits 
were informative exchanges of private and public sector perspectives 
and helped establish improved working relationships between our 
organizations. In New York, the NYPD provides a similar service.

II. Commercial Real Estate Industry Lessons Learned and Best Practices 
for Managing Terrorism Risk for Higher-Risk Buildings
    The specific ``lessons learned'' and examples of best practices I 
would like to share now with the subcommittee fall into six basic 
categories: communication, emergency response (including emergency area 
access), training programs, ``hardening'' techniques, information 
sharing, and coordination initiatives.

    A. Communication & Information Sharing
    One of the greatest lessons that the real estate community learned 
from 9/11 was the need for more robust communication channels between 
the private and public sectors. These channels--both formal and 
informal--should enable real estate operators to instantaneously 
receive information and act more effectively based on that that 
information. The channels should convey valid information, as well as 
dispel rumors.
    Locally: The need for robust local communications is perhaps the 
single greatest lesson learned since 9/11. One excellent system--that I 
believe has become a model for other cities--is the New York Police 
Department's communications channel to the private business sector 
known as the Area Police-Private Leadership Security Liaison or 
``APPL.'' \5\ Information about events taking place throughout the city 
is now continuously provided via APPL emails. The recipients of these 
emails are notified normally in real time of events such as a manhole 
explosion on Fifth Avenue, a suspicious package in a Times Square train 
station, or an unauthorized helicopter flight over the Empire State 
Building. This information flow allows real estate operators to ratchet 
up or down elements of their emergency response plans, if necessary. 
Equally important is the fact that we can forward this kind of 
information to our tenants, and thus relieve frazzled nerves by 
reassuring them that we are ``in the loop.''
---------------------------------------------------------------------------
    \5\ A number of other cities have strong systems in place or under 
development. In Chicago's Central Business District the Chicago Police 
Department has established the Security Broadcast Email System to 
communicate with private sector security directors. Within the same 
district they have established the Early Alert Radio Network (EARN) 
program. EARN is a system by which high-rise buildings that purchase a 
radio receiver can obtain information from the Chicago Police 
Department. In the District of Columbia, ``D.C. Alert'' uses the Roam 
Security Alert Network (https://textalert.ema.dc.gov/
index.php_CCheck=1) to provide immediate text notification and update 
information during a major crisis or emergency. This system delivers 
important emergency alerts, notifications and updates to a number of 
devices, including cellular telephones, e-mail accounts, Blackberry 
devices, and pagers.
---------------------------------------------------------------------------
    After this communication channel was established with the NYPD, 
Tishman Speyer subscribed to an international communication service 
that enables us to send messages to employees and tenant contacts 
worldwide via email, text messages, and voice messages. Here is a real-
world example of how this information flow helps our company operate 
more effectively:
        Last month a suspicious package was discovered against a 
        building located on 54th Street and Madison Avenue, which is 
        directly across from one of our properties. The police had 
        arrived and closed off all pedestrian and vehicular traffic. 
        APPL sent out a message that informed us what was occurring and 
        later notified us that the package was found to be a regular 
        briefcase with no explosive devices. We were then able to use 
        our own in house multi-medium communication channels to 
        simultaneously inform every one of our tenants.
    Nationally: The real estate industry--including major office, 
hotel, shopping center and multi-housing owners and operators--has 
requested and received permission from federal counter-terrorism 
officials to create our own Real Estate Information Sharing and 
Analysis Center (ISAC). The ISAC is a 24/7, two-way information channel 
between the real estate industry and DHS that facilitates information 
sharing on terrorist threats, warnings, incidents, vulnerabilities and 
response planning to a network of over 120,000 real estate owners and 
operators. For many years prior to 9/11, traditional critical 
infrastructure industries (e.g., the financial services, electric 
power, oil and gas, water, telecommunications, information technology, 
chemical and food industries) all operated similar ISACs. We are 
grateful to the White House and DHS officials that were willing to 
think ``outside the box'' by supporting the creation of an ISAC for our 
industry.

        B. Emergency Area Access Procedures
    Another lesson learned was the need for essential authorized 
building personnel to have access to their properties as soon as 
possible following an event. Immediately following the September 11 
attacks on the World Trade Center the police cordoned off a very large 
area in downtown Manhattan. However, in the future, property managers 
and building engineers, who can identify themselves as such, will be 
granted access to these types of restricted areas in order to address 
vital building issues (e.g., shutting down running machinery and 
turning off water lines). This will allow us to prevent any additional 
damage and further economic loss. The cities of Boston, New York, and 
Chicago have all instituted programs that allow private property owners 
to register critical personnel with the city for that purpose.

        C. Training Programs
    Another lesson learned is the importance of expanding training 
programs that incorporate the lessons learned from 9/11 so that they 
can better prepare security officers and building management officials 
that work in high-rise office buildings. Training should address not 
only evacuation procedures, but also consider the difficult issue of 
how and when to ``shelter-in-place'' if an actual or suspected bio-
chemical event occurs.
    The American Society of Industrial Security, International (ASIS, 
International) has established the Private Security Officer Selection 
and Training Guideline. This guideline sets forth minimum criteria for 
the selection and training of private security officers, which may also 
be used to provide regulating bodies with consistent minimum 
qualifications. In addition, ASIS's Physical Security Measures 
Guideline is currently under development. This guideline will assist in 
the selection of appropriate physical security measures, including 
defining risk levels, implementing an integrated set of physical 
security measures, and devising policies and procedures related to 
security incidents, access control, monitoring systems, lighting, 
security personnel, and audits and inspections. When completed, this 
will be an extremely helpful tool to ensure that we members of the 
private sector are providing improved training to our security officers 
and other relevant officials.
    Training should be provided not only to security officers but also 
to other building personnel, including property managers, engineers, 
fire safety directors and cleaners. It is important to remember that, 
for all these groups, emergency action plans should be considered 
crucial elements of their respective training programs. Exercises that 
test these action plans are fundamental to the learning process. The 
training, should, of course, include how to address biological and 
chemical attacks, explosive devices, suicide bombers, and other 
recognized terror techniques.

        D. Target Hardening Techniques
    As discussed above, it has become common practice, as part of sound 
risk assessments, to perform vulnerability risk assessments on all 
major properties. Buildings that receive high threat vulnerability 
ratings may be appropriate for target hardening especially against 
explosive devices (vehicular or pedestrian borne). Target hardening 
focuses particularly on building lobbies, and since 9/11 many large 
commercial office buildings in New York have installed turnstiles and 
card access readers. In addition to the lobbies, the facades, loading 
docks, and underground parking lots of many commercial office buildings 
have been target hardened. After 9/11, Tishman Speyer target hardened 
various elements of all of its then existing properties We are also 
developers and as such we now incorporate target hardening from the 
very beginning of the design and construction process.

        E. Research
    As stated above, post 9/11, the commercial real estate industry has 
supported sophisticated research on how best to protect our homeland. 
Most notably, we have helped launch the new RAND Center for Terrorism 
Risk Management Policy (CTRMP) and provided high-level technical 
consulting to that organization. While the Center has several missions, 
one of its principal goals is to help security decision-making in an 
age of catastrophic terrorism. Its mission is to help not only the 
private sector but also the public sector assess the consequences of 
individual and collective decisions about allocating terrorism security 
resources and help these institutions make decisions about the risks 
they face and the security portfolios appropriate to mitigating those 
risks.
    In addition to analytic research, the CTRMP has provided invaluable 
learning tools for interactive strategic exercises. Most recently, 
CTRMP further developed a RAND simulation involving the mock detonation 
of a nuclear device smuggled into the United States aboard a container 
ship in a major California port city. The exercise, which was developed 
for various business sector audiences and senior Congressional 
staffers, showed just what the human and financial losses would be if 
this were actually to occur and what impact it would have on other 
parts of the United States and the rest of the world.

        F. Coordination with Government Authorities on Building 
        Ownership and Management Data
    The commercial real estate industry stepped up to face another 
challenge last summer when the national threat advisory system was 
elevated for the financial sector. As you know, intelligence was 
uncovered showing al-Qa'ida was doing extensive pre-attack surveillance 
on prominent properties housing several major financial institutions. 
The Citicorp Building in New York City was one of those properties. 
Notably, the first DHS officials ``on the ground'' in New York--
including the then Secretary of DHS--were initially unaware that 
Citicorp neither owned nor managed the physical security of that 
facility. Indeed, across the country, it is not uncommon for counter-
terrorism officials to assume that the companies whose names are 
associated with landmark buildings actually own or manage those 
buildings.
    To assist DHS and others identify quickly those actually 
responsible for the management of a given building's physical security, 
the Real Estate Board of New York has made available its database of 
New York City commercial building owners and managers as a reference. 
This database is regularly updated as purchases and sales take place 
within the New York City office market. It includes landline telephone, 
cellular telephone, beeper, and email contact information sorted by 
building name and address. This could prove to be a valuable resource 
for DHS, especially when notifications are required in an 
``actionable'' timeframe. REBNY has also provided this database to the 
New York City Office of Emergency Management (OEM) and to the New York 
City Department of Buildings (DOB). We encourage other cities to make 
use of similar data bases of office buildings by working with local 
BOMA organizations.

        G. Building Industry Awareness Through Media Campaigns and 
        Exercises
    Post 9/11 it has become increasingly clear that without continuous 
citizen awareness campaigns, public interest and concern about 
terrorism can drop dramatically. This is particularly true in cities 
that have never had a major terrorist incident. Therefore, the Real 
Estate ISAC in January of 2005 commenced a six-month public service 
advertising campaign to encourage building owners and managers to 
address homeland security issues. Through their ``Fighting Terrorism'' 
advertising campaign in Real Estate Forum and 10 trade journals, the 
ISAC, its trade member groups and its media partner, Real Estate Media 
Inc., have reached over 120,000 real estate professionals with their 
important message about the need for a well-prepared real estate 
industry sector.
    To the same end, in April, 2005, the Real Estate ISAC further 
advanced its mission of encouraging greater industry awareness and 
readiness by facilitating the participation of over 60 real estate 
firms in the national terrorism simulation exercise known as ``TOPOFF 
3''. This biennial exercise, involving some 10,000 federal and state 
officials and representatives of Great Britain and Canada, sought to 
strengthen the nation's capacity to prevent, prepare for, respond to, 
and recover from large-scale terrorist attacks involving weapons of 
mass destruction. It was the first of these exercises in which the 
private sector, including the commercial real estate sector, was 
allowed to participate on an equal footing with our public sector 
partners. Those who participated from our industry leveraged this 
multi-million dollar federal exercise to assess their own current 
emergency plans. Following the exercise, industry participants reported 
making changes to those aspects of their plans that were found to be 
insufficient. Going forward, I cannot stress enough the importance to 
our industry of opportunities to participate in joint exercises with 
local, state and federal officials.

        H. Specific Security Measures and Best Practices for Major 
        Buildings
    In our company's experience, effective building security is a 
combination of design features (e.g., physical barriers and electronic 
systems), personnel and staffing strategies (personnel and procedural) 
that are integrated into a well-defined program. As indicated above, 
determining the degree to which each of these components should be 
utilized depends on several risk factors. These factors include whether 
the building is a symbol or has some other national status, the 
specific environment at or around the building (e.g., is it a tourist 
attraction? Are their high-risk tenants or other specific risk 
factors?), and the structural design of the building (e.g., is there 
interior parking). I would like to take a few moments to tell you about 
some of the security measures that have been implemented in our 
industry. I will use some examples of security measures that Tishman 
Speyer has employed at its properties, but most of these are recognized 
as best practices by other major owners in our industry.
         Satellite Telephones: Many real estate owners and 
        operators have satellite telephones in each region where they 
        have properties. In the event of an emergency, when all 
        landline and cellular connections are busy, these portable 
        satellite telephones will continue to operate. As events unfold 
        in a region, security directors and senior managers can remain 
        in contact with personnel on location in order to assess the 
        situation and issue instructions. The satellite telephones also 
        ensure that the building staff will be able to communicate with 
        the emergency services at all times during an incident. 
        Furthermore, key personnel, including senior management, should 
        carry emergency contact information with them at all times.
         Emergency Procedure Guidebooks: Buildings are often 
        equipped with Emergency Procedure Guidebooks These standardized 
        manuals provide staff members with check lists of their 
        respective responsibilities in the case of a property 
        emergency. This ensures that, even under difficult 
        circumstances, building personnel will know the procedures 
        necessary to facilitate the safe evacuation of their 
        properties.
         Company or Building Specific-Color Coded Alert 
        Systems: Many real estate companies have instigated their own 
        internal color code or security level alert systems. For 
        example, under our procedures, the color green represents the 
        current ``Standard Operating Procedures'', the color yellow 
        indicates ``Heightened Alert Operations'' and the color red 
        signifies ``Emergency Event Operations.'' This system requires 
        us to constantly and consistently assess the security risk in 
        any region at any time.
         Emergency Response Training Videos: Tishman Speyer has 
        developed a two hour training video for property staff to learn 
        about biological and chemical agents, including their effects 
        on the human body, how they can be transmitted, and what 
        initial actions should be taken while waiting for emergency 
        services to arrive. The objective of this training program is 
        to help ensure that the property staff can better identify the 
        potential release, dissemination, or detonation of these deadly 
        agents in the event of an attack. This training segment also 
        addresses what actions may be appropriate to take once an 
        attack has occurred, including evacuations or sheltering in 
        place, shutting off of fresh air intakes, and receiving of 
        updates from the local authorities.
         Terrorism Awareness Training: Security officers also 
        receive training in terrorism awareness and response. The 
        elements of common terror attack modes are discussed with a 
        focus on the opportunities a security professional may have to 
        intervene. The officer is encouraged to concentrate on a 
        person's behavior, as opposed to a person's physical 
        characteristics. For the purpose of this training, the ``Stages 
        of a Terrorist Event'' are defined as ``Target Selection; 
        Surveillance of the Target; Planning of the Operation; 
        Rehearsals and Dry-runs; Escaping from the Target; and the 
        Exploitation of the Act.'' Finally, substantial time is 
        committed to discussing conventional explosive devices and 
        improvised explosive devices, as well as the correct way to 
        handle a report of a ``suspicious package'' or telephone or 
        written bomb threat. This kind of in-house training may be 
        supplemented by DHS's own `'soft target'' terrorism awareness 
        training programs.
         Rapid Shut Down of Air-Intakes: Some high profile 
        buildings have implemented controls that enable building 
        personnel to quickly and easily shut off the fresh air intakes 
        in the case of an emergency. Automatic shut-off switches have 
        been installed at appropriate locations and can easily be 
        activated if we receive timely information from the relevant 
        authorities. A critical aspect to successfully addressing a 
        potential biological or chemical agent attack/event at or in 
        the vicinity of a building is having adequate early warning/
        communication channels with the appropriate local government.
         In-Depth Property-Specific Threat Vulnerability 
        Assessment: In our high profile properties property specific 
        threat vulnerability assessments were performed by nationally 
        recognized security consultants, and these consultants provided 
        recommendations on how to improve security in certain areas. 
        Action plans to implement these recommendations, together with 
        the corresponding budgets, are formulated by each individual 
        building's property manager in light of property specific 
        factors including tenant demand.
         ``Closed Buildings'': Many properties that are viewed 
        as potential targets have been transformed from open access 
        buildings into ``closed'' buildings. Building lobbies were 
        historically vulnerable areas for unauthorized access into a 
        facility. Without lobby access control, anyone can enter an 
        elevator and reach any floor desired. Prior to September 11, 
        2001, most properties only enacted access control systems after 
        normal business hours (6PM--7AM, Monday--Friday and weekends). 
        Since 9/11, turnstiles and visitor pre-registration systems 
        have been installed in certain buildings to provide management 
        with detailed knowledge of when people are entering the 
        property. In order to pass through the turnstiles, tenants must 
        have valid building-issued identification cards including 
        personal photographic images.
         Visitor Processing Centers and Courier Centers: Post 
        9/11, some buildings have set up visitor processing centers and 
        courier centers. The visitor centers authorize access to the 
        elevators only after they have received approval from relevant 
        tenant hosts. The security officers then scan the visitors' 
        proof of identification and issue temporary access badges, in 
        some cases with photographs of the visitors on them. At the 
        courier centers, security officers use X-ray machines to scan 
        all packages. In some cases, couriers are not granted access to 
        the buildings and instead building employees deliver packages 
        to the appropriate offices.

        H. Response to the London Mass Transit Bombings
    The London bombings occurred exactly two months ago to the day, on 
July 7, 2005. As such, it is still too early to identify exactly what 
new lessons we learned and what new security measures will be 
instituted as a result of this tragedy.
    We have long had an excellent working relationship with the 
Metropolitan Transit Authority (MTA) and are working with the REBNY and 
the Real Estate Roundtable to build a stronger industry-wide 
partnership with mass transit authorities throughout the nation. We 
are, of course, also watching closely as the MTA looks at the benefits 
of increased use of CCTV. This is one example of how this nation 
appears to be embracing technological advances to increase the safety 
of our civilian infrastructure. This is particularly relevant to us as 
we need to provide tenants with secure buildings but also we are 
directly affected by our tenants' confidence in the public 
transportation that delivers them to our properties on a daily basis. 
Furthermore, as I mentioned at the outset, many of our properties are 
built directly above subway networks and we are only as secure as our 
weakest link. Again our dependence on sound government security 
initiatives is extraordinary.

III. Continuing Challenges & Policy Recommendations
    My testimony has stressed specific ``on the ground'' lessons 
learned and best practices with the hopes that this may spur dialogue 
within our industry and elsewhere on how best to encourage improved 
homeland security. I recognize the extraordinary challenges that local, 
state and federal government authorities face in helping to advance the 
state of the art in terms of homeland security. At the same time, as an 
industry, we do have some policy suggestions for you to consider as you 
oversee the work of DHS.

        A. Priorities
    Emergency Response: In terms of allocating scarce federal 
resources, when it comes to improving public-private homeland security 
partnerships, we agree with the emphasis the 9/11 Commission has placed 
on the need for emergency response and business continuity planning. In 
that regard, we believe that partnerships at the local level with 
emergency response agencies should be a top priority. DHS can and 
should continue to support--financially where appropriate--outreach 
efforts at the local level to bring the business community more fully 
into partnerships with local emergency response officials. The decision 
to spend very limited federal funds should be made with a very 
realistic understanding of the different level of threat and 
vulnerability presented by different geographic locations.
    Also with respect to emergency response planning, we are well aware 
of the spotlight the 9/11 Commission, and later federal legislation, 
placed on the general goals and principles set out in the National Fire 
Protection Association Standard on Disaster/Emergency Management and 
Business Continuity Programs (NFPA 1600). As an industry we have a 
range of sound references to help us begin to apply those very general 
goals and principles to specific buildings and situations. As you may 
know, that Standard was not developed with individual building issues 
in mind.
    It will be important to retain the flexibility to make asset 
specific decisions, based on asset specific risk assessments. At the 
same time, we recognize the need to encourage greater consistency of 
performance across all business sectors and within our sector. The 
government does have a role in helping to create a shared language and 
set of performance oriented metrics in this area. We look forward to 
working with DHS and others to help improve the private sector's 
emergency readiness. A solid simulation and exercise program at the 
local level--supported where necessary by federal resources--is an 
important step in this direction. We also suggest that DHS continue to 
work closely with the insurance industry to ensure their policies offer 
proper incentives for positive performance in the area of emergency 
response planning.

    B. Actionable Intelligence
    With respect to the issue of intelligence sharing with the private 
sector, I want to stress that we are not asking for uncensored access 
to all intelligence reports. What we are looking for is access to any 
information made available to local counter-terrorism officials that 
bears directly on the operation of our buildings. Where the threat is 
so vague and general that no ``actions'' are being recommended, that 
fact also needs to be made clear. As indicated above, we have a growing 
number of strong partnerships at the local level where intelligence is 
shared effectively with our industry. I am not sure there is any 
organization in the country that does a better job of that than the 
NYPD. By working closely over time, we have begun to have a mutual 
understanding of our respective roles. We know our buildings' 
individual vulnerabilities; government has more of a beat on the 
changing threat environment. We both need each other to succeed. This 
is the proper model for our partnership at the federal level as well.

    C. Public Awareness
    Often, conflicting tenant expectations and awareness are challenges 
that we face as an industry. The tenants want to be comfortable that we 
are doing everything possible to ensure their safety but at the same 
time they do not want to work in a military fortress. We note that 
striking the right balance in this regard is also an issue that the 
public transportation authorities are forced to deal with today. The 
DHS needs to support the efforts at the local level to build public and 
business awareness of the importance of proper planning and training in 
this area. Only when our tenants have fully ``bought-in'' to the 
importance of this issue do they support our efforts to take rational 
security measures. In many parts of the country, tenants do not believe 
this issue is a major risk factor and are therefore unwilling to pay 
for some or all of the specific measures, I've detailed above. In my 
view, government has an obligation to help educate the public in a 
reasonable and realistic way about the threats we face in the post 9/11 
environment. Frankly, unless or until there are more attacks, that 
educational process will be very challenging. Hearings like this and 
recent public comments by Secretary Chertoff suggest top government 
officials are committed to this goal.

    Conclusion
    These priorities must continue to be addressed aggressively by DHS 
and other government authorities. Only then can we feel confident that, 
if other major acts of terrorism were to occur, we could return to your 
committee and say we did everything reasonably within our power to save 
human lives. That, in the end, is what this is all about.
    Thank you and I am happy to take questions.

    Mr. Lungren. Thank you very much, Mr. Norton, for your 
testimony.
    The chair would now recognize Mr. Joe Madsen, director, 
safety and risk management for the Spokane Public Schools, to 
testify.
    Thank you for coming, sir.

                    STATEMENT OF JOE MADSEN

    Mr. Madsen. Chairman Lungren, members of the Committee, I 
am Joe Madsen. I am a risk manager in a school district of 
31,000.
    There are 47 million students every day attending schools 
in our nation. Of those, 25 million ride 444,000 school buses. 
They do over 8.8 billion trips and are exposed that many times 
per year in regards to them being a soft target.
    I have provided you written testimony indicating what we in 
Spokane have done with the school district, the fire department 
and the police department.
    I certainly could come before you to indicate our wants, 
needs and desires in terms of funding for facilities, for 
training, target-hardening, or specific allocations for school 
resource officers. I, however, think it is more important to 
concentrate on the big picture, those things that actually 
matter at the ground level; those things that have affected us 
in Spokane.
    The all-hazards approach that we have conducted affects not 
only terrorism, not only disasters, or natural disasters, but 
any type of incident and the planning and preparation for those 
in advance has been what made the difference for us. Potential 
issues such as critical incidents, natural disasters and of 
course terrorism are those issues that we need to concentrate 
on.
    We are a nation of special interests, but one that cannot 
be seen through only one set of lenses. We need to be 
constantly looking at the big picture and looking at systems 
approaches, systems which combine resources, shared data, 
relationships built on trust, joint training exercises, not 
just large-scale required drills, but small-scale trust-
building exercises. It is less about me and mine, but more 
about us.
    Systems revolving around communications, relationships, 
pre-planning, data-sharing and the use of technology, I am here 
to tell you that it can be done with successful results.
    In a microcosm, I manage five departments: safety, 
transportation, security, worker comp, and insurance. Those 
five departments 10 years ago did not work together. They 
reported to different people and they did not help each other. 
But over the last 10 years, we have been able to cause the 
effect that we need to successfully work together.
    By ensuring that safety officers work with security 
officers, that security officers work with transportation 
staff, we ensure a system that responds to an incident no 
matter large or small, no matter whether it is a security issue 
or a safety-related issue, as a unit.
    In the city of Spokane, we also have made that opportunity. 
For over 10 years, we have had police liaison meetings between 
the school district and the police department. Those types of 
relationships and trust-building are critical to having 
resolved our incident at Lewis and Clark High School.
    Just 2 weeks ago, the police department conducted SWAT 
exercises within our high schools. They did not do it by 
themselves. They did not do it at the police academy, but they 
came into our schools. They have been doing this for years. At 
those exercises, we had our principals and our district 
resource officers.
    It is the relationships that we have built over the past 
several years that allow us to respond to an incident, to plan 
for it, and to communicate effectively when an incident occurs.
    At the state level in Washington, we have the Department of 
Emergency Management, the Office of Superintendent for Public 
Instruction, the Washington State Patrol, all working together 
with a data management system that allows us to map schools, to 
provide photographs, to provide the information related to the 
critical structures and information related to the 
organizational charts in every one of our facilities.
    Right here today in my computer, I have all 12 of our high 
schools and middle schools and all the data I need to make a 
decision from across the nation to be able to respond to an 
emergency or to communicate effectively with the fire 
department and police department.
    It is communication, relationships, data-sharing, 
preparation and working together as a system that causes the 
effect that we need. The question is, is on the federal level, 
are we sharing data, are we communicating, and do we have the 
relationships between the multitude of different agencies?
    I work currently with the Department of Homeland Security, 
the Department of Education, Occupational Safety and Helath 
Administration (OSHA), but I receive different direction from 
each of them. If we can have the relationships and the 
information and the communication that I think that we have 
shown in Spokane in the state of Washington with our police and 
fire, I think that we would go a long ways to solving our 
issues such as Katrina.
    Thank you for the ability to present. You have my written 
testimony. I would be happy to answer any questions.
    [The statement of Mr. Madsen follows:]

                 Prepared Statement of Joseph C. Madsen

                      Wednesday, September 7, 2005

    Mr. Chairman, Ranking Member Sanchez, and Members of the 
Subcommittee, thank you for having me here to discuss this important 
subject. My name is Joe Madsen and I am the Director of Safety and Risk 
Management for Spokane Public Schools in Spokane, Washington.
    I am before you today to discuss school safety and how the federal 
government can be more proactive in protecting our school children, 
teachers, and staff from a wide variety of threats and emergencies. 
Following 9/11, the federal government focused its efforts on improving 
security around airports, transit systems, and public facilities, the 
so called ``hard targets.'' Today I'd like to talk about one of our 
nation's most valuable assets, our children, and a successful program 
begun in Washington State that combines old fashion relationship-
building, interagency cooperation, and state-of-the art technology to 
protect our schools against terrorist attacks and other emergencies.
    We have more than 47 million children enrolled in educational 
facilities across the U.S. Because schools typically contain large 
numbers of students in a single location, they represent an appealing 
target for terrorists seeking the maximum emotional impact for their 
cowardly acts. Domestically we've already experienced a form of 
terrorism, and schools like West Paducah in Kentucky; Springfield in 
Oregon; Columbine in Colorado; and Red Lake in Minnesota stir emotion 
in the hearts of parents and dispel the feeling ``that it couldn't 
happen here.'' On the international side, it's even more disturbing. In 
Beslan, Russia last year, terrorists took more than 1,100 hostages at a 
local school. More than 330 students and staff were killed and another 
700 people were seriously injured. A similar incident occurred this 
June when terrorists attacked an international school in Cambodia and 
took over 70 children and staff hostage.
    I know first hand the damage a terrorist attack can do at a school. 
At 11:30 a.m. on September 22, 2003 a student with a 9mm handgun 
entered one of my schools, Lewis and Clark High School, in Spokane. It 
was the lunch hour and the school was packed with more than 2,000 
students eating lunch in the hallways, a tradition at this school.
    Normally, chaos would break out at this point. But in Spokane, the 
police, fire, school staff, and students are well trained on how to 
respond to emergencies. Just prior to the incident, Washington State 
had begun deployment of a statewide crisis management system (CMS) for 
protection of critical public infrastructure. Using this new system, 
the Spokane Police Department, the Spokane Fire Department, the 
Washington State Patrol, and school district officials implemented pre-
determined tactical response plans and quickly responded to the school. 
Detailed information about the school building in the CMS system 
allowed police to isolate the gunman in just 12 minutes, evacuate more 
than 2,000 students to a pre-established family re-unification center, 
and immobilize the gunman. The students were spared the trauma of 
having to witness the incident and were able to return to their school 
the very next day.
    This situation, and it would be no different if it had been an 
organized terrorist incident, a fire, a hazmat spill, or a hurricane, 
was successfully mitigated because the first responders in Spokane have 
developed an excellent system for emergency response, involving 
training, relationship building, implementation of FEMA's National 
Incident Management System (NIMS) protocols, and use of state-of-the 
art CMS technology that makes critical facility information accessible 
to all responding agencies. How this incident was handled, and the 
systems put in place to mitigate such events, could well serve as a 
model for other school districts across the nation.
    I'd like to take a few minutes to talk about this incident in 
greater detail, because the story exemplifies many of the issues facing 
police and fire today in responding to a wide variety of emergencies.
    To provide you with some background: In 2003 the State of 
Washington funded development of a statewide crisis management system 
for critical infrastructure. The computer-based system provides first 
responders with instant access to critical information, including fire 
and police tactical preplans and more than 300 data points including 
facility emergency plans, satellite images, interior and exterior 
photos, floor plans, evacuation routes, utility shut-offs, hazardous 
materials locations and more. The simple, easy-to-use software is 
designed to allow emergency response personnel to act quickly, 
decisively, and safely during any facility-related emergency incident. 
The system combines data that used to be kept in three-ring binders at 
a variety of locations into a single, master database. It also provides 
all responding agencies with equal access to critical infrastructure 
data. Equally important, facility owners can quickly update information 
about changes at their facilities via the Web, ensuring that first 
responders are basing their decisions on the most current data 
available.
    This system was implemented at Lewis and Clark High School in 
August 2003, just two weeks before the actual shooting incident. An 
integral part of the implementation is a series of planning sessions 
where school officials meet with their local police and fire 
representatives to pre-plan how each agency will respond to various 
emergency scenarios. This process establishes working relationships 
between first responders from various agencies and is the basis for 
development of trust and cooperation. The system is also compliant with 
FEMA's National Incident Management System (NIMS) and the Incident 
Command System (ICS). ICS, a subset of NIMS, is a standardized on-scene 
incident management protocol designed to allow responders to adopt an 
integrated organizational structure equal to the complexity and demands 
of any single incident or multiple incidents without being hindered by 
jurisdictional boundaries.
    The crisis management system adopted by Washington State melds well 
with the approach advocated by many of our nation's police and fire 
departments emphasizing the primary role local public safety agencies 
play in emergency response:
        1. Local responders need to have venue specific information 
        available to them in order to plan, prepare, and mitigate acts 
        of terrorism and other emergencies (both man-made and natural).
        2. While not frequently addressed in national anti-terrorism 
        policy, schools represent perhaps our community's most 
        sensitive venues.
        3. Local, tribal, state, and federal public safety providers 
        need to have affordable, reliable, scalable, and extensible 
        data system(s) to manage this information.
        4. Development of ``information silos'' creates 
        interoperability issues at local, regional, and federal levels. 
        The goal would be development of a standardized national 
        interface.
        5. First responders need to have simple and reliable access to 
        information in order to act swiftly and decisively.
        6. Disaster mitigation requires interagency cooperation and 
        common access to information in a standardized form.

    The Lewis and Clark High School Shooting Incident
    Now, let's go back and look at how this combination of interagency 
cooperation, preplanning, use of the Incident Command System protocols, 
and implementation of a crisis management system helped us successfully 
mitigate a potentially dangerous shooting incident at Lewis and Clark 
High School. It is important to remember that during this type of 
incident, many things are happening concurrently and involving a wide 
number of public safety agencies and other stakeholders.
    As gunfire rang out in the school, the principal and the school 
resource officer (SRO) immediately responded to the 3rd floor to 
evaluate the situation and determine the exact location of the gunman. 
In a shooting incident, the standard operating procedure calls for a 
school lockdown, but in this situation there were thousands of students 
out in the hallways eating lunch. After a short discussion, they 
realized the quickest way to evacuate the students was to pull the fire 
alarm. Lewis and Clark students go through numerous fire drills during 
the school year and were quick to respond.
    At the same time, a SRO at another school had pulled up the crisis 
management system on his laptop and was relaying information about the 
gunman's location and the school layout directly to police dispatch, 
which in turn passed the information on to responding officers.
    Local patrol officers arrived at the school within four minutes and 
initiated what is known as an ``active shooter response'' to contain 
the suspect. This means that they immediately entered the school and 
moved directly towards the gunman, not waiting for a SWAT team to 
arrive and deploy.
    During the Columbine incident, it took more than five hours before 
officers responding from multiple police agencies coordinated their 
efforts and entered the building.
    Fire, police, and school security quickly set up a command post in 
a pre-determined location and accessed the crisis management program on 
a nearby computer. The program can be accessed via laptop computers, 
Internet connected computers, or by thumbnail-sized USB devices carried 
by SROs and first responders. A SRO initially assumed the role of 
Incident Commander per the ICS protocol. Police, fire, and emergency 
services in the Spokane area all adhere to ICS, whereby responders play 
pre-determined roles during an emergency, independent of their rank or 
agency. This high level of coordination made a world of difference in 
their ability to quickly respond and mitigate the critical situation at 
the high school.
    The SWAT team, taking over from the active shooter team, positioned 
themselves in a nearby stairwell outside of Room 307 where the gunman 
was barricaded. They were puzzled when he popped his head out of three 
different doorways along the 3rd floor hallway. Officials at the 
command post accessed the floor plan via the CMS system and told them 
that Room 307 and Room 305 were connected by an internal doorway.
    As a hostage negotiator began talking with the gunman, officials in 
the command post noticed that the corner room he occupied had 
unobstructed views of the grassy field where the students had been 
evacuated, and to eight lanes of traffic on the adjacent Interstate 90 
freeway. Officials viewed aerial photos of the site and decided to move 
the students under the overhead freeway where they would be out of the 
line of fire. Using phone contacts listed in CMS, I called our 
transportation contractor, Laidlaw Educational Services, and asked them 
to immediately send 20 buses to relocate the students to an alternative 
site. Since the school district transportation department had 
participated in the preplanning sessions, they immediately understood 
what was needed. At the same time, a list of pre-determined roadblocks 
from the CMS was sent to the Spokane City Streets Department to block 
access to the school. Another list was sent to the Washington State 
Patrol to block access to the eight lanes of Interstate 90, which were 
exposed to the gunman's line of fire from the corner classroom. In both 
instances, valuable time was saved because all the roadblocks were 
determined during the pre-planning sessions with school officials, 
police, fire, and State Patrol that are part of the CMS implementation.
    As news of the incident spread to parents via cell phone calls from 
their kids, it became important to discourage parents from driving 
towards the school and blocking local access routes for emergency 
vehicles. PIOs from both the school district and the police departments 
worked together to provide ongoing information to parents and the 
general public regarding the evolving situation.
    Another problem developed when the gunman asked the police 
negotiator for matches. Fire officials knew from the CMS that Room 307 
was a science lab, and as such, had a number of natural gas outlets. 
The concern was the gunman may be suicidal. In addition, there was 
always the potential for an explosion caused by any errant gunfire. 
Officials in the command post called the local gas company, which 
dispatched the nearest crew to help shut off the gas. Unfortunately, 
the crew was used to working on residential facilities and wasn't 
familiar with commercial installations.
    Using the CMS, officials printed out photos of the utility shut-off 
valves and their location. A police officer escorted the utility crew 
and the gas was quickly shut-off. Fire officials also used the CMS to 
print out a list of all chemicals stored in Room 307. The printout 
listed the type of chemicals, their location, quantity, and Material 
Safety Data Sheets (MSDS) that profiled the chemical's characteristics 
and safety precautions.
    With all the students safely evacuated, the roads blocked off, and 
the gunman isolated to a single location, it became a waiting game 
between the police and the gunman. Unfortunately, the gunman chose to 
provoke the SWAT team who were forced to fire in self-defense. The 
wounded student was quickly evacuated by waiting paramedics to a nearby 
hospital where he eventually survived his wounds.
    What was learned as a result of this incident that is pertinent to 
terrorism incidents and other emergencies? First, schools are highly 
vulnerable to a terrorist type attack. They need to be considered by 
DHS for both increased funding and protection. Secondly, in any such 
incident, local responders always will be the first on the scene. In 
even a minor emergency, these responders will represent multiple 
agencies with overlapping and sometimes divergent priorities. It is 
absolutely critical that these agencies establish trusted, working 
relationships with each other prior to a major event. Facility owners 
(schools, court houses, businesses, etc.) also need to sit down with 
public safety officials to talk about how they will respond to a wide 
variety of emergencies, and how they will work with other agencies to 
mitigate the situation. Third, agencies need access to common, pre-
established communications channels during emergencies. Last week's 
rescue operations following Hurricane Katrina emphasize the problems 
when public safety and other responders cannot communicate with each 
other during rescue and recovery operations. And lastly, all first 
responders need access to detailed, up-to-date building and site 
information, such as that provided by a crisis management system.

    The Problem of Protecting Students on School Buses
    I've talked about the procedures for protecting students in school 
buildings, but we also need to consider the problem of protecting 
students on school buses, an often neglected area in emergency plans. 
Spokane Public Schools serve 31,000 students in 55 different 
facilities, including six high schools, six middle schools, 35 
elementary schools and a variety of special schools located in jails, 
hospitals and contracted agencies. Seven thousand of these students 
ride school buses to get to and from their local school. These 167 
buses, carrying between 44 and 72 students each, travel 9,000 miles 
each day, the equivalent of going from Spokane to New York City and 
back 180 times a year. Along the way, they stop at thousands of bus 
stops to pick up children.
    To give you an idea of the scope of the problem, there are more 
than 47 million students in any given day attending our nation's 
schools. Of these, 25 million ride in 440,000 yellow school buses that 
travel 8.8 billion trips each year. This is in comparison to public 
transit systems that serve 5.2 billion unlinked passenger trips each 
year in the U.S.
    It is now easy to understand why protecting students on all these 
buses is a gargantuan task. Imagine this frightening scenario: One of 
the Spokane School District buses does not show up at its school of 
destination after picking up its 58 students. It takes 12 minutes until 
a phone call is made from the school to the transportation department. 
They in turn call the bus contractor who attempts, without success, to 
contact the bus by radio. After another 15 minutes, the school 
district's security department and the Spokane Police Department are 
notified. In a city of more than 150 big, yellow school buses, it is 
next to impossible to check each one to see if they are the missing 
school bus.
    Meanwhile in Miami, Florida; San Francisco, California; Dallas, 
Texas; Tupelo, Mississippi; and Mt. Lebanon, Pennsylvania the same 
scenario is unfolding. Each local jurisdiction is dealing with a crisis 
of a missing bus full of children. It isn't until an hour later that a 
connection is made by a national AP reporter who ties together news 
reports of three of the instances. Thirty minutes later, now two hours 
into the incident, it is confirmed by an anonymous phone call to the 
FBI that what was a series of localized emergencies is now a national 
terrorist crisis.
    While it would be impractical to provide armed escorts for the 
thousands of school buses on our nation's roads each day, we can use 
technology, training, and communications tools to better protect these 
children. One solution, being implemented in Spokane Public Schools, is 
to do ``security mapping'' of school buses and incorporate this 
information, along with tactical response plans, into a CMS system. A 
similar approach could be taken with our metropolitan transit 
authorities nationwide, many of whom provide transportation services 
for school children.

    Constant Shifting of Priorities Jeopardizes National Security--A 
Study of HVAs
    Another issue effecting national security is how Hazard 
Vulnerability Analysis (HVA) information is ``siloed'' and not shared 
with other agencies. HVAs have been and continue to be a vital means of 
studying and prioritizing local community, state, and national areas of 
concern regarding natural disasters, emergencies, and security crises. 
There is no question that HVAs should be conducted at the local, state, 
and national levels. That said, local agencies, including emergency 
responders such as police, fire, medical, and EMS, as well as the 
institutions they serve (school districts, businesses, hospitals, etc.) 
should be held responsible for response planning, training, facilities 
security improvements, etc.
    Equally important is that the HVAs utilize an ``all hazards'' 
approach. I feel HVAs should not focus solely on security issues at the 
expense of fire prevention, medical services, or hazardous chemical 
exposures. As Hurricane Katrina has shown us in the past week, whether 
it is a terrorist incident, a hurricane, a flood or any other type of 
disaster, the emergency response is similar in all cases. Emergency 
agencies, as well as businesses and institutions, should support the 
cooperative sharing of HVAs through communication and joint planning.
    The root of this problem is that agencies often operate within a 
vacuum of their own priorities, frequently at the detriment of other 
agencies or service providers. Nationally, we seem to be bouncing from 
one priority to another (air transportation to subways to trains, etc.) 
with little coordination between agencies, first responders or those 
affected. HVAs certainly help to set department goals, budgets, 
training, etc., but if done without consultation with other responder 
agencies, it creates a system of individual priorities, and often, 
conflicting priorities. As a result, decisions about finance, training, 
personnel, equipment, policies, and response procedures are made 
without dovetailing into a national priority. It is easy to get caught 
up in MY needs and priorities when in an emergency; WE will need to 
work and act together as a system.

    The Importance of Sustainability of Programs
    Often the sustainability of a program is only thought of in regard 
to the funding of the program. Sustainability should be tied to local 
community priorities, or decisions regarding the determination of HVAs 
made by all stakeholder organizations. It is only through this joint 
decision-making that long term support of a program can be ensured. 
Most federal grants now require the signatures of many different 
service agencies or end users. These signatures by themselves, however, 
do not ensure long term cooperation.
    Another aspect of sustainability is the continued ``silo effect'' 
that permeates many agencies based on their specific goals or mission. 
While these missions are important to those they serve, they do not 
necessarily meet the needs of a common good. Take for example the 
Department of Justice, the Department of Homeland Security, and the 
Department of Education. Each of these agencies offers grants designed 
to serve the needs of states and local agencies. It is rare, however, 
that these agencies coordinate their efforts and require these funds to 
be used jointly or leveraged to serve a common good.
    One of the final indignities regarding sustainability of programs 
is that if a program is effective, the funds are cut! Why would you not 
reward and promote programs that have been successful, thereby enabling 
the programs (with a requirement in future funding) to help other 
agencies or service providers, both public and private. Agencies invest 
time, energy, and limited funding into these programs. To not support 
the outcomes and take advantage of their successes is poor fiscal 
planning in my opinion.
    Lastly, the sun-setting of grant funding creates an unmet need for 
newly created programs. In many programs, services are established or 
programs developed that then create service expectations in the local 
community. When the local entity cannot fiscally support these services 
due to grant money drying up, the program goes away leaving recipients 
empty handed and not served. Having the money to start up well meaning 
programs is great and serves to fill a short-term need. A more 
effective approach would be to tie grant funding to longer timelines 
for providing services and ensure that the written assurances of 
agencies supporting the grant application are, in fact, not just 
signatures but collaborative commitments. And by working with grant 
recipients in their local communities, rather than having them attend 
planning and training sessions in Washington, DC, you would go a long 
way to ensure the long term success of the programs.

    Federal Direction and Support for Communications Systems
    Currently, the various response agencies and those they support in 
Spokane have the following means of communications available for use in 
emergencies: ``push to talk'' radios, such as Nextel®, UHF radios, 
VHF radios, 900 MHz radios, cellular phones, PDA's, Smart Phones, cell 
phones, laptop computers with a variety of communications software 
platforms, personal recreation radios, and PC-based Internet e-mail. As 
you can see, we are not lacking in the means of communicating; we are 
in fact buried in it.
    Due to the number of divergent systems in place, we are less able 
today to communicate with other agencies and even within our own 
organizations. As an example, even the local branch of the U.S. Postal 
Service has its own internal PDA communications system. They have a 
wonderful means of communicating with their fellow members of the U.S. 
Postal Service, but it does not allow for communications with other 
agencies or those emergency responders who might be providing services 
to them.
    The ability to communicate is essential in an emergency. From the 
advent of the NIMS system in the 1970s, the result of disastrous 
wildfires that occurred due in part to a lack of common communications 
systems, to the recent 9/11 tragedy in New York City where fire and 
police could not communicate, communication continues to be a critical 
issue. Common radio frequencies or communications methods are an 
important part of an essential communications system. Again, the 
breakdown of communication between first responders during Hurricane 
Katrina exemplifies this point.
    Functional radio communication is one part of the solution, and 
human communication is another. Having agencies and end users meeting, 
planning, and training prior to an incident is critical to reducing 
response time and saving lives. Sitting down together and conducting 
pre-plan tactical exercises allows: 1) relationship building, 2) 
establishment of trust; 3) an understanding of the other agency's or 
business' needs during an emergency; and 4) the development of a common 
plan of action.
    In Spokane, we use a crisis management program that facilitates 
collaborative pre-planning sessions and collection of critical data 
about key facilities. In addition to providing a common platform for 
data collection (including photos, organizational charts, floor plans, 
site plans, hazard chemical listings, etc.), it provides the necessary 
forum for the pre-incident planning. In my experience, this approach is 
critical in breaking down communication barriers and building trust 
between first responder agencies and the organizations they serve.
    One of the benefits of the crisis management system developed by 
the State of Washington is that it is a statewide program. In 
Washington, all first responders, including police, fire, State Patrol, 
and others all have access to the same master database of information. 
The Washington Association of Sheriffs and Police Chiefs is responsible 
for the crisis management system, assuring that there is a common 
platform for data collection, training, procedures, response policies, 
and data security between local, county, and state first responders and 
their recipients.
    If each local fire, police, and emergency management agency chose 
to use a different system, a coordinated response would be difficult.
    Establishing a standardized statewide system is certainly not 
without its difficulties, especially those issues concerning ``turf,'' 
budgets, and political concerns. But once agencies begin to use the 
system in actual emergencies, most of these issues resolve themselves 
and the agencies begin to see the inherent value of such a system. In 
our case, the CMS approach has truly served as a catalyst for 
collaboration and problem resolution. This type of program fosters 
communication, collaboration, and helps to build trusted relationships, 
all of which are critical factors during an actual emergency situation 
when lives and property are on the line.

Suggestions and Recommendations
        1. Facilitate relationship-building between agencies at the 
        local, state and national level, both within individual 
        disciplines and between different types of agencies and 
        organizations. Providing for training, in-services, and product 
        conferences where planning, response, resolution and recovery 
        conversations could be facilitated to establish common ground 
        and exchange key information.
        2. Provide for sustainable funding of model programs based on 
        the requirement that agencies share their expertise and 
        experience with others in their industry. The funding would be 
        broad-based in that it would come from various agencies and 
        serve to establish and maintain collaboration between local 
        agencies and those they serve. It would encourage local 
        investment of time, talent, and funding to create joint 
        planning and response.
        3. Develop and adopt communication models that can be 
        implemented on a local or statewide basis. Support programs 
        that facilitate pre-incident data collection and pre-plan 
        tactical exercises, and encourage relationship-building between 
        emergency responders and those they serve.
        4. Support the development of an ``all hazards'' approach to 
        emergencies, disasters and crises by providing all first 
        responders with the basics in response protocols, 
        communication, and incident response. Encourage adoption of 
        NIMS / ICS protocols. Provide ICS training not only for police 
        and fire services, but also for other emergency responders, 
        including those in the public and private sector who will be 
        responsible for ensuring their own employees' safety during the 
        early stages of a crisis.
        5. Establish model plans for response to various emergencies, 
        disasters and crises. Select a lead federal agency in each area 
        that would become the ``go-to'' agency. This would reduce 
        competition between agencies, create efficiencies at the 
        Federal level, and reduce confusion on the part of local 
        agencies regarding direction.
    Once again, I appreciate the opportunity to come before this 
subcommittee to share my views on these subjects.
    I will be available for any questions.
    Thank you.
    [GRAPHIC] [TIFF OMITTED] T8921.001
    

    Mr. Lungren. Thank you very much for your testimony.
    I want to thank all the witnesses for their testimony. More 
than that, I would like to thank you for the work that you have 
already done in terms of responding to the various hazards, 
specifically terrorism, but all of the hazards that may affect 
your facilities wherever they might be.
    I would like to ask one question to all four of you on the 
panel.
    It seems to me that all four of you have talked about 
communications being extremely important, communications at the 
time of an incident, but even before that, communications in 
preparation for any type of problem, with local authorities, in 
some cases federal authorities.
    My question is this: While the detail of information that 
you have, the digitalized documents that actually give people a 
blueprint and a visual of where they go and where 
vulnerabilities are, I presume you would be very concerned 
about that falling into the wrong hands. Has there been any 
concern expressed by any of you about this information getting 
public?
    For instance, we do have the Freedom of Information Act. 
There are certain exceptions that we have built into the 
legislation that prohibit that from being turned over to the 
public.
    But have any of you had that concern raised, and if you 
have raised it, have you had responses that are satisfactory to 
you by the authorities, either local, state or federal?
    Mr. Millar?
    Mr. Millar. Yes, we have had that concern. However, we do 
believe that the steps taken by the Congress a couple of years 
ago to change, give those exceptions, as you have said, have 
taken care of it. That has greatly enlarged our ability to 
share among transit properties. So I do not believe that is a 
significant problem to us right now.
    Mr. Lowy. We are nervous about the issues there. Not only 
do we have the plans digitized and we give an update disk to 
local authorities each month, we also have then on the 
Internet. We have a Web site that is available where the local 
police, fire, ambulance, et cetera, have access to the mall 
that they may be dealing with.
    The issue for us, though, is that since we deal with them 
on such a local level, I would be surprised if even as you get 
higher up in the LAPD or certain of the police departments that 
we deal with that even know that that actually happens. When we 
deal with them, we deal with the local watch commander or the 
person in the local patrol cars. We go as far as having to buy 
them actually laptop computers because they do not have them to 
access the information.
    So while it is a risk, it is one that we deem appropriate 
because there is no other way to inform them and give them all 
the information they need.
    Mr. Lungren. So you are not sure exactly who all has it 
within the departments that you are dealing with?
    Mr. Lowy. We know who we are dealing with who has it. We do 
not know how far up the chain they actually send them and deal 
with the authorities. It also depends on how large a city you 
are dealing with or how small a city.
    Mr. Lungren. Sure.
    Mr. Lowy. In Los Angeles, such a large city, if it is not 
the West L.A. guys who know what we are dealing with, I would 
be surprised if they know what is going on downtown. That is no 
opinion about the city and how it is run. It is just such a 
large city.
    Mr. Lungren. Just an observation?
    Mr. Lowy. Yes, just an observation.
    Mr. Lungren. Mr. Norton?
    Mr. Norton. We have taken steps post-9/11 with regards to 
this, especially in New York City, where a lot of our building 
documents were a matter of public record. Anybody could go down 
to city hall and pull these documents and do studies on them.
    There was, working in conjunction with the Real Estate 
Board of New York, a law passed that there is a signature now 
required by the owner of that building if somebody goes down 
and is trying to get reference to that particular site. So that 
was a good thing that was implemented.
    Additionally, in other markets where we used to have 
readily available, and I am speaking on behalf of commercial 
office buildings, plans for potential leasing and potential 
bringing in tenants, that kind of data is now secured both 
internally within the company and outside as well as off-site 
locations. So in the event of an emergency, we have access to 
that and we can get that to federal and local officials.
    Again, I think it is important to emphasize we need to 
build the trust, and I think you have to earn that trust over 
time in working in conjunction with the federal, state and 
local.
    We have done that in New York City and we feel that working 
with them and having them look at our high-profile assets, they 
have a very comfortable level of if there was an issue that 
came up, they understand what we are up against and they 
understand how to attack it, unlike the World Trade Center when 
they went down. There were no plans. They did now know where 
people were down in the retail. So there were a lot of lessons 
learned there.
    Mr. Lungren. Mr. Madsen?
    Mr. Madsen. Three points.
    The data-set that we have in Spokane and Washington state 
is controlled by the Washington Association of Sheriffs and 
Police Chiefs. They own that data as such, so it is 
confidential in that nature.
    Secondarily, there are different levels of access in terms 
of us being able to authorize different agencies, whether it is 
police, fire, or the Department of Emergency Management.
    And then the last point is really about the control of the 
data, while still allowing it to be used. We had a flood in one 
of our high schools. That data was very important to the 
maintenance department to save a $100,000 gym floor. If we 
regulate it down to a point where it can only be used for one 
purpose, I think that that is wasted financial dollars. Again, 
that all-hazards approach is very important. That data can be 
used for a multitude of different things and it would be a 
shame to waste it. It is secure. We can limit it, but it has a 
multitude of purposes.
    Mr. Lungren. Thank you very much.
    Mr. Pascrell is recognized for 5 minutes.
    Mr. Pascrell. Thank you, Mr. Chairman.
    Mr. Madsen, I am very interested in what we tell kids about 
impending threats. I want to ask you a couple of questions, if 
you will respond, since you are there day to day.
    How do you prepare children to respond to an attack without 
inducing fear in those kids? How do you do that?
    Mr. Madsen. We have, for the last 10 years, done training 
with our staff and our students. We have a four-step process. 
That process starts with the general orientation of the 
principal of the building to let them know about the district-
wide plan, our three levels of crisis codes. From there, we 
then move on to the building staff itself.
    The reason for that first and second step is to make sure 
that the building staff, the school staff, have an 
understanding that their principal, their person in charge of 
the building, has a level of understanding and they then in 
turn have a confidence with them.
    We then move on to the third level, which is actually 
conducting tabletop exercises or small drills.
    Mr. Pascrell. What do you tell the kids before you are 
conducting the drills? Why are we conducting the drills? What 
are you telling these kids?
    Mr. Madsen. That is the fourth step, and that is 
publicizing to both parents in newsletters as well as students 
in orientation that we are going to be doing these drills, 
again from an all-hazards approach. It does not matter whether 
it is a terrorist activity, a school shooter, or a railroad 
tanker overturned by a school. We want to be prepared.
    They do nine fire drills every year. We are very well 
supported by the superintendent. In addition to that, we do two 
crisis drills. Those are active drills that are done, both 
walk-down as well as all-hazard.
    It is to the point where they are not fearful. It is 
commonplace, much like throughout this nation for 100 years we 
have done fire drills. It is the same level of preparedness, 
and just as they are not anxious because of the ongoing nine 
fire drills, their doing the two crisis drills every year 
allows them to not be anxious.
    Mr. Pascrell. So what you are telling us is that what you 
are telling children, communicating to children, is that we are 
stepping up the process, the mechanism, but really this is a 
fire drill we are doing which will encompass the entire school 
that you are in. Is that what you are telling kids?
    Mr. Madsen. It is moving beyond just a hazard of fire 
itself in a building, but all other hazards that could occur. 
Unfortunately in our nation, with what is occurring, we need to 
be prepared. We want to keep you safe. We tell parents we want 
to keep their children safe.
    We have had very, very little push-back from parents in 
regard to that these live drills. We are doing them throughout 
the school district at all levels, elementary, middle and high 
school in 55 facilities.
    Mr. Pascrell. Spokane schools, I imagine, have quite a few 
police officers in them with regard to the COPS program, which 
was a very successful program. What experience have you had 
with the very police that are already in your schools?
    Mr. Madsen. There are two levels of police. We have our own 
Spokane public school district resource officers. There are 11 
of them located throughout the elementary, middle and six 
particularly in the high schools. We did have six SROs as part 
of that COPS in-schools program.
    Those funds have gone away, and so unfortunately we do not 
have the Spokane Police Department SRO program currently. We 
still have retained the 11 officers and I know that the chief 
has prioritized the SROs to come back first on his budget.
    Mr. Pascrell. Mr. Millar, if I may?
    Mr. Millar. Yes, sir.
    Mr. Pascrell. In your testimony, you talked about not only 
the lack of response from Washington and this huge $6 billion 
inventory of needs that you laid out for us. And you are 
disappointed, correct me if I am wrong, at the $600 million 
response in the 2006 budget. Is that correct so far?
    Mr. Millar. That is correct so far.
    Mr. Pascrell. Let me ask you this question. It seems that 
you spent some emphasis on how the money gets to the transit 
systems. You are recommending and suggesting, I think, a change 
in how this money is distributed, since a lot of it has never 
gotten to the point of implementation.
    What you are suggesting is, are you not, the money go 
directly to the transit system, rather than go through the 
state administrative system. Would you explain that and why you 
believe that the system should change?
    Mr. Millar. Yes, sir. Transit systems are responsible for 
the safety and security of their customers. We understand that. 
We have long-time direct relationships with the federal 
government, primarily through the Department of Transportation. 
We are used to applying for federal money. We are used to 
receiving it. We are used to all the requirements for audit and 
other things that necessarily come with the federal government. 
We do not believe that there is any value-added by sending it 
through the states. It is simply another step.
    Now, we certainly agree that the states have statewide 
planning responsibilities, and we certainly agree that the 
money that we would receive ought to be consistent with the 
statewide plans, much the way transportation money is now 
distributed. It has to be consistent with area-wide and 
statewide plans. But we see no value in sending it through the 
states.
    In addition, the Congress at least 2 years ago authorized 
as much as 20 percent of the money intended for transit to be 
skimmed off by the state. Now, last year the Appropriations 
Committee put a 3 percent limit on it, but still we do not see 
why 3 percent of the money that should be going to improve 
security for our customers, your constituents, ought to go off 
to some administrative red tape. It makes no sense, never mind 
the time delays and all the other aspects of it.
    Mr. Pascrell. Thank you for the response.
    Mr. Chairman?
    Mr. Lungren. Thank you.
    The chair now recognizes Mr. Linder for 5 minutes.
    Mr. Linder. Mr. Millar, if $600 million is not enough, how 
much is enough?
    Mr. Millar. Let's be clear about the $600 million. The 
president's proposal was to take several infrastructure groups, 
public transit, railroads, ports, a number of other group, and 
lump them all together to $600 million. So even on my happiest 
day, I could not imagine, even if the Congress appropriated 
$600 million, that public transit would get anything other than 
a small portion of that because the needs in the other areas 
are great as well.
    What we have suggested is that we work with the Congress 
and the administration on about a $6 billion program. We could 
not spend all that money in a single year. We have suggested 
that it be spread over 3 years. We do believe that once this 
initial investment is made in capital infrastructure 
improvement, in training, in research, in planning, there will 
be an ongoing need, but it will be a much smaller need. It will 
be perhaps $800 million a year, something like that.
    But we simply need to bring our systems up to standard; do 
common sense improvements. As the chairman has said and we 
completely agree, we are not talking about an airport-style 
screen every passenger, but we do believe the kinds of 
improvements that I have spoken about in my testimony, which 
everyone agrees need to be done, ought to be done. It is a 
partnership between the federal government, state government, 
local government, and we are prepared to be part of that 
partnership.
    Mr. Linder. Mr. Lowy, how many owners of real estate, 
organizations are doing this, digitizing their plans?
    Mr. Lowy. As far as I understand, we are the only one that 
I know of. It is something we actually developed ourselves. As 
we were involved, we were in the retail facility at the World 
Trade Center prior to 9/11. It was something that we started 
doing even before that. Mainly the issue there is to be able in 
an emergency to know where all the entries and exists are; how 
to get people in and out; and how to get the first responders 
into the facilities.
    Mr. Linder. And that is in your interest?
    Mr. Lowy. That is definitely in our interest, and in the 
interest of our customers.
    Mr. Linder. Mr. Norton, why aren't other organizations 
doing that?
    Mr. Norton. I cannot speak for what other organizations are 
doing with regard to digitizing. But as I stated earlier, we 
have taken precautions post-9/11 with regard to building plans, 
securing them, making sure in the event, especially on a high-
profile asset like the ones that I had mentioned earlier, that 
we are prepared. If an event does take place, we are prepared 
to go in with both federal and local governments and assess 
that situation with the proper plans.
    Again, I cannot speak for what the rest of the industry and 
what they are doing and why they are not doing it.
    Mr. Linder. Do you have a rough idea, Mr. Lowy, of how much 
you have spent doing this?
    Mr. Lowy. Just on the digitization? What we have actually 
done is we have probably spent on the investment in security 
somewhere around $25 million a year on capital items, and about 
$40 million a year on operations. But the digitization of the 
plans and what we have done, we have actually created our own 
internal systems that integrate the digitization of the plans, 
the CCTV cameras that we use and all of the information on the 
malls that we can use remotely are on-site, really in response 
to what happened to us at the World Trade Center.
    Because we have been involved in it and have dealt with it, 
we have unfortunately a knowledge and an expertise that we 
would rather not have. But once we saw all the issues that we 
faced, we have just been developing these systems for the last 
4 or 5 years in-house. The problem at the end of the day, 
though, is while we can do this for our facilities, integrated 
with all these other office buildings and all the other cities 
and everything, and we need to be part of the wider community 
as well.
    Mr. Linder. Mr. Norton, why isn't it in the interests of 
BOMA to spread this information and do it on your own?
    Mr. Norton. Again, I cannot speak for BOMA, but again for 
Tishman Speyer's properties, we, and I think there are 
organizations on the vendor side that have new programs out 
there that you can actually buy into, are looking at this. 
Again, are you going to do a suburban building in Phoenix 
versus a high-profile asset that sits over a transit station in 
midtown Manhattan? I think post-9/11 we have put a lot of 
emphasis on just gathering that data and making sure it is 
secure and safeguarded.
    Again, I think it is something of the future, especially 
with the computer age, that we will continue to look at this 
and eventually get all of our buildings as an industry on this 
kind of a program. That will then be shared. Again, I think it 
will take getting more association with DHS and the other state 
and local government and federal agencies more time in getting 
comfortable with these organizations, to start sharing this 
kind of information. Because I think it would be overwhelming 
to try to get all this information and give it to these people.
    In the commercial real estate sector, it changes. You will 
move tenants in; you will move them out. You will reconstruct 
space. You will add floors and take floors down. So it is a 
continually changing process.
    So to update and keep plans accurate on such a mass volume 
of real estate throughout the portfolio of the United States 
that we are focusing on, I think would be a big undertaking. I 
think in time you will have to address it. It will have to be 
addressed.
    Mr. Linder. Thank you, Mr. Chairman.
    Mr. Lungren. The gentleman, Mr. Dicks, is recognized for 5 
minutes.
    Mr. Dicks. Thank you very much.
    I want to thank all the witnesses for their testimony, 
particularly Mr. Madsen. I want to welcome you here to the 
committee. I appreciate your work on the school mapping 
program.
    The incident that occurred at Lewis and Clark High School, 
which you referred to in your testimony, was terrifying, but 
lives were very likely saved because of your mapping program 
that had just been implemented a couple of months before, which 
enabled first responders to see detailed maps and information 
about the high school while they were traveling to the scene. 
Instead of taking many precious minutes to formulate a 
response, once they got the high school police were able to hit 
the ground running.
    That is the key to this mapping program, that you have all 
the information gathered and in a PC you can go through it as 
you proceed out to the incident, wherever it is.
    Mr. Madsen. You can access it in a variety of fashions. You 
can have it on the hard disk as I do on my laptop here. You can 
do it with a thumb-drive or you can do it via the Web. The 
benefit of the program is two-fold. One is the data-set itself. 
The other is the creation of trust and relationships. The pre-
planning tactical sessions that were done prior to the incident 
between police, fire, transportation and the school district is 
one of the critical pieces.
    Mr. Dicks. I would say to my colleagues on the committee, I 
am very proud of what Washington state has done on this. 
Washington has completed the emergency planning, mapping and 
inventorying all of the public high schools in the state, over 
400. The state legislature has initiated funding for mapping of 
all public elementary and secondary schools. The year-long 
project to map the more than 1,275 elementary and middle 
schools began this July.
    Also, we have done a program on critical infrastructure in 
the state of Washington so that key buildings, Washington has 
entered over 1,200 sites and 6,500 individual buildings into 
the critical infrastructure planning and incident management 
system, which I think will give first responders in our state a 
much better opportunity in a crisis to be able to deal with 
that particular facility. I think this technology, which has 
been developed by a company not in my district, but in Seattle, 
Prepared Response, Inc., they build and deploy this school 
mapping and solutions used by the state of Washington.
    So I want to commend you for your work on this and your 
involvement and leadership in the Spokane area. You need a 
little leadership over there these days. But honestly, you guys 
have done a great job and we are proud of you.
    Also on the question of transportation, I agree. I think we 
need to have a more even-handed approach to this thing. My view 
of it is a lot of the money has been spent on air 
transportation, and these other modes have not been given the 
consideration that they need to.
    I also want to thank the witnesses from the private sector. 
I would recommend that you take a look at what we are doing out 
in the state of Washington. I think in major cities to have 
this kind of a mapping program where they really can look and 
have the analysis of these buildings ahead of time would help 
in any situation.
    I thank you for my time, Mr. Chairman.
    Mr. Lungren. I thank the gentleman.
    Mr. Langevin is recognized for 5 minutes.
    Mr. Langevin. Thank you, Mr. Chairman.
    Gentlemen, I thank you all for your testimony this morning. 
It has been very enlightening and the committee appreciates it.
    Mr. Madsen, let me begin with you, if I could. In your 
testimony, you describe a sophisticated technological system to 
provide building plans and predetermined emergency response 
scenarios for first responders. I am actually familiar with the 
technology. It is actually very impressive. As my colleague Mr. 
Dicks just mentioned, the Lewis and Clark shooting incident 
proved that the system can mobilize police, fire and school 
security to quickly respond to an emergency.
    My question, if I could just delve in a little bit and talk 
about again the costs: I think you have mentioned that already, 
but the costs associated with implementing the system, and if I 
could ask how did your school district pay for the system? Did 
you receive any federal assistance in helping to pay for those 
costs?
    And if you could just elaborate a little bit for the 
committee on what other soft targets could potentially benefit 
from a similar implementation.
    Mr. Madsen. Our funding in Spokane public schools has come 
from a variety of sources. The initial funding, by us being 
proactive and actually wanting to be part of a pilot, we do 
that quite a bit, allowed us to be part of the state pilot 
project, which allowed us to be mapping Lewis and Clark High 
School when that incident happened.
    The rest of the high schools came from the state, funding 
through the state legislature. Our middle schools were a 
separate grant, privately funded. Our elementary schools, I 
attached that to our Safe Schools/Healthy Students Grant that 
we applied for last year and received this year.
    Our school district, along with five others, share a $8.3 
million, of which a portion of that, about $250,000, was 
assigned to our 35 elementary schools and the other 27 
elementary and middle schools in the other school districts.
    So it is creative financing. It runs anywhere from $5,000 
to $12,000 per building. Then it is just time from there on 
maintaining that data.
    Mr. Langevin. And can you elaborate for the committee on 
other soft targets, buildings, assets, that could benefit from 
the technology?
    Mr. Madsen. Currently, we are working on our school buses. 
I feel--and I am in a very unique position with both safety, 
transportation and security departments, to see kind of a 
bigger picture.
    I think that the issue with school buses in our nation, but 
specifically in Spokane, is critical. We will have all of our 
school buses, the six different types that we operate, with our 
contractor, Laidlaw as a partner, actually mapped. So all of 
the exits, all of the electrical shutoffs, the fuel tanks, all 
of those types of systems or components in regard to the 
physical school bus.
    So whether it is a rollover or whether it is a terrorist or 
hostage situation or a fire on board a bus, fire and police, 
school security and transportation all have access to that 
critical data. That is my next step in our school district, is 
to map the actual school buses. It is not a building, but it is 
a rolling facility for us, and it has up to 72 students.
    Mr. Langevin. Thank you.
    Mr. Dicks. Would my colleague yield just for a quick point?
    Mr. Langevin. Of course.
    Mr. Dicks. RPI, the company, has mapped all types of 
venues, including schools, hospitals, port facilities, 
commercial office buildings, water treatment facilities, and 
Navy ships. So this has been used broadly in many different 
contexts.
    I appreciate your yielding.
    Mr. Langevin. Thank you. I appreciate your making that 
point.
    Quickly before my time runs out, to Mr. Lowy. Your 
testimony indicates that your company spends about 20 percent 
of your operating costs on security.
    Can you just tell us, is this amount standard across the 
commercial real estate industry? At what point, I should say is 
there a point, where the economic costs of security have a 
greater affect on your bottom line where the cost-benefit 
analysis shifts?
    Mr. Lowy. I think the issue is not how much money we spend, 
but how effective is the money that we spend. Security is now 
the single largest line item in the mall industry itself, the 
single largest cost line item that we face, which is even more 
than our cleaning costs, which cleaning used to be major item.
    Where it is really affecting it is in the mall industry you 
tend to be able to collect the cost of managing and operating a 
mall back from the merchants. So what happens is at the end of 
the day the cost of security ends up in the price of goods that 
are sold to the consumer. It is in essence added to the rent 
that a retailer pays.
    The issue with those costs, though, is a retailer can only 
pay a certain percentage of the cost of these total sales at 
the end of the day. The cost of security, that is increasing 
substantially after 9/11, while it is not eating into the 
bottom line just now, it all depends on how much you can pass 
on to the consumer or not, what happens with general prices, 
and then what happens with the total cost of operations for a 
retailer.
    I would like to add to the last testimony, just for one 
second.
    We actually do something similar to what they are doing in 
Washington in our malls across the country. We are actually 
have integrated that into our CCTV cameras, which is also on 
the Internet. We run a 24-hour-a-day central facility which we 
can access and also local authorities can access, which has all 
the plans, all the maps, all the fire hydrants, everything 
available to them, as well as real-time online cameras that we 
use for management as well.
    So we have actually implemented that in the mall business 
here in the U.S. and we are actually exporting that to the U.K. 
within our own portfolio.
    Mr. Langevin. I see my time has expired. Thank you all for 
your testimony and for being here. It has been very helpful. 
Thank you.
    Mr. Lungren. The chair would state that we have received a 
statement of testimony from the International Council of 
Shopping Centers, who have requested that it be entered into 
the record. If there is no objection, I will do so.
    So ordered.

                             For the Record

 Statement Prepared on Behalf of the International Council of Shopping 
                                Centers

                           September 7, 2005

    Founded in 1957, the International Council of Shopping Centers 
(ICSC) is the premier global trade and professional association of the 
retail real estate industry. Its more than 50,000 members in 96 
countries include shopping center owners, developers, managers, 
marketing specialists, investors, retailers and brokers, as well as 
academics and public officials. As a global trade association, ICSC has 
relationships with 25 national and regional shopping center councils 
throughout the world.
    The shopping center industry takes its role of providing a safe and 
comfortable environment in which to shop very seriously. Security has 
always been a priority of the industry. Simply put, consumers will not 
shop at a shopping center that they do not feel is safe.
    Shopping centers employ well-trained professional security officers 
and enjoy excellent working relationships with their local municipal 
police departments. In fact, many shopping centers actually have a 
police sub-station located within the center. Those that do not have a 
police sub-station are frequently visited by local police patrols. 
While the shopping center industry has a long history of providing a 
safe environment in which to shop, we recognized that the terrorist 
attacks on our nation forever altered the way we police and secure our 
shopping centers.
    In October 2001, ICSC and the shopping center industry convened a 
conference call with the newly formed Department of Homeland Security 
(DHS) and representatives of the Federal Bureau of Investigation (FBI). 
The conference call was initiated by ICSC to establish a working 
relationship with DHS and to allow shopping center security 
professionals and law enforcement officials the opportunity to share 
security practices and procedures. In all, over 1,000 shopping center 
industry professionals participated in the call. Since that initial 
call, ICSC has been in constant contact with DHS and the FBI to provide 
a communication channel for our members.
    Communication is paramount. ICSC joined with other real estate 
associations in creating an Information Sharing and Analysis Center 
(ISAC) to expedite two-way security intelligence between retail 
properties and DHS. ICSC will continue to monitor the threat level and 
communicate to our members any and all information from government 
authorities as soon as it becomes available.
    ICSC members have actively participated in the DHS Basic Terrorism 
Awareness Training program. In the first year, ICSC had 609 
participants representing 20 programs. In 2005, 18 programs were 
involved with over 500 participants. In addition, ICSC is developing a 
comprehensive training program that addresses the potential for 
chemical, biological or radiological terrorism. Designed to meet the 
DHS Office of Domestic Preparedness requirements for the first-
responder community, ICSC's program is utilizing a ``train-the-
trainer'' approach. Each participant will be expected to share the 
program's training insights with other security personnel thereby 
enabling the industry to maximize the effectiveness of the program.
    Since September 11, 2001, the shopping center industry has been on 
a heightened state of alert. Many of the security procedures the 
industry implemented will be obvious to consumers. These include but 
are not limited to:
         Increased patrols by uniformed security personnel in 
        and outside of the shopping center.
         Increased patrols by uniformed local police officers 
        in and outside of the shopping center.
         No overnight parking in parking lots.
         No curbside parking.
         The use of barriers and or blockades in front of 
        entrances.
         The use of security surveillance camera systems.
    In addition to these security procedures, the shopping center 
industry has implemented many programs and policies that go on ``behind 
the scenes'' and will not be obvious to consumers. These include but 
are not limited to:
         The lockdown of heating and ventilation systems with 
        access limited to center personnel.
         The lockdown of loading docks.
         The lockdown of supply corridors.
         Searches of incoming deliveries.
         Background investigations of center personnel.
         All workmen entering a center must be prescreened, 
        have identification, and report to security before starting 
        work.
         Increased patrols by non-uniformed security personnel.
         Increased patrols by non-uniformed local police 
        officers.
    Shopping center security is very site-specific. What is needed and 
used at one center may not be appropriate at another center. There are 
many factors that are used by shopping center security professionals in 
concert with their local police departments to determine the level of 
security required. These factors include but are not limited to the 
size of the center, location of the center, history of criminal 
activity in the surrounding community, and size of the local police 
department.
    While we are under a heightened state of alert, some centers may 
choose to change or increase their level of security. Others may not 
because they are confident the level of security in place is 
sufficient. Again, security is a site-specific science and it is 
important for consumers to have a sense of normalcy in their lives, and 
that includes the ability to travel freely about our shopping centers 
without being unduly inconvenienced.
    As Peter Lowy of The Westfield Group demonstrated in his testimony 
before this subcommittee, the retail real estate community is actively 
engaged in responding to the lessons of September 11 as well as the 
attacks in London. ICSC appreciates this opportunity to provide the 
subcommittee with an additional perspective of the overall shopping 
center industry. Please do not hesitate to call upon ICSC or its 
individual members during your future deliberations.

    Mr. Lungren. The Gentlelady from Texas?
    Ms. Jackson-Lee. Thank you very much, Mr. Chairman.
    The issue before us is an extremely important issue and I 
will pose a question based upon your expertise. I would like to 
acknowledge the committee for its wisdom in delaying the other 
witnesses who are presently dealing with a horrific horror in 
our own nation that is occurring.
    In light of that and in light of my representation of the 
impact area in Houston, I just want to make these remarks for 
the committee's consideration, and as well for the record. It 
is very important that the work of rescue and recovery dealing 
with Hurricane Katrina continues, so I am the least willing to 
distract individuals from the work at hand. But I do believe 
that there should be important interaction.
    I note that a number of impacted members are on the 
Homeland Security Committee and are probably functioning from 
one place to another trying to assist their constituents and 
others. But I do believe, Mr. Chairman, and to the prospective 
full committee chairman and ranking member, that we should be 
having daily briefings either by conference call or otherwise 
of the progress that is being made in the region.
    I think there are some serious policy issues that should be 
addressed as well, particularly on the question of the human 
devastation. The individuals, in essence, in Houston for 
example, probably the largest repository at this time, 
placement of evacuee survivors, has an array of disparate 
policies that are enormously confusing, particularly with the 
presence or the work of the Red Cross and FEMA and the need for 
there to be some alignment and cooperation. The establishment 
of Red Cross sites is not really organized. The presence of 
FEMA personnel is not there yet, not enough. The need for 
increased technology, a system-wide technology that would be 
able to reunite families.
    And then one of such magnitude that I think that we need an 
immediate cease-secession order, cease and desist. And that is 
the random evacuation of persons who desire not to be evacuated 
to places unknown. There are policies of putting people on 
airplanes, and when the door is open in the jurisdiction they 
say, ``They put me on the plane, they closed the door, and I 
didn't even know where I was going.'' And this is in America.
    So I hope that, although Mr. Chertoff is certainly consumed 
with the responsibilities, I think part of the problem was that 
he was consumed and not in communication. Many members cited 
that on the floor of the House and I think that is unpardonable 
without excuse, inexcusable, if you will, and unacceptable. It 
certainly is unacceptable for those of us who have a large 
share of the responsibility, willingly so.
    I cannot announce for you, if you will, or articulate for 
you the wide depth of charitable expression in Houston; $10 
million that the city voted on in an emergency session just on 
Monday; feeding, if you will, food service bills for a day-and-
a-half of $225,000 at one site; individuals who have opened 
homes and gyms and otherwise taken money out of their own 
pocket; others who are in hotels; 15,000 Vietnamese are in our 
community that we have to address through their language; a 
number of people from Central America.
    And there are no enunciated policy positions dealing with 
this vast number of people except waving them out across 
America against their will. It is well known that the leaders, 
the elected persons of Louisiana want their constituents to 
return home.
    So we have a crisis that we need to deal with here. I 
expect and would hope that this committee would have immediate 
hearings or briefings. If they can be abbreviated, so be it, 
but we cannot operate in the dark again.
    I thank the committee for its indulgence.
    Gentlemen, your issue is very important, but I am facing 
day-to-day life and death situations, as my colleagues in 
Louisiana and Mississippi are. I have the aftermath. They have 
the real impact. I believe this is something egregious 
occurring and I believe we should act immediately.
    Mr. Lungren. I thank the Gentlelady for her comments.
    Mr. Souder is recognized for 5 minutes.
    Mr. Souder. Thank you.
    I apologize that I missed the first panel and the 
testimony. I have been trying to go through the testimony here. 
I had actually a hearing that I had to start in my own 
subcommittee, as well as another meeting.
    I have become particularly interested in this, having gone 
over with Curt Weldon over to London. We met with Prime 
Minister Blair shortly thereafter and gave him our 
congressional condolences, and was there particularly on the 
day where they had just had the shooting of the suspect who 
defied the authorities, and they thought potentially had a 
bomb.
    I wondered, Mr. Millar, do security guards have the ability 
to detain people, and if they restrain, can they shoot at them? 
Do you have the legal authority if they make a judgment on the 
ground that many people may die if they do not act, can they 
act?
    Mr. Millar. The individual police powers that individual 
transit police forces have is generally speaking governed by 
the state law of that particular state.
    So, for example, I used to run a transit system in 
Pennsylvania. Our police officers had full police powers and 
were trained and licensed to carry guns. Obviously, that was 
the absolute last resort, but in that case they were trained to 
use their judgment and were permitted to use guns if 
appropriate.
    So it depends on the state and depends on the jurisdiction 
as to what the law allows and what the orders are that guide 
what the officers do.
    Mr. Souder. In going through your testimony and looking at 
this problem in general, we spent so much time on airports and 
the numbers that use mass transit every day are much harder to 
screen and go through.
    Mr. Millar. Yes, sir.
    Mr. Souder. Yet much of what we seem to be oriented toward 
video surveillance and so on, seem to be more how to find the 
perpetrator after they have blown us up.
    Do you believe that it is possible to do more if we get a 
network, a security pass system that works for airports, that 
that can also be used long-term for mass transit, particularly 
for subways, but also for buses and other things?
    Or is this just not going to be possible because of the 
scale? When you think of the Staten Island Ferry and the 
numbers there, and people coming in at the last minute and 
holding the doors open, I mean, is this even conceivable?
    Mr. Millar. We do not believe that with current technology 
it is practical to screen every person who would choose to use 
the public transit systems. There are thousands and thousands 
of railroad stations. There are tens of thousands of bus stops. 
You are talking about more than 100,000 vehicles that provide 
service across the country, from the very largest cities to the 
very small.
    We believe that there are other steps that must be taken. 
We believe you need to start with good intelligence. In my 
testimony, I emphasize the fact that I think we need to 
continue the ISAC, the Information Sharing Analysis Center for 
Public Transportation, for example.
    We believe that you need to secure the facilities the best 
you can. Some of that is very low-tech and some is very high-
tech. It is low-tech in the sense of having better fending 
around garages where trains and buses are stored. It is high-
tech in the sense of in-stations have biological sensors, 
chemical sensors, radiological sensors.
    We believe that surveillance cameras have a very important 
role to play. We believe that the experience in London showed 
that. For example, while the terrible tragedy that occurred in 
London, we know over the last several years the camera system 
there has prevented at least 20 major attacks on the system. We 
know that in the aftermath of the attack, the camera system in 
London has been instrumental in obtaining evidence and 
ultimately obtaining the arrest of the perpetrators.
    So there are several different steps that must be taken, in 
our view. We believe these steps are common sense steps. We are 
not asking for pie-in-the-sky things that do not make sense, 
but it does require an additional investment, as my testimony 
lays out.
    Mr. Souder. With the chairman's indulgence, I would like to 
ask a question of Mr. Madsen that also may apply to those who 
work with the malls.
    At Columbine High School and the aftermath, over in the 
Education Committee one thing we learned, part of the reason 
for the delay is the police went in and the cafeteria had been 
remodeled. The map that they had did not work, and they had to 
come out, and a student and a teacher had to draw how the doors 
were shaped.
    A similar thing in 9/11, apparently going into the World 
Trade Center, some of the stairways were in different places 
because often when a school is redone, when a mall is redone, 
the plans that they find do not have the updates on them for 
the emergency personnel.
    Is this something that your school system has addressed? Is 
this something malls are addressing?
    I know that it is happening across the country. It can be 
fairly expensive, but it is unbelievable that when we go into 
the buildings we do not know where the doors or the stairwells 
and so on are. It is kind of a basic thing we ought to be 
focusing on.
    Mr. Madsen. The system that we have allows us to update and 
uplink information, and then that is automatically downlinked 
to all of the other computers that store that data that police, 
fire, school district security access.
    I have charged each of my district resource officers that 
responsibility to at least annually ensure that if there are 
any changes from a capital project standpoint that they 
communicate with our facilities department, get updated CAD 
drawings, and those are then entered into the system, much the 
same as organizational charts, photos from our photo ID system.
    Individual district resource officers have buildings 
assigned to them, and that is one of their charges to ensure 
that that data is correct and updated on an annual basis.
    Mr. Souder. Are the malls doing that as well? Obviously, if 
there are hostages; if there is a bomb in a location and our 
maps do not work, we are helpless.
    Mr. Lowy. It is a little easier for us because we get to 
control the resources, rather than a city itself. With 
merchants coming in a changing in the mall all the time, we 
actually update them every month, and then we uplink them onto 
our Web site and then we send a new disk to the local police 
and fire every month. They are on mall properties all the time 
anyway so we have terrific relationships with them.
    But you are right, if you do not update it every month or 
every year, the plans that you pull down can be old and things 
change.
    The one issue about digitizing all of the plans and having 
first responders come and go is the initial costs may be high, 
but you have to also keep the ongoing expenditure because you 
must update them all the time, otherwise it is a waste of time.
    Mr. Souder. Thank you.
    Mr. Lungren. Mr. Lowy, you mentioned in your written 
testimony that--and I know it is not the total focus of this 
hearing, but it seems to me it is an important component in 
this whole process, and that is the extension of Terrorism Risk 
Insurance Act (TRIA). Why do you find that important enough to 
have mentioned it?
    Mr. Lowy. It is a very important issue for us.
    One of the issues we talked about a little bit is the 
amount of money we spend on security and why have we put all 
these systems in place. One of the issues that we face even 
with TRIA or without TRIA is it is very difficult for us to get 
terrorism insurance. So that the risk of insurance or the risk 
of a terrorism attack prior to 9/11 was actually taken by the 
insurance industry itself.
    Without TRIA, we could not get enough insurance or in some 
cases any insurance for a terrorist attack, so the economic 
risk of that attack was moved over to the shareholders or the 
business owners or whoever else was earning the asset itself.
    So one of the reasons we spend so much money and time on 
the security is that we are actually at risk, whether TRIA is 
in place or not right now. We cannot get enough coverage. We 
have $14 billion worth of assets in the U.S. We can get $800 
million of coverage today. We believe that without TRIA being 
renewed, that coverage will fall to somewhere close to zero, 
and that we just will not have any ability to get insurance.
    The issue with that, then, is if you get another attack 
similar to what went on with 9/11, we believe at the end of the 
day that the federal government will have to decide whether it 
will come back in and make all the losses, make everybody good 
and settle up all the losses for the people and/or the 
property. Or it will stay out and the economics effects on the 
economy will be much greater than happened in 9/11.
    Just one last thing. The key in 9/11 to the economy being 
stable straight after the attack was that the federal 
government stepped up and put almost $30 billion into the 
economy to make good the losses and the victim's compensation 
fund.
    Mr. Lungren. Even though TRIA is not under the jurisdiction 
of this committee, I happen to think it is important for us to 
look at because it is part of the total picture as we deal with 
the soft targets that are out there in private industry.
    That leads me to another question. I would like to direct 
it to Mr. Lowy and Mr. Norton.
    That is this. Mr. Lowy, you have talked about the specific 
way you have developed you own program digitalizing plans and 
so forth, making them available, updating them every 30 days. 
It is obviously not the standard in the industry right now. 
Some may say you are the leaders in the industry.
    One of the concerns I have is this. How do we work from a 
governmental standpoint, working with those of you in the 
private sector, to emphasize best business practices that are 
actually best business practices?
    That is, if some take certain steps that they can afford to 
take to protect them against or their assets against possible 
terrorist attack, does that leave others open to lawsuits 
thereafter such that you are fearful of exchanging information, 
or such that the business community is worried about 
establishing what the business practices are?
    The reason why I say this is when we originally--I was 
outside the Congress at the time, but working on it--when TRIA 
was originally passed by the House, it contained in it some 
liability limitations with respect to terrorist attacks. When 
it went over to the Senate side, that was taken out.
    The Administration, having looked at TRIA, is not quite as 
negative about it as I feared the Treasury Department would be, 
but they indicated that Congress needs to look at some changes 
in the program.
    From your standpoint, both of you, is there a concern about 
liability after the fact that in some ways impedes the ability 
of your industry to get together and say, these are best 
business practices, or publish what the best business practices 
are, for fear that later on you will be subject to suits 
because you did not expend 20 percent of your capital as others 
have done?
    Mr. Lowy. I think the way we look at it is if there is a 
terrorist incident, we are convinced we will be sued no matter 
what we do. Part of the issue in the testimony is that one of 
the things we are looking for from Homeland Security is that we 
might have best practices or the money we spend may be wasted. 
I doubt it is wasted, but we think we have best practices. But 
depending on the alert level that Homeland Security puts out 
depends on how we operate our malls.
    I actually brought with me, which we would not put into the 
public record because it is a security document, what happens 
when the threat levels actually increase; what we actually do 
in the mall; how much more manpower; where do we put them; what 
do we do.
    So we respond to Homeland Security, but we do not know if 
we respond in a manner that is in line with what the government 
thinks or not.
    So at the end of the day, while it was not in my testimony, 
we would be looking for some form of safe harbor; that if there 
were best practices that came out from Homeland Security after 
a survey of what everybody does, that if we follow those 
practices we do get some safe harbor provision.
    Mr. Lungren. My concern is at some point in time you could 
make us so hardened to attack that you cannot do your job. We 
could make every mall in America and every hotel in America and 
every business in America and every school in America basically 
impenetrable, but people would not want to go. People do not 
want to go to a moat. You do not want to go to a prison to 
enjoy your honeymoon. You know what I am saying.
    Mr. Lowy. I agree.
    Mr. Lungren. So how do we strike that balance and how do we 
in the Congress encourage such activity? TRIA is part of it, 
but best business practices are others. Maybe tax incentives 
are others. But how do we do it in a mix of incentives and 
disincentives such that we do respond to the terrorist attack, 
but we do not change essentially who and what we are?
    Mr. Lowy. We agree with that. The biggest issue that we 
face is, while we all talk about security here, that is not my 
main focus in life, but we do have to make sure that our 
customers and our consumers are protected to the best of our 
ability, while keeping the malls open and while having freedom 
of movement, freedom of goods. At the end of the day, people 
have to come and shop and work within the society.
    The way we look at it is in conjunction with TRIA. At the 
moment, we get no benefit on our insurance premiums for any of 
the security work that we do, any of these systems that we have 
designed or any of the capital that we put in. Our insurance 
premiums are exactly the same as the person next door or the 
guy down the street.
    We would hope that Congress could work with the insurance 
industry and ourselves; that if a certain set of practices were 
used, that we could then get some break on the insurance 
premiums that we are paying for terrorism insurance, because we 
are making our responses better, our targets better. At the end 
of the day, we are not looking to make our malls impenetrable 
because we actually need to operate in a capitalist society, 
which we honestly prefer to do.
    Mr. Dicks. Mr. Chairman?
    Mr. Lungren. Yes.
    Mr. Dicks. Just for a second.
    I think it is especially relevant on transportation what 
you just said. I mean, you are talking about malls, but you 
have to have transportation systems that the people can use in 
a timely way.
    We have, for example, ferry systems in Washington state. If 
we had an inspection of every car or every truck, that would 
stop it. You would not be able to use the ferry system or the 
subway system. I think it is very relevant to the other 
witnesses here as well.
    Mr. Lungren. Thank you.
    I understand the Gentlelady has a statement to make?
    Ms. Jackson-Lee. Thank you very much, Mr. Chairman.
    Gentlemen, the hearing is very important. I am going to ask 
unanimous consent to have my statement placed in the record, 
and subsequently pose questions dealing with best practices.
    But as you realize, there are conflicting and competing 
concerns, and I want to thank you for this hearing and look 
forward to a further hearing.
    Mr. Lungren. Without objection, so ordered.
    The Gentleman from Indiana?
    Mr. Souder. I wanted to make an additional comment. As a 
member of Congress, we all have different things in our 
district that shed light upon the different things. By the time 
we retire, we are almost up to where we understand.
    This insurance question is huge, because it is not the 
insurance companies, it is the reinsurance companies. Lincoln 
Financial in Fort Wayne sold their big division to Swiss Re, 
and Swiss Re took a hit on 9/11 that was unbelievable because 
they had like 50 percent or 60 percent of all the reinsurance 
for the insurance companies.
    The insurance companies do not hold the bag; they just hold 
a percent. They pass it off. American Specialty in my district 
handles a high percentage of stadiums, NASCAR places, amusement 
parks and so on, and they put together the packages. Right 
after 9/11, we sat down with the risk assessment people.
    I mean, it is a tough decision right now whether to insure 
all you guys with their private capital, because unless we have 
these government programs to back it up, there is no way to 
factor in the risk of a failure without just assuming you are 
going to go bankrupt, then you do not have insurance anyway. 
Because if your reinsurance and your insurance preparers go 
bankrupt, the government is doing to wind up, either the people 
are out or the government is there.
    We have to have some form of backup supplemental. It is 
more of a question of what it is going to be and how much is 
going to be absorbed directly through the consumers; how much 
is going to be absorbed through taxes; and how much is going to 
be theoretically, businesses are just pass-through 
institutions.
    It is a huge challenge because from the insurer's 
perspective, they do not know how to factor this risk either.
    Mr. Lowy. As an industry, what we are really asking for is 
that the federal government give the reinsurance industry 
capacity so we can actually buy insurance at a reasonable cost. 
We are not looking for any handouts. We do not want this to be 
a big handout to the insurance industry. What we really need 
them to do is insure our risk at a reasonable cost for us to be 
able to deal with it.
    Mr. Souder. What the chairman was saying in sharing best 
practices and risk pooling, while it may be counter to some 
things that we have looked at in the past, the fact is it is 
one of the only ways to keep the insurance rates in a 
reasonable way either to the taxpayers or to the consumers who 
are going to pay it in raised prices, because businesses, like 
you say, are going to pass it on. You are just a pass-through 
institution. You either have to reduce the quality of your 
products or the labor costs or something, or raise the prices.
    This is a crux of how we are going to protect people, 
because if they cannot get insurance, we are in real trouble.
    Mr. Lowy. The biggest fear we have without TRIA is there 
will not be terrorism insurance and the economy will actually 
be taking the risk, not the insurance industry.
    Mr. Lungren. I thank the Gentleman from Indiana. Having 
been at Heinz Field in Pittsburgh this weekend to watch Notre 
Dame beat Pittsburgh, I compliment you on your dress today.
    [Laughter.]
    I will not say anything about the Washington Huskies.
    I thank the witnesses for their valuable testimony and the 
members for their questions.
    The members of the committee may have some additional 
questions for the witnesses, and we will ask you to respond to 
these in writing please. The hearing record will be held open 
for 10 days.
    Let me once again thank you. Your very, very helpful 
testimony will assist us as we move forward.
    Without objection, the committee stands adjourned.
    [Whereupon, at 11:43 a.m., the subcommittee was adjourned.]


                          THE LONDON BOMBINGS:
                      PROTECTING CIVILIAN TARGETS
                         FROM TERRORIST ATTACKS

                                PART II

                              ----------                              


                       Thursday, October 20, 2005

             U.S. House of Representatives,
                    Committee on Homeland Security,
                         Subcommittee on Economic Security,
              Infrastructure Protection, and Cybersecurity,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 3:06 p.m., in 
Room 311, Cannon House Office Building, Hon. Dan Lungren 
[chairman of the subcommittee] presiding.
    Present: Representatives Lungren, Pearce and Thompson (ex 
officio).
    Mr. Lungren. The hearing of the Committee on Homeland 
Security, Subcommittee on Economic Security, Infrastructure 
Protection and Cybersecurity will come to order.
    The subcommittee is meeting today to hear testimony from 
the Department of Homeland Security on protecting soft targets 
from terrorist attacks.
    I want to thank our panel of witnesses for joining us 
today. What we are doing today is convening as a continuation 
of a hearing that was held in the beginning of September on 
efforts to better secure our Nation's numerous soft targets. At 
that time we heard from representatives of shopping malls, 
office buildings and schools on their efforts to prepare for, 
protect against and mitigate a terrorist attack.
    We originally planned on having a government panel before 
the private panel, but due to Hurricane Katrina and the 
workload that ensued afterwards, our DHS witnesses had to 
postpone until today. This was fortuitous in some respects as 
we were able to learn a lot from that first panel of witnesses, 
and we can now get some answers and clarification from the 
Department with respect to some of the issues that were raised 
at that time.
    What became apparent during our first panel discussion on 
the soft target issue, and really an issue that we have 
grappled with time and time again on this committee, is how do 
we take our limited resources and expect to protect against an 
almost infinite number of civilian targets and terrorist 
scenarios. The response that we have collectively heard again 
and again to this problem is that our Nation must be risk-based 
in our approach to security.
    I think it is important that we take time to realize what 
this would actually look like in practice and begin to think 
about how the Department can move forward towards utilizing 
this methodology across the board. In practice, a risk-based 
methodology means not focusing on each sector from top to 
bottom--it means not focusing on one sector at the expense of 
others. I don't expect the Department to secure, or for that 
matter, even to analyze, the risk of every single chemical 
facility in this country and then move on to do the same for 
dams and office buildings, and then off to malls and so forth. 
There are not enough resources to do this, and certainly not 
enough time. We must be acting as if the next terrorist attack 
is just around the corner. And, the job at the Department of 
Homeland Security, I believe, is to focus on securing the 
highest-risk sites first.
    Each sector is filled with a mix of low, medium, and high-
risk sites, the majority falling into the first two categories 
of medium to low risk. For every low risk site the Department 
spends time analyzing or securing in one sector, there is the 
potential for a high-risk site in another sector to go 
unaddressed--at least for a time. What we need is cross-sector 
risk analysis to identify the highest-priority sites across the 
country and across all sectors, and simultaneously be working 
to identify protective measures that can be taken to mitigate 
those risks. At the same time, we should be working with our 
partners in the private sector to develop guidance for the low 
and medium risk sites so they can improve the security 
practices there as well.
    As Secretary Chertoff has said repeatedly since taking 
office earlier this year, Homeland Security must be more than 
simply reacting to the latest action of our adversary. We 
should avoid being dictated to by the ``target du jour''. We 
should be securing our homeland in a systematic and prioritized 
manner based on our best understanding of the risk.
    When we originally scheduled this hearing, I was expecting 
that Members would focus on transit security in the wake of the 
London subway attacks. We now know from the President himself 
that we have foiled al-Qa'ida attacks aimed at apartment 
buildings, other urban targets, tourist sites and ships. And, 
of course, post-Katrina there is a renewed focus on the 
vulnerabilities of dams and levees. Yet we recently learned 
that the New Orleans levee system, which for years has been 
identified as being vulnerable to hurricanes with catastrophic 
consequences by DHS itself, was something that received little 
attention by either DHS or state officials prior to Katrina, 
even though a terrorist attack on the levee system could have 
been even more catastrophic than a hurricane. In fact, it is my 
information that this levee system was not even included on the 
Department's list of top priority assets, even though other 
less consequential sites did make that list because they fell 
within a particular sector. I would hope that we would be 
better--we have to be better about developing a truly 
prioritized national list and doing so quickly.
    What I hope to hear from our witnesses today is how you are 
prioritizing across sectors, and what you are doing in real 
time to secure our most critical and most at risk 
infrastructure, whether they be dams, levees, chemical plants, 
subways, apartment buildings, malls, you name it.
    I thank the witnesses for their appearances today, and I 
recognize the Chairman of--excuse me, the Ranking Member--I 
keep calling him Chairman, I keep trying to get him to become a 
Republican.

               Prepared Statement of the Hon. Dan Lungren

                            October 20, 2005

    Good Afternoon everyone and I want to thank our panel of witnesses 
for joining us today. The Subcommittee is convening today as a 
continuation of a hearing that was held in the beginning of September 
on efforts to better secure our Nation's numerous soft targets. At that 
time, we heard from representatives of shopping malls, office 
buildings, and schools on their efforts to prepare for, protect 
against, and mitigate a terrorist attack.
    We had originally planned on having the Government panel before the 
private panel, but due to Hurricane Katrina and the workload that 
ensued afterwards our DHS witnesses had to postpone until today. This 
was fortuitous in some respect, as we were able to learn a lot from 
that first panel of witnesses and we can now get some answers and 
clarification from the Department with respect to some of the issues 
that were raised then.
    What became apparent during our first panel discussion of the soft 
target issue--and really, an issue that we have grappled with time and 
again on this Committee--is how do we take our limited resources and 
expect to protect against an almost infinite number of civilian targets 
and terrorist scenarios?
    The response that we have collectively heard again and again to 
this problem is that the Nation must be ``risk-based'' in our approach 
to security. I think it?s important that we take time to realize what 
this would actually look like in practice and begin to think about how 
the Department can move towards utilizing this methodology across the 
board.
    In practice, a risk-based methodology means not focusing on each 
sector from top to bottom--it means not focusing on one sector at the 
expense of others. I don't expect the Department to secure--or, for 
that matter, even to analyze the risk of--every single chemical 
facility in this country, and then move on to doing the same for dams, 
and then to office buildings, or to malls.
    There are not enough resources to do this--and certainly not enough 
time. We must be acting as if the next terrorist attack is just around 
the corner. And your job, as the Department of Homeland Security, is to 
focus on securing +the highest risk sites first.
    Each sector is filled with a mix of low, medium and high-risk 
sites--the majority falling within the first two categories of medium 
to low risk. And for every low-risk site that the Department spends 
time analyzing or securing in one sector, there is the potential for a 
high-risk site in another sector to go unaddressed.
    What we need is cross-sector risk analysis to identify the highest 
priority sites across the country--across all sectors--and 
simultaneously be working to identify protective measures that can be 
taken to mitigate those risks. At the same time, we should be working 
with our partners in the private sector to develop guidance for the low 
and medium-risk sites so they can improve their security practices as 
well.
    As Secretary Chertoff has said repeatedly since taking office 
earlier this year, homeland security must be more than simply reacting 
to the latest action of our adversary. We should be securing our 
homeland in a systematic and prioritized manner, based on our best 
understanding of the risk.
    When we originally scheduled this hearing, I expected that Members 
would focus on transit security in the wake of the London subway 
attacks. We now know, from the President himself, that we have foiled 
al-Qa'ida attacks aimed at apartment buildings, other urban targets, 
tourist sites, and ships. And, of course, post-Katrina, there is a 
renewed focus on the vulnerabilities of dams and levees.
    Yet we recently learned that the New Orleans levee system--which 
for years had been identified as being vulnerable to hurricanes with 
catastrophic consequences by DHS itself--was something that received 
little attention by either DHS or State officials prior to Katrina, 
even though a terrorist attack on the levee system could have been even 
more catastrophic than a hurricane. In fact, this levee system was not 
even included on the Department's list of top priority assets, even 
though other less consequential sites did make that list simply because 
they fell within a particular sector. We have to be better about 
developing a truly prioritized, national list, and doing so quickly.
    What I hope to hear from our witnesses today is how you are 
prioritizing across sectors, and what you are doing, in real time, to 
secure our most critical and most at-risk infrastructure--whether they 
are dams, levees, chemical plants, subways, or apartment buildings.
    I thank the witnesses for their appearance today, and I will now 
recognize the Ranking Member, Ms. Sanchez, for any opening statement 
she may wish to make.

    Mr. Thompson. You are already looking into the future.
    Mr. Lungren. Well, maybe I am looking into the future. We 
would always welcome you in the Republican Party. The Chair now 
recognizes the Ranking Member of the full Committee, the 
gentleman from Mississippi, Mr. Thompson, for any statement he 
might have.
    Mr. Thompson. Thank you very much, Mr. Chairman. The good 
thing about this committee is, as you know, whether you are 
Democrat or Republican, our real goal is to make sure that we 
are safe, and I can say that all our members see that as number 
one priority.
    Let me welcome the panelists for today. Generally speaking, 
this would be a full panel, but when the Congressional schedule 
changes, people go to their districts real quick, and we 
understand that. I think their absence is no indication of them 
not being interested in this issue.
    Like all Americans, I was shocked and repulsed by the 
terrorist attacks in London. This attack has served as a 
reminder that America and its close allies continue to face a 
determined enemy that thinks nothing of slaughtering innocent 
people.
    I was troubled, I have to say, by Mr. Chertoff's comments 
yesterday before the Katrina Committee that he had to get his 
house in order. How many disasters, attacks, and close calls is 
it going to take before the Department of Homeland Security 
wakes up? First, we saw the Government's response to the 
hurricanes. Then we saw the disconnect between the Federal 
Government and the New York officials about threats to the 
city's subway systems. Two days ago the Baltimore tunnel was 
closed. I heard, as the tunnel closed, conflicting reports 
about whether it was a real or fake threat.
    Mr. Chertoff, in your absence, while you have been putting 
your house in order, it has crumbled to the ground from neglect 
to its foundation and walls. Trust is important. I, along with 
every other American person, must be able to trust the 
Department of Homeland Security to perform at 100 percent, if 
not more. I am close to losing all trust.
    With regard to our mass transit and passenger rail systems, 
I am especially worried. Almost 4 years after the September 
11th terrorist attacks, passenger rail and transit security 
remains a Department of Homeland Security afterthought. While 
the United States has spent over 18 billion on aviation 
security since 9/11, we managed only to offer up 717 million 
for transit security. That simply falls too short, especially 
when one considers that every American takes mass transit 16 
times more often than they travel by air.
    The National Strategy for Transportation Security that the 
Department recently submitted that was supposed to lay the 
groundwork for securing our mass transit systems was lacking. 
Indeed, it did not meet Congressionally mandated requirements.
    Speaking of which, I want to know when DHS will start using 
the National Response Plan. Secretary Chertoff told Members of 
Congress yesterday that the Department did not have an 
integrated plan in place when Katrina struck. What about the 
National Response Plan? Did he forget about it? Is it another 
document that contractors put together that wastes taxpayers' 
dollars because the Department doesn't think it is good? I 
would like to know.
    One thing I would also like to hear from today's witnesses 
is when will the Department finish the National Infrastructure 
Protection Plan? Our Chairman alluded to this plan. The levee 
systems are not included in that plan. We had some, as you 
know, miniature golf courses that were on the plan, and I can't 
see how we can put a miniature golf course on this 
infrastructure protection plan but we can't put a levee system 
on the plan. Andy Purdy from the Department testified 2 days 
ago that he couldn't tell us definitively when it was going to 
be completed. I hope you can do better than that.
    GAO and IG both have looked at the National Infrastructure 
Plan, and they said it is inadequate. It is back in the 
Department for further review. We were told initially we might 
get it by November; now we hear February, but I would like to 
know for sure when that time is.
    I yield back.
    Mr. Lungren. Thank you, Mr. Thompson.
    Mr. Lungren. We are pleased to have two members for a 
distinguished panel of witnesses before us today on this 
important topic, and the Chair recognizes Mr. Robert Stephan, 
the Acting Under Secretary for Information Analysis and 
Infrastructure Protection of the U.S. Department of Homeland 
Security to testify.

                  STATEMENT OF ROBERT STEPHAN

    Mr. Stephan. Thank you, Mr. Chairman. Good afternoon. And 
good afternoon to you, Representative Thompson. I appreciate 
the opportunity to speak with you and your distinguished 
committee today.
    The Department of Homeland Security, I assure you, is 
committed to working with our partners in State and local and 
tribal governments, as well as across broad elements of the 
private sector to reduce the overall level of risk of terrorist 
attacks against our national critical infrastructure and key 
resource base.
    In analyzing terrorist risk, it becomes clear that certain 
means of attack against certain types of targets are easier for 
terrorists to accomplish and execute, and more difficult for us 
to protect against. The July 7th and 21st horrific attacks on 
the London mass transit system in 2005, as well as the March 
2004 attacks in Madrid, underscore the inherent vulnerability 
of so-called open-access systems.
    Recognizing that despite our best efforts we cannot always 
protect everyone and everything against all dangers, Secretary 
Chertoff's risk-based approach allows us to make better 
judgments about where we target resources, and prioritize our 
protection efforts to reduce this overall risk, and protect our 
critical infrastructures and key resources from terrorist 
attacks.
    In doing so, DHS has several principle objectives in mind: 
providing resources and training to State and local governments 
and law enforcement for security enhancements across the board; 
providing information to both public and private sectors on the 
threat environment, the tactics, techniques and procedures of 
terrorist organizations and terrorist individuals, our common 
vulnerability and risks, suggested protective measures; as well 
as creating information-sharing networks and mechanisms that 
efficiently and effectively enable DHS to share best practices, 
as well as our Federal Government partners in the unique 
aspects of their assets, to improve situational awareness 
during a crisis or when faced with a general or a specific 
threat situation.
    These objectives are being realized through the 
implementation of a Unified National Plan--and I will answer 
Representative Thompson's concerns regarding the National 
Infrastructure Protection Plan in follow-along questions, sir--
for the consolidation of critical infrastructure protection 
activities into your basket that we are responsible for. The 
cornerstone of this National Infrastructure Protection Plan is 
a risk management framework that combines threat, vulnerability 
and consequence information and approaches to produce a 
comprehensive, systematic and informed assessment of national 
and sector-specific risks that drive our risk reduction efforts 
in the critical infrastructure and key resource sectors.
    The principal steps in this risk management framework are 
to set sector security goals, identify assets, assess risks, 
and prioritize our efforts and resources accordingly based on 
the severity and mass effect of potential consequences 
principally, although, importantly, also taking into account 
vulnerabilities and specific threat information.
    DHS has developed two important tools to assist in this 
process. The first of these is the National Asset Database, the 
central Federal repository for national infrastructure-related 
information that we get from a host of stakeholders across 
State, local and private sector arenas, and serves also as an 
inventory of the Nation's assets and infrastructures.
    Secondly, we have a risk management tool called RAMCAP, 
which is an acronym for risk assessment and management for 
critical asset protection, which is collaboratively being 
developed across sectors that will guide and provide a 
spearhead for this national risk assessment, Mr. Chairman, that 
you are looking so desperately for, to enable an assessment and 
comparison of risk of critical infrastructure assets both 
across and within our most important sectors of responsibility, 
thereby enabling the prioritization of protective efforts and 
resources, and a more efficient conduct of our responsibility.
    DHS leads the Federal Government's critical infrastructure 
protection efforts and works in collaboration with State and 
local governments, the private sector, and, of course, numerous 
other Federal departments and agencies. We are not lone wolves 
in this mission.
    Examples of protected programs DHS has implemented 
successfully and will continue to execute upon include the DHS 
Vulnerability Identification Self-Assessment Tool, which has a 
very broad application across these open-access targets that 
you are very concerned about with this hearing. The goal of 
this program is to raise the level of security awareness in 
public assembly facilities across the Nation, as well as 
establish a common baseline of security from which these 
facilities can build their protection plans and their 
appropriate response mechanisms with Federal, State and local 
partners.
    We also have a Target Awareness Training Program that 
provides baseline prevention and awareness training to first-
level supervisors and security personnel across these so-called 
soft target categories in order to increase their ability to 
deter and detect potential attacks, as well as increase the 
reporting of suspicious activity and suspect items.
    One of the principal goals of our Federal, State, local and 
private sector partnership is providing the necessary framework 
and support to really enable coordination and information 
sharing within critical infrastructure sectors across these 
sectors, and between all levels of government and the private 
sector in order to achieve and execute our responsibilities.
    Examples of various information-sharing mechanisms. Later 
on in the question-and-answer session, I would love to get in 
more deeply with you some of the more specific incidents 
surrounding the London bombings, the recent terrorist threat 
information relative to New York and Baltimore, if you would 
like.
    Examples of things that we use as information-sharing 
mechanisms includes sector coordinating councils, government 
coordinating councils, our Homeland Security Information 
Network--which our director Matt Broderick will be briefing you 
on tomorrow--the National Infrastructure Coordinating Center, 
and various private sector information-sharing and analysis 
centers.
    DHS also has and will continue to work closely with allied 
nations and international partners with respect to garnering 
information relative to open-access target sets as well as 
tactics, techniques and procedures that are employed by 
terrorist adversaries that more routinely perhaps than in the 
United States perpetrate devastating attacks abroad against 
their facilities, assets and open-access systems.
    We also are members of the Department of Defense's effort 
in the Joint Improvised Explosive Device-Defeat Task Force, 
which is an important interagency, international effort with 
Israeli, Australian, Canadian and British participation to get 
at very significant problems.
    In terms of reacting to crisis situations in the immediate 
aftermath of the London attacks on July 7th, DHS activated our 
Interagency Incident Management Group to serve as the national 
headquarters-level multiagency coordination hub for incident 
management and response. Upon the decision to elevate the 
Homeland Security advisory system from yellow to orange for the 
mass transit sectors specifically targeted, the Office of 
Infrastructure Protection, in partnership with the 
Transportation Security Administration, coordinated outreach 
with the private sector and public sector partners broadly in 
the mass transit sector to provide them with an overview of the 
latest threat intelligence, to explain the implications 
nationwide of the move to orange, and to provide them an 
opportunity to discuss those implications.
    We have worked with our Federal partners to enhance 
security in our Nation's largest mass transit system and 
transit systems across the board, and have made Urban Area 
Security Initiative funding available for overtime to State and 
local law enforcement for activities related to increased mass 
transit security.
    Throughout this process DHS effectively executed a mission 
during the July 7th and 20th attacks as coordinator of National 
Critical Infrastructure Protection efforts as well as the 
national--level focal point for information sharing both within 
the Federal Government and between the public and private 
sectors.
    In conclusion, I would like to reinforce--and I want to 
answer many of the important questions you raised in your 
introductions, gentlemen--that we are dedicated to working with 
infrastructure stakeholders across the country to increase the 
security of our Nation's critical infrastructure sectors using 
Secretary Chertoff's risk-based approach. The places and events 
where our fellow citizens are most vulnerable are a key 
priority. With your continued support, spirit of cooperation, 
as well as that of the American people, we will succeed in this 
very important issue, and these people are not going to beat 
us. Thank you.
    Mr. Lungren. Thank you very much, Mr. Stephan.
    [The statement of Mr. Stephan follows:]

                Prepared Statement of Robert B. Stephan

                            October 20, 2005

Introduction
    Good morning, Mr. Chairman, Ranking Member Sanchez and 
distinguished Members of this Subcommittee. I appreciate the 
opportunity to speak with you.
    The Department of Homeland Security is committed to working with 
our partners in State, local and tribal governments and the private 
sector in reducing the overall level of risk of terrorist attacks 
against our national critical infrastructure. By reducing risk, we mean 
examining the consequences of a potential attack; examining the 
vulnerability of critical sites and facilities to various modes of 
attack; and examining the potential threat--that is, the intent of 
terrorists to attack in a given place and their likelihood of success.
    In analyzing risk, it becomes clear that certain means of attack 
against certain types of targets are easier for terrorists to 
accomplish and difficult for us to protect against. The July 7 and 21 
attacks on the London mass transit system in 2005, as well as the March 
2004 attack in Madrid, underscore the inherent vulnerability of open-
access systems.
    Recognizing that despite our best efforts, we cannot always protect 
everyone against all dangers, this risk-based approach allows us to 
make better judgments about where we target resources and prioritize 
our protection efforts.
    In working to reduce risk and protect critical infrastructure, DHS 
has three principal objectives:
         Provide resources and training to State and local 
        governments and law enforcement for security enhancements;
         Provide information to both public and private sectors 
        on the threat environment, tactics and techniques of 
        terrorists, common vulnerabilities and suggested protective 
        measures; and
         Create information-sharing mechanisms that enable DHS 
        stakeholders to share best practices and the unique aspects of 
        their assets to improve situational awareness during a crisis 
        or when faced with a specific threat.

The National Infrastructure Protection Plan
    These objectives are being realized through the implementation of 
the National Infrastructure Protection Plan (NIPP). Directed by 
Homeland Security Presidential Directive 7 (HSPD-7), the NIPP is a 
unified national plan for the consolidation of critical infrastructure 
protection (CIP) activities. The NIPP is a collaborative effort between 
the private sector, State, local, territorial and tribal entities and 
all relevant departments and agencies of the Federal government.
    The cornerstone of the NIPP is a risk management framework that 
combines threat, vulnerability, and consequence information to produce 
a comprehensive, systematic, and informed assessment of national or 
sector risk that drives our risk reduction efforts in the critical 
infrastructure/key resources (CI/KR) sectors. This framework applies to 
the general threat environment as well as specific threats or incident 
situations.

NIPP Risk Management Framework
    Set Security Goals. Achieving a secure, protected, and resilient 
infrastructure requires a common set of national and sector-specific 
security goals that address those aspects of risk that can be affected 
and collectively represent an acceptable security posture. Therefore, 
sector security goals will be determined through a collaborative effort 
of government agencies and the private sector. Establishing sector 
security goals is the nexus of the NIPP planning process that will 
drive the public/private partnership. Nationally, the overarching 
security goal of reducing risk begins with an enhanced state of CI/KR 
security, a state which is best achieved through the implementation of 
focused risk reduction and protective strategies across the critical 
sectors.
    Identify Assets. Once security goals are set, the next step in the 
framework is to develop and maintain an inventory of the Nation's 
assets. First, asset information is collected and catalogued in the 
National Asset Database (NADB), which is the central Federal repository 
for national infrastructure-related information. Second, after an asset 
is identified and basic information on it is collected, DHS employs an 
initial screening methodology to determine whether or not it is of 
national consequence. Finally, priority is given to applying federal 
resources to those assets that, if attacked, could have a nationally 
significant effect.
    Assess Risk. If an asset is determined to be of national 
consequence, it is then subjected to a risk analysis. As mentioned 
before, risk is determined through a combined assessment of:
         Consequence--estimates of the damage a successful 
        attack would cause;
         Threat--estimates of the likelihood that a particular 
        target or type of target will be selected for attack; and
         Vulnerability--assess which elements of infrastructure 
        are most susceptible to attack and how attacks against these 
        elements would be most likely carried out.
    One of the Department's principal risk-assessment tools is RAMCAP 
(Risk Assessment Methodology for Critical Asset Protection). RAMCAP is 
being developed by DHS in collaboration with other federal agencies and 
the private sector as a sector-specific consequence, vulnerability, and 
risk methodology. RAMCAP enables an assessment and comparison of risk 
of critical infrastructure assets both across and within CI/KR sectors, 
thereby enabling the prioritization of protective efforts and effective 
use of available resources.
    Prioritize. It is impossible, nor do we attempt, to protect all CI/
KR equally across the entire United States. We assess the potential 
consequences of an attack, threats, and vulnerabilities for CI/KR 
sectors, as well as individual assets within those sectors and 
prioritize our efforts based upon the severity and mass effect of 
potential consequence. Conducting risk analysis provides us with the 
information needed to make such determinations, as well as provides the 
department a basis upon which to make longer-term resource decisions 
including strategic protective programs and planning for response and 
other contingency situations.
    Implement Protective Programs. The widely dispersed nature of 
critical infrastructure demands equally dispersed ownership and 
execution of protection programs. It requires centralized leadership 
which in turn drives consistent implementation and ensures the greatest 
cost-benefit through addressing the greatest risks. DHS leads the 
Federal government's critical infrastructure protection effort, and 
works in collaboration with State and local governments, the private 
sector, and our international partners to protect against potential 
terrorist attacks through reducing our vulnerabilities and enhancing 
our response capabilities to potential terrorist attacks. Some of the 
key DHS programs include:
         Vulnerability Identification Self-Assessment Tool--An 
        important initiative designed to increase the capabilities of 
        private sector owners and operators to enhance their own 
        security is the DHS Vulnerability Identification Self-
        Assessment Tool (DHS-VISAT). This is a voluntary, on-line 
        assessment tool that was originally developed to help 
        transportation asset owner/operators enhance security. The goal 
        of this program is to raise the level of security awareness in 
        public assembly facilities across the nation and establish a 
        common ``baseline'' of security awareness from which these 
        facilities can build their protection plans. To date, it has 
        been adapted for use by stadium and arena managers and access 
        has been provided to over 300 stadiums and 400 arenas. 
        Currently this tool is being modified for use by other 
        commercial venues including convention and performing arts 
        centers. In addition, we have engaged in piloting efforts with 
        the States of Texas, Virginia, and California to adapt the tool 
        to support security awareness in K-12 schools.
         Target Awareness Training--The Target Awareness 
        Training (TAT) program provides baseline prevention and 
        awareness training to first level supervisors and security 
        personnel and is supported by VISAT. The primary objectives of 
        TAT are to increase the ability to deter and detect potential 
        attacks and to increase the reporting of suspicious activity 
        and suspect items. The courses focus on law enforcement and 
        security staff working in shopping malls and centers, places of 
        worship, educational institutions, hotels, and sports 
        complexes. Over 2,500 law enforcement and private sector 
        personnel have participated in 128 TAT Courses since September 
        2003. We also provide a Surveillance Detection Course, Surface 
        Transportation Antiterrorism Program, and an Improvised 
        Explosive Devices/Weapons of Mass Destruction (IED/WMD) 
        Electronics course.
         Bomb Prevention--Bombing is a preferred tactic for 
        terrorists seeking relatively uncomplicated, inexpensive means 
        for harming large numbers of people and inflicting maximum 
        damage on critical infrastructure. The threat that IEDs and 
        other types of explosive weapons pose are of great concern 
        given the relative technological ease with which such an attack 
        could be planned and executed. Central to preventing bombing 
        attacks are:
         the need for new critical thinking and analysis 
        regarding the nature and scope of preventing an attack;
         innovation in detection, deterrence, and improving 
        system robustness in the face of an adaptable enemy;
         the importance of increased stakeholder participation 
        and cooperation;
         the need for more robust information sharing and 
        collaboration measures; and
         meaningful dialogue between State and local 
        jurisdictions and the Federal government to identify and fill 
        operational capability gaps related to training, equipment, 
        technology and resources
    We will continue to assist state and local entities in identifying 
gaps in protective capacity and obtaining required resources. Under 
Homeland Security Presidential Directive-8 and the National 
Preparedness Goal, the Department is identifying bomb prevention 
capabilities at every level of the government and identifying gaps in 
this capability. We are taking steps to address any gaps that exist by 
developing a focused and unified national bombing prevention effort 
through such groups as the Interagency Governance Board and the IED 
Task Force. DHS is also developing enhanced knowledge management 
systems that foster information sharing and collaboration between 
Federal, State, and local entities involved in bombing prevention, and 
among various and disparate law enforcement jurisdictions.

    Information Sharing
    One of the principal goals of the Federal-State-local-private 
sector partnership is to provide the necessary framework and support to 
enable coordination and information sharing within each CI sector, 
across all CI sectors, and between all levels of the government and 
private sector in order to achieve the execution of a full spectrum of 
prudent and responsible protective actions.
         Sector Partnership Model--Under the NIPP framework, 
        DHS is helping to create private sector-led Sector Coordinating 
        Councils (SCCs) for each of the 17 critical infrastructure 
        sectors. These councils will serve as a mechanism for 
        identifying risk and protection issues within their specific 
        sector and addressing the range of infrastructure protection 
        activities. For example, the ``Commercial Facilities'' sector 
        coordinating council encompasses open-access facilities that, 
        if attacked, could cause significant casualties and economic 
        damage. Accordingly, membership in the Commercial Facilities 
        SCC includes all major sports leagues, International Council of 
        Shopping Centers, Marriott, Warner Brothers, Disney, the Real 
        Estate Roundtable, the Self Storage Association, the 
        International Association of Assembly Managers, and others.
    Both the SCCs, and their government counterparts, Government 
Coordinating Councils (GCCs) will increase inter-agency coordination 
and information sharing on critical infrastructure protection 
activities. The GCC coordinates strategies, activities, policy, and 
communication across organizations within each sector. Unlike the SCC, 
it does so through the Federal government. The SCC and GCC work 
together to create a coordinated national mechanism for infrastructure 
protection in their sector. Members of the Commercial Facilities GCC 
include the US Secret Service, the Federal Protective Service, the 
Environmental Protection Agency, the General Services Administration, 
and the Departments of Commerce, Justice, Interior, and Education.
     Homeland Security Information Network--DHS is developing a 
networked approach to information-sharing that enables rapid 
information dissemination to decentralized decision makers across the 
nation. The key objectives of this approach are to enable multi-
directional information sharing between and across government and 
industry; provide all CI/KR sector owners and operators with a robust 
communications framework, tailored to the specific information sharing 
requirements of each sector; and provide a comprehensive threat 
landscape to all security partners, including general and specific 
threats, incidents and events, impact assessments, and best practices.
    At the core of this networked approach is a series of 
sophisticated, secure tools and support mechanisms, collectively 
referred to as the Homeland Security Information Network (HSIN), which 
provides a national communications platform that enables the flow of 
near real-time information among governmental entities at all levels 
(i.e., Federal, state, territorial, local, and tribal), private sector 
organizations, and international security partners.
     National Infrastructure Coordinating Center--The National 
Infrastructure Coordinating Center (NICC) is a 24x7 watch operation 
center that maintains operational and situational awareness of the 
Nation's CI/KR sectors. The fully operational NICC provides a 
centralized mechanism for gathering information and a process for 
sharing and coordinating information between and among government, 
SCCs, GCCs, and other industry partners. The NICC receives incident 
reports from specific sectors in accordance with pre-established 
information-sharing standard operating procedures. When required, the 
NICC also disseminates a wide range of products containing warning, 
threat, and critical infrastructure protection (CIP) information to the 
private sector and government entities. The NICC is also responsible 
for receiving situational and operational information from the private 
sector and disseminating that information throughout the Homeland 
Security Operations Center (HSOC), other government operation centers, 
and industry partners as applicable.
     Information Sharing and Analysis Center--The private 
sector has established a number of information-sharing mechanisms that 
contribute to the protection of their assets. One such mechanism is the 
Information Sharing and Analysis Center (ISAC). While the SCCs 
ultimately define the unique information-sharing requirements for each 
sector, ISACs and other existing mechanisms provide an array of options 
and capabilities for some infrastructure owners and operators.
    ISACs, while varying greatly in composition, scope, and 
capabilities, offer a viable information-sharing mechanism. Some ISACs, 
for example, maintain 24x7 watch centers and provide various levels of 
sector-specific alerting and analysis. In this regard, the Surface 
Transportation and Public Transportation ISAC collects, analyzes, and 
distributes critical cyber and physical security and threat information 
from government and numerous other sources on a 24/7 basis. Other ISACs 
maintain a watch center that is staffed during traditional business 
hours, with the ability to contact analysts via telephone or pager 
during periods of increased activity. Still others operate primarily 
through Websites, allowing members to access sector-related alerts, 
warnings, and incident information. Regardless of the variance in 
breadth and depth, however, ISACs are capable of disseminating DHS-
issued threat information.
     International Information Sharing--We have made 
significant progress in cooperation with our international partners in 
the war on terror to share best practices and intelligence. This is 
especially true in the area of bombing prevention. The United Kingdom 
and Israel have years of experience in bombing prevention. DHS has and 
will continue to work closely with Scotland Yard and the Israeli 
Defense Force and police in order to learn better methods of bombing 
detection and prevention.
    Additionally, we are part of the Department of Defense's effort in 
the Joint Improvised Explosive Device-Defeat Task Force, an 
interagency, international effort with Israeli, Australian, Canadian, 
and British participation. The task force will establish an open-door 
program of international partners who will work to develop and exchange 
detection and prevention technologies.

    Reacting to Crisis
    In the immediate aftermath of the July 7, 2005, attacks in London, 
DHS stood up the Interagency Incident Management Group (IIMG) to serve 
as the national headquarters-level multi-agency coordination entity for 
incident management. Secretary Chertoff then recommended to the 
President that the Homeland Security Advisory System (HSAS) move from 
YELLOW to ORANGE for the Mass Transit Sector. In response, the Office 
of Infrastructure Protection, in partnership with TSA, coordinated 
outreach with public and private sector owners and operators in the 
Mass Transit Sector to provide them with an overview of the latest 
threat intelligence, to explain the implications of a move to ORANGE, 
and to provide them an opportunity discuss those implications.
    We worked with our Federal partners to enhance security at our 
Nation's largest mass transit systems and made Urban Area Security 
Initiative (UASI) funding available for overtime to State and local law 
enforcement for activities related to increased mass transit security. 
Our intelligence and analytical units produced Joint Advisories and 
Information Bulletins with the FBI that detailed what we knew about the 
terrorists target selection, attack methodology, implications, and 
suggested protective measures that mass transit operators could 
implement. Following the attacks, personnel from the Office of 
Infrastructure Protection and TSA conducted analysis of mass transit 
systems, starting in large cities such as the New York and New Jersey 
systems. Inspectors from the Federal Railroad Administration conducted 
inspections of passenger rail operations in the days immediately 
following the July 7 attacks. Throughout this process, DHS effectively 
executed its mission as a coordinator of national critical 
infrastructure protection efforts, and served as the focal point for 
information sharing both within the Federal government and between the 
public and private sectors.

Conclusion
    DHS is dedicated to working with infrastructure stakeholders across 
the country to increase the security of our Nation's critical 
infrastructure sectors using a risk-based approach. The places and 
events where our fellow citizens are most vulnerable are a key 
priority. With your support and that of the American people, we will 
succeed. Thank you.

    Mr. Lungren. The Chair would now recognize Mr. Robert 
Jamison, the Deputy Administrator, Transportation Security 
Administration of the U.S. Department of Homeland Security, to 
testify.

                  STATEMENT OF ROBERT JAMISON

    Mr. Jamison. Good afternoon, Mr. Chairman and Mr. Thompson. 
I am pleased to appear before you in my new capacity as the 
Deputy Administrator for TSA to testify on the critical subject 
of protecting civilian targets from terrorist attack. My 
testimony this morning will focus on our approach to 
accomplishing this mission, focusing particularly on public 
transportation.
    At the outset, I want to acknowledge the team nature of 
security in today's world and express appreciation for the work 
of the Department of Transportation and our partners in State 
and local government and throughout the transportation 
industry.
    Public transportation in America is a dynamic, 
interconnected network. It consists of overlapping subnetworks 
and multiple organizations with a variety of government 
structures and a mix of public and private ownership. In terms 
of security, decentralized systems such as this are more 
difficult to control, but they also have advantages. They 
present more operational uncertainty to those who seek to harm 
them, and they are more robust in the face of catastrophic 
failure of any single component of their network.
    Despite the good work that has already been done in 
improving security in transit, the London bombings and other 
events throughout the world have demonstrated the need for a 
new strategic approach to transportation security. 
Fundamentally our challenge is to protect our transportation 
network in a constantly changing threat environment. We 
understand better that terrorists will not only look for 
weaknesses in our transportation system and in security 
measures, but they will also adapt to perceived security 
measures. As a result, it is not possible to precisely predict 
with any degree of certainty the next attack based on previous 
terrorist activity.
    In the face of this unpredictability and rapid change with 
respect to threats, our approach to security in every 
transportation sector must be based on flexibility and 
adaptability. While it is necessary, it is no longer sufficient 
to protect ourselves against known or suspected terrorists; we 
must protect ourselves against people with no known affiliation 
to terrorism. While it is necessary to, it is no longer 
sufficient to focus on finding threat devices like guns and 
explosives; we must enhance our ability to find terrorists 
before an attack is underway. And while it is necessary, it is 
no longer sufficient to subject every passenger to basic 
security procedures; we must create uncertainty, an element of 
unpredictabilty in our security operations, in order to disrupt 
terrorist planning and attempts.
    To accomplish these objectives, TSA is pursuing a security 
strategy based on Secretary Chertoff's Second Stage Review. 
There are four cooperating principles applicable to TSA. First, 
we will use analysis based on risk vulnerability and 
consequence to make investment and operational decisions. 
Second, we will avoid giving terrorists an advantage based on 
our predictability. TSA will deploy resources, such as K-9s and 
air marshals and inspectors, for example, and establish 
protocols, standards and best practices flexibly based on risk. 
Terrorists will not be able to use the predictability of our 
security measures to their advantage in carrying out an attack.
    Third, we will continue to intervene early based on 
intelligence, law enforcement information and suspicious 
incident reporting that focus our security measures on the 
terrorist as well as the means for carrying out the threat. 
Effective analysis and dissemination of timely information to 
those in need is a vital component of this effort.
    Finally, we will build and take advantage of security 
networks. We are pursuing a restructuring of TSA that will put 
renewed emphasis on building on information-sharing networks in 
every transportation sector. Through these efforts, we will 
work more closely with stakeholders and put a renewed emphasis 
on sharing intelligence, capacity and technology with other law 
enforcement, intelligence-gathering and security agencies at 
every level of government. We will build a more robust, 
distributed network of security systems to protect America.
    As we move forward, we are fortunate to be able to build on 
solid foundation not only at the local level, but nationally as 
well. This foundation includes products and resources developed 
by our Federal partners, especially at the Department of 
Transportation, with the Federal Transit Administration and the 
Federal Railroad Administration, and partners in the industry 
at the American Public Transportation Association, the 
Association of American Railroads and its members, labor 
unions, and individual public transportation systems. This 
collective expertise fortifies their knowledge, expertise and 
overall strategic approach. We value the critical role of 
Congress and especially this subcommittee, that this 
subcommittee plays in this effort, and we look forward to 
working with you on a full range of these issues.
    I am happy to appear, and I would be pleased to answer any 
questions you might have.
    Mr. Lungren. Thank you very much.
    [The statement of Mr. Jamison follows:]

                  Prepared Statement of Robert Jamison

                            October 20, 2005

    Good afternoon, Mr. Chairman, Congresswoman Sanchez, and Members of 
the Subcommittee. I am pleased to have this opportunity to testify on 
the subject of ``The London Bombings: Protecting Civilian Targets from 
Terrorist Attack.'' As requested, my testimony today will focus largely 
on public transit and intercity freight and passenger rail 
transportation.
    As you know, the September 11 attacks focused Congress, the 
Administration, and the public on improving the security of our 
aviation system. It is an honor today to assist Assistant Secretary 
Hawley in leading TSA as we refocus and realign it to reflect the 
changing reality of terrorist threats to the transportation sector. Of 
necessity, much of our early work at TSA focused on the very real and 
present threats and vulnerabilities in aviation. We were fortunate to 
have partners at DOT and in industries and communities around the 
Nation who immediately stepped forward at that time to initiate 
security improvements in the transit and rail sectors. Today, we 
continue to work with these partners and build upon their record of 
success to address the changing transportation threat environment.

    Overview of Surface Transportation
    America's passenger and freight transportation system is a dynamic, 
interconnected network. It consists of overlapping sub-networks and 
multiple organizations, with a variety of governance structures and a 
mix of public and private ownership. In terms of security, 
decentralized systems such as this are more difficult to ``control,'' 
but they also have advantages. They present more operational 
uncertainty to those who seek to do them harm, and they are more robust 
in the face of catastrophic failure of any single component of their 
networks.
    Public Transportation. America's public transportation system is 
actually composed of over 6,000 separate local transit systems. These 
local systems range from very small bus-only systems in rural 
communities, to very large multi-modal systems in urban areas that may 
combine bus, light rail, subway, commuter rail and ferry operations. 
Transit systems are not only locally operated, but they are also 
protected largely by State and local law enforcement.
    Americans took 9.4 billion trips using public transportation in 
2003. The 30 largest transit systems in the U.S. carry most (almost 80 
percent) of the Nation's transit passenger trips. There is now some 
form of rail transit (light rail, subway, or commuter rail) operated by 
53 different transit agencies located in 33 cities and 23 States. These 
rail systems provide a combined 11.3 million passenger trips each 
weekday, compared to 1.8 million domestic emplanements per day 
nationwide.
    Approximately 28 percent of all transit trips and 77 percent of all 
rail transit trips are on heavy rail. There are 14 heavy rail transit 
systems (also known as subways) in the U.S., consisting of more than 
2,000 route miles, with over 1,000 stations and approximately 10,500 
subway cars. The New York City subway system is the largest in the 
U.S., carrying about 75 percent of the nation's heavy rail passengers, 
with half of the stations and more than 6,000 scheduled trains per day 
carrying over 3 million riders. In New York's Penn Station alone, more 
than 1,600 people per minute pass through dozens of access points 
during a typical rush hour.
    Intercity Bus Transportation. Though not owned by public entities, 
intercity bus service is an important component of America's 
transportation network. Intercity bus service is provided by over 4,000 
private operators across the country, 90 percent of which operate 25 or 
fewer buses. Greyhound is the largest intercity bus operator, with a 
fleet of more than 2,400 buses. Public transit buses annually carry 
about 8 times the number of riders as intercity buses; heavy rail 
(subway) operators carry over 3 times as many riders as intercity 
buses.
    Intercity Passenger Rail. Intercity passenger rail service is 
provided by two entities: Amtrak and the Alaska Railroad Corporation 
(ARRC), which is a public corporation of the State of Alaska. The ARRC 
provides freight and passenger service from Whittier, Seward and 
Anchorage to Fairbanks, Denali National Park, and military 
installations.
    Amtrak carries approximately 25 million passengers per year or an 
estimated 68,000 passengers per day, operating as many as 300 trains 
per day and serving over 500 stations in 46 States. In many large 
cities, Amtrak stations are co-located with stations serving rail 
transit, intercity bus, and other modes of transportation. Amtrak 
operates over more than 22,000 route miles. It owns 650 route miles, 
primarily between Boston and Washington, DC, and in Michigan. In other 
parts of the country, Amtrak trains use tracks owned by freight 
railroads.
    Freight Rail. U.S. freight railroads operate over a network 
spanning more than 140,000 route miles. This system is vital to the 
economy, linking businesses and ensuring products reach consumers in an 
efficient, safe, and cost-effective manner. Still, recent events, such 
as the accidental derailment in Graniteville, SC, that resulted in the 
release of chlorine gas, have highlighted the need to focus additional 
attention on the potential security risks associated with freight rail. 
Over 64 percent of toxic inhalation hazard chemicals are currently 
transported by rail. In 2003, over 60,000 tank cars of chlorine or 
anhydrous ammonia chemicals were shipped, each carrying an average of 
90 tons of chlorine or 30,000 gallons of anhydrous ammonia.

    London Lessons Learned
    Al-Qa'ida and its affiliated extremist groups and sympathizers 
demonstrated their ability to strike mass transit targets with suicide 
bombings on buses in Israel, Turkey and China, and bombings of subways, 
rail systems, and ferries in India, Pakistan, Thailand, Chechnya, 
Russia and the Philippines. The Madrid train attacks in 2004 and the 
London subway and bus attacks on July 7 and 21 of this year have 
further reminded us that our trains, subways and buses may be terrorist 
targets.
    Heavy rail transit systems in the U.S., like the London 
Underground, are particularly high consequence targets in terms of 
potential loss of life and economic disruption. These systems carry 
large numbers of people in a confined environment, offer the potential 
of targeting specific populations at particular destination stations, 
and often have stations located below or adjacent to high profile 
government buildings, major office complexes, or public icons. Threats 
to particular economic sectors, like government or financial 
institutions, may also be carried out through attacks on public 
transit.
    The London attacks were particularly noteworthy from a security 
perspective.
         In a relatively short period of time, unknown and 
        apparently unaffiliated individuals/groups were able to plan 
        and execute the attacks with little or no surveillance or 
        rehearsal activity.
         The perpetrators came through fare-gates directly onto 
        the train; they did not access storage yards, tunnels or 
        bridges. As a result, London's extensive intrusion detection 
        devices and security cameras did not prevent the attacks. 
        Recording capability was helpful, but only after-the-fact in 
        helping to identify suspects.
         The improvised explosive devices used by the attackers 
        were assembled with materials readily available in local shops. 
        The devices fit easily into backpacks of the type and design 
        commonly carried by students, commuters, and tourists.
         Even with markedly increased public awareness, 
        countermeasures, and law enforcement presence after the first 
        London bombings, the same methods were able to be used in the 
        second attack without suspicion or detection.
    Immediately following the first London attacks, transit agencies 
and local officials took action. Responding to a joint inquiry by TSA 
and DOT's Federal Transit Administration (FTA), the 30 largest transit 
agencies reported that they:
         Extended patrol hours through law enforcement overtime 
        and the deployment of administrative and operational personnel;
         Expanded the use of canine explosive detection 
        patrols; and
         Issued more frequent and more detailed public 
        awareness announcements regarding how to report unattended bags 
        and suspicious behavior and how to evacuate from particular 
        transit environments (i.e., train cars, tunnels, and bridges).
    These actions built upon the important security foundation that was 
established over the last several years. In contrast to their pre-9/11 
security posture, all of the largest transit agencies have now: 
developed and implemented action plans that are specific to each 
Homeland Security Alert System threat level; sent front-line employees 
to Federally-funded security and emergency response training courses; 
instituted public awareness campaigns, many utilizing Federally-
developed materials; developed and tested emergency response plans; and 
hardened numerous assets to protect against security threats.

    Adapting to a Changing Threat Environment
    Despite the work that has already been done, Mr. Chairman, the 
London bombings and other events throughout the world have demonstrated 
the need for a new strategic approach to transportation security. 
Fundamentally, our challenge is to protect passengers, freight, and our 
transportation network in a constantly changing threat environment. We 
understand better that terrorists will not only look for weaknesses in 
our transportation system and its security measures, but they will also 
adapt to perceived security measures. As a result, it is not possible 
to ``predict'' the next attack based on previous terrorist activity or 
put into place specific security measures to protect against it. In 
this dynamic environment, history is an unreliable guide.
    In the face of unpredictability and rapid change in terms of 
threats, our approach to security in every transportation sector must 
be based on flexibility and adaptability.
     While it is necessary, it is no longer sufficient to 
protect ourselves against known or suspected terrorists; we must 
protect ourselves against people with no known affiliation to 
terrorism.
     While it is necessary, it is no longer sufficient to focus 
on finding weapons and common explosives; we must enhance our ability 
to recognize suspicious behavioral patterns and demeanors to identify 
people who may have devised a new means to attack our transportation 
systems or passengers.
     While it is necessary, it is no longer sufficient to 
subject every passenger to the same basic security procedures; we must 
create uncertainty and an element of randomness in security operations 
in order to disrupt terrorist planning and attempts.
     While it is necessary, it is no longer sufficient to focus 
solely on identifying the actors, like suicide bombers; we must 
integrate our security measures with local law enforcement to identify 
those who make the bombs and provide support.
    Therefore, TSA is pursuing a security strategy based on Secretary 
Chertoff's Second Stage Review, the National Strategy for 
Transportation Security, and the following four operating principles:
    First, we will use risk/value analysis to make investment and 
operational decisions. That means that we will assess risks based not 
only on threat and vulnerability, but on the potential consequences of 
a particular threat to people, transportation assets, and the economy. 
Further, we will assess and undertake risk management and risk 
mitigation measures based on their effect on total transportation 
network risk. This holistic approach to risk assessment and risk 
mitigation may lead us, for example, to redirect the actions of our 
airport screeners to focus less on identifying and removing less 
threatening items from carry-on luggage, so that their time and 
attention can be spent on identifying potential components of an 
improvised explosive device.
    Second, we will avoid giving terrorists or potential terrorists an 
advantage based on our predictability. TSA will deploy resources--
whether they are canine teams, screeners, air marshals, or inspectors--
and establish protocols flexibly based on risk, so that terrorists 
cannot use the predictability of security measures to their advantage 
in planning or carrying out a threat. This may mean changing or adding 
to inspection routines on a daily or hourly basis to introduce 
uncertainty into terrorist planning efforts.
    Third, we will continue to intervene early based on intelligence, 
and focus our security measures on the terrorist, as well as the means 
for carrying out the threat. Enhancing and expanding the techniques to 
identify suspicious persons at the transit, train, or bus station, or 
to detect explosive devices is necessary. However, the strongest 
defense posture detects the terrorist well before the attempt to launch 
an attack has begun. A coordinated interagency intelligence collection 
and analysis effort must stand as the first line of defense. Effective 
dissemination of timely intelligence products to those who need them is 
a vital component of this effort.
    And, finally, we will build and take advantage of security 
networks. As you may know, I am pursuing a restructuring of TSA that 
will put a renewed emphasis on building information sharing networks in 
every transportation sector--rail, transit, maritime, and trucking, as 
well as aviation. Not only will we work more closely with stakeholders 
in these industries, we will put a renewed emphasis on sharing 
intelligence, capacity and technology with other law enforcement, 
intelligence gathering and security agencies at every level of 
government. We will build a more robust, distributed network of 
security systems to protect America.
    As we apply these operational principles, I have also directed my 
staff to rededicate themselves to important customer service 
principles, as well. As we move forward,
         TSA will identify opportunities and engage the private 
        sector in its work to develop and implement security systems 
        and products.
         We will protect the privacy of Americans by minimizing 
        the amount of personal data we acquire, store and share, and we 
        will vigorously protect any data that is collected, stored or 
        transmitted.
         And TSA will remember, in all that we do, our goal in 
        stopping terrorism is to protect the freedoms of the American 
        people. Therefore, we will work to make travel easier for the 
        law-abiding public, while protecting the security of the 
        transportation network and the people who depend upon it.

    A Solid Foundation
    As we move forward strategically to enhance our security efforts in 
the public transportation and rail sectors, we are fortunate to be able 
to build upon a solid foundation of work, not only at the local level, 
but nationally, as well.
    Grants. Substantial Federal assistance has been and will continue 
to be provided to support improved transit and rail security. TSA has 
assisted the DHS Office of State and Local Government Coordination and 
Preparation (SLGCP) in the development of its Transit Security Grant 
Program (TSGP). To date, SLGCP has provided more than $255 million to 
State and local transit agencies through this program to increase 
protection through hardening of assets, greater police presence during 
high alerts, additional detection and surveillance equipment, increased 
inspections, and expanded use of explosives detection canine teams. In 
April 2005, DHS announced $141 million in TSGP funding, of which more 
than $107 million has been dedicated to owners and operators of rail 
systems. An additional $6 million was awarded to Amtrak through the 
Inter-city and Passenger Rail Security Program (IPRSGP) for security 
enhancements to passenger rail operations in the Northeast Corridor and 
at Amtrak's hub in Chicago. Additionally, through SLGCP's State 
Homeland Security Grant Program and Urban Area Security Initiative, the 
Department has allocated more than $8.3 billion for general 
counterterrorism preparedness.
    The FY 2006 appropriations bill includes an additional $2.5 billion 
for this purpose. The bill also includes a total of $390 million in 
discretionary grants specifically for surface transportation security 
programs, including $150 million for rail and transit security, $175 
million for port security, $10 million for intercity bus security, and 
$5 million for the Highway Watch program. TSA will continue to work 
closely with SLGCP on these programs, as well.
    Security Exercises and Training. TSA has held numerous security 
exercises that bring together stakeholders, Federal, State, and local 
first responders, and security experts to test preparedness and 
response and identify best practices and lessons learned. We are also 
seeking new and improved ways to exercise and train for prevention 
methods, which will help strengthen a national prevention capability. 
These efforts will develop and support effective relationships among 
Federal, State and local entities and the private sector, and they 
significantly enhance our ability to anticipate and respond quickly and 
appropriately to security issues.
    Additionally, through an interagency agreement with the Federal Law 
Enforcement Training Center (FLETC), TSA has trained over 400 law 
enforcement officers, transit police, and first responders through the 
Land Transportation Anti-Terrorism Training Program. TSA has also 
contracted with FTA's National Transit Institute to develop a CD-ROM-
based interactive training program for passenger and freight rail 
employees. This product is expected to be completed before the end of 
the current fiscal year. These training programs emphasize 
antiterrorism planning and prevention for land transportation systems. 
Areas of focus include security planning, transit system 
vulnerabilities, contingency planning, recognition and response for 
threats involving explosives and weapons of mass destruction, and 
crisis and consequence management. Guest instructors with specialized 
expertise supplement the FLETC staff, providing the benefit of actual 
experience through case studies.
    Self-Assessment Tool. TSA has developed the Vulnerability 
Identification Self-Assessment Tool (VISAT), a multi-modal tool that 
public transportation agencies may voluntarily use to self-assess 
vulnerabilities within their systems. Specific modules focus on mass 
transit (heavy rail/subways), rail passenger stations, highway bridges, 
maritime, and operations centers. Additional modules under development 
will ensure this tool covers the spectrum of modes for which TSA holds 
lead responsibility for security. In general, the tool focuses on the 
prevention and the mitigation of an array of threat scenarios developed 
for each mode within the sector. Users rate their entity in terms of 
target attractiveness (from a terrorist's perspective) and several 
consequence categories that broadly describe health and well-being, 
economic consequence, and symbolic value of the entity. The tool 
enables a user to capture a snapshot of its security system baseline 
assessing vulnerabilities in the system and assisting in the 
development of a comprehensive security plan.
    Surface Transportation Security Inspector Program. The Department 
of Homeland Security Appropriations Act for FY 2005 provided $12 
million to TSA for rail security, including $10 million to deploy 100 
Federal security compliance inspectors and Congress has continued this 
funding in FY 2006. TSA has made substantial progress in developing a 
robust and comprehensive surface transportation security compliance 
inspector program with emphasis on hiring, training, and logistical and 
procedural planning. A total of 99 inspectors are now on board. Among 
other tasks, the security compliance inspectors will identify gaps in 
security and validate compliance with TSA's security directives.

    Conclusion
    Mr. Chairman and Members of the Subcommittee, I want to assure you 
that TSA is pursuing a robust strategy to support rail and transit 
security that builds upon the work of other Department of Homeland 
Security agencies, the Department of Transportation, and our public and 
private sector partners at the State and local level. We look forward 
to working with Congress and this Committee as we continue to protect 
America's transportation infrastructure, its passengers, and the 
commerce that depends upon it.
    Thank you. I would be pleased to respond to questions.

    Mr. Lungren. We only have the two of us here, but I will 
sort of go by my 5-minute rule so we can go back and forth on 
this and spend as much time as we need.
    Mr. Stephan, do you prefer being referred to as Colonel 
Stephan?
    Mr. Stephan. Either one.
    Mr. Lungren. Well, I think someone who has earned that 
title ought to be able to keep it; so if you don't mind, I will 
call you Colonel.
    Mr. Stephan. All right, sir.
    Mr. Lungren. Thank you very much for your testimony.
    We have had this question about the National Infrastructure 
Protection Plan and sector-specific plans due by the end of the 
year. When are we actually going to see them? And plans are all 
well and good, but what do you do with them? I mean, what is 
the added value to those plans over and above what your 
Department is doing or what sectors are doing themselves 
individually?
    Mr. Stephan. Yes, sir. This subject is very near and dear 
to me, and I want to be very up front and candid with both of 
you gentlemen.
    I took this job--the most significant responsibility I 
think I have had in my life--the end of April of this year. The 
strategic backbone document for everything I am supposed to be 
doing is something called the National Infrastructure 
Protection Plan. I grabbed ahold of that document in the early 
May time frame in its interim form that the Department issued 
in February, and as I read the document, a sinking feeling 
rapidly came over me. I took the document and I compared it to 
what the requirements that President Bush set forth clearly, 
very clearly articulated in HSPD-7, and the document was simply 
missing in action 50 percent of what I believe the President 
clearly articulated needed to be in that document, in HSPD-7. 
And the document appeared to me to be yet another one of these 
never-ending series of documents that tell us what has to be 
done. After multiple years have passed since September 11th 
attacks, everyone in this room knows what has to be done. The 
question that document has to get to is: How are we going to do 
the whats that are listed in the document?
    So doing this the only way I know how to do it--and I have 
developed or led the development of three other national plans 
or strategies at this level--I took the document, I got a new 
team. It is not a team of contractors, it is a team of 
government employees that have helped me with previous plans. I 
have got them firmly under my direction, and we have worked 
that document over the last several months to include some very 
important missing-in-action items.
    We very clearly articulate now in this document what the 
roles and responsibilities of various State and local players 
in all of this and private sector players are; the 
international dimension; the cyber dimension; how the Federal 
budget infrastructure protection should come together in some 
kind of logical, meaningful way, a series of metrics, a series 
of things that will hold people accountable, deliverables, 
timelines. All of this, I am happy to report, I completed with 
my team last week, and I have turned it in to Department 
Secretary Jackson and Deputy Secretary Chertoff for their 
review.
    Prior to this, I conducted a broad review across our 
Federal Interagency Senior Leadership Council and have gotten 
back from them on a one-for-one Q&A session with no significant 
pushback on anything in the plan.
    What I need to do now is, upon release authority from the 
Secretary and the Deputy Secretary, is allow this plan in final 
draft form to go out for about a 30-day comment period to a 
broad gathering of State, local, tribal government partners and 
the private sector folks so I get their opinions, because the 
previous version of this document was not very broadly 
coordinated as it should have been across the very wide 
stakeholder community. I owe that to those people, so I am 
going to do that when I get the send button pushed from the 
Secretary. I hope to get that very, very soon.
    I will take the comments that come back from that process, 
and if there are significant comments, I will propose a second 
round of coordination across that stakeholder community. And I 
want to put the final pieces of this together as quickly as I 
can towards the end of the year or the first of the year, to be 
as frank and honest as I can with you. That will be depend on 
the level of comment that I get across the private sector and 
across our State and local government partners.
    I firmly believe in this document. If we don't have this 
document, we have no strategic backbone. We don't have the 
``hows'' answered. We need to figure out how we are going to 
operationalize this risk assessment piece that is now in this 
plan. We have to figure clearly and clearly state who is 
responsible for what, that is in this plan; how our resources 
come together; and how they are wisely targeted against the 
broad array of critical infrastructure and key resources.
    Mr. Lungren. You appreciate the frustration of Members of 
the Committee when they hear that this is the strategic 
backbone, and here we are 4 years after 9/11 and we don't have 
it yet?
    Mr. Stephan. Yes, sir. And I can say to you personally that 
no one in this room is more frustrated than I am personally by 
this, sir. And it is my job to fix it. I own this operation 
now, and it is going to be fixed. And it is on my boss's desk.
    Mr. Lungren. I looked at your bio, and I noticed that you 
had been involved with contingency operation planning in 
Somalia, Haiti, Bosnia, Croatia, Liberia, Colombia, Kosovo. You 
have been the one that has been involved in that kind of 
planning in the past as part of your military experience.
    Mr. Stephan. Yes, sir.
    Mr. Lungren. And I take it from what you are saying you 
have tried to apply that same sort of military rigor to this 
planning even though you arrived late at the process?
    Mr. Stephan. Sir, it has to be a very rigorous process. And 
I led the development of the President's Strategy for Critical 
Infrastructure Protection in the year 2001 and 2002. I know how 
to do this. I spent a lifetime trying to attack other people's 
target sets. I have to reverse-engineer that across the United 
States. And the defensive team is challenging, a lot more 
challenging than the offensive has it.
    Mr. Lungren. You see what happens here in the Committee, we 
look at DHS as sort of an amorphous operation, and when we have 
heard this plan is going to be coming out, it is going to be 
coming out, it is going to be coming out, we tend to look with 
a little skepticism about another repeat that ``it is going to 
come out''. But what I am taking from what you are saying is 
you arrived late to the game, you found somethi ng that looked 
like a fumbled football, and you picked it up, and you are 
trying to bring it forward; would that be correct?
    Mr. Stephan. Sir, I realize the importance of this document 
and how important it is to the country, and I realize I am not 
going to get another chance to get it right. And I am going to 
get it right with my team.
    Mr. Lungren. It was not right when you picked it up.
    Mr. Stephan. I don't believe it was accurate; it did not 
meet President Bush's thoroughly articulated criteria that 
appeared in HSPD-7.
    Mr. Lungren. Well, this is the President's clearly 
articulated criteria. What about your sense of what you needed 
to do to have a mission understood and carried out?
    Mr. Stephan. No, sir, it was not an operational document. 
This document was more akin to a strategy, broad-level strategy 
document that we have multiple copies of those kinds of things 
floating around the Federal Government. This needs to be an 
operational plan that everybody understands, knows what their 
part is, knows how resources come together, how they are 
applied, how we are going to focus, what risk assessment 
criteria we are going to use as a standard across the Nation. 
That is what this has to be. And I believe Bob Stephan has 
produced what it needs to be, and it is sitting on my boss's 
desk right now.
    Mr. Lungren. The Ranking Member is recognized for 5-plus 
minutes.
    Mr. Thompson. Thank you very much, Mr. Chairman.
    Colonel, I appreciate your truthfulness. And I think this 
committee supports the effort to come up with a document that 
we all can feel proud of. Anything less is not acceptable. I 
don't think you will have any problem from this committee 
pursuing exactly what you see as that mission and the 
production of the plan.
    I had a couple of questions I wanted to ask. Mr. Jamison, I 
actually had a hazmat question to ask you, and I was told I 
can't ask you this question as you have a conflict. Any idea on 
when you are going to get the conflict resolved so I can get my 
question answered?
    Mr. Jamison. I would be happy to provide an answer to you 
for the record. Unfortunately, this is my first day on the job 
at the Transportation Security Administration, so I am still 
going through the ethics process, and as soon as I am through 
with that process, I will be able to answer your question. But 
I will be happy to provide an answer to you for the record.
    Mr. Thompson. Can you give me some kind of time frame on 
when you will have it resolved?
    Mr. Jamison. I am hoping to have it resolved in the next 
several weeks.
    Mr. Thompson. And that conflict doesn't prevent you from 
doing your job?
    Mr. Jamison. It does not prevent me from doing my job. I am 
recused from certain matters until that conflict is resolved, 
but I am able to execute the duties of the job.
    Mr. Thompson. All right. Thank you very much.
    In the 9/11 Commission report and the legislation that came 
from that, we require a plan to be developed for transportation 
security, a strategy. When will Congress see that strategy?
    Mr. Jamison. They received the strategy in September, which 
is the National Strategy for Transportation Security, which was 
submitted. After Mr. Stephan submits his National 
Infrastructure Protection Plan, I believe it is 180 days after 
that it will be updated, but the strategy was received.
    Mr. Thompson. So it is your testimony that we now have that 
strategy?
    Mr. Jamison. You have the National Transportation Security 
Strategy.
    Mr. Thompson. Well, Mr. Chairman, I have a list of 
questions I would like to submit for Mr. Jamison to answer 
because what we have is not a strategy. We have some elements, 
but we don't have a strategy. But I will accept your word on it 
and just pursue it at a later date.
    Mr. Thompson. In addition to that, this committee heard 
testimony earlier in the week relating to some intelligence 
questions around collection and analysis as it relates to 
transit security with both New York City and Baltimore. We were 
a little troubled that there appeared to be a disconnect 
between the transit security system and the Department of 
Homeland Security intelligence-gathering system and the city of 
New York. Have you had--and I know this is your first day on 
the job, but have you had an opportunity to look at that 
disconnect? If so, can you tell us how we can fix it?
    Mr. Jamison. Well, while I was involved in my role in DOT 
in that event--and I think the lesson learned from London is 
even one of the most prepared systems in the world at a 
heightened state of alert, it is very difficult to prevent 
attacks on mass transit. So it is very important that the 
shared responsibility of security between Federal, State and 
local, that we share information as quickly as we can and get 
as much information to the State and locals and have them make 
a decision they need to make.
    In this instance that was done quickly, the information was 
shared. In addition to the information, an analysis portion, 
which the Federal Government plays a key role in, was shared 
with the New York officials. And it is their role--and I 
respect that role--to take that information and weigh the risk 
in their local areas versus the information and make decisions 
to take action.
    Mr. Thompson. So do you agree with what they did?
    Mr. Jamison. I respect the decision. I mean, the analysis 
that we gave them was given in an effort to enable them to make 
decisions.
    Mr. Thompson. I will ask you one more time, did you agree 
with the decision they reached, yes or no?
    Mr. Jamison. I agree that they have the right to make that 
decision. The issue on whether or not they have the right to 
deploy the resources, absolutely, I agree that they should have 
deployed resources if they felt like that was their 
responsibility.
    Mr. Thompson. Well, one of the things we keep hearing is we 
don't have enough connectivity between all these agencies; even 
though we passed legislation that mandated it, we still don't 
see it. At their press conference that Mayor Bloomberg had, the 
FBI was standing next to him, but not DHS. I am trying to 
figure out whether you agreed with it or you didn't. Does your 
absence at this press conference signify that you didn't agree 
with it?
    Mr. Jamison. Well, again, Congressman, I think this is a 
positive story that the system worked, that the information got 
down to the local levels, it got to the local levels quickly, 
they were able to assess it and make decisions. You know, I was 
not in Mayor Bloomberg's shoes--
    Mr. Thompson. Were you invited to the press conference?
    Mr. Jamison. Was DHS invited to the press conference? I 
don't know that. I don't know the answer to that.
    Mr. Thompson. Mr. Chairman, can we, for the record, find 
out from DHS if they were invited to this process conference 
that Mayor Bloomberg had? I think it would be important.
    Mr. Lungren. I am sure you can let us know whether you were 
invited or not.
    Mr. Jamison. Absolutely.
    Mr. Thompson. Your absence at the press conference would 
indicate a lot, given the information you provided New York 
City.
    Thank you, Mr. Chairman.
    Mr. Lungren. Mr. Pearce, are you ready to inquire?
    Mr. Pearce. Thank you, Mr. Chairman--
    Mr. Lungren. We have a loose 5-minute rule, more than 5.
    Mr. Pearce. Thank you very much. That differs from some 
committees, and I appreciate the Chairman's--
    Mr. Harley, the Transportation Security Administration just 
recently did a field test of the--we don't have Mr. Harley. Mr. 
Jamison. The TSA ran the puffer machines. I have seen one of 
those. They had, I think, one at Mount Vernon--not Mount 
Vernon, the Statute of Liberty--and I wonder how those machines 
are working and the effectiveness and what the cost on those 
is.
    Mr. Jamison. We did run what we deem as a successful test 
called Trip on the puffer machines, and actually a three-phase 
test. The first part was in New Carrollton, Maryland. And the 
major success part of the test is that we were able to take 
that technology, the puffer machine that is usually used in 
aviation, and adapt it to the transportation environment. It 
did work in that arena; however, there still remain a lot of 
problems with deploying that technology in the security or in 
the transit environment.
    One, the throughput, it takes 15 seconds or more for each 
passenger to go through that system, and it was tested in very 
low-volume conditions. So in an environment such as New York 
City, Penn Station, where you have 1,500 people a minute coming 
into a system through various entrances, it is just not 
practical to deploy that type of technology.
    We are continuing to research the technology, continuing to 
try to find ways that we get better throughput and develop the 
alternatives, but at this point there is no current plans to 
deploy that technology in the transit environment.
    Mr. Pearce. What is the basic cost on those units? And then 
if we could work out some of the problems, what cost are we 
looking at broad scale?
    Mr. Jamison. I don't know what the individual cost of the 
units are. I would be happy to provide that for you for the 
record. They are expensive.
    Mr. Pearce. Multiples of where we are right now?
    Mr. Jamison. Excuse me. I just got the answer to your 
earlier question. It is $125,000 per unit.
    Mr. Pearce. And how does that compare to some of the 
screening mechanisms we are currently using? Is that a multiple 
of two or three or the same?
    Mr. Jamison. Do you mean in the aviation environment?
    Mr. Pearce. Mm-hmm.
    Mr. Jamison. Actually, it is a multiple of two on some of 
the technology screening.
    Mr. Pearce. About $65,000 versus $125,000.
    If you we look at some of the screening devices that we are 
using at the airports, we look at the time that it takes there 
plus the labor intensity, do you see any emerging technologies 
that can detect the same thing the puffers do, the explosives 
or weapons? Are we seeing any technologies coming out of that?
    Mr. Jamison. We are carefully evaluating all the 
technologies that have been used in the aviation arena to see 
whether or not they are applicable in the transit environment, 
like backscanner and other types of technologies, to see if we 
can get high volumes of throughput. But based off of the 
evaluation currently, we don't see any near-term technology 
that is going to come up that is going to give us an 
opportunity to apply it in the transit environment.
    Mr. Pearce. What are the European nations doing with regard 
to transit safety? Are they doing anything at all?
    Mr. Jamison. There are some contemplating some technology 
deployments, as pilots only, and we are working closely with 
them. I was just on a trip overseas to London, and lessons 
learned, and we were discussing with them what some of the 
options are, but they currently don't have that technology 
deployed in London.
    Mr. Pearce. If there is none of the technology deployed, 
what is the basic philosophical outlook on safety in the mass 
transit system?
    Mr. Jamison. Well, first of all, I mean, I think the mass 
transit systems are more secure than they have ever been. What 
London did was validate that the approach to try to get the 
terrorists before they get to the system is the most effective 
strategy, and we need to continue to receive good intelligence 
and so forth. They also validated that the focus that we have 
had on training, awareness training, and making sure that your 
operators know how to spot suspicious behavior and know how to 
report it and know how to react, in addition to public 
awareness campaigns, and in addition to emergency preparedness 
so that you know how to respond and mitigate the impact of an 
event are still the most effective strategies.
    Mr. Pearce. And are we prepared in your agency to come to 
the conclusion that you might not--it might not be able to 
provide 100 percent fail-safe screening mechanisms; that the 
cost would be too prohibitive, and there are too many other 
access points? Are we prepared in this Nation and in your 
agency to have an open discussion about whether or not we can 
and should? Because it sounds like that is where Europe already 
is; that they may employ some things, but they are definitely 
not sitting here at the cutting edge of technology and 
approaching it the way we are.
    Mr. Jamison. That is correct. And as I mentioned before, I 
think we must continue to look--to put research money into 
technology and to try to determine what the opportunities are 
to continue to improve the security. But currently more boots 
on the ground, awareness training, other types of methods are 
most effective, and screening is not the solution in the near 
term.
    Mr. Pearce. I see my red light blinking, Mr. Chairman. How 
loose is your parameter here?
    Mr. Lungren. I just understand that Mr. Thompson has to 
leave, so I was going to let him inquire, and then--
    Mr. Pearce. Let me yield, and then if we have a second 
round, I will take another turn. Thank you, Mr. Chairman.
    Mr. Lungren. Mr. Thompson.
    Mr. Thompson. Thank you very much, Mr. Chairman. I 
appreciate you allowing me to do this.
    A couple more questions, Mr. Jamison. Can you tell me if 
TSA mandates transit systems to provide security training for 
its employees?
    Mr. Jamison. There is a security directive that instructs 
transit agencies to provide training to their front-line 
employees, yes.
    Mr. Thompson. Do you interpret ``instruct'' to mean 
``require''?
    Mr. Jamison. It is a security--it is a legal, binding 
security directive, yes.
    Mr. Thompson. Can you provide this committee with that 
document that requires transit systems to provide training to 
its employees?
    Mr. Jamison. Sure.
    Mr. Thompson. Thank you.
    Mr. Thompson. Another question. Colonel, at a hearing 
earlier this summer, we talked about chemical plant security, 
and I think basically you promised, in response to a question 
from me, that we would have a plan for chemical security within 
a few weeks. Can you tell me where we are with that now?
    Mr. Stephan. What I have done at my level in coordination 
with the Secretary and Deputy Secretary and the Homeland 
Security counsel, we have worked out, I believe, internal to 
DHS what we believe the major pillars of a regulatory framework 
for the chemical industry would look like in terms of a risk-
based approach by facility, by facility category, by facility 
type, performance measures. I am ready to discuss with Members 
of Congress the parameters associated with this.
    I don't believe we promised a plan, sir; I believe we 
promised we would be ready to have discussions with our friends 
on the Hill regarding a framework that would end up in a piece 
of legislation eventually.
    Mr. Thompson. Well, given the fact that our chemical 
plants, as you know, are vulnerable, we do need to come up, I 
think, in a short period of time with some kind of strategy for 
the security of those plants, and I look forward to working 
with you on it.
    Mr. Stephan. May I add, whether or not we get authority or 
not, as part of our sector-specific plan for the chemical 
industry we will have an option A and a B; an option A if we 
get regulatory authority through legislation, and an option B 
if we do not have a set authority. We will work through what 
our other options are and put that as far as the NIPP.
    Mr. Thompson. Could you, if it is available, provide us 
with any of that information? Or maybe, Mr. Chairman, we might 
need to set up a briefing because a number of our Members have 
concern about chemical plant security.
    Mr. Stephan. I would like to give you a briefing, if I 
could do that.
    Mr. Lungren. We can set that up.
    Mr. Thompson. Thank you very much.
    Mr. Jamison, earlier, in response to a question dealing 
with the transportation security strategy, I am aware that a 
plan was sent to us, it was a classified document, and for some 
reason we are not able to really address it as we should. I 
understand it is under review to be declassified, but according 
to Section 4001 of the 9/11 Act, there were some things that 
that strategy had to include, and I will read them: Set 
realistic deadlines to address transportation security needs 
across all modes, establish clear responsibilities between all 
levels of government and the private sector, delineate roles 
and responsibility for response and recovery, and prioritize 
research and development to ensure that effective technologies 
are deployed as soon as possible.
    Now, our reading of the plan indicates that these 
requirements are not there, so now can you tell me--if my 
interpretation is wrong. Can you just tell me if those things 
are there?
    Mr. Jamison. I don't know that the specific plan gets into 
that much detail. What I can tell you is it is currently 
security-sensitive information which should give you access to 
it for one issue. But also the issues that you just laid out 
there, the majority of those issues have been addressed in a 
memorandum of understanding between the Department of 
Transportation and the Department of Homeland Security, such as 
roles and responsibilities, research, and so forth and so on. 
Part of that memorandum of understanding requires that DHS and 
DOT do an annual plan to prioritize research funding, other 
resources to make sure that they are coordinated, and focused 
on risk, and prioritized based off of the resources of both 
agencies.
    Mr. Thompson. Mr. Chairman, I would basically submit my 
question to Mr. Jamison in writing so he can give it back to me 
in writing. Thank you very much.
    Mr. Lungren. Thank you, Mr. Thompson. And I am sure, Mr. 
Jamison, you will respond in writing to the question by the 
Ranking Member.
    Mr. Lungren. Mr. Jamison, following the Madrid bombing last 
year, it is my information that TSA issued 20 security 
directives to public transit agencies to increase transit 
security. There has been a suggestion by some observers as to 
whether or not these directives would be effective in 
preventing a terrorist attack.
    Has TSA had a chance to go back and look at those security 
directives to see if, in fact, they are sufficient for the 
purpose that they were issued?
    Mr. Jamison. Well, we continue to look at the security 
directives. And the security directives were meant to establish 
a baseline of protective measures, and they are also intended 
to give agencies some flexibility within those baselines so 
that they could adapt those directives to their individual 
operating conditions. But the fundamentals of some of the 
discussion that we were just talking about, about having aware 
employees, reporting suspicious activity, utilization of K9 
teams and other types of measures, is a good indication of the 
security directives. We need to continue to look at those, 
continue to work with the industry and continue to determine 
what are the most effective security measures.
    Mr. Lungren. So does that mean you are?
    Mr. Jamison. Yes.
    Mr. Lungren. I mean, you said you should, but I guess that 
means you are doing that.
    Mr. Jamison. Yes.
    Mr. Lungren. Congress appropriated millions of dollars to 
hire 100 rail security inspectors to enforce these security 
directives. What is the status of that, and how will they be 
utilized to improve security of mass transit?
    Mr. Jamison. Currently, 99 of the 100 on board are being 
processed through the HR process. That is an opportunity to 
look at the security directives and to continue to analyze the 
gaps in rail transit. It is also a huge opportunity to improve 
coordination with our stakeholders and make sure we will get 
real-time, ground-truth information from the field to determine 
whether or not the appropriate security measures are in place.
    Mr. Lungren. What kind of feedback are you getting?
    Mr. Jamison. Generally, the majority of the transit 
agencies--the overwhelming majority of the transit agencies are 
doing those measures, all of those awareness measures; and as 
the program ramps up and we get the opportunity to do more 
security gap analysis, we hope to get more information that 
helps us develop a more robust strategy.
    Mr. Lungren. Colonel Stephan, you stated the Department is 
focused on a risk-based approach to critical infrastructure 
protection. You heard my comments at the beginning that I was 
concerned that IP might have developed a risk-based methodology 
that focuses on each sector from top to bottom and one sector 
at the expense of others. What are you doing to make sure we 
are doing it across the board?
    I mean, risk number 10 in one sector may be less severe 
than risk number 75 in another; and if we are doing sector by 
sector my concern is, with the limited amount of resources we 
have, that we might divert them to a less risk-appropriate 
target scenario than otherwise.
    Mr. Stephan. We do not intend to methodically go through 
one sector at a time sequentially and somewhere, years and 
years and years from now, get to the bottom of this problem. 
What we are doing is attacking this at cross sectors now in 
terms of our data calls and data acquisition efforts with State 
and local governments and the private sector. We are doing this 
across all 17 critical infrastructure and key resource sectors 
that are defined in HSPD-7.
    The problem that we face, of course, is getting the data. 
That is one piece. The second piece is doing something 
meaningful with that data that would then inform a risk-based 
approach to planning and resource investments.
    What we are working on feverishly is making sure that we 
can compare these apples and oranges within sectors and across 
sectors. In order to do that, we have worked with the private 
sector: first with nuclear energy; the chemical industry, next; 
liquefied or natural gas; the various modes of transportation; 
the energy sector, to develop this RAMCAP piece.
    This is a risk-assessment technology, a technological tool 
that, when we get this deployed across all the sectors, we will 
have a standardized criteria by which these data calls will be 
supported with consequence information, vulnerability 
information and threat information that is logical across the 
sectors. That is my big stumbling block now. We are working 
diligently. We piloted these first two efforts. It took us 
about a year to get it right with the energy sector and the 
chemical piece.
    The next versions of these are going to go much quicker; 
and, again, I want to close this whole piece out within the 
next year or so in terms of having a risk-assessment module, 
that we have the same thing in each of the sectors in terms of 
the standardized criteria that allows me to take the data that 
people are providing me, put it into a computer, and have the 
apples and oranges all become apples so I can do this cross-
sector comparison.
    But we are also not waiting for that. We are also taking by 
whatever criteria I have now and we recently put out about 3 
months ago a data call across all the 17 sectors asking us for 
based-upon criteria that we put out to them. I will be happy to 
share this document with the committee.
    Agriculture and food, banking and finance, chemical, 
energy, information technology, emergency services, postal and 
shipping, the list goes on. What are your top assets systems or 
networks based upon criteria that is specifically defined for 
each of these sectors? Give us this information so that we can 
use it to better inform our buffer zone protection plan grant 
activities, to inform our operational planning, to inform our 
information-sharing activities.
    So that stuff is all under way now.
    Mr. Lungren. Let me pick up on the buffer zone protection 
plan grants. It is my information that the way it is to operate 
is that every State will be given 70 BZP slots. That is, the 
State of California will be given 70, the State of Wyoming will 
be given 70. Then, within that, each State is supposed to make 
a determination on their own.
    My question is: Is that your understanding of the way it is 
going to be? And, if so, does that make sense that each State 
gets 70 slots? That is, that you would presume--and I don't 
want to pick on Wyoming, but in the previous grants program 
everybody has analyzed it to show that Wyoming has 7 times or 
10 times per capita the amount of grants in the previous 
homeland security grant funding than New York does. So that is 
why I will pick on Wyoming.
    Mr. Stephan. That must have been an earlier version of the 
BZPP for '06 process. I saw what I think is probably a similar 
version about 2 or 3 weeks ago; and I told my people that is 
not the way, in fact, we are going to do this. The BZPP thing, 
we have to take a look at using a risk-based approach. We are 
going to have to marry it up with the UASI program, marry it up 
with the transit grant programs. We are going to focus it where 
we have clusters of targets so we can get more bang for the 
buck.
    Because the intent of this program is to drive operational 
planning between State and local governments and the private 
sector and help those people develop operational prevention and 
response capabilities clustered around key areas where nuclear 
plants, chemical plants, transportation systems--where if we 
are going to provide grants to law enforcement capability, it 
can surge multiple ways.
    That is one piece of this, but there are still important 
facilities across the country that may not be clustered with 
others, that are standalone, very consequential; and the BZPP 
program has to take those into account. I think one of the 
Secretary's visions in creating this new preparedness 
directorate, of which IP would be a part as well as the new 
Assistant Secretary for Grants in Training, is to make sure we 
are logically looking at what the requirements are across the 
board, figuring out what the criteria are for the different 
individual grant programs and making sure we are putting the 
most bang for the buck where it makes sense based on risk.
    Mr. Lungren. I am going to recognize the gentleman from New 
Mexico but first mention, at least from what I hear at the 
local level in my State, what you have just said has not been 
conveyed to them. Somehow it was conveyed to them every State 
was going to get a predetermined number of slots, irrespective 
of risk; and the States would decide what they do. The number 
we heard was 70 to each State, and that didn't seem to me to 
make a whole lot of sense.
    Mr. Pearce is recognized for at least about 5 minutes.
    Mr. Pearce. Thank you, Mr. Chairman.
    If we explore this risk-based prioritization again as 
Secretary Chertoff has placed emphasis on, can you--what is the 
ultimate determinative risk?
    Mr. Stephan. There are three pieces to the risk puzzle.
    The first piece is threat information, which, sadly, is not 
always as granular as we would like it to be with respect to 
these critical infrastructure, key resource sectors, although 
we are following it with very smart people every single day. 
Just never seems to get us the granularity expect for some 
specific instances you all know about, mainly in the mass 
transit world over the last several months.
    The other piece of the equation is consequences, 
consequences in terms of public health and safety, human lives, 
human impacts, economic consequences, national security 
consequences. Those go into the mix.
    And, finally, vulnerabilities, just how vulnerable is a 
consequential facility with respect to various potential modes 
of terrorist attack.
    All of these pieces involve a formula that is basically 
consequences times vulnerabilities times threat equals risk.
    Mr. Pearce. So if we were going to say look at the nuclear 
power plant that is just west of our State in eastern Arizona 
and we are going to assess the risk of that versus a 
conventional power plant located in New York State with a dense 
population, which of those is going to percolate higher in the 
risk stream?
    Mr. Stephan. If you go strictly by consequences in terms of 
population impact, naturally the piece in New York is going to 
receive more attention. But I also have to say this is not--
this is an art, this is not a science; and I would say a 
successful attack on any nuclear plant anywhere in the United 
States of America is going to have a very important 
psychological dimension that no mathematical formula can bring 
to the table.
    So in addition to those pieces of the risk calculus, we 
have to have good old-fashioned common sense and roll in some 
Kentucky windage reference psychological impacts to all of 
these target sets out there.
    Mr. Pearce. I understand that, but as a Department agency 
and looking at Secretary Chertoff's emphasis on risk-based 
prioritization, I am just asking which is going to percolate 
higher in the stream.
    Mr. Stephan. I think all nuclear power plants are going to 
receive a high priority focus across the country.
    Mr. Pearce. If we then downgrade the risk to the next level 
and we look at water systems and you get, say, a water system 
pretty well protected and not very vulnerable, no threat info, 
and you have the open lake in New Mexico that feeds all down 
through Mexico and Texas, through the rest of New Mexico, and a 
biological hazard placed in that, no threat info on that, so 
which of those are going to percolate to the higher end of the 
risk-based assessment?
    Mr. Stephan. Again, then we get a little bit more into the 
mathematical calculus piece. But this is not a winner-take-all 
or a winner-loser zero sum game. No matter what your level of 
risk happens to be, there are certain kinds of things that the 
Department of Homeland Security is going to reach out and touch 
you on. Everyone is going to be part of some kind of organized 
leadership structure that allows us to interact and 
interoperate and figure out what each other's needs and 
requirements are.
    Everybody that wants to be is going to be tied into an 
Information Sharing Mechanism, no matter what your level of 
risk, because I hope to God in all this risk-management piece 
that al-Qa'ida kind of follows our own risk-management 
methodology or we could be in trouble. Therefore, everybody--if 
you are on a target set today that meets our risk criteria, but 
al-Qa'ida goes another way, everybody has to be connected from 
an information perspective so we can rapidly adjust from where 
we think they hit us to where they might hit us based upon 
their own calculations.
    So when we say risk-based focus, I am really talking about 
an allocation of DHS dollars and specifically IP dollars in 
terms of the monies we have at our disposal for specifically 
targeted initiatives like BZPPs, or buffer zone protection 
plans. Everybody is going to get a leadership structure put on 
top of them that they participate in. Everybody is going to get 
an information-sharing mechanism. Everybody is going to get 
access to a widely accepted vulnerability assessment 
methodology set of criteria and tools to help them out. And 
everyone is going to get information bulletins that specify 
specific threats when they do arise.
    So I don't want to leave you all with the impression this 
is a zero sum game in terms of risk. There are certain baseline 
things everyone will be plugged into or be a part of.
    Mr. Pearce. Being from one of the rural areas, I will tell 
you that the great concern is that, through whatever mechanism 
that bureaucracies work and agencies work, is that risk-based 
is going to end up percolating down to population; and I will 
tell you that the Nation will be worse off than better off if 
population becomes a single criteria. I know you are telling me 
that is not the case, but I will tell you that human nature is 
that we try to find the easiest solution when the solutions are 
not very easy.
    I will tell you that the nuclear components in New Mexico, 
with al-Qa'ida sitting there, coming across a border, that has 
nobody posted on it now. Last night, we got word that the 
border patrol has completely evacuated, and we are the last to 
learn that al-Qa'ida has come across our border. We get that in 
the newspapers when everybody else reads it. Somewhere we have 
to do a little bit more thorough job of understanding that 
risk-based is a little bit broader than just population. That I 
think is a task for us to remember through the long, dark 
nights of trying to assess our risk, but I appreciate your work 
on the effort.
    I yield back.
    Mr. Stephan. Thank you, sir.
    Mr. Lungren. Colonel, if I could just ask you something 
with respect to an issue we dealt with on the committee 
yesterday that has to do with the Bureau of Reclamation.
    They run over 400 dams and levee assets in the western half 
of the country in the 17 western States. They have what they 
would describe as a rather robust effort to provide security 
for their assets. Is your operation informed of their efforts? 
Are you integrated in any form, shape or fashion? What added 
value do you provide to them, if any, over and above what they 
are doing? And how does that contrast with what your other 
elements of DHS are doing with the other dams?
    Because we are talking about 400 dams, levee assets under 
Bureau of Reclamation. That doesn't talk about State dams and 
certainly doesn't talk about privately owned dams.
    Mr. Stephan. Yes, sir. Our problem is we have about 80,000 
or so dam structures and levee structures across the United 
States of America. I think about 5 percent may be owned by the 
Federal government across multiple agencies. The rest are State 
and local owned and operated facilities.
    Our value in this has given this incredible patchwork of 
ownership authorities, regulations, resource dollars that go 
into this, is to provide an organizing leadership to all of 
that patchwork of different people out there searching for 
leadership. Through the NIPP structure, the National 
Infrastructure Protection Plan organizing umbrella, we at DHS 
IP lead the dams sector in terms of the government coordinating 
council represented by DOI, the Bureau of Reclamation, the Army 
Corps of Engineers, Agriculture, Energy, the Department of 
Defense, other folks that own dams wearing Federal hats. We 
also, through that coordinating council, bring together the 
major State players that own dams within their jurisdictions; 
and we have a private sector and some State membership on 
another council that we also bring to the table so that all of 
those equities are there. Our goal is to bring this amazing 
patchwork of different dam owners and operators together, make 
very sure that all those people are connected to some kind of 
information-sharing network.
    The Federal pieces of the puzzle are fairly well connected 
together at this point in time. The State pieces of the puzzle 
are connected very well through the homeland security advisor 
network at this point. We have more work to do in terms of 
connecting individual State-level and private-sector dam owners 
and operators together from an information-sharing piece. Right 
now, we reach out and touch them through local law enforcement 
networks in partnership with the FBI, but I also need to be 
able to reach out and touch the owners and operators of those 
various facilities together.
    We work together, realizing that some people like Bureau of 
Reclamation has some important resources they can bring to the 
fight. In other cases, where there is nobody covering down on a 
particular set of assets, we may make a buffer zone protection 
grant available based on consequences to a State government 
that has an important dam within its jurisdiction and try to 
make all of that work in some meaningful way.
    Again, just a lot of different actors out there, a lot of 
players, a lot of information needs to be shared. We have to 
work together to make sure we clearly have identified what is 
more important than other things based mainly on consequences 
in the dams world and that we are all putting some kind of 
resource patchwork together to get at the really significant 
problems.
    Mr. Lungren. I hope you don't mind if I harp a little bit 
on dams, but as I have explained before, I live downstream of a 
major dam that has been identified by the Bureau of Reclamation 
as one of concern.
    Let me ask you about this. DHS and with dams, other than 
this information sharing and trying to get people together and 
so forth, do you have any operational responsibility in a 
terrorist attack scenario? What I mean by that is this--We know 
now, because we have had a couple of breaches of the no-fly 
zone around the D.C. area, that there is a decisionmaker that 
makes the decision as to whether or not to shoot down a plane. 
What about in terms of critical assets like a Federal dam?
    I am not going to talk about any specific dam, but dams 
have different structures. You may have a reservoir that has 
several dams on it, maybe earthen, maybe the concrete 
structure, maybe dikes. A determination could be made at a 
particular time that, because of a threat to it, they have to 
relieve some stress on certain areas; and that decision could 
put some population centers at risk more than other population 
centers, actually, life-and-death situations.
    Do those decisions that would be made operationally by 
Bureau of Reclamation in that context, would they in any way 
interface with the Department of Homeland Security before that 
decision is made or is that decision made within the Bureau 
itself?
    Mr. Stephan. Sir, again, the decisionmaking power, as you 
correctly stated, resides with those organizations. But I think 
if we are talking about a terrorist incident here in terms of 
prevention, protection, response and recovery phases, DHS owns 
the overall operational coordination piece across the Federal 
Government for each particular phase of a response to a 
potential terrorist threat or national incident. There is an 
important role that headquarters would play in terms of that 
operational information-sharing reference the threat, reference 
protective measures that are in place and that need to be 
bolstered through the State homeland security advisor network 
principally as well as our Federal Department and agencies if 
it is a Federal asset.
    The FEMA component of DHS has a very significant role to 
play in terms of consultation and the emergency preparedness 
posture of the downstream communities. There is a big program 
in FEMA, the Dams Safety and Security Program, that was created 
back, I think, in 2002 by an act of Congress that give those 
guys some very specific roles and responsibilities and some 
grants to facilitate preparedness planning on a steady state 
basis every day of the year, as well as technical assistance, 
as well as some other security-related activities.
    Mr. Lungren. Maybe I will have to follow up with you at 
some other time, and maybe I need to look at some of the 
tabletop exercises that have gone on. It just strikes me after 
seeing Katrina and some suggestion that we didn't have--we had 
failure of decision making in some areas and not others. And 
posse comitatus, that goes in there. But if you have got a 
Federal facility and a terrorist attack, I don't think you have 
to worry about posse comitatus, but I think it would be good 
for us to insure we know what the chain of command is and the 
decisionmaking, where it may be considered operational of a dam 
or other asset. But the decision could very well determine who 
is in harm's way by the election of the decisionmaker, and I 
just would hope that we think about that ahead of time.
    Mr. Pearce, if you have some further questions.
    Mr. Pearce. I do, Mr. Chairman, one more series of 
questions.
    Mr. Stephan, the idea that we have got 80,000 dams out 
there that need some sort of protection plan, is homeland 
security going to provide the protection plan for each one of 
those?
    Mr. Stephan. No, sir, we are not. The protection plan is 
the responsibility of the owners and operators.
    Mr. Pearce. How can we tell when they have done their 
homework?
    Mr. Stephan. That is the challenge. There is no way that we 
can insure that 80,000 facilities--and they go from things like 
the Grand Cooley dam all the way to a simple earthen levee that 
is part of some neighborhood complex.
    Mr. Pearce. Early on, our office engaged in the difficulty 
of not only dams--I mean, 80,000 dams tends to put it in 
perspective, but if we look at the number of communities with 
the number of risks in communities, there is no way the Federal 
Government can identify and understand each risk, that it 
becomes a local and a State responsibility but mostly it is a 
local responsibility.
    In trying to put some sense into that process, our office 
early on established--we went to one of the institutions that 
is syndicated with several other higher education institutions 
to provide security for the Nation and security training; and 
they helped us develop a thing called Certified Communities, 
with 35, 34 different components that are measurable--many are 
already measured, just not tabulated--and we created a concept 
called Certified Communities.
    The idea is that the certified communities would get some 
sort of rating from insurance agencies. The insurance agencies 
do that right now, the ISO ratings for fire. What happens if 
your community loses its capability or drops its training for 
fire protection, homeowners get increases in their insurance 
policies. So what you have is you have all the residents of a 
community become kind of overseers. They are the first to 
realize that their insurance rates are going up because our 
community has not prepared itself. And if our community hasn't 
prepared itself then they call and they begin to raise 
pressure, you guys have let your ISO rating drop and we now are 
paying more insurance.
    So it is not just that you need a program but you need a 
program that reinforces itself, that self-enforces it; and 
tying it to insurance rates is a way to get the public vision 
on it.
    The second aspect of tying it to that is communities will 
know, if they have a better ISO rating, then their personal 
insurance costs go down. So, many times, they can pay for the 
protection that they are getting through the lower insurance 
premiums for the community.
    Now we submitted this thing, and it has been locked down in 
ODP for about 6 months, and they refuse to bring it to the 
light of day. We think it could be done regulatorily, and it 
just does not make sense that Homeland Security has got this 
thing deep-sixed. It is just a gift that these education 
institutions have given to the Homeland Security Department. It 
would be very easy to implement, and it doesn't have any 
requirement that you do it. It just gives us a measuring stick, 
gives the tie-together that if you do--we visited with the 
insurance industry. Would you be willing to give better rates 
if communities are prepared against either terrorist threats or 
natural disasters, and they said of course we would.
    So the enforcement mechanism is right there. That is the 
people and their insurance accounts. I just--someday maybe 
Homeland Security is going to think it important enough to get 
those 80,000 dams certified and all the communities across the 
Nation, some sort of process to where people will know if they 
are actually doing their work to prepare or not. It is very 
frustrating from our point of view to have asked agencies or 
institutions to do this of work and then have it locked down 
over in ODP. So if you want to make a comment, fine.
    Mr. Stephan. The only comment, I am not aware of the status 
of this paperwork, but I will go back and press on that.
    Mr. Pearce. I would appreciate it. It just makes sense for 
the Nation and appears like it would give us a measurement 
mechanism. The thought process that went into it came far 
broader than just into New Mexico. It was institutions across 
the country that are in this group that just worked to prepare.
    Mr. Stephan. May I ask for the title of the program?
    Mr. Pearce. Certified Communities Program.
    Mr. Stephan. Certified Communities Program.
    Mr. Pearce. It is very straightforward.
    I appreciate it, Mr. Chairman. Thanks for your indulgence.
    Mr. Lungren. I thank the gentleman from New Mexico for his 
questions, his inspiration and his persistence. I thank the 
witnesses for their valuable testimony and the members for 
their questions. I just want to let you know the absence of 
more members is not an indication of an absence in the interest 
of the work that you are doing, but it is the fact that at 
12:30 we stopped having votes.
    Mr. Pearce. The other people got their airplanes out, and 
we did not.
    Mr. Lungren. Mr. Pearce and I decided we would rather stay 
here with you.
    The members of the Committee, as you know, may have some 
additional questions for you, and some will be submitted to you 
in writing. We would ask for you to respond to these in writing 
in a timely fashion. The hearing record will be held open for 
10 days.
    The subcommittee stands adjourned.
    [Whereupon, at 4:27 p.m., the subcommittee was adjourned.]

                             For the Record

             Prepared Statement of the Honorable Kip Hawley

                           Spetember 7, 2005

    Good morning, Mr. Chairman, Congresswoman Sanchez, and Members of 
the Subcommittee. I am pleased to have this opportunity to testify on 
the subject of protecting civilian targets from terrorist attack. My 
focus today will be on the programs and initiatives of the 
Transportation Security Administration (TSA) in rail and mass transit 
security--where we are investing our resources and why--as well as our 
immediate response to the London bombings and our vision for the road 
ahead.
    TSA is an agency created on the heels of the atrocious 9/11 attacks 
on our Nation. We are charged with protecting all modes of 
transportation--a mandate we have taken seriously since our inception, 
notwithstanding the more visible comprehensive federalization of our 
Nation's aviation security system directed by the Aviation and 
Transportation Security Act (ATSA). The tragic bombings in Moscow on 
February 6, 2004, in Madrid on March 11, 2004, and in London on July 7, 
2005, and the attempted attacks there two weeks later, are grim 
reminders of the heinous tactics of our enemies and of the need to 
remain vigilant and prepared.

Our Current Program
    Efforts to ensure transportation security vary with the nature of 
the system being protected. The Nation's rail and mass transit systems 
are fundamentally different from our aviation system. Transportation 
systems differ in size, in openness, and in control. Most importantly, 
our passenger rail and mass transit systems are, by design, far more 
accessible than the commercial passenger aviation system, with multiple 
entry points, few barriers to access, and hubs that serve and allow 
transfers among multiple modes--subway, intercity rail, commuter rail, 
and bus--and multiple carriers. While commercial passenger aviation is 
a closed system that can be closely monitored at controlled 
checkpoints, passenger rail and mass transit are open systems without 
controlled checkpoints--hence, monitoring cannot be accomplished by a 
single staff person or closed circuit television. Many passenger rail 
and mass transit systems are vast in terms of infrastructure and 
ridership. As just one example, each weekday an average of 4.5 million 
passengers ride the New York City subway, compared to approximately 1.8 
million domestic aviation enplanements per day, nationwide. In 
addition, passenger rail and mass transportation assets are owned or 
controlled by State or local governmental entities or private industry, 
each of which is responsible for its own security. The Federal 
government has only very recently issued security regulations in mass 
transit and passenger rail. In contrast, although commercial passenger 
aviation also has a wide variety of owners and operators, its security 
has historically been heavily regulated by the Federal government.
    And so, we cannot simply graft our commercial passenger aviation 
security systems onto the passenger rail and mass transit modes. To do 
so would be unrealistic, expensive, disruptive, and ultimately 
ineffective. Instead, we have, since our inception, been carefully 
weaving a web of security measures that depend upon three key 
components: stakeholder partnership and cooperation; risk assessment; 
and technology evaluation. These components have provided a strong 
security base and promise to strengthen mass transit and passenger rail 
security as we move forward.
    Stakeholder Partnership and Cooperation. One hallmark of our rail 
and mass transit security program is the close working relationships we 
have fostered with other DHS components, with the Department of 
Transportation (DOT) and its modal administrations, and perhaps most 
importantly, with the stakeholders--the public and private providers of 
rail and mass transit transportation who are also responsible for the 
systems' security. Our efforts have focused on greater information 
sharing between the industry and all levels of government; addressing 
vulnerabilities in the rail and mass transit sector to develop new 
security measures and plans; increasing training and public awareness 
campaigns; and providing greater assistance and funding for rail and 
mass transit activities.
    Risk Assessment. Security measures are a filter, not a guarantee, 
but effectiveness can be maximized, without unduly sacrificing freedom 
of movement, through risk assessment. A primary goal of our approach to 
security is to assess the risks and evaluate vulnerabilities associated 
with different components of the rail and mass transit systems to 
determine how to optimize resources. TSA's initiatives are intended to 
focus the collective limited resources available on the protection and 
prevention of terrorist incidents with the greatest potential 
consequences.
    Technology Evaluation. The challenge of harnessing security 
technology for rail and mass transit is two-fold: How can we best adapt 
the security technology developed for aviation to the unique 
circumstances of rail and mass transit systems? What new technologies 
are uniquely suited to rail and mass transit systems? Pilot programs, 
exercises, and research and development aim to leverage current and 
emerging technologies to deter attacks against rail and mass transit 
systems, especially those intended to cause catastrophic damage through 
use of chemical, biological, radiological, or high explosives weapons.
    Together, these three components support our current security 
program and future planning.
    Grants. Although primary responsibility for funding mass transit 
security rests with State and local governments, substantial Federal 
assistance has been and will continue to be provided through a variety 
of grants. TSA has worked closely with DHS' Office of State and Local 
Government Coordination and Preparedness (OSLGCP) in the review of 
grant applications, the determination of eligibility, and final award 
determinations. Since its creation, through the State Homeland Security 
Grant Program and the Urban Area Security Initiative, DHS has allocated 
$8.6 billion for counterterrorism preparedness. The President's FY 2006 
homeland security budget proposes an additional $2.4 billion for this 
purpose as well. These funds can also be allocated by State and local 
governments for rail and mass transit security efforts. The FY2006 
budget also requests $600 million--a more than 60 percent increase--for 
the Targeted Infrastructure Protection Program, which covers security 
for mass transit, rail, ports, inter-city buses, and programs such as 
highway watch and buffer zone protection. These areas and programs 
combined received $365 million in FY 2005. Additionally, to date DHS' 
Transit Security Grant Program (TSGP) has provided more than $255 
million to State and local transit authorities to increase protection 
through hardening of assets, greater police presence during high 
alerts, additional detection and surveillance equipment, increased 
inspections, and expanded use of explosives detection canine teams. In 
April 2005, DHS announced $141 million in TSGP funding, of which more 
than $107 million has been dedicated to owners and operators of rail 
systems. An additional $6 million was awarded to Amtrak through the 
Intercity Passenger Rail Security Program for security enhancements to 
rail operations on the Northeast Corridor and at the railroad's hub in 
Chicago.
    TSA has also coordinated closely with DOT's Federal Transit 
Administration (FTA), which launched a comprehensive public 
transportation security initiatives program funded primarily through a 
$23.5 million supplemental security allocation in an FY 2003 emergency 
wartime appropriation. The program included threat and vulnerability 
assessments at 37 of the largest transit agencies, most involving 
multiple modes; the deployment of on-site security technical assistance 
teams to the 50 largest transit agencies; the award of security drill 
and exercise grants to over 80 transit agencies; the launching, with 
industry partners, of a Transit Watch security public awareness 
campaign; and the development and holding of community forums to 
enhance coordination and integration of transit agencies with emergency 
responders, fire and police departments, and other key stakeholders.
    Security Exercises and Training. TSA has held numerous security 
exercises that bring together rail carriers, Federal, State, and local 
first responders, and security experts to test preparedness and 
response and identify best practices and lessons learned. These efforts 
support effective relationships among Federal entities and with State 
and local governments and the private sector and greatly enhance our 
overall security posture. These exercises assist TSA and stakeholders 
in addressing gaps in antiterrorism and response training among rail 
personnel.
    Through an interagency agreement with the Federal Law Enforcement 
Training Center, TSA has trained over 400 law enforcement, transit 
police, and first responders through the Land Transportation Anti-
Terrorism Training Program. Additionally, TSA has contracted with the 
National Transit Institute to develop a CD-ROM based interactive 
training program for passenger and freight rail employees. This product 
is expected to be completed before the end of the current fiscal year.
    Stakeholder Engagement. TSA has reached out and engaged with 
industry stakeholders, including the American Public Transportation 
Association and Amtrak, to identify common security practices and 
obtain feedback on security programs and initiatives. This input is 
crucial to TSA's efforts to identify best practices, which will enhance 
security in the rail and mass transit modes. We are committed to 
maintaining these engagements and using the information and experience 
gained in security measures and programs.
    Corporate Security Reviews (CSR). Since FY 2003, TSA has conducted 
27 on-site corporate security reviews with rail and mass transit 
stakeholders, including six of the Nation's seven Class I railroads, to 
gain an understanding of each surface transportation owner/operator's 
ability to protect its critical assets. The program's goals are to 
supply baseline data that can be used to develop security standards, 
provide domain awareness of security measures throughout the 
transportation sector, and promote outreach to transportation 
stakeholders as a means to ensure constant communication and foster 
stakeholder relationships.
    The CSR Program has several recognized benefits. The data collected 
during these visits, such as security plans and critical infrastructure 
lists, supplies TSA with information to assist with other programs and 
exercises, baseline the state of security in the Nation, and establish 
performance-based security standards. This data also assists TSA in 
identifying areas where additional resources need to be dedicated to 
address security shortfalls. Additionally, the field presence fosters a 
higher degree of confidence in TSA with the stakeholder community, 
builds trusted partnerships faster, and validates stakeholder policies 
and procedures already in place.
    Security Directives. To secure the U.S. passenger rail and mass 
transit sectors after the Madrid attacks, TSA issued Security 
Directives (SDs) that mandate specific security measures. The SDs set a 
standardized security baseline. They were developed in conjunction with 
stakeholders and DOT. The measures required by the SDs support DHS's 
overarching goals of prevent, protect, respond, and restore. A key 
measure mandated by the SDs is frequent inspections of key facilities, 
including stations, terminals, and passenger rail cars, for suspicious 
or unattended items.
    Surface Transportation Inspection Program. In addition to the grant 
programs I have discussed, the Department of Homeland Security 
Appropriations Act for FY 2005 committed $12 million to TSA for rail 
security, including $10 million to deploy 100 Federal security 
compliance inspectors. TSA has made substantial progress in developing 
a robust and comprehensive surface transportation security compliance 
inspector program with emphasis on hiring, training, and logistical and 
procedural planning. More than 60 have been deployed to date. TSA 
expects to have hired and deployed all 100 inspectors to field 
locations in the next 60 days. The inspectors will identify gaps in 
security and inspect for compliance with the SDs.
    Pilot Programs. TSA has successfully conducted the Transit and Rail 
Inspection Pilot (TRIP) program, which was designed to test the 
feasibility of screening passengers, their luggage, and cargo for 
explosives in the rail environment. The pilot occurred in three phases 
and tested advanced automated x-ray explosives detection equipment and 
canine patrols. TRIP provided valuable lessons on how to successfully 
deploy, maintain, and use screening technology outside the airport 
environment. Results indicated that such technology might be useful if 
threats were made against a specific rail or mass transit system or in 
support of a National Special Security Event (NSSE). This aspect was 
successfully demonstrated at the Republican National Convention in the 
summer of 2004 and at the Presidential Inauguration in January 2005.
    Explosives Detection Canine Teams. The FY 2005 DHS Appropriations 
Act also includes $2 million to deploy explosives detection canine 
teams. The National Explosives Detection Canine Team Program consists 
of two components. First, a Rapid Deployment Force (RDF) has been 
developed to deploy DHS explosives detection canine team resources in 
support of local law enforcement agencies on an as needed basis in the 
event of heightened levels of security. TSA's participation in the RDF 
has included augmentation of local law enforcement and local 
authorities during NSSEs, such as the Presidential Inauguration and the 
Democratic and Republican National Conventions, as well as conducting 
joint training and assistance to existing mass transit canine teams. 
The second component of the explosives detection canine team program is 
devoted to rail and mass transit and should be completed by the end of 
calendar year 2005. This segment is being accomplished by partnering 
with local mass transit and rail authorities. It includes the training 
and deployment of additional TSA-certified explosives detection canine 
team assets to support mass transit systems and the development of 
national standard operating procedures for rail and mass transit 
systems. As one example, TSA partnered with the Metropolitan Atlanta 
Rapid Transit Authority, deploying six TSA-certified explosives 
detection canine teams throughout their system.
    This program is effective and expanding. On August 10, 2005, TSA 
offered a cadre of three dogs each to ten of the largest mass transit 
systems in the Nation. Law enforcement officers from the ten systems 
that choose to participate will attend the TSA Explosives Detection 
Canine Handler Course beginning this month. During that ten-week 
course, handlers will be matched with a TSA canine and trained in 
proper dog handling and search techniques. Upon graduation, the teams 
will return to their systems for local training, familiarization, and 
certification.
    Hazardous Materials. The security of hazardous materials (HAZMAT) 
shipments, including radioactive materials and defense related items, 
is an area that has received special emphasis since September 11, 2001. 
DHS and DOT have been working on several initiatives that support the 
development of a national risk-based plan to address the shipment of 
HAZMAT by rail and truck. For rail, a major effort is the assessment of 
the vulnerabilities of urban areas through which toxic inhalation 
hazard (TIH) materials are transported. TSA and DHS' Directorate for 
Information Analysis and Infrastructure Protection (IAIP) have worked 
together to enhance security in the Nation's capital with the National 
Capital Region (NCR) Rail Security Corridor Pilot Project. The $9.6 
million pilot initiative established a seven-mile long Rail Protective 
Measures Study Zone to protect HAZMAT traveling through the city. 
Measures undergoing testing and development include screening and 
monitoring of trains, monitoring of personnel, chemical monitoring, 
radiation and contamination monitoring, and physical security measures 
to prevent intruders from tampering with the rail lines or trains. The 
task force for this effort includes private stakeholders and other 
Federal and local government agencies that conducted risk vulnerability 
assessments and identified critical areas and mitigation strategies to 
enhance HAZMAT security along the D.C. Rail Corridor.
    TSA continues to improve HAZMAT security through the High Threat 
Urban Areas (HTUAs) Corridor Assessments. The DHS/DOT team is 
conducting vulnerability assessments of HTUAs where TIH HAZMAT is 
transported by rail in significant quantities. TSA, IAIP and federal 
partners from DOT (Federal Railroad Administration (FRA) and Pipeline 
and Hazardous Materials Safety Administration (PHMSA)) have completed 
four corridors. The goal of DHS is to complete nine corridor 
assessments of selected high-threat urban areas by the end of this 
calendar year. These assessments comprise one portion of a DHS and DOT 
plan to enhance the security of TIH rail shipments. Other goals of the 
plan are to enhance the ability of railcars to withstand attack, 
improve compliance with security plan regulations, develop protocols 
for protective measures, establish communication standards on rail car 
tracking systems, and improve rail car security during storage in 
transit.
    TSA contracted with the Texas Transportation Institute (TTI) to 
conduct an independent rail HAZMAT placarding study to assess the 
feasibility of technological alternatives to the current placard system 
that would enhance security while maintaining the same level of safety 
for the first responder community. TTI identified alternatives in three 
categories: cloaking devices; decentralized systems; and centralized 
systems. The study was completed on December 17, 2004, but the 
technologies examined did not demonstrate capabilities that would 
justify replacing the current system. Therefore, the Secretary of 
Homeland Security has decided that the current placarding system will 
remain in effect.
    In addition, FRA has administered and enforced the hazardous 
material shipment regulations promulgated by PHMSA or its predecessor, 
DOT's Research and Special Programs Administration since the 1970s. 
These safety regulations cover multiple subjects implicated by the 
shipment of HAZMAT by rail, including loading, unloading, transloading, 
placarding, rail car placement in trains, and documentation of the 
movement. There are nearly 100 FRA and State inspectors involved in 
aggressively inspecting and enforcing the HAZMAT regulations with 
respect to railroads, shippers by rail, tank car manufacturers, and 
tank car repair facilities. The FY 2005 FRA budget provides funding 
specifically for additional HAZMAT inspectors for tank car design, 
construction, quality, and maintenance.
    Freight Rail Security Demonstration Projects. TSA has worked with 
IAIP and DOT's FRA and PHMSA to develop projects to be funded with $5 
million allotted from the appropriation in the FY 2005 DHS 
Appropriations Act to OSLGCP for intercity passenger rail 
transportation, freight rail, and transit security grants. These 
projects will be carried out in accordance with the September 2004 
Memorandum of Understanding between DHS and DOT on agreed upon roles 
and responsibilities. Through this team approach, OSLGCP, TSA, IAIP, 
FRA, and PHMSA will engage stakeholders at the ground level in 
designing a comprehensive and meaningful strategy for successful 
implementation of the proposed demonstration projects.
    Self-Assessment Tool. TSA has developed a Vulnerability 
Identification Self-Assessment Tool (VISAT), a multi-modal tool that a 
rail or mass transit system may voluntarily use to detect and weigh the 
vulnerabilities within their systems. In general, the tool focuses on 
the prevention and the mitigation of an array of threat scenarios 
developed for each mode within the sector. Users rate their entity in 
terms of target attractiveness (from a terrorist's perspective) and 
several consequence categories that broadly describe health and well-
being, economic consequence, and symbolic value of the entity. The tool 
enables a user to capture a snapshot of its security system baseline by 
assessing vulnerabilities in the system and assisting in the 
development of a comprehensive security plan.
    Of note, VISAT has been adapted for use by stadium and arena 
managers to enhance security as well. To date, access to VISAT has been 
provided to over 300 stadiums and 400 arenas. IAIP is spearheading 
efforts to adapt the program for use by other commercial sector venues, 
to include convention and performing arts centers. An IAIP pilot 
program with the States of Texas, Virginia, and California, aims to 
adapt the tool to support security awareness in K-12 schools.
    Infrastructure Protection. TSA has been integral in assessing the 
vulnerability of rail and mass transit infrastructure. To date, TSA has 
reviewed over 2,600 facilities, structures, and systems in a 
comprehensive effort to determine critical infrastructure. DHS has 
conducted 52 Site Assistant Visits (SAVs) in the transportation sector 
including mass transit systems, tunnels, bus terminals/systems, rail 
lines, and bridges as of August 26, 2005. DHS and TSA personnel 
continue to review the security plans, countermeasures, mitigation 
strategies, and technologies used by industry, and will identify best 
practices in the future.
    FRA is assisting Amtrak in enhancing the security and safety of New 
York City tunnels under the East and Hudson Rivers. TSA and FTA are 
assessing the security of high-risk transit assets, including 
vulnerabilities in subway tunnels and at stations where large numbers 
of people converge and where an attack would cause the greatest loss of 
life and disruption to transportation services. FTA is working with 
local systems to develop best practices to improve communication 
systems and develop emergency response plans.
    By a final rule issued on May 31, 2005, FTA met Congressional 
direction to establish a program providing for State-conducted 
oversight of the safety and security of rail systems not regulated by 
FRA. To be codified at 49 C.F.R. Part 659, the rule imposes specific 
requirements for the development, implementation, monitoring, and 
assessment of security plans in addition to expanding safety oversight 
requirements.

Response to the London Attacks
    The recent London subway and bus attacks reaffirmed our need for 
vigilance in securing our rail and mass transit systems. The nationwide 
response to those attacks, however, also affirms the capability of 
TSA's approach to mass transit security to date. TSA and FTA jointly 
surveyed the top 30 transit agencies to determine changes in their 
security posture. Even before DHS officially raised the threat level 
for this sector, many transit agencies had voluntarily enhanced their 
security with additional patrols, explosives detection canine support, 
and enhanced public awareness campaigns. These efforts built upon 
improvements in the security posture brought on by adherence to the 
security directives TSA issued in the aftermath of the Moscow and 
Madrid bombings in 2004. Most transit agencies also increased the 
frequency of security inspections, including track inspections. Many 
indicated that they would continue increased use of these resources 
even after the downgrading of the threat level from Orange to Yellow.
    In the immediate aftermath of the bombings, TSA personnel were 
given access to transit agencies' operations centers nationwide to 
observe and evaluate and assist in responsive measures. TSA's surface 
transportation inspectors deployed to the operations centers of the 
major railroads and transit systems across the Nation to assess 
security posture and facilitate protective actions. FRA safety 
inspectors provided exceptional support and assistance in this effort 
with the railroads. This collective effort leveraged the assets, 
expertise, and carefully fostered partnerships of government and 
industry stakeholders to increase our situational awareness. Lessons 
learned by all parties will enhance overall security posture and 
awareness and foster effective cooperation and partnering among 
Federal, State, local, and private sector entities in the prevention 
of, and response to, acts of terrorism.
    Internationally, TSA officials have engaged with their foreign 
counterparts on rail and mass transit security issues, with the aim of 
sharing and gleaning best practices from countries with a history of 
terrorism against their surface transportation systems, an effort we 
will continue and expand upon. TSA has met with the responsible 
officials from the United Kingdom, Spain, Russia, Israel, France, 
Japan, Greece (particularly in preparation for the 2004 Olympic Games), 
the Netherlands, Canada, and other countries. TSA has developed forums 
for sharing security information and practices on behalf of DHS across 
all modes of transportation. TSA also benefits from the efforts of DHS 
representatives based overseas in U.S. Embassies, who have expanded 
their traditional aviation security roles to include security issues 
relating to all modes of transportation.

The Road Ahead
    We go forward with a disciplined measured program for protecting 
our rail and mass transit systems. Our efforts will continue to 
emphasize the shared responsibility of the Federal government, State 
and local governments, industry, and academia. TSA will continually set 
the standard for excellence in transportation security through people, 
processes, and technology.
    Crucial to our success as we move forward will be our ability to 
determine how to best invest our resources. As we continue with our 
risk assessments and pilot programs, we must optimize our resources to 
assure that they are invested where they will give the most information 
or protection. We cannot and will not arbitrarily push money into 
security programs without an intelligent assessment of their utility.
    Securing rail and mass transit systems must be a shared effort 
among Federal, State, and local governments and private stakeholders. 
Owners and operators are properly responsible for their own security. 
In mass transit, well-trained local law enforcement personnel 
understand the unique design characteristics and security challenges of 
their home town systems far better than anyone else. Success depends 
upon an effective partnership that builds on the strengths and 
resources that each level--Federal, State, and local--can offer and 
reflects the unique attributes and architecture of each system. To 
foster this effort, TSA has initiated a pilot program aimed at 
leveraging and networking information resources to ensure decision-
makers at all levels have the tools they need to implement measures and 
take actions to deter and prevent terrorist actions.
    Our challenge is great--to assure security and protect lives and 
property while maintaining the access and efficient movement that is 
essential to rail and mass transit systems. Stakeholder partnerships, 
information networks, development and leveraging of technology, using a 
risk-based approach to deployment of Federal resources, grants to 
foster innovation at the State and local level and in the private 
sector--through these means, we will continue to strengthen our base of 
security programs in a manner that ensures freedom of movement for 
people and commerce.
    Thank you for the opportunity to appear this morning. TSA looks 
forward to a continuing dialogue with Congress on the issues of rail 
and mass transit security. I will be pleased to answer any questions 
you may have.

[GRAPHIC] [TIFF OMITTED] T8921.002

                                 
