[House Hearing, 109 Congress]
[From the U.S. Government Publishing Office]


 
                    TERRORISM RISK ASSESSMENT AT THE 
                    DEPARTMENT OF HOMELAND SECURITY 
=======================================================================
                                HEARING

                               before the

                     SUBCOMMITTEE ON INTELLIGENCE,
           INFORMATION SHARING, AND TERRORISM RISK ASSESSMENT

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED NINTH CONGRESS

                             FIRST SESSION

                               __________

                           NOVEMBER 17, 2005

                               __________

                           Serial No. 109-58

                               __________

       Printed for the use of the Committee on Homeland Security
                                     
             [GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]

                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________

                     U.S. GOVERNMENT PRINTING OFFICE
35-939 PDF                 WASHINGTON DC:  2007
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001























                     COMMITTEE ON HOMELAND SECURITY



                   Peter T. King, New York, Chairman

Don Young, Alaska                    Bennie G. Thompson, Mississippi
Lamar S. Smith, Texas                Loretta Sanchez, California
Curt Weldon, Pennsylvania            Edward J. Markey, Massachusetts
Christopher Shays, Connecticut       Norman D. Dicks, Washington
John Linder, Georgia                 Jane Harman, California
Mark E. Souder, Indiana              Peter A. DeFazio, Oregon
Tom Davis, Virginia                  Nita M. Lowey, New York
Daniel E. Lungren, California        Eleanor Holmes Norton, District of 
Jim Gibbons, Nevada                  Columbia
Rob Simmons, Connecticut             Zoe Lofgren, California
Mike Rogers, Alabama                 Sheila Jackson-Lee, Texas
Stevan Pearce, New Mexico            Bill Pascrell, Jr., New Jersey
Katherine Harris, Florida            Donna M. Christensen, U.S. Virgin 
Bobby Jindal, Louisiana              Islands
Dave G. Reichert, Washington         Bob Etheridge, North Carolina
Michael McCaul, Texas                James R. Langevin, Rhode Island
Charlie Dent, Pennsylvania           Kendrick B. Meek, Florida
Ginny Brown-Waite, Florida

                                 ______

 SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK 
                               ASSESSMENT



                   Rob Simmons, Connecticut, Chairman

Curt Weldon, Pennsylvania            Zoe Lofgren, California
Mark E. Souder, Indiana              Loretta Sanchez, California
Daniel E. Lungren, California        Jane Harman, California
Jim Gibbons, Nevada                  Nita M. Lowey, New York
Stevan Pearce, New Mexico            Sheila Jackson-Lee, Texas
Bobby Jindal, Louisiana              James R. Langevin, Rhode Island
Charlie Dent, Pennsylvania           Kendrick B. Meek, Florida
Ginny Brown-Waite, Florida           Bennie G. Thompson, Mississippi 
Peter T. King, New York (Ex          (Ex Officio)
Officio)

                                  (II)

















                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Rob Simmons, a Representative in Congress From the 
  State of Connecticut, and Chairman, Subcommittee on 
  Intelligence, Information Sharing, and Terrorism Risk 
  Assessment.....................................................     1
The Honorable Zoe Lofgren, a Representative in Congress From the 
  State of California, and Ranking Member, Subcommittee on 
  Intelligence, Information Sharing, and Terrorism Risk 
  Assessment.....................................................     4
The Honorable Bennie G. Thompson, a Rpresentative in Congress 
  From the State of Mississippi, and Ranking Member, Committee on 
  Homeland Security:
  Prepared Statement.............................................     3
The Honorable Charlie Dent, a Representative in Congress From the 
  State of Pennsylvania..........................................    25
The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of Caifornia....................................     4

                               Witnesses

Ms. Melissa Smislova, Acting Director, Department of Homeland 
  Security, Homeland Infrastructure Threat and Risk Analysis 
  Center (HITRAC):
  Oral Statement.................................................     5
  Prepared Statement.............................................     6
Dr. Henry Willis, Policy Researcher, The RAND Corporation:
  Oral Statement.................................................    16
  Prepared Statement.............................................    17
Dr. Detlof von Winterfeldt, Director, Center for Risk and 
  Economic Analysis of Terrorism Events, University of Southern 
  California:
  Oral Statement.................................................    13
  Prepared Statement.............................................    14
Ms. Christine Wormuth, Senior Fellow--International Security 
  Program, Center for Strategic and International Studies:
  Oral Statement.................................................     8
  Prepared Statement.............................................    10


    TERRORISM RISK ASSESSMENT AT THE DEPARTMENT OF HOMELAND SECURITY

                              ----------                              


                      Thursday, November 17, 2005

             U.S. House of Representatives,
                    Committee on Homeland Security,
                  Subcommittee on Intelligence, Information
                    Sharing, and Terrorism Risk Assessment,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 3:05 p.m., in 
Room 311, Cannon House Office Building, Hon. Rob Simmons 
[chairman of the subcommittee] presiding.
    Present: Representatives Simmons, Lungren, Dent, Lofgren, 
and Thompson (ex officio).
    Mr. Simmons. The Committee on Homeland Security 
Subcommittee on Intelligence, Information Sharing and Terrorism 
Risk Assessment, will come to order.
    The subcommittee is meeting today to hear testimony on 
terrorism risk assessment at the Department of Homeland 
Security. We will be hearing testimony from four witnesses 
today. We will first hear from Ms. Melissa Smislova, Acting 
Director, Department of Homeland Security, Homeland 
Infrastructure Threat and Risk Analysis Center.
    We will also hear from Ms. Christine Wormuth, Senior Fellow 
in International Security at the Center For Strategic and 
International Studies.
    We will hear from Dr. Detlof von Winterfeldt, Director of 
the Center for Risk and Economic Analysis of Terrorism Events 
at the University of Southern California.
    We will hear from Dr. Henry Willis, Policy Researcher with 
the RAND Corporation.
    I welcome you all here today.
    Preventing terrorist attacks and assuring the safety and 
survivability of our Nation's critical infrastructure and key 
resources remains at the core of the DHS mission. To accomplish 
this mission, it is not enough to simply develop a 
comprehensive understanding of what we are protecting and what 
it is that is important to us as a Nation. We must also 
complete the picture by accurately and quickly fusing that 
knowledge with an understanding of America's enemies and the 
threats we face. It is only when we are able to successfully 
bring these two elements together that we can accurately gauge 
and respond to the risks we are confronting in the war on 
terrorism. This challenge is at the heart of terrorism risk 
assessment at the Department of Homeland Security.
    The Department of Homeland Security, as stated in the 
Homeland Security Act of 2002, is required to, ``integrate 
relevant information, analyses and vulnerability assessments in 
order to identify priorities for protective and support 
measures by the Department, other agencies of the Federal 
Government, State and local agencies and authorities, the 
private sector and other entities.'' In other words, to 
understand the Nation's vulnerability, to understand the 
internal and external threats to our homeland, and to bring 
that information together and help ensure appropriate action is 
taken and policies enacted.
    To more effectively carry out this critical role, the 
Department stood up the Homeland Infrastructure Threat and Risk 
Analysis Center, or HITRAC.
    The Department of Homeland Security has the unenviable task 
of gathering vulnerability data from across the United States 
from a wide variety of critical infrastructures and key 
resources. That data must then be combined with a comprehensive 
consequence analysis and further coupled with the best threat 
information that Federal, State, local and tribal governments 
can provide. This is a vitally important task, and while it 
must be done as quickly as possible, it is also important to 
get it done right, putting the highest priorities first.
    We look forward to hearing your views on how the Department 
and the risk analysis community are meeting that challenge and 
working to ensure the security of the homeland.
    The Chair now recognizes the ranking minority member of the 
subcommittee, the gentlelady from California, Ms. Lofgren, for 
any comments she might have.
    Ms. Lofgren. Thank you, Mr. Chairman. I am glad that we are 
turning our attention today to the Department of Homeland 
Security's approaches, capabilities and plans regarding the 
third component of this subcommittee's oversight jurisdiction, 
terrorism risk assessment. This is the first time that we are 
addressing this risk assessment issue directly and, more 
specifically, the criteria the Department should consider as 
part of its work in this area.
    If done correctly, a coordinated terrorism risk assessment 
will go a long way to help the Department decide where to 
target investments in combating terrorism, what critical 
infrastructure to secure and how to set priorities on the basis 
of risk.
    Developing an effective risk assessment strategy is 
especially important as we acknowledge that our private sector 
partners now own approximately 85 percent of the critical 
infrastructure in this country. In order to get the private 
sector to buy in to what the Department is doing in this area, 
however, we need the Department to partner effectively to 
develop consistent and flexible risk assessment criteria and to 
create incentives to ensure private sector participation.
    While I am certain that the testimony today will address 
all of these issues, and while this hearing is clearly an 
important one, I nevertheless wonder if we are not putting the 
cart before the horse. Most risk analysts agree that before you 
can do meaningful risk and threat assessment, you must first 
know what it is that needs protecting.
    The administration began an effort to create a national 
database of potential terrorist targets such as dams, 
pipelines, chemical plants and the like, more than 2 years ago. 
It was supposed to use that database to prioritize assets in 
order of risk and to harden facilities and systems accordingly. 
I am sorry to report that the database is still full of holes 
and has not been finished.
    Because the Department lacks the methodology to rank 
critical assets contained in the database, incomplete as it is, 
the Department to date has essentially assembled a spreadsheet 
of targets that, for the most part, does not tell the 
Department or Congress what to protect first or why.
    Part of the problem stems from the Department's failure at 
the outset of the database project to set clear standards for 
which assets should and should not be considered critical for 
homeland security purposes. Indeed, this lack of standards 
resulted in a miniature golf course in my home district being 
included as a critical homeland security asset. This would be 
funny if the stakes were not so high. Without standards, how 
that miniature golf course ranks in priority against protecting 
the Capitol building or a chemical facility or subway system 
remains an important question that the Department can't answer.
    I am dismayed that as of late last week the Department 
still had not submitted a report on its progress in completing, 
first, risk and vulnerability assessments of the Nation's 
critical infrastructure; secondly, the accuracy of the 
government's plans to protect such infrastructure; and finally, 
the government's readiness to respond to threats against the 
United States. Pursuant to the Intelligence Reform Act, that 
report was due this past June.
    I look forward to hearing about HITRAC and how the 
Department might consider assessing risk on a going forward 
basis. I am also particularly interested in what the risk 
assessment experts with us today have to say about how the 
Department should do this important work and how effective 
terrorism risk assessment can really be without a prioritized 
dynamic list of critical assets to guide the Department's 
efforts.
    I look forward to your testimony, and I welcome your 
participation in this hearing.
    Thank you, Mr. Chairman.
    Mr. Simmons. I thank the ranking member.
    The Chair recognizes the ranking member of the full 
committee, the gentleman from Mississippi, Mr. Thompson, for 
any statement he may wish to make.
    Mr. Thompson. Thank you very much, Mr. Chairman. I look 
forward to the testimony of the witnesses for the hearing 
today. I have a written statement, and I will submit it for the 
record. Thank you.
    [The statement of Mr. Thompson follows:]

         Prepared Opening Statement of Hon. Bennie G. Thompson

         I am very pleased that this Subcommittee is addressing 
        the issue of how the Department conducts terrorism risk 
        assessments.
     This function is critical to driving informed decisions 
about where to spend our homeland security dollars to protect our 
people, to secure our critical infrastructure, and--hopefully--to 
thwart terrorist attacks.
     I am very pleased that we have with us today a 
representative from HITRAC (``High-Track'')--the Department's Homeland 
Infrastructure Threat and Risk Analysis Center.
     Since it was created in January of this year, HITRAC has 
fused the talents of both intelligence analysts and infrastructure 
protection experts within the Department in order to separate the wheat 
from the chaff when it comes to terrorist risks and threats.
     I note that in many ways, HITRAC embodies what Congress 
had hoped the Information Analysis and Infrastructure Protection 
Directorate would be--a center for intelligence analysis and risk 
assessment devoted to protecting and securing the homeland.
     I sincerely hope that HITRAC can efficiently do what IAIP 
apparently could not, and I am interested in hearing about what lessons 
HITRAC has learned from the IAIP experience.
     This hearing, moreover, could not be more timely. On 
November 2nd, the Department finally released its draft National 
Infrastructure Protection Plan--which I note HITRAC's operations will 
support once the NIPP is finalized next year.
     Among its provisions, the draft NIPP addresses the need 
for a common approach to assess risk in order to set protection 
priorities.
     The draft NIPP likewise references the RAMCAP--a series of 
terrorist risk assessment tools that the Department is presently 
developing. Unfortunately, the draft NIPP is short on details about 
what criteria should apply to ensure effective assessments.
     It appears, however, that the Department may face 
significant hurdles in obtaining RAMCAP participation.
     Some in the private sector have complained that the 
Department has offered few incentives to the private sector for RAMCAP 
participation.
     Compliance with RAMCAP methodologies, moreover, is purely 
voluntary.
     And according to the NIPP, the Department is planning to 
create multiple versions of the RAMCAP applicable to different 
sectors--rather than a single, flexible standard.
     I look forward to hearing all of the witness' views of the 
draft NIPP and the RAMCAP generally, as well as suggestions for 
improving upon the Department's risk assessment approach on a going 
forward basis.
     Thank you for joining us today.

    Mr. Simmons. I thank the gentleman.
    I notice we also have the gentleman from California here 
today, Mr. Lofgren. As is our custom, you are free to insert 
any statements you may wish for the record.
    Mr. Lungren. I am Mr. Lungren.
    Ms. Lofgren. He is my cousin, not my brother.
    Mr. Lungren. Tomato, tomato, and I notice it is HITRAC, and 
as Ms. Lofgren and I both call it, HITRAC, because I think we 
were both English majors in college.
    Mr. Simmons. I thank the gentleman for his correction.
    The Chair now calls our panel of witnesses. What I will do 
is read a short bio for each witness before they make their 
statement. That way it will be fresh in our minds, their 
background and their experience. I will advise the witnesses 
that we do have their full statement in the record which we can 
read and follow. If they wish to summarize we will be providing 
5 minutes for their statements, at which point we will then ask 
questions.
    Our first witness is Ms. Melissa Smislova, currently 
serving as Acting Director of the Homeland Infrastructure 
Threat and Risk Analysis Center. I call it HITRAC. I kind of 
like that better. It may be HITRAC. Maybe you can answer that 
question when you begin.
    Prior to joining DHS, she spent almost 20 years in the 
field of intelligence analysis, most recently at the Defense 
Intelligence Agency. She brings a wealth of intelligence and 
analytical experience to her current role, which will serve the 
Department of Homeland Security and HITRAC well as they work to 
fulfill the critical mission of protecting our homeland from 
terrorist attack.
    I thank you for being here today. Please begin your 
testimony.

 STATEMENT OF MELISSA SMISLOVA, ACTING DIRECTOR, DEPARTMENT OF 
  HOMELAND SECURITY, HOMELAND INFRASTRUCTURE THREAT AND RISK 
                        ANALYSIS CENTER

    Ms. Smislova. Good afternoon, Mr. Chairman, and 
distinguished members of this committee. Thank you for having 
me here today to speak with you about the role of the Office of 
Intelligence and Analysis in the development of the DHS risk 
assessment process.
    As Secretary Chertoff has reinforced, DHS has adopted a 
risk-based approach in both our operations and in our 
philosophy. Because intelligence is a key component of risk 
analysis, the Office of Intelligence and Analysis, as well as 
the Office of Infrastructure Protection, did establish the 
Homeland Infrastructure Threat and Risk Analysis Center, which 
we do call HITRAC. HITRAC is meant to--
    Mr. Simmons. Boy, what a terrific witness we have.
    Ms. Smislova. Thank you, sir.
    HITRAC is meant to institutionalize risk assessments, as 
well as to produce some tailored threat assessments that can 
support the protection of the national critical infrastructure 
and our key resources. HITRAC reports both to the Office of 
Intelligence and Analysis, as well as to the Office of 
Infrastructure Protection, and we are comprised of members that 
belong to both groups.
    Under this dual structure, the priority of our 
infrastructure work requirements does come from the Office of 
Infrastructure Protection under the Assistant Secretary, Robert 
Stephan, but the approval of all the intelligence-derived 
production does remain with Mr. Charlie Allen, the new 
Assistant Secretary for Intelligence and Analysis.
    The HITRAC mission represents a unique capability within 
the U.S. Government. Our threat analysts have access to 
traditional Intelligence Community reporting and the data, as 
well as to the DHS component intelligence and information 
reporting. Our HITRAC infrastructure protection sector 
specialists, on the other hand, who possess the private sector 
expertise and sector-specific incident data, identify the 
sector-specific vulnerabilities and the consequences of a 
possible terrorist attack. Our HITRAC analysts then integrate 
all of this available information into strategic level risk 
assessments for the Federal, State and local authorities, as 
well as the private sector.
    In addition, we believe that our intelligence products are 
more relevant to infrastructure owners and operators because we 
frame our analysis in the context and unique operating 
environment of our diverse and specific critical infrastructure 
partners.
    We receive information about United States critical 
infrastructure through our Information Sharing and Analysis 
Centers, the ISACs, as well as through our contacts through the 
private and public infrastructure owners that have already been 
established by our colleagues in the Office of Infrastructure 
Protection and throughout the Preparedness Directorate.
    In addition, we are able to refine our national level 
Intelligence Community collection requirements by working back 
through the Office of Intelligence.
    DHS defines risk as the determination of weighting the 
factors of threat, vulnerability and consequence. While 
inherently the most subjective component of this risk equation, 
the threat of the enemy attack is derived from a study of enemy 
intent and capability. The intent of this particular adversary 
is assessed after study of all available information that we 
have about what this adversary wants to accomplish by attacking 
the United States. We work with our partners in the 
Intelligence Community to understand as much as we are able 
about the terrorists' goals, plans and desires.
    We match what we know about the intentions of this 
adversary with information that we do have about how this enemy 
is capable of accomplishing an attack. For this part of the 
equation, we rely both on what we see the enemy discussing, 
recruiting and training, as well as the lessons that we are 
learning from his attacks overseas.
    We work all the pieces of this puzzle together. HITRAC's 
unique partnering with the infrastructure protection 
specialists that are not professional intelligence officers 
allows us a different view of the data than what we believe our 
Intelligence Community colleagues sometimes have.
    One example of the integration of how Department of 
Homeland Security integrates threat analysis into our risk 
assessments is shown in our HITRAC production plan to support 
the National Infrastructure Protection Plan. Directed by the 
Homeland Security Presidential Directive 7, the National 
Infrastructure Protection Plan is a unified national plan for 
the consolidation of critical infrastructure protection 
activities. We call that the NIPP.
    The NIPP is a collaborative effort between the private 
sector, State, local, territorial and tribal entities and all 
relevant departments and agencies of our government. The 
cornerstone of the National Infrastructure Protection Plan, the 
NIPP, is a risk management framework that combines threat, 
vulnerability and consequence information.
    Mr. Simmons. If you want to summarize? I have actually read 
your statement. I am sure we all have.
    Ms. Smislova. Yes. That is just why we have established a 
HITRAC, to accomplish those specific tasks. Thank you.
    [The statement of Ms. Smislova follows:]

                 Prepared Statement of Melissa Smislova

Introduction
    Good afternoon, Mr. Chairman and distinguished Members of this 
Committee. I am here to speak with you about the role of the Office of 
Intelligence & Analysis in the development of DHS risk assessments.
    As Secretary Chertoff has reinforced throughout his tenure, DHS has 
adopted a risk-based approach in both our operations and our 
philosophy. There is no question that intelligence is a key component 
of risk analysis. For this reason, the Office of Intelligence & 
Analysis and the Office of Infrastructure Protection established the 
Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) to 
institutionalize strategic risk assessments and produce tailored threat 
documents in support of the protection of national critical 
infrastructure and key resources (CI/KR).
Homeland Infrastructure and Risk Analysis Center
    The Homeland Infrastructure Threat and Risk Analysis Center (HITRAC 
) reports to both the Office of Intelligence Analysis (OI & A) and the 
Office of Infrastructure Protection (OIP). It brings together members 
of the Intelligence Community under OI & A and infrastructure 
specialists from the OIP as well as experts from the National 
Communications System and the National Cyber Security Division, among 
others, to produce strategic-level risk assessments. Under this dual 
structure, priority of infrastructure work requirements come from the 
Assistant Secretary for Infrastructure Protection, Mr. Robert Stephan, 
while approval for all intelligence derived production remains with the 
Assistant Secretary for Intelligence and Analysis, Mr. Charlie Allen.
    The HITRAC mission represents a unique capability within the U.S. 
Government. HITRAC threat analysts have access to traditional 
intelligence community reporting and data as well as to DHS component-
specific intelligence and information reporting (for example, 
information gathered at the ports of entry and transportation centers 
by DHS component members). HITRAC infrastructure protection sector 
specialists, who possess private sector expertise and sector specific 
incident data, identify sector-specific vulnerabilities and 
consequences of attack. HITRAC analysts then integrate all available 
information to produce strategic-level risk assessments for Federal, 
State and local authorities and the private sector.
    HITRAC crafts products that make intelligence information more 
relevant to infrastructure owners and operators by framing our analysis 
in the context and unique operating environment of all seventeen CI/KR 
sectors. HITRAC receives information about the critical infrastructure 
through our Information Sharing and Analysis Centers and through 
contacts with private and public infrastructure owners that have been 
established by the OIP and throughout the Preparedness Directorate. In 
addition we are able to refine national intelligence community 
collection requirements though working with OI&A.
    In addition, HITRAC produces threat products for infrastructure 
owners and operators to use in their own risk calculations and for DHS, 
state and local entities, and other Federal entities to use in their 
own planning and operations. DHS defines risk as a determination of 
weighing the factors of threat, vulnerability and consequence. While 
inherently the most subjective component of the risk equation, threat 
of enemy attack is derived from study of enemy intent and capability. 
Intent of this adversary is assessed after study of all available 
information about what they want to accomplish by attacking the United 
States. We work with our partners in the intelligence community to 
understand as much as we are able about the terrorists' goals, plans, 
and desires. We match what we know about the intentions of the 
adversary with information we have about what the enemy is capable of 
accomplishing. For this part of the equation we rely both on what we 
see the enemy discussing, recruiting and training for as well as 
lessons learned from overseas attacks. We work all the pieces of the 
information puzzle. HITRACs unique partnering with Infrastructure 
Protection specialists that are not professional intelligence officers 
allows us a different view of the data than our IC colleagues.

Threat Products Supporting the National Infrastructure Protection Plan
    One example of the integration of threat analysis with DHS risk 
assessment efforts is in the HITRAC production plan to support the 
National Infrastructure Protection Plan. Directed by Homeland Security 
Presidential Directive 7 (HSPD-7), the National Infrastructure 
Protection Plan (NIPP) is a unified national plan for the consolidation 
of critical infrastructure protection activities. The NIPP is a 
collaborative effort between the private sector, State, local, 
territorial and tribal entities and all relevant departments and 
agencies of the Federal government.
    The cornerstone of the NIPP is a risk management framework that 
combines threat, vulnerability, and consequence information to produce 
a comprehensive, systematic, and informed assessment of national or 
sector risk that drives our protection efforts in the CI/KR sectors. 
This framework applies to the general threat environment as well as 
specific threats or incident situations.
    HITRAC's production plan supports the NIPP. The NIPP promises 
sector specific threat information to each sector following its 
finalization. Our analytic products are designed to provide threat 
information to the private and public infrastructure owners and 
operators. In particular we are producing:
         Sector Assessments for each CI/KR sector. HITRAC 
        through the OI & A and in coordination with TSA and USCG 
        intelligence entities will produce several sub-sector 
        assessments due to the broad characteristics of some sectors 
        (for example, HITRAC will produce sub-sector assessments for 
        aviation and mass transit which are sub-sectors of the broader 
        transportation sector). HITRAC leverages the expertise of 
        several sector specific agencies, including the Transportation 
        Security Administration, as well as our colleagues in the 
        intelligence community to support our efforts. These products, 
        written at multiple classification levels, provide DHS a 
        vehicle to deliver long-term strategic assessments of sector 
        risks by detailing HITRAC analysis of the intentions and 
        capabilities of known terrorists and integrating relevant 
        threat information with the unique vulnerabilities and 
        consequence of each sector.
         HITRAC is also producing Common Threat Themes in 
        support of the NIPP and other DHS and Federal risk assessments. 
        These threat scenarios are descriptions of potential attack 
        methods based on known or desired terrorist capabilities. These 
        scenarios, which will be updated as needed, are detailed 
        vignettes of the methods terrorist might use to attack the US 
        infrastructure and are derived from the study of terrorist 
        intentions and capabilities. These scenarios are intended to 
        inform vulnerability and consequence analysis while ensuring 
        that a given risk analysis has taken into account the minimum 
        set of potential attack vectors and the associated 
        vulnerabilities and consequences.
    These threat themes are used as the foundations to design and build 
the threat scenarios used by the Office of Domestic Preparedness. The 
scenarios used for ODP exercises are lengthy depictions of how a 
notional terrorist attack might unfold and they are drafted to test 
prevention and response capabilities. HITRAC's threat themes are 
specific descriptions of ways the enemy can attack and are for use by 
private and public infrastructure owners and state and local 
governments to develop their own risk assessments. For example, they 
describe in detail what we know about how the adversary can employ a 
vehicle borne improvised explosive device.

Conclusion
    The Federal government and private sector owners and operators need 
intelligence-based risk assessments to best protect against and respond 
to potential terrorist attacks. DHS established HITRAC to provide 
integrated strategic risk assessments and tailored threat products in 
support of the protection of critical infrastructure and key resources 
throughout the nation. This is a very challenging mission, but with 
your support, we will succeed.
    Thank you.

    Mr. Simmons. Thank you very much.
    Our next witness is Christine Wormuth, Senior Fellow in 
International Security at the Center for Strategic and 
International Studies, where she focuses on homeland security 
policy, U.S. national security strategy and policy and defense 
requirements and resource issues.
    Prior to joining CSIS, she was a principal at DFI 
Government Services, a defense consulting firm, where she 
developed a methodology to assess homeland security risks, 
including an analytical tool that comprehensively evaluates 
homeland security risks in terms of their potential to occur 
and possible consequences. She works closely with elements of 
DHS and the Homeland Security Council on a wide range of 
implementation issues aimed at increasing the preparedness 
level of the United States.
    Thank you for being here. You may begin.

 STATEMENT OF CHRISTINE WORMUTH, SENIOR FELLOW, INTERNATIONAL 
   SECURITY PROGRAM, CENTER FOR STRATEGIC AND INTERNATIONAL 
                            STUDIES

    Ms. Wormuth. Thank you, Mr. Chairman, and thank you other 
members of the subcommittee for asking me to testify here today 
on this important topic.
    Assessing homeland security riskS, which, of course, can 
come both from terrorism but also from natural disasters, is an 
enormously complex undertaking, but it is also, as you all know 
well, a critical task if the government seeks to marshal its 
finite resources effectively.
    I think Ms. Smislova has very well covered the basic 
components of risk assessment, so I will try to focus my 
comments on some of the challenges that I think are inherent in 
developing risk assessments for homeland security, as well as 
some observations about the broader strategic role that I think 
risk assessments can play in this field.
    The basic formula for risk assessment is simple. It is 
essentially probability, which is threats and vulnerabilities 
times the consequences of particular attacks, and that equals 
the risks. But in practice, I think analysts and experts face a 
lot of important practical challenges when they try to go about 
the task of assessing homeland security risks.
    One challenge, of course, is the lack of quantitative data. 
We can't determine the probability in a scientific sense of a 
terrorist attack, the percentage chance that a particular type 
of attack might occur, nor do we have extensive quantitative 
data at this point on the specific economic costs or the 
potential numbers of fatalities or serious injuries that are 
associated with different types of attack. One way to 
compensate, of course, for these challenges is to use expert 
judgment and to use computer modeling and simulation to 
extrapolate information based on what we do know.
    Another challenge I think that is important to note is how 
to handle intelligence in these types of assessments, and 
specifically by that I mean how can DHS develop models that 
factor in specific intelligence without skewing the assessment 
away from areas where we may not have specific information.
    Coming out of the Defense Department, I am fond of quoting 
Secretary Rumsfeld, who has said we don't know what we don't 
know. Just because the Intelligence Community doesn't know that 
a terrorist group doesn't have WMD does not mean that they 
don't in fact have some sort of capability.
    I think another policy challenge here is weighting the 
different pieces of a risk assessment. For example, should we 
weight different types of critical infrastructure targets or 
other critical assets more heavily in an assessment because a 
group like al-Qa'ida has expressed the intention to attack 
them, or should we weight human deaths and injuries more 
heavily than other elements of consequences. Those are policy 
decisions that I think we need to grapple with.
    Despite these challenges, I heartily believe that risk 
assessment is a very powerful tool for homeland security 
policymakers and should be at the heart of our approach.
    I do want to observe that I think DHS would serve not just 
itself as a department but the entire interagency, all of those 
cabinet agencies that have a role in homeland security, by 
taking the lead in developing what I like to call a National 
Homeland Security Risk Assessment.
    I see this as being something like a National Intelligence 
Estimate in that it would be developed on a regular basis, 
perhaps every couple of years, and it would serve as the 
authoritative assessment of risk and trends of significance in 
the area of homeland security.
    In my view, development of a National Risk Assessment 
should be actually an interagency undertaking, not just a DHS 
undertaking, although DHS should certainly be in the lead. But 
I think to really develop this kind of risk assessment it would 
be useful to draw on the expertise and the viewpoints of the 
other cabinet agencies that have a role in this field.
    I think a National Risk Assessment should focus on 
developing a strategic picture in the near term, at least in 
terms of setting broad priorities and directions, and then the 
details, all of those very important details, can be filled in 
over time with tools that are specifically developed to capture 
all of the nuances of the information.
    In my view, a risk assessment of this type could strengthen 
our homeland security policy development process and resource 
allocation process in three important ways: First, in guiding 
Homeland Security planning. At CSI, as noted in our recently 
released ``Beyond7 Goldwater-Nichols Phase II'' report, a 
strategic risk assessment really needs to be at the heart of 
developing concepts of operation for homeland security. It 
should also serve I believe as the basis for developing 
national homeland security planning scenarios.
    The 15 scenarios released by the Homeland Security Council 
are an important first step, but I think these scenarios would 
carry more weight across the interagency if they were based on 
a strategic risk assessment.
    Of course as you know, a risk assessment is very important 
in driving the resource allocation process. Again, I think a 
strategic risk assessment could harmonize our efforts, not just 
in DHS, but across the entire intergency, which would go a long 
way towards maximizing our unity of effort.
    Lastly, I think a risk assessment tool would help us 
evaluate the program options for mitigating consequences and 
enhancing our preparedness system, helping us think about where 
do we get our best bang for the buck.
    I will just conclude by noting that in my view, as you 
know, Secretary Chertoff has called on Congress to approve an 
Under Secretary for Policy. Assistant Secretary Baker sits in 
that chair right now. I believe one of his central 
responsibilities should be taking the lead in developing this 
kind of National Homeland Security Risk Assessment and then 
institutionalizing its results into the DHS resource allocation 
process and policy planning process.
    My colleagues at CSI have called on DHS to deliver a 
National Homeland Security Assessment by December 2006. I think 
this is still a very reasonable deadline. Obviously it would be 
wonderful to have more time, but I think given we are 4 years 
after September 11, it is very important to have a National 
Homeland Security Risk Assessment soon, even if it means that 
we as Americans, as you in Congress and our leaders in the 
executive branch, have to make choices based on less than 
perfect information. I think it is important not to let the 
best be the enemy of the good.
    I thank you very much for the opportunity to share my 
views.
    [The statement of Ms. Wormuth follows:]

               Prepared Statement of Christine E. Wormuth

    Mr. Chairman, Ranking Member Lofgren, members of the subcommittee, 
thank you for inviting me to testify before you today on assessing the 
risks of terrorism.
    Assessing homeland security risks, which can stem from both 
terrorism and natural disasters, is an enormously complex undertaking 
but is also a critical task if the federal government seeks to marshal 
its finite resources effectively. Before turning to the key policy 
issue of how to use risk assessments to maximize unity of effort at the 
federal level, I would like to briefly outline what makes a basic risk 
assessment and some of the challenges inherent in trying to assess 
homeland security risks.
    As Secretary Chertoff has emphasized since being named Secretary of 
Homeland Security, focusing on the ``trio of threat, vulnerability and 
consequence as a general model for assessing risk'' is at the heart of 
the DHS approach. It is worth peeling back the layers of the onion in 
those three areas a bit more fully to understand the complexities 
associated with assessing homeland security risks.
    In most formal discussions of risk assessment, risk is defined as 
the product of the probability that a certain event might occur--a 
suicide bomber attack on a hotel such as we saw take place last week in 
Jordan--and the consequences that could result from such an event. The 
probability side of the equation is basically a combination of threats 
and vulnerabilities. Threats could be assessed in terms of the 
different kinds of weapons and delivery systems that might be available 
to our enemies. In some cases weapons could be relatively difficult to 
acquire or develop, like the smallpox virus or a small nuclear device, 
or they could be much more common--an improvised explosive device 
carried on a delivery truck. Assessing vulnerabilities means 
establishing the pool of possible targets--which could include 
buildings that are vulnerable every day like chemical plants or once-a-
year events like the Super Bowl--and determining how vulnerable they 
are to the full range of threats. The final piece of a basic risk 
assessment involves looking at the consequences that might result from 
different attacks. Consequences might include not only the deaths and 
injuries that could result, but also the economic and psychological 
costs of a given type of attack, and the length of time it takes to 
resume normal activity levels after the attack.
    The basic formula for a risk assessment is simple--probability 
times consequences equals risks--but in practice assessing homeland 
security risks poses some important practical challenges.
    One challenge is the lack of quantitative data on which to base 
assessments of probability and consequences. We cannot determine the 
probability of terrorist attacks--the ``percent chance'' that a 
specific type of attack might occur. Nor do we have extensive 
quantitative data to pinpoint the numbers of potential fatalities or 
economic costs that might be associated with particular kinds of 
attacks. And how should we begin to think about psychological 
consequences? Can they be expressed quantitatively? We can use expert 
judgment and computer models to extrapolate representations of 
probability and consequences but they will be just that--
representations rather than certainties.
    Another challenge is how to handle intelligence. Many of you on the 
committee have noted the importance of intelligence in developing 
homeland security risk assessments. But determining how to incorporate 
intelligence effectively is a challenge for analysts. How can DHS 
develop models that factor in specific intelligence we may have about 
particular targets or payloads without skewing an assessment toward 
only those risks on which we have intelligence? As Secretary Rumsfeld 
has often said, ``we don't know what we don't know,''--just because the 
intelligence community does not have information that suggests a 
terrorist group has a WMD capability does not mean that group doesn't 
have a WMD capability. Or vice versa.
    Whether to weight the different pieces of a risk assessment is 
another challenge. Should some kinds of targets be weighted more 
heavily if we know groups like al-Qa'ida have expressed the intention 
to attack them? Should human deaths be weighted more heavily than other 
types of consequences? By how much?
    Despite these formidable challenges, it is absolutely worth the 
time and effort to develop robust homeland security risk assessments 
that can guide our planning and policy development. Risk assessments--
even if they are based on imperfect intelligence, expert opinion, and 
computer simulations of potential consequences--give us the tools to 
examine many different pieces of complex information in a structured 
way. They focus attention on the specific judgments that cumulate into 
an overall risk ranking and hence they can be ``unpacked'' to better 
understand where differences of opinion may lie and how they affect the 
assessment. Policy makers can use the structure that risk assessments 
provide to understand clearly where there are disagreements in the 
expert community, and can then assess for themselves the different 
sides of the debate before coming to a policy judgment that may have 
profound implications down the road.
    DHS would serve all of the Cabinet agencies with homeland security 
responsibilities well by taking the lead in developing a ``National 
Homeland Security Risk Assessment'' that would assess and rank the full 
spectrum of plausible homeland security risks--an assessment that would 
look comprehensively across all of the kinds of critical infrastructure 
and other potential target types combined with the different weapon 
payloads and delivery systems that adversaries might seek to use 
against the United States. As this Committee knows well, the 
legislation that established DHS stipulated that the department would 
develop a comprehensive risk assessment. This assessment is still of 
paramount importance.
    This type of assessment, much like a National Intelligence 
Estimate, would be developed on a regular basis, perhaps every couple 
of years, and would serve as the authoritative assessment of homeland 
security risks, identify trends of significance for homeland security 
and if necessary, identify differences of views about risks among the 
principal senior leaders in the U.S. government homeland security 
arena. Development of a National Risk Assessment should be an 
interagency undertaking, with DHS in the lead, but with significant 
support from the broader intelligence community, DoD, HHS, the 
Department of Energy, other Cabinet agencies, and leaders from the 
private sector and industry. A National Risk Assessment would sacrifice 
examining the threats, vulnerabilities and consequences of every 
possible scenario in their fullest details for a process that could 
generate actionable results in the near-term, at least in terms of 
setting broad priorities and directions. Subsequent, more detailed risk 
assessments focused on specific threats or infrastructure sectors could 
then fill in the details over a longer period of time.
    A National Risk Assessment could strengthen the homeland security 
policy development and resource allocation process in at least three 
very important ways.
         Guiding homeland security planning.. As CSIS noted in 
        its recently released Beyond Goldwater Nichols Phase II report, 
        before the interagency can develop robust concepts of 
        operations for homeland security, it needs to conduct a 
        strategic risk assessment. A National Risk Assessment would not 
        only serve as the basis for developing common interagency 
        strategies for addressing specific homeland security 
        challenges, it would also serve as the basis for developing 
        national homeland security planning scenarios. Putting forth 
        the fifteen Homeland Security Council scenarios was an 
        important step toward harmonizing ongoing planning activities, 
        but those scenarios could play a larger role in driving policy, 
        planning, and programming if they were based on the results of 
        an interagency-agreed National Risk Assessment.
         Driving the resource allocation process. Many have 
        noted the importance of using risk assessments to set broad 
        priorities for how DHS allocates resources. Looking beyond DHS, 
        a National Risk Assessment could serve as the basis by which to 
        harmonize not just DHS resource and policy decisions, but 
        homeland security related resource and policy decisions across 
        the entire interagency. This would go a long way toward 
        creating maximum unity of effort across the USG in this 
        critical area.
         Evaluating potential policy and programmatic options. 
        Where should DHS and other agencies invest their marginal 
        dollars? What will give us more bang for the buck, ten more 
        bomb detector dog teams, 50 more handheld radiation detectors, 
        or 100 more border patrol agents? These are the kinds of real 
        world decisions DHS and other agencies have to grapple with in 
        their budget processes, and risk assessment tools can help shed 
        light on these choices in a structured way.
    Secretary Chertoff has asked Congress for the authority to 
establish an Under Secretary for Policy in DHS. This is a very 
important and much needed position, and it is good news that Mr. 
Stewart Baker was confirmed earlier this year at the Assistant 
Secretary level. In my view, one of his central responsibilities should 
be to lead the development of a National Risk Assessment, working 
closely with his peers in the other relevant Cabinet agencies, and then 
to institutionalize the results into DHS's broader strategic planning 
and resource allocation processes. The Under Secretary, with his direct 
access to Secretary Chertoff, can elevate and integrate the many useful 
risk assessment processes ongoing inside DHS to help build a coherent, 
comprehensive risk assessment picture that truly drives policy and 
programming at the strategic level. In DHS 2.0, Rethinking the 
Department of Homeland Security, my colleague David Heyman at CSIS and 
James Carafano of the Heritage Foundation called on DHS to deliver a 
comprehensive risk assessment to our top national security leaders by 
December 2006. I think this remains a reasonable deadline. Highly 
granular assessments will clearly be needed, and there are assessment 
tools in development that will help us make finely tuned adjustments to 
our prevention, response and preparedness programs over time. But 
today, more than four years after the September 11 attacks, we need a 
comprehensive National Risk Assessment--and we need it soon. That means 
senior leaders, in the Executive branch and here in Congress, will have 
to make choices and set priorities on less than perfect information. 
That said, I suspect most Americans would prefer to see the government 
make those tough choices rather than letting the best be the enemy of 
the good. I applaud this Committee for engaging on this issue and thank 
you for the opportunity to share my views.

    Mr. Simmons. Thank you for that testimony. That will lead 
to some interesting questions, I am sure.
    Our next witness is Dr. Detlof von Winterfeldt, who is the 
Director of the Center for Risk and Economic Analysis of 
Terrorist Events at the University of Southern California. He 
is also Professor of Public Policy and Management in the School 
of Policy Planning and Development. His research interests are 
in the foundation and practice of decision and risk analysis as 
applied to technology, environmental and security problems. He 
is the coauthor of two books and the author or coauthor of over 
100 articles and reports on these topics.
    Thank you very much for being here. We look forward to 
hearing your testimony.

            STATEMENT OF DR. DETLOF von WINTERFELDT

    Mr. von Winterfeldt. Thank you very much, Chairman Simmons, 
Ranking Member Lofgren and distinguished members of the 
subcommittee. It is truly an honor to appear before you today 
to discuss the topic of terrorism risk assessment.
    I would like to cover three areas in this opening 
statement. I will briefly introduce you to the Center of Risk 
and Economic Analysis of Terrorism Events, called CREATE; I 
would like to provide some background on risk assessment and 
its uses over the last 30 years in various government agencies 
and private enterprises; and I would like to end by commenting 
on the uses, opportunities and important challenges of using 
risk assessment in the homeland security area.
    CREATE was the first university-based center of excellence 
funded by the Department of Homeland Security. It was selected 
in 2003 in a competition of 72 universities and we started 
operations in March 2004. CREATE is located at the University 
of Southern California and has partners at NYU and at the 
University of Wisconsin and other universities across the 
country. Our main goal is to develop advanced risk assessment 
tools and economic tools for homeland security decisions.
    Let me turn a little bit to risk assessment in the broader 
context. Risk assessment has a very long history, dating back 
to studies of nuclear power plant safety and spacecraft safety 
in the 1970s. Today, risk assessment is successfully applied in 
areas as diverse as medicine, business, environment, industrial 
safety and natural disasters. A typical risk assessment answers 
three questions: What can go wrong, how likely is it and what 
are the consequences? My overall impression is that risk 
assessment has been very successfully applied by identifying 
risks and by developing cost-effective solutions to reduce 
risks in these areas.
    The application of risk assessment to terrorism is fairly 
new, providing new opportunities and challenges. Natural and 
engineered systems are ``neutral'' agents who don't seek out 
our vulnerability. Terrorists, in contrast, are the adversaries 
who attempt to attack us where we are weak, and furthermore 
they adjust their actions in response to our defenses. This 
non-random nature of terrorism complicates risk assessment and 
requires the development of new tools.
    In spite of these challenges, risk assessment has made 
considerable progress in the terrorism area in the past few 
years. An important distinction, as mentioned earlier, in risk 
assessment for terrorism is the difference between threat 
assessment, vulnerability assessment and consequence 
assessment.
    I don't want to repeat what the previous speakers have 
said. I just want to bring one point clearly home, and that is 
that threat assessment is by far the hardest part of terrorism 
risk assessment. This deals with assessing terrorist 
motivations, capabilities and intent. Assessing vulnerabilities 
is somewhat easier, and we have developed tools based on 
project risk analysis to do this task.
    Finally, the assessment of consequences, given a successful 
attack, as terrible as these consequences may be, can be 
pursued with relatively off-the-shelf methods that are usually 
provided by the national laboratories.
    Another distinction is between the various levels of 
homeland security decision making. We typically distinguish 
between decisions on specific countermeasures; for example, 
specific decisions on MANPADS countermeasures.
    The second area is prioritizing and resource allocation 
within a threat area; for example, prioritizing infrastructure 
threat targets, which is much of the topic of this committee.
    Finally, the high level policy decisions having to do with 
resource allocation between broad threat areas; for example, 
within rad-nuke, biological and infrastructure threats.
    Our recent studies suggest that specific countermeasure 
decisions can well be supported with risk assessments, and 
CREATE has made some contributions in this area which I would 
be happy to discuss with you later. We also see some progress 
in the use of risk assessment within threat areas. For example, 
in the past few years, several commercial risk analysis tools 
have been developed for a session risk infrastructure targets 
and prioritizing them.
    Risk assessment at the highest policy level is difficult 
and will necessarily involve expert judgment and more 
qualitative forms of analysis. However, overall, I am very 
optimistic that risk assessment can improve our Nation's 
decisions to counter terrorism, and much progress has been 
made, but there are also many challenges ahead.
    I thank you very much for this opportunity to address you.
    [The statement of Mr. von Winterfeldt follows:]

              Prepared Statement of Detlof von Winterfeldt

    Chairman Simmons, Ranking Member Lofgren, distinguished members of 
the Subcommittee: It is an honor to appear before you today to discuss 
the topic of terrorism risk assessment.
    I'd like to cover three areas in this opening statement. First, I 
will briefly introduce you to the Center for Risk and Economic Analysis 
of Terrorism Events (CREATE); second, I'd like to provide some 
background on risk assessment and its uses in the past 30 years in 
government agencies and private enterprises; third, I'd like to comment 
on the uses, opportunities and challenges of risk assessment in the 
homeland security area.
    CREATE is the first university-based center of excellence funded by 
the Department of Homeland Security. It was selected in a competition 
of 72 universities and started operations in March of 2004. CREATE is 
located at the University of Southern California with partners at the 
University of Wisconsin, New York University and faculty affiliated 
with the Massachusetts Institute of Technology. CREATE researchers are 
developing advanced risk assessment models and tools for homeland 
security decisions. We also study the economic impacts of terrorist 
events and develop computer models and analysis tools to assist 
decision makers in government and industry to allocate funds to counter 
terrorism.
    Risk assessment has a long history--dating back to studies of 
nuclear power plant and spacecraft safety in the mid 70s. Today, risk 
assessment is successfully applied in areas as diverse as medicine, 
business, environment, industrial safety and natural disasters. A 
typical risk assessment answers three questions:
        1. What can go wrong?
        2. How likely is it?
        3. What are the consequences?
    In addition, risk assessments examine what can be done to reduce 
the likelihood of failures and the magnitude of consequences and to 
evaluate the effectiveness of alternative investments in improving 
safety. My overall impression is that risk assessments in these applied 
areas have been very successful by identifying risks and by developing 
cost-effective solutions to reduce risks.
    The application of risk assessment to terrorism is relatively new 
providing new opportunities and challenges. Natural and engineered 
systems are ``neutral'' agents, who don't seek out our vulnerabilities. 
In these areas we also have a fair amount of experience and data that 
can be used to estimate probabilities and consequences. Terrorists, in 
contrast, are adversaries, who seek out our vulnerabilities and adjust 
their actions in response to our defenses. This non-random nature of 
terrorism complicates risk assessments and requires the development of 
new tools.
    In spite of these challenges, risk assessment has made considerable 
progress in the terrorism area in the past few years. An important 
distinction in terrorism risk assessment is between threat, 
vulnerabilities, and consequence. When considering threats, we need to 
consider the motivation, capabilities, and intent of terrorist groups. 
This is probably the hardest part of terrorism risk assessment and 
there are no off-the shelf solutions for this task. CREATE researchers 
are working together with another university center of excellence--the 
Center for the Study of Terrorism and Response to Terrorism (START) at 
the University of Maryland--to develop risk analysis models for this 
purpose. Assessing vulnerabilities is somewhat easier. The key is to 
consider a wide range of threats and to assess the probability that an 
attempted terrorist attack is successful. CREATE researchers are using 
project risk analysis methods for this purpose. Finally, the assessment 
of consequences, given a successful attack, is quite straightforward 
and we can use off-the-shelf methods, for example, for modeling the 
dispersions of materials, spreading of infectious diseases, and so 
forth.
    Another distinction is between the various levels of homeland 
security decision making. Recent studies by our CREATE researchers 
suggest that specific countermeasure decisions, for example regarding 
MANPADS countermeasures, can be supported quite well with risk 
assessments. At the next level are decisions on how to allocate funds 
within a specific threat area or across potential targets. We see some 
progress in this area as well. For example, in the past few years 
several commercial risk analysis tools have been developed for 
assessing risks of infrastructure targets. At the highest decision 
making level are questions about how much money to spend on, for 
example, radiological and nuclear defenses vs. biological defenses vs. 
infrastructure protection. Risk assessment at this level is difficult 
and will necessarily involve expert judgments and more qualitative 
analysis.
    Overall, I am very optimistic that risk assessment can improve our 
Nation's decisions to counter terrorism. In other areas it often has 
taken years from the initial uses of risk assessment to mature 
applications. I believe that we can do better in making risk 
assessments useful in the terrorism area, but we also need to be aware 
of the many challenges we face.

    Mr. Simmons. I thank you very much for those comments.
    Our fourth witness is Dr. Henry Willis, who is a policy 
researcher with the RAND Corporation, where his research 
applies decision, analytical tools and risk analysis to help 
decisionmakers choose among competing resource management 
strategies or policy actions and options. Examples of his 
recent research include assessing risk-based approaches to 
allocating homeland security preparedness resources, reviewing 
current and proposed countermeasures for protecting U.S. 
maritime transportation infrastructure, and assessing personal 
protective equipment needs of emergency responders working in a 
post-structural collapse environment.
    Dr. Willis, welcome. We look forward to hearing your 
testimony.

  STATEMENT OF DR. HENRY WILLIS, POLICY RESEARCHER, THE RAND 
                          CORPORATION

    Mr. Willis. Thank you, Chairman Simmons, Ranking Member 
Thompson, Ranking Member Lofgren and distinguished members. I 
would like to thank you for giving me the opportunity to speak 
with you today about terrorism risk assessment at the 
Department of Homeland Security.
    Many of my comments are based directly on a recently 
released RAND report entitled Estimating Terrorism Risk. I will 
make hard copies of this report available to the committee, and 
would like to request that the report be made part of the 
official record.
    Mr. Simmons. Without objection, so ordered.
    The information is maintained in the committee file.
    Mr. Willis. Over the last 4 years, Congress and the 
Department of Homeland Security have made tremendous progress 
in maturing homeland security policy. Shortly after September 
11, 2001, decisions were dominated by the use of crude 
indicators, such as population, which approximated consequences 
of terrorist events. Subsequently, policy moved to 
vulnerability reduction. And, more recently, Secretary Michael 
Chertoff has called on DHS to adopt risk-based decision making. 
The next step in this process will be the focus on risk 
reduction and cost effectiveness, but the U.S. Government is 
currently in the early phases of this stage.
    With this as background, there are five recommendations 
from our work that are pertinent to today's hearing. First, the 
U.S. Government should consistently define terrorism risk in 
terms of metrics, like expected annual consequences. Critical 
infrastructure risk assessment is too often focused on 
potential consequences, either ignoring or under emphasizing 
factors that determine threat and vulnerability. Expected 
annual consequences take threat vulnerability and potential 
consequences into consideration in a rational way. Defining 
terrorism risk in terms of all these factors facilitates the 
incorporation of risk reduction as the goal of Homeland 
Security programs.
    Secondly, DHS should seek robust risk estimators that 
account for uncertainty about terrorism risk and variance in 
citizen values. Given the tremendous uncertainties surrounding 
terrorism risk assessment, it is prudent to plan for the range 
of plausible futures that may play out. Many different models 
exist, and experts disagree on terrorist capabilities and 
intentions. Risk assessment should reflect all critical models 
and expert judgments. The challenge is to support a single 
decision, while still being able to identify how risk is 
distributed differently across different outcomes, such as 
fatalities or property damage, and also explain how the 
decision would change if more emphasis were given to a single 
type of outcome or perspective on threats and vulnerabilities.
    Third, DHS should use event-based models to assess 
terrorism risk. Measuring and tracking levels of terrorism risk 
is an important component of homeland security policy. These 
data provide insights into how current programs are reducing 
risk and when and where new terrorist threats may be emerging. 
Only event-based models of terrorism risk provide insight into 
how changes in assumptions or actual levels of threat 
vulnerability and consequences affect risk levels.
    Fourth, relying on event-based models does not mean relying 
entirely on a top-down process. It is important to 
differentiate strategic risk assessment from risk assessment to 
support design or performance assessment or that to support 
tactical decisions. Strategic assessments might guide the 
distribution of resources that are not reallocated frequently. 
Design and performance assessment might be used to optimize or 
tune a response to a particular threat or protect a specific 
asset. Think of assessment used to reinforce the design of a 
nuclear power plant. Tactical assessments might be in response 
to intelligence regarding specific threats or events that have 
already occurred.
    Of course, all are needed. I recommend that a top-down 
approach is most practical for strategic risk assessment, and 
estimates need not be as detailed as design or tactical risk 
assessment. The goal is to distribute resources in roughly the 
right places and in correct proportion.
    On the other hand, I recommend a bottom-up approach to 
support design or tactical decisions. Here, more detailed 
models and analysis can be used to authorize spending on 
specific projects and justify current programs.
    Finally, the U.S. Government should invest resources to 
bridge the gap between risk assessment and resource allocation 
policies that are cost-effective. The first step in this 
process is implementing annual independent risk impact 
assessments to evaluate how risk reduction funds have succeeded 
in reducing risk. These assessments will provide a feedback 
mechanism that will ultimately help increase of risk.
    The second step is a capabilities-based assessment of the 
Nation's homeland security programs to document the unique 
contributions provided by each and ensure balance between the 
layered defenses that have been put in place.
    I would like to thank you for the opportunities to address 
the committee on this important subject, and I look forward to 
your questions.
    [The statement of Mr. Willis follows:]

             Prepared Statement of Henry Willis, Ph.D. \1\

    Good afternoon, Mr. Chairman and distinguished Members of this 
Committee. I would like to thank you for the opportunity to speak with 
you today about terrorism risk assessment at the Department of Homeland 
Security (DHS). Many of my comments are based directly on a recently 
released RAND Corporation report entitled, ``Estimating Terrorism 
Risk,'' which has been made available to Members of the Committee. This 
report is part of RAND's program of self-initiated research that is 
funded through the independent research and development provisions of 
our Federally Funded Research and Development Centers. It is the latest 
release by the RAND Center for Terrorism Risk Management Policy, which 
was established in 2002 to study terrorism risk management, insurance, 
liability, and compensation. I would like to request that this report 
be made part of the official record.SPELL
---------------------------------------------------------------------------
    \1\ The opinions and conclusions expressed in this testimony are 
the author's alone and should not be interpreted as representing those 
of RAND or any of the sponsors of its research. This product is part of 
the RAND Corporation testimony series. RAND testimonies record 
testimony presented by RAND associates to federal, state, or local 
legislative committees; government-appointed commissions and panels; 
and private review and oversight bodies. The RAND Corporation is a 
nonprofit research organization providing objective analysis and 
effective solutions that address the challenges facing the public and 
private sectors around the world. RAND'S publications do not 
necessarily reflect the opinions of its research clients and sponsors.
---------------------------------------------------------------------------
    Over the last four years, Congress and the Department of Homeland 
Security have made tremendous progress in maturing homeland security 
policy. Shortly after September 11, 2001, decisions were dominated by 
the use of crude indicators, such as population, which approximated 
consequences of terrorist events. Subsequently, policy moved to 
vulnerability reduction and more recently, Secretary Michael Chertoff 
has called on the DHS to adopt risk-based decisionmaking. The next step 
in this process will be to focus on the risk reduction and cost 
effectiveness, but the U.S. Government currently is in the early phases 
of this stage.
    The recently released draft National Infrastructure Protection Plan 
(NIPP) reflects this progression by defining an aggressive and 
comprehensive approach to risk assessment across sectors that affect 
the U.S. economy. As compared to earlier drafts of this document, it 
reflects adoption of Secretary Chertoff's guidance to use risk-based 
decisionmaking and represents the state of the Department's thinking on 
critical infrastructure protection. Specifically, it tries to take a 
balanced approach to incorporate: risk assessment; information sharing, 
feedback, and training; organizing and partnership with private sector; 
resource allocation; and long-range sustainability of protection 
efforts. Finally, the draft NIPP describes a framework that follows the 
best practices of risk analysis that are outlined in, among other 
places, the National Research Council in its foundational reports Risk 
Assessment in the Federal Government: Managing the Process (1983) and 
subsequently Science and Judgment in Risk Assessment (1994). These best 
practices require that risk assessments be: a) analytic, b) 
deliberative, and c) practical. For homeland security policy, these 
statements have the following translation:

a) Analytic
    An analytic process requires addressing all three of the factors 
that determine terrorism risk: 1) threat, 2) vulnerability, and 3) 
terrorism, and where feasible, to do so quantitatively. Risk 
assessments must be repeatable so all parties can replicate, analyze, 
and understand them. However, the uncertainty inherent in this problem, 
particularly in the terrorist threat, implies that unlike most of our 
successful experience with these tools in the past, some new thinking 
about all plausible threats, not just the most likely threat, will need 
to be taken into account.

b) Deliberative
    A deliberative process is necessary because the notion of a cold, 
analytic risk assessment is a myth. Values and judgment are part and 
parcel to the process and require transparency and a comprehensive 
discussion of outcomes. This is the only way to credibly address 
tradeoffs between risks to people from risks to property and risks from 
a conventional bomb, nuclear attack, biological attack, or even 
hurricane or other natural disaster.

c) Practical
    Finally, risk assessment must be practical, meaning that data 
collection and management requirements must not be untenable and 
estimates should not be overly reliant on a single perspective or tool. 
This last point is where concerns may arise with the draft NIPP. These 
concerns relate more to implementing what is outlined rather than 
concerns with the content of the plan itself. Implementation will need 
to address natural disasters as well as terrorist threat as the plan is 
used. Questions remain about the practicality of implementing risk 
analysis and information sharing given limitations in the real world as 
to funding, time, and staff available. These issues have not been 
ironed out.
    With this as background, there are 5 recommendations from our work 
that are pertinent to today's hearing.
    First, the U.S. Government should consistently define terrorism 
risk in terms of metrics like expected annual consequences. Critical 
infrastructure risk assessment is too often focused on potential 
consequences, either ignoring or under emphasizing factors that 
determine threat and vulnerability. Expected annual consequences take 
threat, vulnerability and potential consequences into consideration in 
a rational way. Defining terrorism risk in terms of all of these 
factors facilitates the incorporation of risk reduction as the goal of 
homeland security programs.
    Second, DHS should seek robust risk estimators that account for 
uncertainty about terrorism risk and variance in citizen values. Given 
the tremendous uncertainties surrounding terrorism risk assessment, it 
is prudent to plan for the range of plausible futures that may play 
out. Many different models exist and experts disagree on terrorists' 
capabilities and intentions. Risk assessment should reflect all 
credible models and expert judgments. The challenge is to support a 
single decision, while still being able to identify how risk is 
distributed differently across different outcomes, such as fatalities 
or property damage, and also explain how the decision would change if 
more emphasis were given to a single type of outcome or perspective on 
threats and vulnerabilities.
    Third, DHS should use event-based models to assess terrorism risk. 
Measuring and tracking levels of terrorism risk is an important 
component of homeland security policy. These data provide insight into 
how current programs are reducing risk and when and where new terrorist 
threats may be emerging. Only event-based models of terrorism risk 
provide insight into how changes in assumptions or actual levels of 
threat, vulnerability, and consequences affect risk levels. There are 
many types of event-based models in existence. In our report, we relied 
on the Risk Management Systems (RMS) Terrorism Risk Model. This and 
other insurance industry models could also be used to support homeland 
security policy. The national laboratories have made progress on 
detailed models of critical infrastructures and their 
interdependencies. Colleagues in academia are applying economic input-
output analysis to understand these same dependencies. Finally, the 
NIPP points to RAMCAP, or Risk Assessment Methodology for Critical 
Asset Protection, which is based on a foundation for risk analysis 
consistent for methods used in reliability analysis and also with the 
National Research Council framework.
    Fourth, relying on event-based models does not mean relying 
entirely on a top down process. It is important to differentiate 
strategic risk assessment from risk assessment to support design or 
performance assessment or that to support tactical decisions. Strategic 
assessments might guide the distribution of resources that are not 
reallocated frequently. Design and performance assessment might be used 
to optimize or tune a response to a particular threat or protect a 
specific asset. Think of assessment used to reinforce the design of a 
nuclear power plant. Tactical assessments might be in response to 
intelligence regarding specific threats (actionable intelligence) or 
events that have already occurred.
    Of course all are needed. I recommend that a top-down approach is 
most practical for strategic risk assessment; and estimates need not be 
as detailed as design or tactical risk assessment. The goal is to 
distribute resources in roughly the right place and correct proportion. 
On the other hand, I recommend a bottom-up approach to support design 
or tactical decisions. Here more detailed models and analysis can be 
used to authorize spending on specific projects and justify current 
programs.
    Strategic risk assessment ultimately needs event-based models. 
Until event-based models are more widely used to assess terrorism risk, 
density-weighted population is preferred over population as a simple 
risk indicator. Density-weighted population is simply a regions 
population multiplied by its population density. Our report found this 
metric to be reasonably correlated with the distribution of terrorism 
risk across the United States, as estimated by event-based models like 
the RMS Terrorism Risk Model. In contrast, our results suggest that 
population offers a remarkably weak indicator of risk, not much 
superior to estimating risk shares at random.
    Finally, the U.S. Government should invest resources to bridge the 
gap between terrorism risk assessment and resource allocation policies 
that are cost effective. As I intimated earlier, Congress and DHS are 
only in the position to estimate risks and distribute resources where 
the risks are believed to be the largest. Ultimately, the goal should 
be to distribute those resources where they most effectively reduce 
risk. The first step in this process is implementing annual, 
independent risk impact assessments to evaluate how risk reduction 
funds have succeeded in reducing risk. These assessments will provide a 
feedback mechanism that will ultimately help increase reduction of 
risk. Such assessments would benefit the DHS grant programs as well as 
border and maritime security programs like US-VISIT, C-TPAT, the MTSA, 
and TSA's baggage and passenger screening and profiling programs. The 
second step is a capabilities-based assessment of the nation's homeland 
security programs to document the unique contribution provided by each 
program and ensure appropriate balance to the layered defenses that 
have been put in place.
    I would like to thank you again for the opportunity to address the 
committee on this important subject and I look forward to answering any 
questions you may have.

    Mr. Simmons. Thank you all very much. I have a couple of 
questions that I would like to ask, and then we will go back 
and forth in accordance with our regular order.
    My first questions are to Ms. Smislova. Critically 
important to the success of your mission and your organization 
is information sharing, information sharing with the 
Intelligence Community to make sure you are getting the 
terrorist risk assessments with regard to intents and 
capabilities, but also information sharing with those private 
sector entities that manage the infrastructure that we are 
trying to protect, whether it be nuclear power plants or 
bridges or chemical facilities.
    It occurs to me that traditionally the Intelligence 
Community does not like to share information. I am sorry about 
that, but they like secrets. If you really like secrets, you 
don't tell anybody your secrets.
    Secondly, private sector industries may not be willing to 
share information on vulnerabilities for fear that if there is 
an incident they may be held financially liable for the 
consequences.
    So, how are you doing with these twin sets of challenges to 
information sharing? What is your status report as of this 
moment?
    Ms. Smislova. Yes, sir. We in the Intelligence Community 
like to just share, as you know, with each other, and we are 
accomplishing that through the Office of Intelligence and 
Analysis. We believe that through HITRAC, actually putting the 
infrastructure protection specialists together with those 
Intelligence Community professionals, is the best way to 
enhance that relationship and that communication.
    Our infrastructure protection specialists through the other 
offices in the Office of IP communicate daily with the 
infrastructure sectors. They are the ones who have developed 
the relationships and the contacts with the infrastructures and 
what their situation is on the ground and their daily 
information about what is happening in their sector. So every 
day when we are working on common goals and common work 
projects, the intelligence analyst is working with the 
infrastructure protection person. So we actually are receiving 
that information that is not traditionally looked at by 
intelligence.
    Mr. Simmons. And with regard to that interaction or that 
activity, what sort of products are you producing and how are 
they disseminated?
    Ms. Smislova. Yes, sir. We are actually producing a basic 
foundation document for every critical infrastructure or key 
resource that obviously is expanded beyond the critical 
infrastructure of transportation and would include one on 
aviation, maritime, railroads, mass transit and highways. So 
there are about 24 different products that we are producing.
    We are doing these in conjunction with our actual 
infrastructure operators and owners, and I think that is what 
does make us quite unique. While we have the benefit of 
actually all the information that our Intelligence Community 
colleagues have about the enemy, we are actually looking at 
everything that is available for the U.S. Government in all 
different classified areas of what the adversary wants to 
accomplish and how.
    We also at the same time have a dialogue, because we are 
this hybrid of intel professionals and non-intel professionals, 
we have a dialogue with the actual infrastructures. So through 
the framework of the NIB, we have committed to producing these 
foundation documents on what the terrorist threat to that 
particular structure or infrastructure might be.
    Mr. Simmons. Thank you.
    Dr. Winterfeldt, you made an interesting comment. The non-
random nature of terrorism complicates risk assessment and 
requires the development of new tools. For a number of years I 
served as a military intelligence officer in Vietnam, and we 
would collect information and make predictions about enemy 
attacks. The military units in responding to those predictions 
would take defensive measures, which would be observed by the 
other side and when they would see the defensive measures being 
taken they would realize it was a tip-off so they wouldn't 
conduct the attack. Then our own side would say you guys are 
wrong again.
    It occurs to me in a free and open society, such as ours, 
where we discuss our vulnerabilities and our efforts to protect 
our infrastructure, that the opposition is fully aware of those 
efforts and can adjust for that.
    How do we account for that in our risk assessment?
    Mr. von Winterfeldt. Thank you very much. That was a very 
interesting question, and something that we are grappling with 
in many ways.
    We actually have some of our team members who are looking 
at this from a red team and blue team perspective. They are 
looking at it from a game theoretic perspective. Actually, I 
see the greatest hope in sequential games, very much playing 
out in a modeling form the situation you described, which can 
even lead you in some cases to protect information about 
defensive measures, or, potentially, I hate to say this, 
provide misleading information about protective measures.
    I will just give you one example. Should we always say that 
we are doing 10 percent or 5 percent inspections of our cargo? 
Well, maybe we can do 10 percent and then claim we use 50 
percent. You remember the case of the cameras at the 
intersections, half of which never worked. So there are a lot 
of interesting issues.
    We certainly have no silver bullet nor simple answer to 
that. But that is exactly the kind of topics we are studying as 
we are working at CREATE.
    Mr. Simmons. Thank you. I see my time has run out. Ms. 
Lofgren.
    Ms. Lofgren. Thank you. I am glad to have Ms. Smislova 
here, because I have a continuing interest, as I mentioned in 
my opening statement, in the National Asset Database. I will 
just express some frustration. I am not alone in this 
frustration. But this has now gone on for a couple of years, 
and we have had several classified discussions, and I remember 
the first time it was a bipartisan group and informal, and I 
asked to see the database for my county because I know it well 
and the members from other parts of the country did the same, 
and all of us were struck by how preposterous the list was. I 
recently received an updated list, and it was still 
preposterous.
    So my question is, when do you think this National Asset 
Database will be complete, at least in its--I realize it will 
be updated, but delivered? When do you think that delivery will 
be to the Congress?
    Ms. Smislova. I am sorry, ma'am. I actually don't know the 
answer to that particular question. What I do know is that the 
National Asset Database is intended to catalogue all of the 
assets in this enormous country of ours. I know from notes I 
took during your opening statement that your goal here is to 
conclude what to protect first and why, and that is actually 
the issue that we are trying to start with in HITRAC.
    From my perspective as the senior intelligence person 
assigned to HITRAC, that is the focus of what we have put our 
efforts towards, trying to get a better understanding of this 
particular enemy, this adversary who we know wants to attack us 
here in the United States, what does he want to attack and how?
    By using information that is available through the National 
Asset Database, we have been able to crosswalk and narrow some 
things down. So we try to determine what does the adversary 
want to accomplish, what are his goals, and then how can he 
accomplish this. And because we don't have specific data that 
he wants to hit this building or another building or a specific 
mass transit fleet or anything that granular, we try to 
crosswalk it and say these are the things we think we need to 
protect first and why.
    But I will bring your other question back for the record, 
ma'am.
    Ms. Lofgren. I appreciate that. Along with that, and if you 
don't know today, that is fine, but if you can get back I would 
appreciate it. Part of the problem I discovered was--I met not 
only with DHS staff, but also with--we all go home every week--
with people in local government, with the State officials, 
trying to find out what was happening from their point of view, 
and learned in doing so that there had been an asset limit on 
how many assets could be reported, which is a preposterous way 
to proceed because in Santa Clara County, for example, it is a 
county of just shy of 2 million people. It is Silicone Valley. 
There are many, many assets. To be limited to 18 in Santa Clara 
and 18 in Shasta County, where you might be hard pressed to 
come up with 18, is ridiculous. So I am hoping I can get 
information on whether that that policy has been changed as we 
urged that it be.
    Let me ask a question for Dr. von Winterfeldt. We are being 
asked, and we agree, that Homeland Security dollars should be 
spent in a strategic way to protect our assets best, and I 
think all of us agreed with the Secretary that it automatically 
ought to be risk-based, it shouldn't be some formula like an 
entitlement program, that is not the way to do. But it seems to 
me central to that effort is the development of this National 
Asset Database and the database is not complete, it doesn't 
prioritize critical infrastructure assets across the 17 sectors 
identified in HSPD-7.
    In your view, how significant an obstacle is the failure to 
complete this database to meaningful terrorism risk assessment 
at the Department?
    Mr. von Winterfeldt. Well, I believe that it will be very 
useful to have that database as a start. Let me also say where 
I see this heading down the road, and that is to do a good job 
on critical infrastructures with the database, or even with 
part of the database, is you have to work yourself from the 
specific infrastructure assets up and roll it up. You can't do 
a risk analysis on the high level, not even at the county 
level, not even at the State level, unless you know what is 
going on with the particular assets and what you can do with 
it.
    So CREATE, for example, is now engaging with the California 
Department of Homeland Security to look from the bottom-up at 
the assets and the infrastructures that California has 
identified as important and start to build a risk analysis at 
that level and going up. Of course, the ultimately comparison 
between the States or even the urban initiatives in the urban 
areas can only be done if you have a complete set of assets and 
infrastructure elements.
    Ms. Lofgren. My time has expired, so I will save my further 
questions for the second round.
    Mr. Simmons. The gentleman from California, Mr. Lungren.
    Mr. Lungren. Thank you very much, and I understand what Ms. 
Lofgren says when she compares her county to Shasta County, but 
I do hope that Shasta Dam is on that list of critical 
infrastructures and so is the headwaters of the Sacramento 
River, which provides about one-third of the water for our 
whole state.
    Ms. Lofgren. I love Shasta County. Let me clarify that. I 
think Shasta County is a wonderful place.
    Mr. Lungren. I keep calling it HITRAC, but you want to call 
it HITRAC. See, when you are an English major, you divide 
things into proper syllables, and HITRAC sounds better than 
HITRAC.
    As I understand, HITRAC or HITRAC is a point of contact for 
summary and trend analysis for suspicious activity reporting, 
which I guess we call SARS, even though that has other 
indications these days, and they are supposed to be sent in by 
public and private individuals at local levels to provide 
warning signs of potential terrorist attack.
    How effective is this program? How much is it really on? To 
put it another way, if I happen to be a manager of an asset in 
northern California, private or public, how well am I informed 
of these suspicious activity reports? How do you see that 
reflected in what you receive in your shop?
    Ms. Smislova. The suspicious activity reports typically are 
coming from industry through the Information Sharing Advisory 
Councils, the ISACs, or directly to our operations center. 
Sometimes we get suspicious activity reporting just from 
American citizens. They will call them in and they are called 
Patriot reports.
    Mr. Lungren. My question is, how do I know that? How do 
people know that?
    Ms. Smislova. We distribute, disseminate, our products back 
again through that same vehicle, through the ISACs, through the 
Homeland Security advisers. We do send our reports to the 
JTTFs. That is all distributed.
    Mr. Lungren. I guess my question is, how comfortable are 
you in the belief that there is a high level of understanding 
of your activity and the need to report these things?
    Ms. Smislova. It is spotty, sir. Some industries we have 
been able to dialogue with and we have been able to discuss 
with them what we are trying to accomplish with the suspicious 
activity reporting, and some industries or entities we have 
not. It is easier at this point to have outreached to ones that 
are more organized. So for example, the electrical power grid, 
we have a dialogue with the people that run that particular 
infrastructure.
    It is more difficult with the shopping malls of America. We 
are trying to tailor our products to make sense to those that 
are protecting the different critical infrastructure, but we do 
realize that each group that runs the infrastructure is 
diverse, and that is again where I would get back to the 
requirement for the Department to outreach and dialogue with 
the individuals.
    Mr. Lungren. Let me ask you this question: This weekend 
there are literally going to be millions of people attending 
football games at major colleges, universities and in the NFL. 
Can you tell me from what you know, are people who run those 
operations cooperating with the Department of Homeland Security 
such that you are getting reports of any suspicious activity of 
this nature?
    Ms. Smislova. We actually do deal with the commercial 
services sector. I also sent a HITRAC employee to brief the 
security people that do the college football, all the college 
football security thing, have been briefed by us on what to 
look for or what we believe would be suspicious activity that 
might indicate an attack was pending.
    Mr. Lungren. You have told them that you have got this. Do 
you get reports from them?
    Ms. Smislova. We get reports from the commercial services 
sector, yes.
    Mr. Lungren. I guess I still have a little bit of time. For 
the whole panel, this seems to be a crucial part of protecting 
critical infrastructure, making owners and operators aware of 
what to look for in terms of suspicious activity. For the other 
panelists, what is your sense of the awareness of this program 
and do you have any recommendations on what we would do to make 
it more effective?
    Ms. Wormuth. I certainly can't speak to the public or 
industry's awareness of HITRAC in particular.
    Mr. Lungren. That is not what I am talking about. I 
appreciate listening to all of what you have to say, and it 
sounds good in theory. But if it breaks down, if all we are 
doing is talking about it and no one knows what information 
needs to get to us for this--I am just trying to find out if 
any of you have a sense of how broadly understood this is, how 
much is this actually working? Are we sitting here talking 
theoretically about what would sound like a great idea, but you 
can't analyze anything unless you get data to analyze?
    Ms. Wormuth. Congressman, I would say I am aware of at 
least New York City, and I would suspect some other major 
cities, have programs that are focused on going out and talking 
to businesses, industry owners, and again it sounds like very 
similar to what Ms. Smislova was speaking to, which is talking 
to those folks in the private sector about what to look for and 
what type of activity to report. I believe the program in New 
York City is called Hercules. My memory may be wrong, but some 
major cities certainly have programs designed to try to make 
the private sector aware and alert them to either report in to 
city governments or the State Homeland Security managers.
    Mr. von Winterfeldt. At CREATE we work a lot with local 
government officials, and I know there are many mechanisms for 
them to report at the local level. I don't know how the 
reporting works from there to the Department of Homeland 
Security or back, so I can't comment on that. But I do believe 
that the local level works well.
    Just recently in L.A. there was a discovery of two events, 
a discovery of two suspicious females that were taking 
pictures. They were pursued and eventually apprehended, and it 
turned out to be a false alarm. So some things seem to be 
working at the local level. I am not sure how the national and 
local level are communicating.
    Mr. Lungren. Thank you.
    Mr. Simmons. The gentleman from Pennsylvania, Mr. Dent.
    Mr. Dent. Thank you, Mr. Chairman. Ms. Smislova, I get a 
lot of comments from my folks back home in Pennsylvania, from 
the Homeland Security folks and others at the local level, and 
my main question to you is this: Are any local Homeland 
Security agencies detailed to HITRAC, or HITRAC, whatever the 
case may be?
    Ms. Smislova. Not at this time, no, sir.
    Mr. Dent. Regarding your evaluation of risk, what sort of 
input do you get from State Homeland Security or local first 
responders, I guess you don't get any, in making these 
evaluations? Do you get any input from them?
    Ms. Smislova. Yes, sir, we are. We are trying to outreach 
to different customer sets as we are developing them, and we 
also are briefing some States and first responders and then 
incorporating their comments or their suggestions.
    Mr. Dent. So I guess the broader question is what do you 
see as the role of these local groups in helping determine 
threat vulnerability and consequences?
    Ms. Smislova. We see the role as large and expanding. We 
have connectivity with every State and we talk to every State. 
We hope that would be our goal, to expand our production 
efforts to deal with at least all the major metropolitan areas.
    Mr. Dent. I guess my question is, my main comment is, these 
folks at the State and local level really want to be I think a 
greater part of this process. Sometimes I feel as if the 
information they receive is not helpful, that they just don't 
have the ability to process what gets sent down to them from 
Washington. This information sharing, something gets lost 
between the Federal and State and local levels, and they really 
want to be involved more than they have been.
    I guess the question would be, how do you go about 
disseminating risk evaluations to local communities that may in 
fact be vulnerable to attack, and how do you ensure that risk 
assessments are timely, relevant and helpful to local 
communities that must ultimately be forced to respond to any 
such attacks? They worry about the timeliness and relevance of 
the information they receive. How do you address that?
    Ms. Smislova. Again, our goal is to interact more often 
with the State and the local governments. We do have people 
from the State and local entities deployed in our operations 
center. We deal with them on a regular basis. We travel out to 
States and local places. I have two people today in Chicago 
discussing some risk assessments and plans for additional 
products. So that is just how we have begun with our work.
    Mr. Dent. I have raised these same questions to the folks 
from the ASSOC and elsewhere, and anybody else feel free to 
chime in if you have any points on this issue. I would be glad 
to hear it.
    Mr. Willis. I would like to say that I agree with the 
assertions that have been made that local intelligence is a 
very important part of understanding threat. I think it also 
points to one of the observations we found in our report, that 
risk assessment can't be done only from the top-down, but also 
sometimes from the bottom-up.
    My colleague, Dr. Winterfeldt, talked about work they are 
doing in California that is very much bottom-up where a lot of 
the information is. So there is a need to look at doing these 
risk assessments from both directions.
    Mr. Dent. No further questions. I yield back.
    Mr. Simmons. I thank the gentleman. We are going to go a 
second round, if that is all right.
    Let me pick up where my colleague left off on the issue of 
top-down versus bottom-up. First of all, Dr. Willis, you said 
in your statement that tremendous progress has been made in 
maturing Homeland Security policy, and I would agree with that, 
even though I certainly understand my colleagues' frustration 
when miniature golf appears on a list somewhere. But I would 
hope that is an anomaly and not characteristic. I think 
progress has been made.
    I think it is an impossible task to secure everything from 
everybody. If you try to do that, you will certainly fail. So 
you have to prioritize.
    I think information sharing is very difficult to do, but I 
think people at a local level are somewhat aware, in some cases 
more than somewhat aware, of what we are attempting to 
accomplish.
    So the challenge to me really is have we put in place a 
system that is sophisticated enough that not only does 
information come down from the top, presumably sensitive 
information or analytical products that the local community 
does not have the capacity to produce, but does the system 
allow local information and observation to go back up? Do we 
have a dynamic or a virtual system, in other words? And do the 
local folks have the tools and the networks to interact with 
the State and the Federal folks? Are we there yet or are we 
not?
    Mr. Willis. That is a very good question. I will try to 
comment first broadly on where I think these tools and 
approaching networks are for risk analysis, and then also in 
terms of threat and passing threat information. I have not 
studied that as much but will check back with my colleagues at 
RAND.
    In terms of risk analysis, what I have seen in all the 
States is organizations to try to link regionally to the State 
and make connections. In terms of tools, recently the 
Department of Homeland Security has released the draft National 
Infrastructure Protection Plan. In my written testimony I have 
included a few comments about that. I will try to summarize a 
few of the key points because I think it highlights some of the 
important points about the tools that are starting to be 
provided.
    I would like to say, acknowledge, that RAND Corporation has 
been providing support to the Department of Homeland Security 
in developing that plan. I myself have not personally been 
involved in that but have been asked to comment on it.
    The key points I make about the NIPP is that it is 
comprehensive and it addresses all sectors. It is realistic in 
that it points out that you can't treat these sectors with a 
cookie cutter approach. Water is different than 
telecommunications, et cetera.
    Where there might be--it is also laying out a common 
framework for doing risk analysis. This will help provide some 
structure to the local people who would be doing the analysis 
and also aid in comparison across assessments that come. Where 
there might be concerns is on implementation, because this is a 
very complex and resource-intensive approach, and that is where 
I would go back to my comments that we need to look for ways to 
trim the tree, we can't wait until we get all the assessments 
in to respond, and a combination of a bottom-up and top-down 
approach is necessary.
    Mr. Simmons. In the brief time I have remaining for Ms. 
Wormuth, you made comments about National Intelligence 
Estimates and you made comments about a National Risk 
Assessment. The National Intelligence Estimate on Iraq's WMD of 
October 2002 was wrong, inadequate information, in my opinion, 
analysis based on inadequate information. So now we shift 
quickly to National Risk Assessment. Again, we don't know what 
we don't know.
    Is this an exercise that is going to save the country, or 
is this an exercise that we engage in because we sort of know 
how to do it so we are going to do it?
    Ms. Wormuth. Thank you, Mr. Chairman. I knew when I made a 
comparison to a National Intelligence Estimate that I was 
opening myself up into a risky area, because not only can NIEs 
be wrong, they are also often viewed as relatively watered down 
and sort of lowest common denominator products.
    That said, in my opinion, I think the only alternative to 
trying to come up with some sort of strategic level homeland 
security risk assessment is to not use a risk-based approach at 
all, which to me seems more perilous than trying to go through 
a structured risk assessment process and perhaps getting it 
only 80 percent right.
    So I would argue that yes, there are dangers, but I think 
that there is not a better alternative. I think two broad 
advantages to risk assessments are that they will force 
policymakers to go through the myriad sets of threats and 
vulnerabilities in a structured way, and it really allows you 
to unpack some very difficult problems, as opposed to what I 
think many have observed is a tendency sometimes to try and 
allocate our resources to essentially the last war or sort of 
the new sexy thing.
    Lots of money went towards aviation security because 9/11 
was essentially an aviation-based event. Biological threats are 
very much in the news and a lot of resources are spent there, 
although for very good reasons.
    One other thing I would emphasize is that I think while 
certainly factoring in very specific intelligence and looking 
at motivations and looking at intentions is very important, I 
also think there is a lot of wisdom to taking perhaps what I 
would call more of a capabilities-based approach, again, 
perhaps coming out of my DOD background. But to a certain 
extent, I think there is some utility at looking at threats 
from the perspective of simply what is available in terms of 
different weapons systems, in terms of different delivery 
systems, to somewhat more generic terrorist groups that are 
fairly well resourced, and at least thinking very broadly, 
because--I think because it is so difficult once you start 
getting into intentions.
    Many, many people weren't even particularly aware of al-
Qa'ida before 9/11. So I think there are definitely challenges 
in trying to do a strategic level assessment, but to me it is 
very much still--the benefits far outweigh the risks.
    Mr. Simmons. Thank you for that answer.
    Ms. Lofgren.
    Ms. Lofgren. I want to get back to the National Asset 
Database, because I am hoping we can make some progress on it. 
Before I do, I just want to say I actually did check with 
people in the know and found out that there was no reason why 
the miniature golf course was on the list and that the people 
of San Jose should not worry about playing miniature golf. It 
could be dangerous in terms of the balls hitting people, but 
there is no other apparent threat.
    In looking at how this has been put together, I think the 
chairman is right, we need to look at the systems in place to 
see whether they are going to yield information that is 
valuable. One of the things that became apparent to me was that 
we had passed really local police departments to come up with 
the list of critical infrastructure, and they are doing a 
terrific job, their very best. This is not critical of their 
efforts, but there are certain things that they are just not in 
a position to know; for example, telecommunications physical 
infrastructure or certain cybersecurity issues. It is just not 
within the purview of the police department for the most part.
    There were some things actually that the fire department 
might know that the police department would not know, and they 
were not included, and the health people were not included, and 
the private sector people were not included.
    So I am wondering if there has been a change in the 
structure of who is included so that we can make sure that the 
critical infrastructure, all of it, is actually in this 
database.
    Does anyone know the answer to that?
    Ms. Smislova. Ma'am, we would be happy to come back and 
give you and your staff a briefing on the NADB. We can arrange 
that for you.
    Ms. Lofgren. But you don't know the answer to that?
    Ms. Smislova. No, ma'am, I do not.
    Ms. Lofgren. Maybe Dr. Winterfeldt would know this. At one 
point the Department asked the--I believe it was the sheriff's 
department, it might have been the police department, in the 
City of Los Angeles to lead a pilot project, to change how the 
database, the National Asset Database is put together. Are you 
familiar with that?
    Mr. von Winterfeldt. No, I am not specifically familiar 
with that.
    Ms. Lofgren. I would like to know--
    Ms. Smislova. Is that Project Archangel or Constellation?
    Ms. Lofgren. Archangel.
    Ms. Smislova. Yes, ma'am, I was actually briefed on that 
today by the Los Angeles Police Department, who was visiting. 
It is not a National Asset Database, but it is a way to map the 
infrastructure of Los Angeles, and that actually is being done 
by the police department in conjunction with the Department of 
Homeland Security.
    Again, it is not a system to prioritize, but rather to 
actually come up with a map so that when information is 
received, intelligence information, and it says something 
specific, that you are able to more quickly and rapidly come up 
with a facility list.
    Ms. Lofgren. That is different than the briefing I got. So 
perhaps it is more. But it seems to me that there needs to be 
some strategy. When I saw the list, there is shopping centers 
and there is a check cashing office in L.A. and stuff like 
that. I thought why would this stuff be there?
    I can see if you received a threat that had something to do 
with shopping centers, you would want to know where all the 
shopping centers are. That is a good thing to know. But since 
our risk assessment really relates to our vulnerabilities and 
the consequences of activities, if you don't have a different 
list for--if you want to take down the water supply of southern 
California, there is three or four different ways you can do 
it, none of which are on the list.
    So it seems to me that there needs to be--and I haven't 
seen it yet in the Department--any kind of a strategy for what 
would have a cascading both economic and also physical harm 
consequence that is connected with infrastructure so that as 
threats come in, we can lay those threats across what is a 
critical--
    Ms. Smislova. Right. We do, ma'am, work with the sector 
specific agencies to identify their top priority places. We 
have several of those sectors actually completed. That is a 
different effort, ma'am, yes. We can come backSec. 
    Ms. Lofgren. It is very mysterious, because we were told 
one thing about this database in the Congress and now 
apparently it has morphed into something else. So long as the 
job is getting done, I assume that is fine, but we have to 
really become convinced that the job has been done, and it is a 
long time since 9/11. We have wasted a lot of time, and I have 
some real concerns that we are not yet really ready and where 
we should be. So I will look forward to getting a further 
briefing on this.
    I see that the red light is on, and I yield back, Mr. 
Chairman.
    Mr. Simmons. The gentleman from California, Mr. Lungren.
    Mr. Lungren. Thank you very much, Mr. Chairman. In your 
testimony, I notice you talk about the formal challenges 
involved in risk assessment in the area of terrorism, but you 
say despite these formal challenges, it is absolutely worth the 
time and effort to develop robust homeland security risk 
assessments that can guide our planning and policy development.
    Then, Dr. Winterfeldt, you talk about how successful risk 
assessments have been in medicine, the business environment, 
industrial safety, natural disasters, how it is relatively new 
in the area of terrorism, but in spite of these challenges, 
risk assessments have made considerable progress in the 
terrorism area in the past few years. I would therefore say you 
indicate it is a tool that is automatically to be utilized at 
the present time.
    Here is my question: It is easy for us once we have 
determined what the risks are and what the most vulnerable 
targets are, if they are publicly owned, for us to command 
certain things to be done or for us to put as much money, 
government money as we can to it. But within the universe of 
critical infrastructure, a lot of stuff is owned by the private 
sector.
    A couple of years ago, Congress felt it necessary to pass 
TRIA, a back-up to the regular insurance program. We are 
considering now to reauthorize it. I happen to be one of the 
people who thinks it is necessary given the still existing 
uncertainties in a terrorist scenario for the private sector. 
But one of our obligations here is to utilize something like 
try to see what the insurance industry, how the insurance 
industry plays in all of this, so that perhaps instead of us 
regulating something or mandating certain best practices or 
providing government incentives by way of tax policy, the 
private sector makes some adjustments in terms of what 
insurance companies are supposed to do, risk assessment.
    How satisfied are you that the kind of information we have 
talked about that goes to DHS and is supposed to help drive 
policy, that that information is available such that private 
sector owners and the insurance industry can make the kind of 
judgments that will drive us towards the best business 
practices for a security purpose in light of what the true 
risks are out there?
    Mr. von Winterfeldt. Perhaps I could give it a start. 
Actually CREATE put together a conference just a few weeks ago 
on the reissuing of TRIA and we are fairly familiar with these 
issues, together with RAND by the way.
    It is a real difficult question of how you transfer the 
risk issues from the public back to the private sector. There 
ought to be self-interest in the private sector to protect 
themselves against terrorist events and I do not see it 
happening right now. This may be lack of information, it may be 
that they do not have the money or the capital to do it so they 
are looking to terrorism insurance. I am not sure that is a 
right solution either. The insurance only covers the asset when 
an event occurs. It does not do much in terms of protecting the 
asset against terrorist attacks, although properly implemented 
with insurance breaks and things like that it ought to do that.
    Mr. Lungren. You have fluctuating premiums depending on 
what you are doing with respect to security. At the same time I 
could construct an idea of a hotel, for instance, which we know 
are targets of terrorists, American-identified hotels. And the 
more that we protect public sector assets it seems to me if I 
am an terrorist, I look at the softer targets of the private 
sector. We could drive the hotel industry in such a direction 
that they basically make all of their hotels look like 
fortresses and moats and destroy the industry because no one 
wants to go to a moat--a fortress for a vacation.
    And what I was trying to figure out is how we establish a 
balance. And if we do not have the information available, it is 
even more difficult for us to get to the point as to where we 
want to go. And so my question really goes to the issue of are 
we in your judgment--have you seen, are we in the government 
when we gather this information, are we doing a good enough job 
of getting that out to the private sector, including the 
insurance industry, such that they can start to make rational 
judgments as to where they want to go and have some guideposts 
and where we can sort of push people to best business 
practices?
    Mr. von Winterfeldt. Very quickly and then I will pass it 
on to my colleague to my right. The insurance industry 
increasingly is turning to private companies to do these risk 
assessments for them. There are several companies, one is the 
one that Dr. Willis worked with, that do the risk assessments 
before the assets. So I do not see it necessarily happening 
only through information exchange between the Department and 
the private assets, but they are particularly interested in 
finding out which assets are threatened and make decisions 
about risk and premiums and insurance and things like that.
    Let me stop right here and ask Ms. Wormuth.
    Ms. Wormuth. Congressman, certainly the fine points of the 
issues related to the insurance industry are well outside of my 
expertise. I would say one thing. I do think that--two things, 
I think Dr. Winterfeldt noted that there should be some self-
interest on the part of industry to themselves take on some of 
the preventive measures. Because, of course, if they are 
attacked and their operations are essentially grounded for a 
period of time, that is not in their own interests.
    But I think part of the challenge, we would be helped I 
think in convincing our colleagues in industry of the types of 
steps they need to be taking. If we could again walk them 
through in a logical, structured way, here is how we have come 
to this assessment and this is why--and I am just posing this 
as a hypothetical, which is why, chemical industry, we believe 
that you all do pose a high risk versus another particular 
industry which may be a lesser risk and we would like you all 
to consider these types of measures.
    I think we would be able to better make that case to 
partners in industry if again we had a structured, defensible 
strategic assessment that we could walk them through in broad 
terms to help them see how they compared to other folks in 
industry.
    Mr. Lungren. One of the concerns I have is how do we make 
sure that the information flows in both directions? How do we 
encourage industry and other people to get information to DHS 
and how do we encourage DHS and government entities to share 
enough of the analysis and information that people understand 
in an intelligent way what the risks are so that it will be in 
their self-interest to do that?
    Because as the chairman has suggested, we have a culture in 
government which is not to share information. Give me the 
information and I can trust myself, but you are not going to 
get any of that out there. And I think it is a continuing 
problem because of the nature of the different functions we 
have. But in this area, if all we do on the government side is 
believe that government action is the sole universe in which we 
can deal with the threat, we are going to short ourselves from 
so much more activity that could be done of self-help and 
ultimately protecting us collectively, and I am just trying to 
raise these issues and look for as much information as I can.
    Ms. Wormuth. Sir, I take your point completely and I am 
sure Ms. Smislova can speak to it in more detail than I can. 
But in my experience working with organizations that work with 
DHS, I have actually been pleasantly surprised in many 
instances at how much DHS is doing to try to reach out to 
industry and my outside observation is that there has been a 
lot of emphasis on that. They are working with folks through 
the HITRACs. I know that other elements of DHS are trying to 
work with State and local and private sector organizations and 
I think certainly that framework is not fully in place but my 
experience has been that DHS is very much trying to seek input 
from the private sector and from the public.
    Mr. Lungren. Thank you.
    Mr. Simmons. Please.
    Mr. Willis. May I add one point on that?
    Mr. Simmons. Please.
    Mr. Willis. I agree with Representative Lungren that these 
are very important questions you are raising and since this 
panel is about risk analysis, I would say that I think risk 
analysis can answer many of these questions. In fact, RAND, 
through the Center for Terrorism Risk Management Policy, has 
been working with Risk Management Solutions as one of the 
insurance modeling groups that does some of this, and we would 
be happy to share with you some of the work that we have been 
doing to try to share that information. The information sharing 
actually goes both ways. I have been working with Risk 
Management Solutions and the Department of Homeland Security 
HITRAC to see how the type of modeling used in the private 
sector can inform DHS's risk assessment. Thank you.
    Mr. Simmons. Do any members of the panel have any 
additional questions they would like to ask?
    Any additional comments that the panel of witnesses would 
like to offer for the good of the order. Doctor? Anybody?
    Mr. von Winterfeldt. I just wanted to make one comment. It 
is very important, and you raise very important issues. In many 
agencies that started risk assessment, starting with the 
Nuclear Regulatory Commission in the 1970s, this is when it was 
new stuff. It took years for risk assessment to mature to, 
filter through all parts of the agencies and to become a truly 
useful tool. So maybe we are hoping for too much. Maybe we are 
expecting for things to come too quickly. We are pushing. But I 
am certainly hopeful that risk assessment will be useful and 
used down the road in the Department more and more effectively.
    Mr. Simmons. Anybody else have a final comment they would 
like to make?
    Ms. Smislova. Only to point out that Secretary Chertoff has 
appointed a new Assistant Secretary for the Private Sector as 
one of his developments under the reorganization and hopefully 
that will assist us in enhancing our outreach as a department 
to the private sector.
    Mr. Simmons. Thank you all very much. I appreciate your 
coming here and your testimony. If members of the committee 
have additional questions for the witnesses, we will ask you to 
respond to those in writing and the hearing record will be held 
open for 10 days.
    I would also like to conclude with an observation. On the 
week of September 11th I traveled to New York on a Friday with 
the President, and I represent the State of Connecticut. We 
lost people on 9/11. My daughter actually was living in New 
York at the time and never returned back to her apartment 
because of the damage of 9/11.
    As I stood there and looked at the devastation I was 
overwhelmed by the immense scope of it. Standing and looking at 
the burning remains of the World Trade Center, even as a 
Vietnam veteran, I would say it was probably one of the most 
devastating things I ever experienced. And then as we went back 
to the airport, took off and flew back to Washington we circled 
once and came over the top of the New York City and from that 
perspective the World Trade Center was simply a very small spot 
with a very small wisp of smoke coming up from it and the great 
expanse of New York, New Jersey and Long Island as well as 
Westchester County and Fairfield County, Connecticut seemed 
like an immense piece of property or real estate.
    I guess what came across in that was how truly huge our 
country really is. What an extraordinary set of infrastructure 
we have and how difficult it is to refine our risk assessment 
to the point where we can cover it successfully. It is not 
easy. And I think, Doctor, you put your finger on it. This is 
going to take time. Now we as Americans are impatient people. 
We like our food in 15 minutes or less. We like everything to 
be very quick. But working on this problem is not easy to do.
    So we thank you for the expertise that you bring to the 
table and wish you all the best as we pursue this issue into 
the future.
    Without objection, the subcommittee stands adjourned.
    [Whereupon, at 4:30 p.m., the subcommittee was adjourned.]

                                 
