b"<html>\n<title> - FOREIGN OWNERSHIP:</title>\n<body><pre>[House Hearing, 110 Congress]\n[From the U.S. Government Printing Office]\n\n\n \n                           FOREIGN OWNERSHIP:\n\n=======================================================================\n\n                                HEARING\n\n                               before the\n\n                     SUBCOMMITTEE ON TRANSPORTATION\n                      SECURITY AND INFRASTRUCTURE\n                               PROTECTION\n\n                                 of the\n\n                     COMMITTEE ON HOMELAND SECURITY\n                        HOUSE OF REPRESENTATIVES\n\n                       ONE HUNDRED TENTH CONGRESS\n\n                             FIRST SESSION\n\n                               __________\n\n                             MARCH 23, 2007\n\n                               __________\n\n                           Serial No. 110-21\n\n                               __________\n\n       Printed for the use of the Committee on Homeland Security\n                                     \n[GRAPHIC] [TIFF OMITTED] TONGRESS.#13\n\n                                     \n\n  Available via the World Wide Web: http://www.gpoaccess.gov/congress/\n                               index.html\n\n                               __________\n\n\n\n                   U.S. GOVERNMENT PRINTING OFFICE\n43-557 PDF                  WASHINGTON : 2009\n----------------------------------------------------------------------\nFor Sale by the Superintendent of Documents, U.S. Government Printing Office\nInternet: bookstore.gpo.gov  Phone: toll free (866) 512-1800; (202) 512\xef\xbf\xbd091800  \nFax: (202) 512\xef\xbf\xbd092104 Mail: Stop IDCC, Washington, DC 20402\xef\xbf\xbd0900012009\n\n\n                     COMMITTEE ON HOMELAND SECURITY\n\n               BENNIE G. THOMPSON, Mississippi, Chairman\n\nLORETTA SANCHEZ, California,         PETER T. KING, New York\nEDWARD J. MARKEY, Massachusetts      LAMAR SMITH, Texas\nNORMAN D. DICKS, Washington          CHRISTOPHER SHAYS, Connecticut\nJANE HARMAN, California              MARK E. SOUDER, Indiana\nPETER A. DeFAZIO, Oregon             TOM DAVIS, Virginia\nNITA M. LOWEY, New York              DANIEL E. LUNGREN, California\nELEANOR HOLMES NORTON, District of   MIKE ROGERS, Alabama\nColumbia                             BOBBY JINDAL, Louisiana\nZOE LOFGREN, California              DAVID G. REICHERT, Washington\nSHEILA JACKSON LEE, Texas            MICHAEL T. McCAUL, Texas\nDONNA M. CHRISTENSEN, U.S. Virgin    CHARLES W. DENT, Pennsylvania\nIslands                              GINNY BROWN-WAITE, Florida\nBOB ETHERIDGE, North Carolina        MARSHA BLACKBURN, Tennessee\nJAMES R. LANGEVIN, Rhode Island      GUS M. BILIRAKIS, Florida\nHENRY CUELLAR, Texas                 DAVID DAVIS, Tennessee\nCHRISTOPHER P. CARNEY, Pennsylvania\nYVETTE D. CLARKE, New York\nAL GREEN, Texas\nED PERLMUTTER, Colorado\nVACANCY\n\n       Jessica Herrera-Flanigan, Staff Director & General Counsel\n\n                        Todd Gee, Chief Counsel\n\n                     Michael Twinchek, Chief Clerk\n\n                Robert O'Connor, Minority Staff Director\n\n                                 ______\n\n SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION\n\n                 SHEILA JACKSON LEE, Texas, Chairwoman\n\nEDWARD J. MARKEY, Massachusetts      DANIEL E. LUNGREN, California\nPETER A. DeFAZIO, Oregon             GINNY BROWN-WAITE, Florida\nELEANOR HOLMES NORTON, District of   MARSHA BLACKBURN, Tennessee\nColumbia                             GUS M. BILIRAKIS, Florida\nYVETTE D. CLARKE, New York           PETER T. KING, New York (Ex \nED PERLMUTTER, Colorado              Officio)\nBENNIE G. THOMPSON, Mississippi (Ex \nOfficio)\n\n                 D. Michael Stroud, Director & Counsel\n\n                   Natalie Nixon, Deputy Chief Clerk\n\n                 Coley O'Brien, Minority Senior Counsel\n\n                                  (II)\n\n\n                            C O N T E N T S\n\n                              ----------                              \n                                                                   Page\n\n                               Statements\n\nThe Honorable Sheila Jackson Lee, a Representative in Congress \n  from the State of Texas, and Chairman, Subcommittee on \n  Transportation Security and Infrastructure Protection..........     1\nThe Honorable Daniel E. Lungren, a Representative in Congress \n  from the State California, and Ranking Member, Subcommittee on \n  transportation Security and Infrastructure Protection..........     3\nThe Honorable Gus Bilirakis, a Representative in Congress from \n  the State of Florida...........................................    29\nThe Honorable Yvette D. Clarke, a Representative in Congress from \n  the State of New York..........................................    27\nThe Honorable Eleanor Holmes Norton, a Delegate in Congress From \n  the District of Columbia.......................................    30\n\n                               Witnesses\n\nThe Honorable Stewart A. Baker, Assistant Secretary for Policy, \n  Department of Homeland Security:\n  Oral Statement.................................................     6\n  Prepared Statement.............................................    10\nMs. Ann Calvaresi Barr, Director of Acquisition and Sourcing, \n  Management Government Accountability Office:\n  Oral Statement.................................................    14\n  Prepared Statement.............................................    16\nThe Honorable Gregory Garcia, Assistant Secretary for \n  Cybersecurity and Telecommunications Department of Homeland \n  Security:\n  Oral Statement.................................................    10\n  Prepared Statement.............................................    14\nColonel Robert B. Stephan, Assistant Secretary for Infrastructure \n  Protection, Department of Homeland Security:\n  Oral Statement.................................................     8\n  Prepared Statement.............................................    13\n\n\n DISCUSSION OF CHALLENGES POSED BY FOREIGN OWNERSHIP TO USING CRITICAL \n                             INFRASTRUCTURE\n\n                              ----------                              \n\n\n                         Friday, March 23, 2007\n\n             U.S. House of Representatives,\n                    Committee on Homeland Security,\nSubcommittee on Transportation Security and Infrastructure \n                                                Protection,\n                                                    Washington, DC.\n    The subcommittee met, pursuant to call, at 10:08 a.m., in \nRoom 311, Cannon House Office Building, Hon. Sheila Jackson Lee \n[chairwoman of the subcommittee] presiding.\n    Present: Representatives Jackson Lee, DeFazio, Norton, \nClarke, Lungren, and Bilirakis.\n    Ms. Jackson Lee. [Presiding.] Good morning. The \nsubcommittee will come to order.\n    The subcommittee is meeting today to receive testimony on \nchallenges posed by foreign ownership to using critical \ninfrastructure and how the Department of Homeland Security is \nworking to protect critical infrastructure.\n    The chair wants to acknowledge the presence of the ranking \nmember, Mr. Lungren of California, wants to acknowledge the \npresence of Ms. Clarke of Brooklyn, New York, and the presence \nof Mr. DeFazio of Oregon.\n    I have often indicated that, as I have served on this \ncommittee, the Homeland Security Committee, and seen a number \nof individuals who come before us with the responsibility of \nsecuring the homeland, that we live in a new climate and a new \nera after 9/11. In fact, this committee and the department was \nnot a fixture of government prior to 9/11.\n    That poses an enormously heavy burden and responsibility, \none that I believe all of us accept. But what it does say is \nthat unlike our committees of jurisdiction, that if a tragic \nand horrific act were to occur again, that America would look \nto all of us.\n    I believe Chairman Thompson, and certainly I agree with him \nand will continue to work with that mission and message that we \nhave to be continuously subjective and objective in looking at \nthe responsibilities of the elements that make us secure.\n    Critical infrastructure, in this instance, has a vast \nlandscape and this committee is committed to reviewing the \naspects of critical infrastructures in the United States and as \nrelates internationally, as it may impact on the securing of \nAmerica.\n    I would then like to take the opportunity to thank all of \nus and all of you for joining us this morning so that we can \nbegin our exploration of the topic of foreign ownership and how \nit intersects with national security.\n    A little over a year ago, Congress united to oppose the \nadministration's failure to conduct an adequate oversight when \nthere was a proposal by Dubai Port World to enter into a deal \nthat would have put Dubai Port in charge of managing many of \nour USC ports.\n    The issue became a particular concern not because Dubai \nPorts was a foreign company, but because it was one that was \ncontrolled by a foreign government.\n    Needless to say, I believe most members will say to you \nthat we understand internationalism and trade and opportunity \nand exchange, but it is important for all sovereign governments \nto protect the people which they have responsibility for.\n    On the heels of September 11, this deal raised well-\ndeserved skepticism of how the United States monitors and \nevaluates foreign ownership of our critical infrastructure. \nToday, more than a year later, we continue to monitor this \nissue closely by holding this hearing and others that will \nexplore the Department of Homeland Security's involvement with \nthe Committee on Foreign Investment in the United States, \nCFIUS, as some would call it.\n    Before 9/11, the process was not a strong focus of many \nAmericans. As we know, this country relies on foreign \ninvestment. As a recent Congressional Research Service \npublication indicates, foreign investment in the United States \ncould top $160 billion for 2006. Thus, while foreign investment \nis a great resource and indicator of our strength in the global \neconomy, we must be vigilant that we do not compromise \nsecurity.\n    After 9/11, our outlook on foreign investment and \nespecially ownership of critical infrastructure changed. \nAmericans, including myself, began to wonder who is watching \nforeign investment is being made in the United States, where is \nit being made, and how vigilant are we being in making sure \nthat the elements that they may possess that relate to \nAmerica's security are, in fact, protected.\n    There are many more questions that we might ask. One of \nthem being the process that is used by CFIUS whether or not, \neven with the presence of the secretary of homeland security on \nthe committee and involved in the process, what strictures have \nwe put in place, what regulations, what directions have we put \nin place to ensure that we are an active participant in \nprotecting America.\n    I, like most Americans, wholeheartedly support capitalism \nand, of course, a balanced trade process. Yet, as events have \nshown, we need to pursue a vigorous oversight agenda, \nespecially in the area of foreign investment in critical \ninfrastructure.\n    Dubai Ports told us that we need not just focus on in one \narea of infrastructure, but we need to focus on all areas.\n    As the chairwoman of this subcommittee, which bears the \nterm infrastructure protection in its title, I intend to do \njust that--evaluate how infrastructure is being protected to \nensure its viability here and that it is available when America \nneeds it most, but that it is available by being safe and \nsecure.\n    As we all know, terrorists don't signal or call ahead \nbefore they attack. We saw this in Madrid and London, amongst \nother horrible incidents. Terrorists are creative, especially \nin the ways in which they will attack us.\n    It is not inconceivable that a terrorist might try and \nattack us with brute force, but simply by pressing a computer \nbutton or by crippling a key asset.\n    It is with this notion that I, along with other members of \nthis subcommittee, am seriously committed to protecting \ncritical infrastructure and understanding how the \nadministration is protecting our vital assets.\n    One example of how serious we are in taking this role on in \nthis committee is by supporting H.R. 556, Committee on Foreign \nInvestment in the U.S. reform bill. This bill provides needed \nreform for formalizing and streamlining the structure and \nduties of the Committee on Foreign Investment in the United \nStates.\n    I am happy to say that I voted to support this bill, along \nwith more than 400 of my colleagues on both sides of the aisle.\n    And this bill addresses many of the concerns raised about \nCFIUS, especially its current lack of transparency and \noversight and congressional reporting and accountability.\n    This bill adds much clarity to a relatively murky process. \nThis bill rectifies concerns from the business community by \nformally establishing the membership and timelines as to how \nand when this review would take place.\n    According to CRS's analysis of H.R. 556, the bill increases \nthe role of congressional oversight by requiring a reporting \nprocess on its actions and allowing for a greater amount of \ndetailed information about CFIUS's operations.\n    But there may be more that we need to do and I believe that \nthere may be legislative need that further enhances our \noversight over foreign investment and ownership.\n    Today we want to continue to explore the role that the \nDepartment of Homeland Security has with this new process and \nhow it is accomplishing its goal of overall infrastructure \nprotection.\n    I look forward to the witnesses' testimony and learning \nabout the process and the department's role that can be \nfortified, while protecting the United States' interests in \ninternational commerce.\n    It is my pleasure to yield 5 minutes to the distinguished \nranking member from California, Mr. Lungren.\n    Mr. Lungren. Thank you very much. I thank the chairwoman of \nour subcommittee.\n    And I welcome our guests here who are to speak to us, and I \nwelcome the opportunity to discuss foreign ownership and the \nchallenges it presents for our critical infrastructure.\n    This Homeland Security Committee is all too familiar with \nthe concerns and fears that foreign ownership of U.S. critical \ninfrastructure assets creates in our citizens.\n    The purchase last year of the operating rights at six U.S. \nports, including the ports of New York, New Jersey and \nBaltimore, by Dubai Ports World Company created a firestorm of \npublic and congressional opposition.\n    It also focused attention on the governmental process \nestablished to review such sales and determine whether it \ncreates a threat to our economic or national security.\n    This process of reviewing foreign purchases is done by the \nnow known Committee for Financial Investment in the U.S., or \nCFIUS.\n    In 1988, I believe in one of the last things I did as a \nmember of Congress during my first tour of service here, \nCongress passed the Exxon-Florio provision amid growing \nconcerns over foreign acquisition of American businesses.\n    This provision gave the president the authority to block \nproposed foreign acquisitions that were deemed to threaten our \nnational security.\n    Foreign acquisition of U.S. companies and assets pose a \nparticular challenge to our government. It creates a delicate \nbalancing act in the worldwide economy.\n    How do we attract vital foreign investment to the United \nStates without sacrificing or diminishing our national \nsecurity? One of the first questions we have is, what is \ncritical infrastructure? Infrastructure in this country is \nowned, depending on whose figures you look at, 85 to 90 percent \nin the private sector, not in the public sector.\n    So how do we do that? I believe we have the proper \nprocedures to protect our critical infrastructure and assets by \nrequiring foreign acquisitions to be closely reviewed and \nscrutinized by CFIUS.\n    For over 30 years, this process has worked effectively, \nguarding our capital markets, our highly valued infrastructure \nassets, and, most importantly, our national security.\n    Most of the time, it doesn't gain any headlines and that \nwas a conscious decision made by the Congress when it set up \nCFIUS. We did not want to do something that overreached such \nthat we denied ourselves the kind of foreign investment that \nactually proved to be beneficial to this country. So we set up \na process which, by and large, would oftentimes not gain any \nheadlines or public comment.\n    The problem that occurred last year, however, was there was \nan area that probably needed some public comment or at least \nneeded to be brought to the attention of the president of the \nUnited States and perhaps even to the attention of the Congress \nbefore it was made public.\n    In the years that we have had this law, on only one \noccasion, in 1990, did the president intervene and order \ndivestiture by a Chinese aerospace company of a U.S. aircraft \nparts manufacturer. Last year's debate on the Dubai purchase \nraised a number of problems with the CFIUS review process and \nit demonstrated that changes needed to be made in light of 9/11 \nand our nation's growing terrorist threat.\n    Important improvements were included in the legislation we \npassed last year, H.R. 5337, and, again, in February of this \nyear, H.R. 556, referred to by the chairwoman of this \ncommittee, and it did pass by an overwhelming vote of 423-0.\n    The legislation elevated the secretaries of homeland \nsecurity and commerce to vice chairs of CFIUS, and I believe it \nwill help address concerns about CFIUS applying too narrow a \ndefinition of a national security threat, which was a criticism \nof past reviews. The legislation also limits delegating these \nimportant CFIUS decisions.\n    I believe the hearing and future hearings will also look \ninto how the Offices of Infrastructure Protection and \nCybersecurity and Telecommunications work together to protect \nkey resources, especially as it relates to the CFIUS process.\n    I would just once again like to say publicly that I \nappreciate the cooperation and quick response of DHS to a \ncritical vulnerability involving cyber and critical \ninfrastructure uncovered by the private sector, the dispatch \nwith which they dealt with that, the cooperation they showed \nwith this committee, and I look forward to future briefings, \nparticularly of a classified nature, on the success of that \noverall effort.\n    And with that, I would yield back the balance of my time \nand thank the gentlewoman for giving me the time.\n    Ms. Jackson Lee. I thank the distinguished ranking member, \nMr. Lungren from California, for his statement.\n    And I would remind other members of the subcommittee that, \nunder the committee rules, opening statements may be submitted \nfor the record.\n    I welcome all of the panel members this morning and believe \nthat your presence here this morning emphasizes a journey that \nwe will take to expand our oversight over critical \ninfrastructure.\n    Our goal is to not only reach a point where we believe that \nwe have explored aspects that could be conceived that might \nharm the United States, but also that we are helping to provide \na necessary instructional direction to be able to help to \nsecure these facilities.\n    Our first witness, Mr. Stuart Baker, who I know has great \ninsight on this issue, is the assistant secretary for policy at \nthe Department of Homeland Security. Prior to joining the \ndepartment, Mr. Baker was general counsel of the commission on \nthe intelligence capabilities of the United States regarding \nweapons of mass destruction. And prior to this, he was the \ngeneral counsel for the National Security Agency.\n    Welcome, Secretary Baker, and we thank you for your \nservice. We look forward to hearing your testimony.\n    Our second witness, Colonel Robert Stephan, is the \nassistant secretary for the Office of Infrastructure Protection \nwith the Department of Homeland Security and was most recently \nin Houston, Texas.\n    And I applaud him for that, not only for being in Houston \nbut for also reaching out to constituencies and cities and \ncounties and states in order to get firsthand knowledge. And I \nthink that is extremely important.\n    Prior to joining the department in 2005, Colonel Stephan \nwas a senior director for critical infrastructure protection in \nthe executive office of the president. Colonel Stephan had a \ndistinguished 24-year career in the United States Air Force.\n    Welcome, Colonel, and we are happy to have you here, and we \nthank you for your military service to our country.\n    Our third witness is Mr. Gregory Garcia. We have had the \nopportunity to hear the insight of Mr. Garcia previously, and \nwe thank him for his insight. He is the assistant secretary for \nthe Office of Cybersecurity and Telecommunications with the \nDepartment of Homeland Security. Prior to joining the \ndepartment, Mr. Garcia was the vice president for information \nsecurity programs and policy with the Information Technology \nAssociation of America.\n    Giving him a balance of both private and public sector, \nbefore joining the association, Mr. Garcia worked with the \nHouse of Representatives Science Committee, certainly a \ncommittee that I have affection for and, as well, a \nlongstanding relationship.\n    Thank you for coming today. We look forward to your \ntestimony, and we thank you for your service.\n    Our final witness, Ms. Ann Calvaresi-Barr, is the director \nfor acquisition and sourcing management at the United States \nGovernment Accountability Office. Ms. Calvaresi-Barr has been \nwith the GAO for 23 years and is responsible for reporting and \ntestifying before Congress on issues impacting foreign \ninvestment, amongst other topics.\n    We are always appreciative of the objectivity that GAO \nprovides us. We will continue to access the resources, and we \nhope that you will assist us as we delve into determining how \nmuch more work we need to do to secure the homeland as it \nrelates to critical infrastructure.\n    Thank you for being here today. We look forward to your \ntestimony.\n    Without objection, the witnesses' full statements will be \ninserted into the record.\n    I now ask each witness to summarize his or her statement \nfor 5 minutes, beginning with Assistant Secretary Baker.\n\n  STATEMENT OF HON. STEWART A. BAKER, ASSISTANT SECRETARY FOR \n            POLICY, DEPARTMENT OF HOMELAND SECURITY\n\n    Mr. Baker. Madam Chairwoman, thank you very much. Ranking \nMember Lungren, members of the committee, it is a pleasure to \nbe here.\n    I am very proud of the work that DHS has done in CFIUS. It \nis the youngest member of CFIUS and I think it is widely \nrecognized as among the most creative users of CFIUS--we are \ncreative because we have to be, because the definition of \nhomeland security requires that we think of a wide variety of \nrisks that other agencies do not have to be concerned with--and \nas the most thorough member of CFIUS, in many respects, which I \nwill get into.\n    CFIUS has been around, as the ranking member suggested, for \nquite some time. It was actually started under an executive \norder even before the Exxon-Florio Act. We, of course, did not \narrive until we were created as a department, but we joined an \nexisting structure that set up a committee of now six \ndepartments and a variety of executive agencies, chaired by the \nTreasury Department.\n    Our authority is essentially the authority to recommend the \npresident blocking an investment in the United States because \nof the threat to national security.\n    In order to determine whether to make a recommendation to \nblock a transaction, we have to do an investigation of our own. \nThe investigation is supposed to last only 30 days. Everyone \nrecognizes that these transactions have short shelf lives and \nneed to be moved forward quickly.\n    So we have to jump on transactions. It is like being a \nfireman. As soon as you hear the alarm, you just jump into your \nboots and get on the pole and go to the fire. And we are doing \nthat more than we have done in years. Filings have gone from \nabout 40 or 50 a few years ago to being on a pace for almost \n150 this year.\n    And we try to handle all those transactions in less than 30 \ndays, if we can. If we can't, if we conclude we need more time, \nwe can ask for more time and we can extend the investigation to \n45 more days or ask the parties to withdraw and give us even \nmore time before we have to make a decision.\n    What do we do in those days? From DHS's point of view, we \nask a couple of fundamental questions.\n    First, what is the vulnerability? If this transaction \noccurred and the parties who are part of the transaction, who \nare making the acquisition intended to do us harm or some of \nthem did, how much harm could they do with this acquisition? \nThat is the first question we ask.\n    The second question we ask, not surprisingly, is do we have \nany reason to believe that the people who are engaged in this \ntransaction, the company that is engaged in this transaction or \nthe government that stands behind that company might wish to do \nany of those harmful acts.\n    So we look, first, at our vulnerability and then at the \nthreat.\n    Once we have carried out that analysis, we have to decide, \nare we opposed to the transaction or are there risks here that \ncould be minimized by changes in the practice of the company or \nby guarantees that the company wouldn't change its practice?\n    We often will ask companies for assurances that they are \ngoing to act in certain ways. These are called mitigation \nagreements, in which we mitigate the risk to national security.\n    We have been among the most active in seeking those \nagreements. All agreement with CFIUS in the form of mitigation \nagreements have increased. I think we entered into 13 during \nthe first 3 years of our existence and last year we did 15 in 1 \nyear alone.\n    Those mitigations and agreements have turned out to be \nquite useful and important to us. One of the things that we \nhave also pioneered is going back and checking to make sure \nthat the companies are carrying out their agreements.\n    There is nothing that concentrates people's mind so much as \nknowing that they are going to be audited on their performance \nand we have been active in auditing companies to make sure that \nthey actually carry out their agreements.\n    This is something GAO noticed 2 years ago when they did the \nreport on us. We have since established a formal unit that does \nnothing but audits, the first in government.\n    We are very proud of that record, and I am glad to answer \nquestions about when the remainder of the witnesses have made \ntheir presentations.\n    Ms. Jackson Lee. Thank you for your insightful and \ninstructive testimony.\n    I now recognize Assistant Secretary Stephan to summarize \nhis statement for 5 minutes.\n    Colonel, thank you very much.\n\n STATEMENT OF COLONEL ROBERT STEPHAN, ASSISTANT SECRETARY FOR \n            POLICY, DEPARTMENT OF HOMELAND SECURITY\n\n    Colonel Stephan. Madam Chairwoman, Ranking Member Lungren, \nother distinguished members of this subcommittee, thank you \nvery much for the opportunity to speak to you today on behalf \nof my office, the office of infrastructure protection, to \ndiscuss our role in the CFIUS process in support of Assistant \nSecretary Baker.\n    Within the office of infrastructure protection at DHS, we \ncarefully monitor and analyze the risk posed to the nation's \ninfrastructure. Part of this analysis includes an assessment of \nforeign ownership, control and influence over our most \nsignificant critical infrastructures on a transaction-by-\ntransaction basis.\n    Responsibility for this analysis rests jointly with the \ndepartment's homeland infrastructure threat and risk analysis \ncenter, which is a combination of the office of infrastructure \nprotection, with further outreach to other federal departments \nand agencies and other key players inside the department, as \nwell as the office of intelligence and analysis.\n    HITRAC, as it is commonly known, develops tailored \ninfrastructure-related threat and risk analysis products and \nmonitors the changes to the threats, the vulnerabilities and \nthe consequences associated with the nation's infrastructure \nthat could affect the national risk profile.\n    Significant changes in the national risk profile will, in \nturn, drive changes in our operational focus, security plans \nand programs.\n    The HITRAC organization helps set the priorities for our \ncollective infrastructure protection efforts from an analytical \nperspective. HITRAC also provides focused analytical support \ndirectly to the office of policy as part of the department's \noverarching role in the CFIUS process.\n    Although the policy office has overall responsibility for \nthe department's CFIUS-related review process and for making \nrecommendations to the secretary on how to approach each case, \nthe dedicated staff in HITRAC support departmental decision-\nmaking by preparing risk assessments of every single filing for \ntransactions and are provided directly to the office of policy.\n    These assessments, prepared by a specialized CFIUS support \nteam of infrastructure and intelligence analysts within HITRAC, \nprovide our policy decision-makers within the department an \nunderstanding of how these various potential acquisitions can \nimpact, in a cascading manner, U.S. infrastructure.\n    HITRAC analysts conduct detailed reviews of all classified \nand unclassified information related to the foreign company of \nconcern and subsidiaries involved in the transaction and look \nfor indications that the foreign company and its senior \npersonnel may have ties that could pose a threat to U.S. \nsecurity, including ties with other foreign governments, \nforeign intelligence services, organized crime syndicates, or \ninternational terrorist organizations.\n    This research and analysis is supported by our law \nenforcement partners within DHS, such as ICE and CDP, as well \nas outside of the department, such as the FBI and others.\n    An assessment of the threat posed by foreign investors or \nowners, however, is only part of HITRAC's analytical \ncapability. HITRAC's CFIUS analysts work with subject matter \nexperts in the infrastructure sector affected by a transaction \nto analyze the vulnerabilities associated within the U.S. \ninfrastructure that the transaction may expose.\n    Obviously, situations in which the potential \nvulnerabilities can be exploited by identified threats raise \nsignificant concerns.\n    HITRAC then coordinates its analysis with relevant federal \nsector-specific agencies, such as the DHS Office of \nCybersecurity and Telecommunications, the Transportation \nSecurity Administration, the U.S. Coast Guard, the Department \nof Energy, the Department of Defense, and various others.\n    The final risk assessment product informs the office of \npolicy's recommendation to the secretary by highlighting areas \nof concern and increased risk and by proposing potential \nmitigation strategies the department may use to manage risk \nposed by the transaction.\n    Under the DHS chief intelligence officer, Charlie Allen's \nleadership, HITRAC's assessments also inform the director of \nnational intelligence's reviews of each CFIUS case in \ncollaboration with the other key elements of the intelligence \ncommunity at large.\n    HITRAC provides analytical support and advice to the office \nof policy during negotiations on mitigation strategies that the \nU.S. government adopts to manage risk. It should be noted that \nHITRAC produces its assessments in a very compressed timeframe \nto allow policymakers maximum time to take appropriate action \nwithin the statutory 30-day initial timeframe and then the 45-\nday extended timeframe for presidential consideration.\n    In the year 2006, HITRAC reviewed 113 CFIUS cases, that is \n113, writing coordinated assessments on each one. The CFIUS \nstatutes prevent us from disclosing specific information about \nthese cases in an open forum, but HITRAC's assessments have \ncovered a wide range of infrastructures, to include chemical, \nenergy, nuclear power sectors, to the information technology \nindustry, to the defense industrial base.\n    Thus far in 2007, HITRAC analysts have reviewed \napproximately 30 cases, which is about a 20 percent increase \nover the same period of time from last year.\n    The office of infrastructure protection at HITRAC and its \nmany partners recognize that thorough scrutiny of potential \nrisk posed by foreign ownership of critical infrastructure is \nabsolutely vital to our nation's security and economic \nstrength.\n    We will continue to closely monitor CFIUS cases for the \nemergence of adverse trends and we will continue to work with \nour federal partners to ensure the performance of this mission \nmeets with highest possible standards.\n    Madam Chairwoman, Ranking Member Lungren, I look forward to \nyour questions. And, again, thank you for the opportunity to \npresent my briefing to you today.\n    Ms. Jackson Lee. Thank you very much for your testimony, \nColonel. We will look forward to engaging you in questions that \nwill allow you to give us your sense of the depth of the need \nof review of critical infrastructure. So we thank you for your \ntestimony.\n    I now recognize Assistant Secretary Garcia to summarize his \nstatement for 5 minutes.\n    Thank you very much.\n\n   STATEMENT OF HON. GREGORY GARCIA, ASSISTANT SECRETARY FOR \n CYBERSECURITY AND TELECOMMUNICATIONS, DEPARTMENT OF HOMELAND \n                            SECURITY\n\n    Mr. Garcia. Madam Chairwoman, Ranking Member Lungren and \ndistinguished members of the subcommittee, I appreciate the \nopportunity to briefly address you on our role, the Office of \nCybersecurity and Communications, in the CFIUS process.\n    The Office of Cybersecurity and Communications, or CS&C, \nhelps to ensure the security, integrity, reliability and \navailability of our information and communications networks.\n    Leveraging the subject matter expertise in CS&C, we \nevaluate transactions for potential vulnerabilities and the \nensuing risk to the cyber and communications sectors, as well \nas other critical infrastructure sectors.\n    As appropriate, we provide risk mitigation advice and \nparticipate in post-action compliance reviews. This can include \ndeveloping specific provisions in national security agreements \nbetween the U.S. government and the companies engaged in the \ntransaction.\n    For example, from a cybersecurity and communications \navailability perspective, we would just need to closely review \nforeign ownership or management or service of \ntelecommunications or IT services networks.\n    CS&C's role in the CFIUS process is a logical partnership \nas part of our work with cybersecurity and infrastructure \nprotection. CS&C is engaged with the office of infrastructure \nprotection, with Assistant Secretary Stephan, in incorporating \ncybersecurity and communications risk management processes \nthroughout the national infrastructure protection plan, or the \nNIPP.\n    The NIPP requires each of the 17 critical infrastructures \nand key resource sectors identified in HSPD-7 to develop \nsector-specific plans and these plans address the physical, \nhuman and cyber elements critical to the proper functioning of \nthat sector.\n    CS&C has a role in assisting sectors to address the cyber \nelement by providing input to their sector-specific plans and \ndeveloping cyber portions of risk management methodologies and \nsupporting the protective programs that cut across all of those \nsectors.\n    CS&C also is responsible for the development and \nimplementation of the information technology sector-specific \nplan and the communications sector-specific plan in \ncoordination with the IT and communications industry partners \nand the government partners responsible.\n    That will conclude my comments. Thank you for the \nopportunity to appear before the subcommittee today, and I will \nbe happy to answer any questions you have.\n    [The statement of Mr. Baker, Colonel Stephan and Mr. Garcia \nfollows:]\n\n    Prepared Statement of the Honorable Stewart A. Baker, Assistant \n         Secretary for Policy, Department of Homeland Security\n\n    Madam Chairman, Ranking Member Lungren, Chairman Thompson, Ranking \nMember King and distinguished members of this Subcommittee, I am \npleased to appear before you today to discuss the Committee on Foreign \nInvestment in the United States (CFIUS)--of which the Department of \nHomeland Security is a member--and about the challenges posed by \nforeign ownership of critical infrastructure.\n\nBackground\n    I should emphasize at the outset that the CFIUS process is one of \nDHS's highest priorities. We have significantly increased staff and \nother resources and have a very robust review process that enables our \nDepartment to bring to CFIUS a diversity of viewpoints, expertise, and \nskills from across our constituent components. The government agencies \nfrom which we were formed give us a broad perspective, informed by a \nthorough understanding of infrastructure threats, vulnerabilities, and \nconsequences.\n    Since the Department began functioning in March 2003, we have \nparticipated in the review of hundreds of foreign acquisitions, many of \nwhich have involved the nation's most critical infrastructure, \ntechnology, and other assets vital to our national security. In 2006, \nCFIUS reviewed over 100 transactions. DHS plays a particularly \nimportant role in CFIUS reviews of transactions involving critical \ninfrastructure, and when DHS requests mitigation agreements in those \ncases--a topic to which I'll return in a few minutes--DHS has a leading \nrole in monitoring compliance with those agreements to which they are a \nparty.\n    DHS interprets its security mandate broadly. DHS's implementation \nof this mandate sometimes gives rise to debate within CFIUS, but it is \na healthy debate that ultimately enhances both national security and an \nopen investment climate--twin objectives DHS does not believe can be \nproperly divorced from each other and which DHS always seeks to \npromote.\n\nJurisdiction\n    I want to highlight, however, that CFIUS is not a silver bullet \ncapable of securing all critical infrastructure. In particular, \nCongress explicitly--and appropriately--limited CFIUS's legal authority \nto investigations of mergers, acquisitions or takeovers by or with \nforeign persons that could result in foreign control of persons engaged \nin interstate commerce in the United States. All CFIUS jurisdictional \ndecisions are made based on a thorough evaluation of the specific facts \npresented by a given transaction.\n    Within CFIUS's statutory mandate,--that is, mergers or acquisitions \nthat result in foreign control of U.S. businesses--our review is a \nsearching one.\n\nOur Review Process\n    DHS generally analyzes the incremental risk presented by an \nacquisition in three parts: (1) vulnerability; (2) threat; and (3) \nconsequences.\n    The vulnerability analysis focuses on the assets being acquired. We \nask, ``what vulnerabilities are exposed by the transaction that may be \nexploited by someone with bad intent and significant capabilities'' \n(this includes the company acquiring the U.S. operations as well as \nothers who may take advantage of the new management). If a chemical \nplant is being acquired, for example, we want to know whether the \nchemicals produced are dangerous and, if so, whether there are \nsignificant vulnerabilities and if adequate security plans are in place \nto protect the physical facility and any sensitive data, systems, and \nnetworks.\n    The threat analysis then asks whether the acquirer has significant \ncapabilities for exploiting the target and has intent to do so. Here \nwe're looking for derogatory information about the buyer. The DNI \ncoordinates preparation of a National Security Threat Assessment for \neach transaction by the intelligence community (including elements \nwithin DHS), which generally serves as the principal source of our \nthreat analysis.\n    Finally, we ask what the consequences could be if the acquirer \nsuccessfully exploited the target. To go back to the chemical plant \nexample, we would want to know what would happen if someone exploited \ncritical assets within the plant to cause an explosion or chemical \nrelease--how would that affect the surrounding communities? And we may \nneed to know whether theft or exploitation of data, systems, and \nnetworks also could present a problem (e.g., within the chemical plant \nexample: could the business systems be exploited to reveal HAZMAT \nrouting information, or could the control systems be compromised to \ncause a dangerous chemical release?)\n    We then weigh these three factors--vulnerability, threat, and \nconsequences--to come up with an assessment of the incremental risk \npresented by the transaction.\n\nBackground on Mitigation Agreements\n    In most transactions that CFIUS reviews, the increase in risk as a \nresult of the foreign acquisition is either non-existent or \nsufficiently low that CFIUS needs to take no formal action. In other \ninstances, we may see an increase in risk, but we may believe that \nexisting authorities other than Exon-Florio and the International \nEmergency Economic Powers Act are sufficient to address the risk.\n    Occasionally, however, we come to the conclusion that the \ntransaction may impair national security, that the incremental risk \nposed by the transaction cannot be adequately addressed by existing \nlaw, and that the risk can and should be mitigated through a CFIUS \nagreement, as a condition to concluding the review or investigation \nwithout further action by the President.\n    A CFIUS mitigation agreement is an agreement between (i) companies \nundergoing a CFIUS review and (ii) and one or more of the CFIUS \nagencies. The purpose of such an agreement is to reduce the perceived \nnational security risks associated with a foreign acquisition, merger, \nor takeover of a U.S. company subject to review by CFIUS. When the \nparties come to terms, a mitigation agreement generally will pave the \nway for the CFIUS agency or agencies involved to recommend that CFIUS \nallow the transaction to proceed.\n    Consistent with Exon-Florio and the important U.S. policy interest \nin maintaining an open investment climate, a CFIUS agency entering into \na mitigation agreement seeks to mitigate national security risks using \nthe means least onerous to accomplishing that end. Where CFIUS \ndetermines there is a risk to be mitigated, it takes a variety of \napproaches to mitigation agreements dictated by the particular \ncircumstances of an individual transaction. They range from commitment \nletters on a specific issue of concern to formal mitigation agreements \nwith detailed commitments including cooperation in the development and \nexecution of security plans. As you would expect, agreements deemed \nnecessary in transactions involving significant risks to critical \ninfrastructure often are the most substantial. These agreements often \ninclude some combination of the following:\n        <bullet> Security plan and designated security officer\n        <bullet> Background checks for key personnel\n        <bullet> Limitations on foreign personnel's involvement in \n        certain sensitive tasks\n        <bullet> Certification of export control compliance\n        <bullet> Customer lists\n        <bullet> Notifications of certain security incidents, such as \n        cyber attacks\n        <bullet> Compliance with various appropriate international, \n        industry, and/or Federal standards, guidelines, and recommended \n        practices\n        <bullet> Right to site visits and access to books and records\n        <bullet> Audits\n        <bullet> Notification of changes to key management positions\n        <bullet> Liquidated damages for breach\n    Often the elements of these agreements--e.g., the requirements to \nhave a security plan, security officer, conduct background checks, and \ncomply with appropriate standards and recommended practices--reinforce \nmeasures already taken by the companies involved.\n    In rare cases, CFIUS agencies have asked the companies involved to \nagree to an ``evergreen CFIUS'' provision--i.e., the right to re-open a \nCFIUS case if the companies materially breach the mitigation agreement. \nThe decision to re-open would be made by CFIUS consensus at the highest \nlevels of each agency. DHS believes that this extraordinary remedy is \nappropriate in rare circumstances where the transaction presents \nsignificant national security risks, existing remedies will not be \nadequate to protect the national security, and we anticipate that \nstandard commercial incentives will not be sufficient to compel \ncompliance with the agreement.\n\n    Increase in Mitigation Agreements and Compliance Monitoring Work\n    Given the range of its responsibilities, DHS is often among the \nagencies which identifies the need to consider a mitigation agreement. \nReflecting the increase in filings and other factors there has been a \nnotable increase in the number of mitigation agreements.\n    Let me give you a few demonstrative statistics. From 2003-2005, the \nfirst three years of DHS's existence, we were a party to 13 mitigation \nagreements. In 2006 alone, DHS was a party to 15 mitigation agreements.\n    Of course, we recognize that when we enter into these agreements, \nwe assume an obligation to monitor compliance. Our compliance \nmonitoring is not new--GAO credited DHS's efforts in this regard two \nyears ago. For some time DHS has:\n        <bullet> monitored to ensure that companies provide all reports \n        and other deliverables required by mitigation agreements;\n        <bullet> reviewed all reports and other deliverables to ensure \n        that they are accurate, complete, and otherwise satisfy the \n        requirements of the agreements;\n        <bullet> occasionally conducted on-site visits and audits; and\n        <bullet> met with companies to discuss issues of compliance and \n        non-compliance.\n    What is new, though, is that we?ve significantly increased the \nresources devoted to monitoring compliance. For example, whereas site \nvisits previously were sporadic, DHS now has a program in place to \nconduct regular site visits.\n    We believe that DHS's CFIUS program represents a success story \nabout the protection of critical infrastructure and other assets, and I \nwould be happy to answer any questions you might have about the program\n\n              Prepared Statement of Col. Robert B. Stephan\n\n    Madam Chairman, Ranking Member Lungren, Chairman Thompson, Ranking \nMember King and distinguished members of the Subcommittee, I appreciate \nthe opportunity to briefly address you on our role in the Committee of \nForeign Investment in the United States (CFIUS). Within the Office of \nInfrastructure Protection, we carefully monitor and analyze the risks \nposed to the Nation's critical infrastructure and key resources (CI/\nKR). Part of that analysis includes an assessment of foreign ownership, \ncontrol and influence over CI/KR. Responsibility for that analysis \nrests with the Department's Homeland Infrastructure Threat and Risk \nAnalysis Center (HITRAC).\n    HITRAC, a joint infrastructure-intelligence fusion center between \nthe Office of Infrastructure Protection (OIP) and the Office of \nIntelligence and Analysis (I&A), provides tailored CI/KR threat and \nrisk products to the private sector and our Federal, State, and local \nsecurity partners. It monitors changes to the threats, vulnerabilities, \nand consequences associated with the Nation's infrastructure that could \naffect the national risk profile. Significant changes in the CI/KR risk \nprofile will naturally drive changes in our focus, plans, and programs. \nHITRAC helps set the priorities for our collective critical \ninfrastructure protection efforts.\n    HITRAC also provides focused analytical support directly to the \nOffice of Policy as part of the Department's role on CFIUS. As you \nknow, CFIUS is the interagency committee established in 1975 to review \nthe national security impact of acquisitions, mergers, and takeovers of \nU.S. assets by foreign persons. DHS was added as a full member of the \ncommittee in February 2003 and joined eleven other members who \ndeliberate each case in accordance with the Exon-Florio statute and \napplicable Treasury regulations.\n    Although the DHS Office of Policy has overall responsibility for \nthe Department's CFIUS-related reviews and for making recommendations \nto the Secretary on how to approach each case, dedicated staff in \nHITRAC support Departmental decision making by preparing risk \nassessments of every filing that are provided directly to the Office of \nPolicy. These assessments, prepared by a special CFIUS Support Team of \nOIP and I&A analysts within HITRAC, provide policy makers within the \nDepartment with an understanding of how these acquisitions can impact \nU.S. infrastructure.\n    HITRAC analysts conduct detailed reviews of all classified and \nunclassified information related to the foreign company and \nsubsidiaries involved in the transaction, and look for any indication \nthat the foreign company or senior personnel might, as the statute \nsays, ``take action that threatens to impair the national security.''\n    This research is supported by our law enforcement partners such as \nImmigration and Customs Enforcement (ICE) and Customs and Border \nProtection (CBP), which can provide evidence of potentially illegal \ntrade practices and reach back to the broader law enforcement \ncommunity.\n    An assessment of the threat posed by the transfer of control to \nforeign persons is, however, only part of HITRAC's analysis. HITRAC's \nCFIUS analysts work with subject matter experts in the infrastructure \nsector affected by a transaction to analyze the vulnerabilities in U.S. \ninfrastructure that the transaction may expose. Obviously, situations \nin which the potential vulnerabilities can be exploited by identified \nthreats raise the most serious concern. HITRAC coordinates its analysis \nwith relevant Sector Specific Agencies, such as the DHS Office of Cyber \nSecurity and Telecommunications, the Transportation Security \nAdministration, the U.S. Coast Guard, and the Department of Energy.\n    The final risk assessment informs the Office of Policy's \nrecommendation to the Secretary by highlighting areas of increased risk \nand proposing potential mitigation strategies the Department can use to \nmanage any risk posed by the transaction. Under DHS Chief Intelligence \nOfficer Charlie Allen's leadership, HITRAC's assessments also inform \nthe Director of National Intelligence's reviews of each CFIUS case, in \ncollaboration with the rest of the Intelligence Community.\n    HITRAC continues to provide analytical support and advice to the \nOffice of Policy during negotiations on mitigation agreements that the \nU.S. Government uses, in some cases, to manage risk. It should be noted \nthat HITRAC produces its assessments in a very compressed timeframe to \nallow policymakers maximum time to take appropriate actions within the \nstatutory 30-day timeframe mandated for initial CFIUS reviews.\n    HITRAC also performs similar analytical reviews of FCC license \ntransfers to foreign entities through an interagency group made up of \nthe Departments of Justice, Homeland Security and Defense.\n    In 2006, HITRAC analysts reviewed 113 CFIUS cases, writing \ncoordinated assessments on each one. The Exon-Florio statute prevents \nus from disclosing information about specific cases, but HITRAC's CFIUS \nassessments have covered a range of infrastructures, from the chemical, \nenergy and nuclear power sectors, to the information technology \nindustry, to the defense industrial base.\n    The Office of Infrastructure Protection and HITRAC recognize that \nthorough scrutiny of the potential risks posed by foreign ownership of \ncritical infrastructure is vital to protecting the Nation's security \nand economic strength. We will continue to closely monitor CFIUS cases \nfor the emergence of adverse trends, and we will continue to work with \nour Federal partners to ensure that performance of this mission meets \nwith the highest standards.\n    Thank you for the opportunity to appear before this Subcommittee \ntoday and I would be happy to answer any questions you may have at this \ntime.\n\nPrepared Statement of the Honorable Gregory Garcia, Assistant Secretary \n    for Cybersecurity and Telecommunications Department of Homeland \n                                Security\n\n    Madam Chairman, Ranking Member Lungren, Chairman Thompson, Ranking \nMember King and distinguished members of the Subcommittee, I appreciate \nthe opportunity to briefly address you on our role in the Committee on \nForeign Investment in the United States (CFIUS). The Office of Cyber \nSecurity and Telecommunications helps to ensure the security, \nintegrity, reliability and availability of our information and \ncommunications networks.\n    One area of particular emphasis for us is emerging cyber security \nthreats. The Department reviews transactions notified to CFIUS for \ncyber security and communications threats and vulnerabilities. \nLeveraging the subject matter expertise in our Office of Cyber Security \nand Communications (CS&C), we evaluate transactions for potential \nvulnerabilities and ensuing risk to the cyber and communications \nsectors, as well as other critical infrastructures sectors. As \nappropriate given the nature of the transaction and subsequent risk, we \nassess vulnerabilities, participate in risk assessments, provide risk \nmitigation advice and participate in post-action compliance review. \nThis can include developing specific provisions in risk mitigation \nagreements with the companies engaged in the transaction.\n    Our role in cyber security and infrastructure protection makes CS&C \na logical partner in the CFIUS process. CS&C is engaged with the Office \nof Infrastructure Protection in supporting the cyber security and \ncommunications components of the National Infrastructure Protection \nPlan, which requires each of the 17 critical infrastructure and key \nresources sectors identified in HSPD-7 to develop Sector Specific Plans \nthat address the physical, human, and cyber elements critical to the \nproper functioning of the sector. DHS/CS&C has a role in developing \ncyber portions of risk management methodologies and in supporting \nprotective programs that cut across all sectors (e.g., US-CERT, the \nControl Systems Security Program). DHS/CS&C also is responsible for the \ndevelopment and implementation of the Information Technology and \nTelecommunications Sector Specific Plans in coordination private and \npublic sector security partners.\n    Thank you for the opportunity to appear before this Subcommittee \ntoday and I would be happy to answer any questions you may have at this \ntime.\n\n    Ms. Jackson Lee. Mr. Garcia, thank you. We look forward to \nhaving an opportunity to question you this morning, and we \nappreciate your testimony.\n    I now recognize Ms. Calvaresi-Barr to summarize her \nstatement for 5 minutes.\n    Thank you.\n\n STATEMENT OF ANN CALVARESI-BARR, DIRECTOR OF ACQUISITION AND \n     SOURCING MANAGEMENT, GOVERNMENT ACCOUNTABILITY OFFICE\n\n    Ms. Calvaresi-Barr. Thank you. Thank you, Madam Chairwoman \nand members of the subcommittee. I am pleased to be here today \nto discuss GAO's work on the Committee on Foreign Investment in \nthe United States.\n    We have conducted many reviews of CFIUS since 1990 and have \nmade recommendations directed towards improving the CFIUS \nprocess. My statement today will address concerns from our 2005 \nreport, recognizing that some actions are currently under way.\n    We are encouraged to hear of these efforts and appreciate \nthe opportunity to recap our findings at this critical juncture \nin CFIUS's reform of the process.\n    Of concern to us were the fundamentally differing views \namong CFIUS members as to what constitutes a threat to national \nsecurity, what criteria should be used to go to an \ninvestigation, and the sufficiency of time for reviews.\n    Regarding what constitutes a threat to national security, \nCFIUS members appeared to either view threats as limited to \nconcerns about export controls, classified contracts, or \nspecific derogatory intelligence against or about certain \ncompanies, or they viewed them more broadly in terms of \nvulnerabilities that can result from foreign control of \ncritical infrastructure or critical inputs to defense systems.\n    For example, in one proposed acquisition, DOD raised \nconcerns about the security of supply of its specialized \nintegrated circuits, circuits that the Defense Science Board \nidentified as essential to a number of defense systems, such as \nUAVs.\n    However, some CFIUS members argued that this was an \nindustrial policy concern and, therefore, outside the scope of \nthe Exxon-Florio statute.\n    As a result, a key enforcement provision that would allow \nthe president to reopen a CFIUS review in the event of \nnoncompliance was removed, which weakened the ensuing \nagreement.\n    CFIUS members also disagreed on the criteria that should be \nused to determine whether an investigation is warranted. \nTreasury and some other members used essentially the same \ncriteria used by the president to suspend or prohibit an \nacquisition. That is, evidence that a credible threat exists \nand no other laws are adequate to deal with it.\n    However, officials from Defense, Justice and Homeland \nSecurity argued that applying these criteria is misguided, \nbecause isn't it the purpose of an investigation to, in fact, \ndetermine that a credible threat exists?\n    Disagreement among agency members on appropriate criteria \nfor investigation can significantly impact the entire process. \nOne notable case involved the acquisition of satellite \ntechnology.\n    Some members believed that an investigation was not \nwarranted because the technology was unclassified and the \ncountry was an ally. Others, however, argued that the \ntechnology was defense critical and were concerned about third-\nparty transfers.\n    While the case went to investigation, it was withdrawn and \nultimately resulted in weak mitigation measures.\n    CFIUS members also disagreed about the sufficiency of time \nallowed for reviews. While most reviews are completed in the \nlegislative timeframe, some agencies have faced significant \ntime pressures to conduct reviews of certain cases.\n    In one case, Homeland Security was unable to provide any \ninput within the legislative timeframe.\n    In addition to the differing views among members, our work \nrevealed that CFIUS typically allowed companies to withdraw \ntheir notices in order to resolve concerns and avoid \ninvestigation. However, this can be particularly risky when the \ntransaction has been completed and where national security \nissues have been raised. We found a number of such cases.\n    Avoiding investigations contributes to the opaque nature of \nthe process, a concern repeatedly raised by Congress. Without \nan investigation, there is no presidential decision and no \nrequired reporting to Congress.\n    Given our findings, we made several recommendations. First, \namend the Exxon-Florio statute to more clearly emphasize the \nfactors that should be considered. Second, eliminate the \ndistinction between review and investigation and make the \ncombined period available for review.\n    Third, require an annual report on the nature of concerns \nfor all transactions in the preceding year. Last, when using \nwithdrawals, place interim protections and timeframes for re-\nfiling.\n    Implementing Exxon-Florio in the context of open investment \nis a fine line to walk and presents significant challenges. \nRegardless of the sector in which a foreign acquisition occurs, \nthe process needs to be effective.\n    While we remain optimistic that recent actions taken by \nCFIUS will help improve the process, we have not examined how \nthese changes are working and strongly encourage any \nlegislative effort that strengthens and sustains what is a key \nsafety net in our national security framework.\n    This concludes my summary statement. My full statement has \nbeen submitted for the record. I would be happy to answer \nquestions you or other subcommittee members may have.\n    Thank you.\n    [The statement of Ms. Calvaresi-Barr follows:]\n\n              Prepared Statement of Ann M. Calvaresi-Barr\n\n    Madam Chairwoman and Members of the Subcommittee:\n    I am pleased to be here today to take part in this hearing on \nissues related to foreign ownership of U.S. assets and potential \neffects on national security. As you know, U.S. export control laws, \nnational disclosure policy, the National Industrial Security Program, \nand other processes and programs have been established to protect \ndefense technologies and other critical assets from falling into the \nwrong hands, and for other reasons. Similarly, the Exon-Florio \namendment to the Defense Production Act of 1950,\\1\\ enacted in 1988, \nauthorized the President to suspend or prohibit foreign acquisitions, \nmergers, or takeovers \\2\\ of U.S. companies that pose a threat to \nnational security. Exon-Florio is meant to serve as a safety net when \nlaws other than the International Emergency Economic Powers Act \\3\\ may \nbe ineffective in protecting national security.\n---------------------------------------------------------------------------\n    \\1\\ 50 U.S.c. app. Sec. 2170.\n    \\2\\ In the remainder of this statement, acquisitions, mergers, and \ntakeovers are referred to as acquisitions.\n    \\3\\ The International Emergency Economic Powers Act gives the \nPresident broad powers to deal with any ``unusual and extraordinary \nthreat'' to the national security, foreign policy, or economy of the \nUnited States (50 U.S.C. Sec. Sec. 1701--1706). To exercise this \nauthority, however, the President must declare a national emergency to \ndeal with any such threat. Under this legislation, the President has \nthe authority to investigate, regulate, and, if necessary, block any \nforeign interest's acquisition of U.S. companies (50 U.S.C. \nSec. 1702(a)(1)(B)).\n---------------------------------------------------------------------------\n    Exon-Florio is administered by the Committee on Foreign Investment \nin the United States, currently made up of 12 members: the Department \nof the Treasury, which serves as Chair; the Departments of Commerce, \nDefense, Homeland Security, Justice, and State; and six offices in the \nExecutive Office of the President. On the surface, the Exon-Florio \nreview process is fairly straightforward. According to regulations, \nafter a company voluntarily files a notice of a pending or completed \nacquisition by a foreign concern, the Committee conducts a 30-day \nreview to determine whether there are any national security concerns. \nIf the Committee is unable to complete its review within 30 days, the \nCommittee may either allow the companies to withdraw the notification \nand refile or initiate a 45-day investigation. If a case undergoes an \ninvestigation, the Committee submits a report to the President, \nincluding a recommendation for action. Cases that result in a \npresidential decision are reported to the Congress.\n    As requested, my comments today will summarize our reports on \nweaknesses in the Exon-Florio process that GAO has identified over the \npast decade. Before I begin, however, it is important to provide some \ncontext to Exon-Florio. Specifically, implementing Exon-Florio can pose \na significant challenge for the federal government because of the \npotential for conflict with U.S. open investment policy--a policy that, \nin recognizing the economic benefits associated with foreign \ninvestments, calls for foreign investors to be treated no differently \nthan domestic investors. This challenge has increased significantly \nsince September 2001, when threats facing the nation were fundamentally \nredefined to include threats against the homeland, including those to \nour critical infrastructure. At the same time, the economy has become \nincreasingly globalized, as countries open their markets and \ncommunicate regularly through the Internet. Government programs \nestablished decades ago are often ill-equipped to grapple with these \nemerging complexities. GAO, therefore, designated the effective \nidentification and protection of critical technologies as a \ngovernmentwide high-risk area, which warrants a strategic reexamination \nto identify needed changes.\\4\\ In terms of Exon-Florio, legislation has \nbeen introduced to reform the Exon-Florio process.\n---------------------------------------------------------------------------\n    \\4\\ High Risk Series: An Update, GAO-07-310 (Washington D.C.: Jan. \n2007).\n---------------------------------------------------------------------------\n    Our understanding of the Committee's process is based on our 2005 \nwork but built on our review of the process and our discussions with \nagency officials for our 2002 report. For our 2005 review, and to \nexpand our understanding of the Committee's process for reviewing \nforeign acquisitions of U.S. companies, we met with officials from the \nDepartments of Commerce, Defense, Homeland Security, Justice, and the \nTreasury--the agencies that are most active in the review of \nacquisitions--and discussed their involvement in the process. Further, \nwe conducted case studies of nine acquisitions that were filed with the \nCommittee between June 28, 1995, and December 31, 2004. We conducted \nour review from April 2004 through July 2005 in accordance with \ngenerally accepted government auditing standards.\n    To summarize our work in this area, we have found that several \naspects of the Committee's process for implementing Exon-Florio may \nhave weakened the law's effectiveness. First, we found a lack of \nagreement among Committee members about the scope of Exon-Florio--\nspecifically, what defines a threat to national security. Neither the \nstatute nor the implementing regulation defines ``national security.'' \nHowever, the statute provides factors that may be considered in \ndetermining threats to national security. Despite these factors, some \nCommittee members argued to apply a more traditional definition?one \nlimited to concerns about export-controlled technologies or items, \nclassified contracts, and the existence of specific derogatory \nintelligence on a foreign company. Other Committee members have argued \nthat a broader view is warranted, and in analyzing the effects of an \nacquisition, considered the potential vulnerabilities that an \nacquisition can create with regard to U.S. critical infrastructure, \ndefense supply, and defense technology superiority. These disagreements \nmay have limited the Committee's analyses of proposed or completed \nacquisitions.\n    Second, Committee members also had differing opinions on the \ncriteria that should be used to determine whether an investigation was \nwarranted. The criteria used by Treasury as the Committee Chair and \nothers were essentially the same criteria established in the current \nlaw for the President to suspend or prohibit a transaction, or order \ndivestiture--that is, there is credible evidence that the foreign \ncontrolling interest may take action that threatens national security \nand that no laws other than Exon-Florio and the International Emergency \nEconomic Powers Act are adequate to protect national security. Some \nCommittee members have argued that applying these criteria is \ninappropriate because the purpose of an investigation is to determine \nwhether or not credible evidence of a threat exists.\n    Third, while most acquisitions are not problematic and the \nCommittee's review can be completed within the 30-day period allowed by \nExon-Florio, some more complex acquisitions required more analysis or \nconsideration than the 30-day review period could accommodate. However, \nthe Committee has been reluctant to use the additional 45 days allowed \nby the legislation because it would require initiating an \ninvestigation. The Committee's concern was that the negative \nperceptions surrounding an investigation could discourage foreign \ninvestment in the United States, thereby conflicting with U.S. open \ninvestment policy. To avoid investigations, the Committee has in the \npast encouraged companies to withdraw their notifications of proposed \nor completed acquisitions and refile them at a later date. Between 1997 \nand 2004, companies involved in 18 acquisitions were allowed to \nwithdraw their notification and refile at a later time. The new filing \nis considered a new case and restarts the 30-day clock. While \nwithdrawing and refiling provides additional time for Committee members \nto review a foreign acquisition while minimizing the risk of chilling \nforeign investment, it may also heighten the risk to national security \nin transactions where there are concerns and the acquisition has been \ncompleted or is likely to be completed during the withdrawal period. \nThis was the situation in 4 of the 18 acquisitions cited above. One \ncompany did not refile for 9 months, another did not refile for 1 year, \nand 2 had yet to refile at the time of our review.\\5\\\n---------------------------------------------------------------------------\n    \\5\\ Given the immediacy of this hearing, we were unable to gather \nand verify data on the disposition of these cases. However, even if the \ncompanies refiled subsequent to our 2005 reporting, the refilings were \nnot timely.\n---------------------------------------------------------------------------\n    Finally, because very few cases required a presidential decision--\nthe criterion for reporting to the Congress on specific cases--the \nCongress had little insight into the Committee's process. Further, a \n1992 amendment to the legislation requires a report to the Congress \nevery 4 years on certain trends in foreign acquisitions. However, at \nthe time of our work only one report had been submitted, in 1994. I \nunderstand that another report, in response to that requirement, has \nbeen issued.\n    Since our 2005 report, the Committee has taken some actions to \nreform the process, such as increasing communication to interested \ncongressional committees. However, we have not examined how these \nchanges are working. It should be noted that because the law provides \nfor confidentiality of information filed under Exon-Florio, our ability \nto discuss details of cases we examined is limited.\n\nBackground\n    Enacted in 1988, the Exon-Florio amendment to the Defense \nProduction Act authorized the President to investigate the effects of \nforeign acquisitions of U.S. companies on national security and to \nsuspend or prohibit acquisitions that might threaten national security. \nThe President delegated investigative authority to the Committee on \nForeign Investment in the United States, an interagency group \nresponsible for monitoring and coordinating U.S. policy on foreign \ninvestment in the United States.\\6\\ Since the Committee's establishment \nin 1975, membership has doubled, with the Department of Homeland \nSecurity being the most recently added member. In addition to the \nCommittee's 12 standing members, other agencies may be called on when \ntheir particular expertise is needed.\n---------------------------------------------------------------------------\n    \\6\\ Executive Order 11858 (May 7, 1975), as amended by Executive \nOrder 12188 (Jan. 2, 1980),\n    Executive Order 12661 (Dec. 27, 1988), Executive Order 12860 (Sept. \n3, 1993), and\n    Executive Order 13286 (Feb. 28, 2003).\n---------------------------------------------------------------------------\n    In 1991, the Treasury Department, as Chair of the Committee, issued \nregulations to implement Exon-Florio. The law and regulations establish \na four-step process for reviewing foreign acquisitions of U.S. \ncompanies: (1) voluntary notice by the companies; \\7\\ (2) a 30-day \nreview to identify whether there are any national security concerns; \n(3) a 45-day investigation period to determine whether those concerns \nrequire a recommendation to the President for possible action; and (4) \na presidential decision to permit, suspend, or prohibit the acquisition \n(see fig. 1).\n---------------------------------------------------------------------------\n    \\7\\Notification is not mandatory. However, any member agency is \nauthorized to submit a notification of an acquisition if the companies \nhave not done so. As of our 2005 report, no agency has submitted a \nnotification of an acquisition. Instead, member agencies have informed \nTreasury of acquisitions that may be subject to Exon-Florio, and \nTreasury has contacted the company to encourage them to officially \nnotify the Committee of the acquisition to begin a review.\n---------------------------------------------------------------------------\n        Figure 1: Process Used by the Committee on Foreign Investment \n        in the United States to Implement the Exon-Florio Amendment\n\n\n\n\n                           Companies submit\n                           voluntary filing\n                           (can be pre--or\n                           post-acquisition)\n                           <d-arrow>\nCommittee actions          ......................\ncompleted and no\nnational security\nconcerns warrant\ninvestigation\n                                                   Companies\n                           Decisions to\n                           investigate\n                           <d-arrow>\n\n                           45-day\n                           <l-d-d-arr>investigati\n                            on<r-d-d-arr>\n\nCommittee                                          Companies\nrecommendation to                                  withdraw filing <SUP>a</SUP>\nPresident\n<d-arrow>\n                             President permits\n15-day window for   <r-d-\n u-arr>                    acquisition by taking\npresidential decision  <r- no action\n d-d-arr>\n\n\n\n    <SUP>Source</SUP> GAO</SUP> analysis</SUP> based</SUP> on</SUP> 50</SUP> \nU.S.c.</SUP> app.</SUP> Sec. 2170</SUP> and</SUP> 31</SUP> C.F.R.</SUP> \nPart</SUP> 800</SUP> and</SUP> case</SUP> file</SUP> reviews.\n    a</SUP>At any point prior to a presidential decision, companies can \nrequest to withdraw a notification.\n\n    In most cases, the Committee completes its review within the \ninitial 30 days because there are no national security concerns or \nconcerns have been addressed, or the companies and the government agree \non measures to mitigate identified security concerns. In cases where \nthe Committee is unable to complete its review within 30 days, it may \ninitiate a 45-day investigation or allow companies to withdraw their \nnotifications. The Committee generally grants requests to withdraw. \nWhen the Committee concludes a 45-day investigation, it is required to \nsubmit a report with recommendations to the President. If Committee \nmembers cannot agree on a recommendation, the regulations require that \nthe report to the President include the differing views of all \nCommittee members.\\8\\ The President has 15 days after the investigation \nis completed to decide whether to prohibit or suspend the proposed \nacquisition, order divestiture of a completed acquisition, or take no \naction.\\9\\ Table 1 provides a breakdown of notifications and committee \nactions taken from 1997 through 2004 (the latest date for which data \nwere available at the time of our 2005 review).\n---------------------------------------------------------------------------\n    \\8\\ 31 C.F.R. Sec. 800.504(b).\n    \\9\\ In 1990, the President ordered a Chinese aerospace company to \ndivest its ownership of a U.S. aircraft parts manufacturer. To date, \nthis is the only divestiture the President has ordered.\n---------------------------------------------------------------------------\nTable 1: Notifications to the Committee on Foreign Investment in the \nUnited States and Actions Taken, 1997 through 2004\n\n1997................................................                 62                  60                   0                   0                   0\n1998................................................                 65                  62                   2                   2                   0\n1999................................................                 79                  76                   0                   0                   0\n2000................................................                 72                  71                   1                   0                   1\n2001................................................                 55                  51                   1                   1                   0\n2002................................................                 43                  42                   0                   0                   0\n2003................................................                 41                  39                   2                   1                   1\n2004................................................                 53                  50                   2                   2                   0\nTotal...............................................                470                 451                   8                   6                  2<SUP>c</SUP>\n  ..................................................  <SUP>Source:</SUP> <SUP>Department</SUP> <SUP>of</SUP> <SUP>the</SUP> <SUP>Treasury.</SUP>\n  ..................................................  <SUP>a</SUP> Acquisitions that were withdrawn and refiled are shown in the year for initial notification.\n  ..................................................  <SUP>b</SUP> Investigations are shown in the year of their notification.\n  ..................................................  <SUP>c</SUP> In both cases the President took no action, thereby allowing the transaction, and sent a report\n                                                      to Congress.\n--------------------------------------------------------------------------------------------------------------------------------------------------------\n\n    Over the past decade, GAO has conducted several reviews of the \nCommittee?s process and actions and has found areas where improvements \nwere needed. In 2000, we found that gaps in the notification process \nraised concerns about the CommitteeSs ability to ensure transactions \nare notified.\\10\\ Our 2002 review, prompted by a lack of congressional \ninsight into the process, again found weaknesses in the process. \nSpecifically, we reported that member agencies could improve the \nagreements they negotiated with companies under Exon-Florio to mitigate \nnational security concerns. We also questioned the use of withdrawals \nto provide additional time for reviews.\\11\\ While our most recent work \nindicated that member agencies had begun to take action to respond to \nsome of our recommendations, concerns remained about the extent to \nwhich the Committee's implementation of Exon-Florio had provided the \nsafety net envisioned by the law.\\12\\\n---------------------------------------------------------------------------\n    \\10\\ Defense Trade: Identifying Foreign Acquisitions Affecting \nNational Security Can Be Improved, GAO/NSIAD-00-144 (Washington, D.C.: \nJune 29, 2000).\n    \\11\\ Defense Trade: Mitigating National Security Concerns under \nExon-Florio Could Be Improved, GAO-02-736 (Washington, D.C.: Sept. 12, \n2002).\n    \\12\\ Defense Trade: Enhancements to the Implementation of Exon-\nFlorio Could Strengthen the Law's Effectiveness, GAO-05-686 \n(Washington, D.C.: Sept. 28, 2005).\n\nViews Differed over What Constitutes a National Security Threat and \nWhen an Investigation Is Warranted\n    In 2005, we reported that a lack of agreement among Committee \nmembers on what defines a threat to national security and what criteria \nshould be used to initiate an investigation may have limited the \nCommittee's analyses of proposed and completed foreign acquisitions. \nFrom 1997 through 2004, the Committee received a total of 470 notices \nof proposed or completed acquisitions,\\13\\ yet it initiated only 8 \ninvestigations.\n---------------------------------------------------------------------------\n    \\13\\ Nineteen of these notices were refilings.\n---------------------------------------------------------------------------\n    While neither the statute nor the implementing regulation defines \n``national security,'' the statute provides a number of factors that \nmay be considered in determining a threat to national security (see \nfig. 2).\n\nFigure 2: Exon-Florio Factors That May Be Considered When Determining a \nThreat to National Security\n        <bullet> Domestic production needed for projected national \n        defense requirements.\n        <bullet> The capability and capacity of domestic indurstries to \n        meet national defense requirements, including the availability \n        of human resources, products, technology, materials, and other \n        supplies and services.\n        <bullet> the control of domestic industries and commercial \n        activity by foreign citizens as it affects the capability and \n        capacity of the United States to meet national security \n        requirements.\n        <bullet> The potential effects of the proposed or pending \n        transaction on sales of military goods, equipment, or \n        technology to any country identified under applciable law as \n        (a) supporting terrorism or (b) a country of concern for \n        missile proliferation or the proliferation of chemical and \n        biological weapons.\n        <bullet> The potential effects of the proposed or pending \n        transaction on U.S. international technological leadership in \n        areas affecting national security.\n    <SUP>Source</SUP> 50</SUP> U.S.C.</SUP> app.</SUP> Sec. 2170(f).\n\n        </SUP><bullet> Some Committee member agencies argued for a more \n        traditional and narrow definition of what constitutes a threat \n        to national security--that is, (1) the U.S. company possesses \n        export-controlled technologies or items; (2) the company has \n        classified contracts and critical technologies; or (3) there is \n        specific derogatory intelligence on the foreign company. Other \n        members, including the Departments of Defense and Justice, \n        argued that acquisitions should be analyzed in broader terms. \n        According to officials from these departments, vulnerabilities \n        could result from foreign control of critical infrastructure, \n        such as control of or access to information traveling on \n        networks. Vulnerabilities can also result from foreign control \n        of critical inputs to defense systems, such as weapons system \n        software development \\14\\ or a decrease in the number of \n        innovative small businesses researching and developing new \n        defense-related technologies.\n---------------------------------------------------------------------------\n    \\14\\ 14Defense Acquisitions: Knowledge of Software Suppliers Needed \nto Manage Risks, GAO-04-678 (Washington D.C.: May 25, 2004).\n---------------------------------------------------------------------------\n    While these vulnerabilities may not pose an immediate threat to \nnational security, they may create the potential for longer term harm \nto U.S. national security interests by reducing U.S. technological \nleadership in defense systems. For example, in reviewing a 2001 \nacquisition of a U.S. company, the Departments of Defense and Commerce \nraised several concerns about foreign ownership of sensitive but \nunclassified technology, including the possibility of this sensitive \ntechnology being transferred to countries of concern or losing U.S. \ngovernment access to the technology. However, Treasury argued that \nthese concerns were not national security concerns because they did not \ninvolve classified contracts, the foreign company's country of origin \nwas a U.S. ally, or there was no specific negative intelligence about \nthe company?s actions in the United States.\n    In one proposed acquisition, disagreement over the definition of \nnational security resulted in an enforcement provision being removed \nfrom a mitigation agreement between the foreign company and the \nDepartments of Defense and Homeland Security. Defense had raised \nconcerns about the security of its supply of specialized integrated \ncircuits, which are used in a variety of defense technologies that the \nDefense Science Board had identified as essential to our national \ndefense--technologies found in unmanned aerial vehicles, the Joint \nTactical Radio System, and cryptography and other communications \nprotection devices. However, Treasury and other Committee members \nargued that the security of supply issue was an industrial policy \nconcern and, therefore, was outside the scope of Exon-Florio's \nauthority. As a result of removing the provision, the President's \nauthority to require divestiture under Exon-Florio was eliminated as a \nremedy in the event of non-compliance.\\15\\\n---------------------------------------------------------------------------\n    \\15\\ The regulations provide that the Committee may reopen its \nreview or investigation and revise its recommendation to the President \nif it determines that the companies omitted or provided false or \nmisleading material information to the Committee (31 C.F.R. \nSec. 800.601(e)).\n---------------------------------------------------------------------------\n    Committee members also disagreed on the criteria that should be \napplied to determine whether a proposed or completed acquisition should \nbe investigated. While Exon-Florio provides that the ``President or the \nPresident's designee may make an investigation to determine the effects \non national security'' of acquisitions that could result in foreign \ncontrol of a U.S. company, it does not provide specific guidance for \nthe appropriate criteria for initiating an investigation of an \nacquisition.\\16\\ At the time of our work, Treasury, as Committee Chair, \napplied essentially the same criteria established in the law for the \nPresident to suspend or prohibit a transaction, or order divestiture: \n(1) there is credible evidence that the foreign controlling interest \nmay take action to threaten national security and (2) no laws other \nthan Exon-Florio and the International Emergency Economic Powers Act \nare adequate and appropriate to protect national security.\\17\\ However, \nthe Defense, Justice, and Homeland Security Departments argued that \napplying these criteria at this point in the process is inappropriate \nbecause the purpose of an investigation is to determine whether or not \ncredible evidence of a threat exists. Notes from a policy-level \ndiscussion of one particular case further corroborated these differing \nviews.\n---------------------------------------------------------------------------\n    \\16\\ 1650 U.S.C. app. Sec. 2170(a). Under the statute, \ninvestigations are mandatory in those cases in which the acquiring \ncompany is ``controlled by or acting on behalf of a foreign \ngovernment'' and the acquisition could result in control of the U.S. \ncompany and could affect the national security of the United States (50 \nU.S.C. app. Sec. 2170(b)).\n    \\17\\ 50 U.S.C. app. Sec. 2170(e).\n\nCommittee Allowed Withdrawal of Notifications to Avoid Investigations\n    Committee guidelines required member agencies to inform the \nCommittee of national security concerns by the 23rd day of a 30-day \nreview--further compressing the limited time allowed by legislation to \ndetermine whether a proposed or completed foreign acquisition posed a \nthreat to national security. According to one Treasury official, the \ninformation is needed a week early to meet the legislated 30-day \nrequirement. While most reviews are completed in the required 30 days, \nsome Committee members have found that completing a review within such \nshort time frames can be difficult--particularly in complex cases. One \nDefense official said that without advance notice of the acquisition, \ntime frames are too short to complete analyses and provide input for \nthe Defense Department's position. Another official said that to meet \nthe 23-day deadline, analysts have only 3 to 10 days to analyze the \nacquisition. In one instance, Homeland Security was unable to provide \ninput within the 23-day time frame.\n    If a review cannot be completed within 30 days and more time is \nneeded to determine whether a problem exists or identify actions that \nwould mitigate concerns, the Committee can initiate a 45-day \ninvestigation of the acquisition or allow companies to withdraw their \nnotifications and refile at a later date.\\18\\ According to Treasury \nofficials, the Committee's interest is to ensure that the \nimplementation of Exon-Florio does not undermine U.S. open investment \npolicy. Concerned that public knowledge of investigations could devalue \ncompanies' stock, erode confidence of foreign investors, and ultimately \nchill foreign investment in the United States, the Committee has \ngenerally allowed and often encouraged companies to withdraw their \nnotifications rather than initiate an investigation.\n---------------------------------------------------------------------------\n    \\18\\ Exon-Florio's implementing regulations permit companies to \nrequest to withdraw notifications at any time up to a presidential \ndecision. After the Committee approves a withdrawal, any subsequent \nrefiling is considered a new, voluntary notice.\n---------------------------------------------------------------------------\n    While an acquisition is pending, companies that have withdrawn \ntheir notification have an incentive to resolve any outstanding issues \nand refile as soon as possible. However, if an acquisition has been \nconcluded, there is less incentive to resolve issues and refile, \nextending the time during which any concerns remain unresolved. Between \n1997 and 2004, companies involved in 18 acquisitions withdrew their \nnotification and refiled 19 times. In four cases, the companies had \nalready concluded the acquisition before filing a notification. One did \nnot refile until 9 months later and another did not refile for 1 year. \nConsequently, concerns raised by Defense and Commerce about potential \nexport control issues in these two cases remained unresolved for as \nmuch as a year--further increasing the risk that a foreign acquisition \nof a U.S. company would pose a threat to national security.\n    For the other two cases, neither company had refiled at the time we \ncompleted our work. In one case, the company had previously withdrawn \nand refiled more than a year after completing the acquisition. The \nCommittee allowed it to withdraw the notification to provide more time \nto answer the Committee's questions and provide assurances concerning \nexport control matters. The company refiled, and was permitted to \nwithdraw a second time because there were still unresolved issues. When \nwe issued our report in 2005, 4 years had passed since the second \nwithdrawal without a refiling. In the second case, the company--which \nfiled with the Committee more than 6 months after completing its \nacquisition--was also allowed to withdraw its notification. At the time \nwe issued our report, 2 years had passed without a refiling.\nLack of Reporting Contributed to the Opaqueness of the Committee's \nProcess and Diminished Oversight\n    In response to concerns about the lack of transparency in the \nCommittee's process, the Congress passed the Byrd Amendment to Exon-\nFlorio in 1992, requiring a report to the Congress if the President \nmade any decision regarding a proposed foreign acquisition. In 1992, \nanother amendment also directed the President to report every 4 years \non whether there was credible evidence of a coordinated strategy by one \nor more countries to acquire U.S. companies involved in research, \ndevelopment, or production of critical technologies for which the \nUnited States is a leading producer, and whether there were industrial \nespionage activities directed or assisted by foreign governments \nagainst private U.S. companies aimed at obtaining commercial secrets \nrelated to critical technologies.\n    While the Byrd Amendment expanded required reporting on Committee \nactions, few reports have been submitted to the Congress because \nwithdrawing and refiling notices to restart the clock has limited the \nnumber of cases that result in a presidential decision. Between 1997 \nand 2004, only two cases--both involving telecommunications systems--\nresulted in a presidential decision and a subsequent report to the \nCongress. Infrequent reporting of Committee deliberations on specific \ncases provides little insight into the Committee?s process to identify \nconcerns raised during investigations and determine the extent to which \nthe Committee has reached consensus on a case. Further, despite the \n1992 requirement for a report on foreign acquisition strategies every \nfour years, at the time of our work there had been only one report--in \n1994. However, another report, in response to this requirement, was \nrecently delivered to the Congress.\n    In conclusion, the effectiveness of Exon-Florio as a safety net \ndepends on how the broad scope of its authority is implemented in \ntoday's globalized world--where identifying threats to national \nsecurity has become increasingly complex. While Exon-Florio provides \nthe Committee on Foreign Investment in the United States the latitude \nto define what constitutes a threat to national security, the more \ntraditional interpretation fails to fully consider factors currently \nembodied in the law. Further, the Committee guidance requiring reviews \nto be completed within 23 days to meet the 30-day legislative \nrequirement, along with the reluctance to proceed to an investigation, \nlimits agencies' ability to complete in-depth analyses. However, the \nalternative--allowing companies to withdraw and refile their \nnotifications--increases the risk that the Committee, and the Congress, \ncould lose visibility over foreign acquisitions of U.S. companies. The \ncriterion for reporting specific cases to the Congress only after a \npresidential decision contributes to the opaque nature of the \nCommittee's process.\n    Our 2005 report laid out several matters for congressional \nconsideration to (1) help resolve the differing views as to the extent \nof coverage of Exon-Florio, (2) address the need for additional time, \nand (3) increase insight and oversight of the process. Further, we \nsuggested that, when withdrawal is allowed for a transaction that has \nbeen completed, the Committee establish interim protections where \nspecific concerns have been raised, specific time frames for refiling, \nand a process for tracking any actions being taken during a withdrawal \nperiod. We have been told that some of these steps are now being taken.\n    Madam Chairwoman, this concludes my prepared statement. I will be \nhappy to answer any questions you or other Members of the Subcommittee \nmay have.\n\nScope and Methodology\n    Our understanding of the Committee's process is based on our 2005 \nwork but built on our review of the process and our discussions with \nagency officials for our 2002 report. For our 2005 review, and to \nexpand our understanding of the Committee's process for reviewing \nforeign acquisitions of U.S. companies, we met with officials from the \nDepartments of Commerce, Defense, Homeland Security, Justice, and the \nTreasury--the agencies that are most active in the review of \nacquisitions--and discussed their involvement in the process. Further, \nwe conducted case studies of nine acquisitions that were filed with the \nCommittee between June 28, 1995, and December 31, 2004. We selected \nacquisitions based on recommendations by Committee member agencies and \nthe following criteria: (1) the Committee permitted the companies to \nwithdraw the notification; (2) the Committee or member agencies \nconcluded agreements to mitigate national security concerns; (3) the \nforeign company had been involved in a prior acquisition notified to \nthe Committee; or (4) GAO had reviewed the acquisition for its 2002 \nreport. We did not attempt to validate the conclusions reached by the \nCommittee on any of the cases we reviewed. To determine whether the \nweaknesses in provisions to assist agencies in monitoring agreements \nthat GAO had identified in its 2002 report had been addressed, we \nanalyzed agreements concluded under the Committee?s authority between \n2003 and 2005. We conducted our review from April 2004 through July \n2005 in accordance with generally accepted government auditing \nstandards.\n    This is a work of the U.S. government and is not subject to \ncopyright protection in the United States. It may be reproduced and \ndistributed in its entirety without further permission from GAO. \nHowever, because this work may contain copyrighted images or other \nmaterial, permission from the copyright holder may be necessary if you \nwish to reproduce this material separately.\n\n    Ms. Jackson Lee. I thank all the witnesses, and I thank you \nfor your testimony.\n    I will remind each member that he or she will have 5 \nminutes to question the panel.\n    Let me also acknowledge the presence of Congresswoman \nEleanor Holmes Norton. We thank her for her presence here.\n    And, Mr. Bilirakis, we thank you.\n    Before I recognize myself for questioning, without \nobjection, I would like to insert into the record the \nCongressional Research Service report on ``Exxon-Florio Foreign \nInvestment Provision Overview of H.R. 556,'' from February 27, \n2007, and Ms. Calvaresi-Barr's GAO report No. 05686.\n    See committee file.\n    Ms. Jackson Lee. I will now recognize myself for questions.\n    First, Mr. Baker, I am interested in ensuring, this \ncommittee, I would hope is interested, and the full committee, \nChairman Thompson and the ranking member, Mr. King, in being \nvigorous in anything that we do.\n    I think when we look at incidences like Madrid and like the \nLondon bombing, we know that, as I said earlier, we are \ntelegraphed in what might happen.\n    Tell me how vigorous the Department of Homeland Security is \nin this process and, tell me, what is the missing element?\n    You, obviously, are the point person, meaning your office, \nwhen the call comes in that we are now engaged in the process. \nWe have a transaction. The participants are anxious and we need \nto move quickly.\n    What is the framework that is used? And you might also \nanswer, what is missing?\n    Mr. Baker. Madam Chairman, thank you very much. It is an \nexcellent question.\n    First, I should say we encourage companies to tell us long \nbefore they file that they are contemplating a transaction, so \nthat we can begin our work well before the 30 days begins, \nbecause 30 days is not enough time for a complex transaction \nwith serious concerns. So often we will get the call well \nbefore a filing date.\n    But as soon as we get the call, we will assign one of our \nCFIUS experts to the case. They will being doing research on \nit. We will gather open source information about the \ntransaction.\n    We will also alert the intelligence community and let them \nknow about the transaction. We will let Bob Stephan know about \nthe transaction so that they can begin looking at it, as well.\n    Once we get back some basic information on the parties to \nthe transaction, the nature of the field, we will begin doing \nour analysis from the point of view of what our existing \nauthorities are, what existing authority do we have to regulate \nthe company to make sure that it does maintain high security \nstandards.\n    If we think that there may be some gaps in our authority \nunder existing law to address all of the potential concerns, we \nwill begin asking, ``Well, do we need a mitigation agreement to \naddress those concerns?''\n    After 21 days, we will get an intelligence report that \ntells us whether there are any particular concerns about the \ncompany, its management, its ownership, the governments that it \nhas close relationships with, and that will allow us to focus \nvery carefully on particular threats.\n    At that point, we will put forward a mitigation agreement, \nif we think it is necessary, and often we will negotiate these \ndeep into the night and overnight, because we usually have \nfewer than 3 or 4 days to get agreement on those.\n    While we can extend that, typically, a week or less is how \nlong we will spend negotiating any agreement.\n    Ms. Jackson Lee. I appreciate that scenario. What is \nmissing? These agreements, these MOUs, are they missing, not \nincluded? Tell us what is missing.\n    Mr. Baker. We are very glad that the House and this \ncommittee are looking hard at mitigation agreements, because, \nin fact, the statute doesn't have anything to say about \nmitigation agreements, even though we rely on them very \nheavily.\n    The statute didn't contemplate them. They are something \nthat we have added to the process.\n    The new bill that is being considered here in the House \nwould add the recognition of those agreements and give them \nforce and enforceability in ways that will be very helpful to \nus.\n    Ms. Jackson Lee. Thank you.\n    Colonel Stephan, do you think, in the work that you do, \nthat we are not as conversant with the idea that critical \ninfrastructures are vast and that there is a need for extensive \noversight to ensure that elements that may include foreign \ninvestment are important to engage and to be able to assess the \ndanger that they might pose?\n    Colonel Stephan. Yes, ma'am. We are very intricately \ninvolved with the process led by the policy office under the \nleadership of my friend, Mr. Baker, here.\n    I have dedicated an increasing number of my staff and an \nincreasing amount of my time and energy actually to coalescing \na specialized team of experts, infrastructure analysis, to deal \nwith this issue.\n    I consider to be a very significant issue, something that \nwe have to study very carefully and we have to provide the \nleadership in terms of the analytical piece.\n    One person that is missing here that is a key part of all \nthis is Assistant Secretary Charlie Allen, with the INTEL and \nthe threat slice. We have jointly agreed to combine a certain \namount of our staff capability to focus on this problem.\n    In addition to the organic capability that we have in the \ndepartment between Charlie Allen and I, depending on the nature \nof the infrastructure sets or subsets involved in any potential \ntransaction, we also, through our guys, provide further \noutreach to the Department of Energy, Department of Defense, \nDepartment of Transportation, Commerce, others, to bring more \nanalytical focus to the problem.\n    My piece of this isn't really too full. I have to determine \nwhat the possible vulnerabilities are on a sector-by-sector \nbasis and on a cross-sector basis in terms of any proposed \ntransaction and, secondly, I have to determine what the \nrippling, cascading consequences might if we have a bad actor \nthat is, in fact, engaged in a process to acquire a particular \ninfrastructure or system of infrastructures of concern to us.\n    Again, more and more brainpower from within my shop, more \nand more cases, we see the caseload growing about 20 percent to \n30 percent a year over the past couple of years. So lots more \ntime and talents from my shop focused on this, ma'am.\n    Ms. Jackson Lee. Quickly, Ms. Calvaresi-Barr, we can't \nafford missteps, I believe, in this process, and I think \noversight is important. What would you consider the major \nmisstep or need for improvement pursuant to your report?\n    Ms. Calvaresi-Barr. I think that, as I mentioned before, it \nappears that there are certain changes that are currently under \nway.\n    I think some of the biggest concerns that we had are the \nfactors that are considered when you look at a threat to \nnational security and I think with the introduction and the \ninvolvement of the Department of Homeland Security in the \nprocess now, they have brought a new view to that and I think \nsome of those things that were considered previously by the \ncommittee as sort of outside of the scope of Exxon-Florio are \nnow getting increased attention as a result.\n    And I would like to just second what Mr. Baker said in \nterms of DHS's involvement in the process. We definitely did \nsee more rigor, even in our 2005 review, over monitoring \ncompliance with the agreements and putting some teeth into \nthose agreements. So we were pleased to see that.\n    In terms of what is missing, you can see that in 2005, we \nhad a number of findings and we had a number of concerns around \nnot only the factors looked at, but the sufficiency of time and \nthe extent to which these cases made it to a full \ninvestigation.\n    Since we haven't done work since that time period, I am not \nquite sure how things have improved, but I think we have heard \nhere today from some of the recent numbers that the number of \nfilings are up and, certainly, the number of mitigation \nagreements also appear to have increased.\n    But, again, GAO has not looked at the implementation of \nsome of those actions since our 2005 work.\n    Ms. Jackson Lee. I thank the witness.\n    And I yield to the distinguished gentleman from California, \nMr. Lungren.\n    Mr. Lungren. I thank you very much, Madam Chairwoman.\n    Secretary Baker, you mentioned that you folks are the \njunior ones, that is, most recently formed. You didn't exist \nwith the CFIUS process first started.\n    One of the concerns some people expressed during the Dubai \ncontroversy was whether or not the DOD and Homeland Security \nwere sufficiently--their concerns were sufficiently taken into \naccount.\n    How does the process work in that the secretary of treasury \nis the top guy? And the legislation we have that would make the \nhomeland security secretary the vice chair of that, something \nwe think is good, but is that mere window dressing or would \nthat actually make a difference in terms of the way the \nconsiderations are made and the final decision is made?\n    Mr. Baker. Thank you, Ranking Member Lungren.\n    Treasury is the chair and I know there have been times in \nthe past when treasury has been criticized as taking into \naccount too much the concerns of investors and not enough the \nconcerns of national security agencies.\n    We have no complaints of that sort. The Treasury Department \nhas been an evenhanded and fair-minded broker as difficult \nissues have been thrashed out.\n    The House bill does propose, I think, to make the \nDepartment of Homeland Security a vice chair of the committee. \nTo tell the truth, we have doubts about how valuable that would \nbe in terms of putting us in a different position from the \nposition we are in now.\n    We have a substantial amount of authority to pursue our own \ninterests and where the entire government has to be involved. \nWe have to persuade the rest of the agencies that we are right \nand I don't think any of that would change if we were the vice \nchair.\n    Mr. Lungren. Can you tell me how many DHS employees work on \nCFIUS issues?\n    Mr. Baker. It would be hard to give you an exact number, \nbecause we rely heavily on other parts of the agency, but it is \ncertainly in double figures. We have a number that work \ndirectly for me. HITRAC has dozens of people who, at one time \nor another, we would draw on for this.\n    Mr. Lungren. Do you need additional resources in order to \ndo this job, since we are having an increase in the number of \napplications and considerations?\n    Mr. Baker. We have increased our resources for this and I \nbelieve the 2008 budget request from the administration also \nreflects the request for additional resources.\n    So, yes, we would be delighted to get more resources.\n    Mr. Lungren. When CFIUS was first created under President \nFord, at his direction, we were still in the Cold War. We \nbasically were looking at other countries with an aspect \ntowards their alignment in the Cold War.\n    We now have a situation in which international terrorism is \na major concern, if not the major concern. Things can change \nquickly in terms of governments, in terms of the political \ndynamic in a particular country.\n    Is there a review process such that after a review has \ntaken place, with or without mitigation agreements, that 2 or 3 \nyears down the line, we take into consideration the change in a \ngovernment or the change in the influence of terrorist \noperatives with respect to particular economic interests that \nmay be involved with an agreement that has been made?\n    Mr. Baker. That is a very good question. If the transaction \nwas passed without a mitigation agreement, the general view has \nbeen we should not let markets think that we will be constantly \ninterfering in the transaction.\n    In fact, the principal reason people file in CFIUS is to \nget the good housekeeping seal of approval that means we won't \ngo back and reopen the deal.\n    But if there has been a mitigation agreement, we do have \nauthority to go back and see how it has been performed.\n    Mr. Lungren. How do you enforce that?\n    Mr. Baker. Well, we have been writing in tougher and \ntougher provisions to these agreements and--\n    Mr. Lungren. So how do you enforce the tougher and tougher \nelements?\n    Mr. Baker. Well, we can order people to obey. These days, \ntypically, we will ask for fine authority up to 15 or 20 or 30 \npercent of the actual value of the transaction, which certainly \nconcentrates people's minds.\n    In very rare cases--\n    Mr. Lungren. Has that ever occurred?\n    Mr. Baker. Have we ever assessed a fine?\n    Mr. Lungren. Yes.\n    Mr. Baker. No, we have not.\n    Mr. Lungren. Have we ever threatened to assess the fine?\n    Mr. Baker. We have not had to threaten to assess the fine, \nbut we have had circumstances in which someone we believed had \nnot been fully compliant with past agreements, where that has \nbeen a factor in our decision to say, ``You know, this next \ntransaction you want to do, don't do it.''\n    Mr. Lungren. Thank you very much, Madam Chairwoman.\n    Ms. Jackson Lee. Thank you very much, Mr. Lungren.\n    I am now pleased to yield 5 minutes to the distinguished \ngentlelady from New York, Ms. Clarke.\n    Ms. Clarke. Thank you, Madam Chair, Ranking Member Lungren.\n    Good morning to each of you, and thank you for your \ntestimony here today.\n    As the world economy increasingly globalizes, it is \nimportant that the United States pay close attention as to how \nthis could impact on our homeland security.\n    I come from New York City. I am a native New Yorker and it \nis indeed the most global city on the earth. Every day, as \nmarkets shift, as companies buy and sell goods and services, as \nnew businesses open and old companies are sold, there is more \ninternational commerce in New York than anywhere else.\n    Therefore, the issue of foreign ownership's impact on \nhomeland security is not just a question of protecting our \nhomeland, but for me and my constituencies, also a question of \nprotecting my hometown.\n    Though CFIUS was created to ensure that foreign investment \nor ownership of U.S. companies and infrastructure would not \nadversely affect America's security, the debacle that occurred \nlast year over management of U.S. ports puts the work of CFIUS \ninto question.\n    At that time, the nation learned that the approval process \nis highly secretive, that there is little input from the \noutside or no input from Congress.\n    We also learned that the process must happen so quickly \nthat the committee often fails to perform full investigations.\n    If this is not changed, someday a detail will be missed and \nAmerica's security will be put at risk.\n    Mr. Baker, I want to ask, we have heard from your testimony \nthat disagreement over the definition of national security has \nled to enforcement problems. In the past, some members of CFIUS \nhave felt that it is OK to allow a foreign company to have \nsensitive government technology and other secrets and have \ndecided that CFIUS should not get involved in an industrial \npolicy concern.\n    Other members of the group, such as DOD, have had strong \nreservations about this information getting out.\n    How does the department define national security in this \ncontext?\n    Mr. Baker. Thank you, Representative Clarke. My hometown \ntoo. I went to PS-196.\n    I think that that is an excellent question and one that \neach agency, at the end of the day, answers for itself. So I \ncan only speak for the Department of Homeland Security.\n    We take a very broad view of what national security \nentails. WE have to ask how could a creative enemy use this \ncapability, this investment against us and what can we do to \nmake sure that we have made the company and the assets as \nsecure as possible after the transaction.\n    And we are not limited to a Cold War view of national \nsecurity or a purely governmental view of national security. If \nwe think the terrorists could misuse access to an asset by \nvirtue of a transaction, then we will ask for action to make \nsure that that security hole is closed.\n    Ms. Clarke. Has there been any discussion about whether, in \nfact, a standard, a bar should be set amongst the agencies that \nwould interact with respect to these transactions?\n    Mr. Baker. That has been discussed, but there are some \ndifficulties with that from both the point of view of the \npeople who have a narrower view of national security and from \nour point of view, as well.\n    Homeland security concerns a lot of things. The food supply \nof the country, obviously, implicates homeland security. But \nthat doesn't mean that we want to regulate every time a farm is \nbought by somebody from outside the country and we wouldn't \nwant to imply that we were. At the same time, we wouldn't want \nto exclude agriculture and farming from our definition of \nhomeland security.\n    So we have had to play it, to some extent, by ear and be \nflexible about particular transactions. So I would not suggest \nthat we set a standard, because we could end up constrained by \nit or creating something that arouse unnecessary fears in \ninvestors.\n    Ms. Clarke. And let me just ask, are you at all concerned \nabout foreign companies and governments having control over \nhighly sensitive American technology?\n    Mr. Baker. Yes. You have to look at the particular \ntechnology. We are an importer of technology, as well as a \ndeveloper of technology these days and we want to be able to \ninvest abroad in technology firms.\n    But there are some technologies where the U.S. has a lead \nand it is important to our security and we should continue to \nmaintain that lead.\n    Ms. Clarke. Thank you for your responses to these \nquestions. And I did detect a little New York accent.\n    Thank you, Madam Chair.\n    Ms. Jackson Lee. Thank you for your constructive \nquestioning, Ms. Clarke, and thank you for your noting your \nrelationship between the PSes around here, public schools.\n    Mr. Lungren. Could I ask a question, as a westerner? Is \nthere a single New York accent? I am surprised.\n    Ms. Clarke. I think Brooklyn kind of supersedes every other \npart of the city.\n    Ms. Jackson Lee. We will make sure the clerk is getting \nthat exchange. Thank you.\n    Mr. Bilirakis, I don't know if there is a Pennsylvania \naccent, but we are delighted to yield to the distinguished \ngentleman for 5 minutes.\n    Mr. Bilirakis. We have got a little Florida, a little \nPennsylvania, a little Greek, whatever works. Thank you.\n    Ms. Jackson Lee. And it is Mr. Bilirakis of Florida, as he \nhas noted.\n    Mr. Bilirakis. Although my dad is from Pennsylvania.\n    Ms. Jackson Lee. I know that.\n    Mr. Bilirakis. Secretary Baker, I have one question.\n    In your written testimony, you state that the Committee on \nForeign Investment in the United States' authority is limited \nto investigations of mergers, acquisitions or takeovers by or \nwith foreign persons that could result in foreign control, or \npersons engaged in interstate commerce in the United States.\n    You have touched on this. Should the committee's authority \nbe expanded and if so, do you have any recommendations on \nexpansions of that authority which could be beneficial to the \nreview process?\n    Mr. Baker. On the whole, expanding the authority would \ngreatly expand our workload and the concerns among investors in \nwhether their transactions are going to be covered, and I am \nnot sure it would give us much more clout in investigating \nrisks to national security.\n    We have the authority to say, ``You are calling this a \nlease, but we think it is, in fact, an acquisition. You are \ncalling it a loan. We think it is really an acquisition.''\n    So we have a fair amount of authority where we think \nnational security is involved and that there really is a \ntransfer of control. And so we have not felt that we needed \nmore authority to investigate a number of things that could \nturn out simply to be ordinary commercial transactions.\n    Mr. Bilirakis. Thank you.\n    Thank you, Madam Chair.\n    Mr. Lungren. Would the gentleman yield? If I could ask a \nquestion on your time of Mr. Garcia.\n    That is a concern that I and other members of this \ncommittee and subcommittee have expressed over time has been \nthat both in the private and the public sector, we haven't \ntaken sufficient notice of the importance of cybersecurity, \nthat is, the cyber world embedded in so much of what we do.\n    Since that is a general observation, can you tell us \nwhether you are satisfied that CFIUS, as presently constituted, \nappreciates the role of the cyber world in these questions of \ncritical infrastructure and whether or not they have manifested \nthe technology understanding and fix to make those kinds of \nissues sufficiently reviewed in this overall process?\n    Mr. Garcia. Yes, sir. Thank you for that question, \nCongressman.\n    Yes, I am satisfied and I think it is important to note \nthat the threats and vulnerabilities facing our communications \nand cyber infrastructures are constantly evolving. So we need \nto constantly evolve our understanding and awareness of those \nvulnerabilities.\n    And my office, working in partnership with Secretary Baker \nand Secretary Stephan, looks really at two things. First, the \nextent to which an acquisition will result in or exacerbate \nvulnerabilities in the communications or cyber infrastructures \nspecifically, but also the extent to which those cyber and \ncommunications infrastructures can be used to create \nvulnerabilities or threats against physical infrastructures.\n    As you alluded, our cyber and communications infrastructure \nis a foundation, an operational foundation for virtually every \none of the critical infrastructure sectors. We depend on those \ncommunications and cyber infrastructures in order for us to do \nour work in all of the others.\n    So to the extent that any acquisition may result in \nadditional vulnerabilities to those physical infrastructures \nthrough control systems or other vulnerabilities, we have a \ndirect role and have participated in the CFIUS process to \nidentify what those vulnerabilities are.\n    Mr. Lungren. I thank you.\n    I thank the gentleman for yielding the time to me. \nAppreciate it.\n    Mr. Bilirakis. Thank you, Madam Chair.\n    Ms. Jackson Lee. Thank you very much, Mr. Bilirakis.\n    I am now delighted to yield 5 minutes to the gentlelady \nfrom the District of Columbia, Ms. Eleanor Holmes Norton.\n    Ms. Norton. Thank you, Madam Chair.\n    Ms. Jackson Lee. Who is in a battle all of her own about \nthe critical infrastructure of voting. We look forward to that \nmoving forward.\n    Ms. Norton. That is going to be over soon with a victory.\n    Madam Chair, this is an important hearing and I am very \npleased you have called it and called our attention to it.\n    Just before I get to my CFIUS question, could you give me \nsome context here?\n    The context I need has a lot to do with the Open Skies \nTreaty, which is still very controversial in another of my \ncommittees. It is still is going nowhere, in part, because of \nsecurity concerns.\n    I think everybody has come to grips with the fact that this \nis both a global economy and a technological economy all \nhappening at the same time. We are talking about investments, \ntransactions that normally the government would have nothing to \ndo with. They have to occur in real time.\n    Give me some context. Does the United States have \nownership, a fair amount of ownership in the critical \ninfrastructure of other countries and if so, what have they \ndone to protect, quote, themselves, not from us, but form the \nsame concerns we have?\n    Mr. Baker. I don't have the exact figures, but, yes, I \nthink that, first, probably 80 or 90 percent of the critical \ninfrastructure of the United States is in private hands and \nsimilar numbers are probably true throughout the Western world, \nand a number of our companies are big investors abroad, whether \nit is IBM or General Electric.\n    They own large chunks of the infrastructure?\n    Ms. Norton. They must own those in countries that have not \nonly similar concerns, but, frankly, some of them certainly in \nEurope--\n    Mr. Baker. That is right.\n    Ms. Norton. --had more, if I can call it, experience with \nterrorism than we have.\n    Have you learned anything from them? Have they proceeded \nsmoothly in this way, with or without something comparable to \nCFIUS?\n    Yes, Ms. Barr?\n    Ms. Calvaresi-Barr. Yes. You might be interested to know \nthat we were pressed by Senate Banking to actually look at \nforeign direct investment in other countries, the extent to \nwhich other countries have national security reviews, are they \nsimilar to what the United States has? How do they differ, if \nthey differ? Are we being too rigorous, things of that nature.\n    So just I response to that, I think, clearly, other \ncountries do have national security reviews. From work that we \ndid previously on this issue, it is rather dated now and that \nis why we have been asked to come back in and look.\n    Some of them kind of look like our process. Others are \nlittle bit more rigorous and some are a little bit lighter.\n    So we are going to go back in and we are going to take a \nlook and do a current assessment of what those other national \nsecurity?\n    Ms. Norton. I would appreciate it. They have been more \nvulnerable and closer to the sources of concern and, in some \nways, they have been ahead of us on security, witness, what \nsomehow we took credit for, but clearly was entirely a British \nmatter and that is the plane or the terrorist that almost got \non the plane that came here.\n    They just caught him and it was extraordinary to see.\n    I really have questions about cybersecurity in light of the \npace of technology. I mean, it is kind of pitiful when we see \nCongress try to regulate in a technological area, because it is \nvery hard to do.\n    It is very hard to do, because whatever you are regulating \nright from under you can change and that is inevitable.\n    What concerns me is that given that changing pace, I would \nhave to assume, in the cybersecurity area, that the United \nStates of America is not always ahead of the game, ahead of the \ncurve.\n    I have no reason to believe that other science, for \nexample, in the technological area is not, in some cases, even \nmore advanced.\n    Let me just give an example that has no relevance. I \nunderstand that Southern Europe laughed at our cell phones, \nbecause they consider them so backward.\n    Perhaps we are further ahead when it comes to other \ntechnology or the technology we are concerned about. But I have \nno reason to believe that we are ahead in terms of the \nscientific thinking of the Japanese, the Chinese or the \nEuropeans.\n    So here we are looking at cybersecurity at a moment in time \nand I understand what you said about not essentially monitoring \nthis every other moment. So with the changing nature of \ntechnology, with the unknown there, I am not sure why we should \nfeel secure in the cybersecurity area, unless there is some way \nto keep track of whether people who are--if you will forgive \nme--ahead of us I a number of technological areas, why we \nshouldn't assume that all kinds of things could happen that no \none even dreamed of, not investigated, even dreamed of.\n    That is what technology is about today.\n    If you would tell me why I should feel safe and secure in \nlight of those changes, I would be happy to hear it.\n    Mr. Garcia. Yes, Congresswoman, I would be delighted to \ntake a stab at that.\n    First of all, my belief is that the United States is the \nmost technological innovative country in the world.\n    Ms. Norton. Well, you know what? That is the kind of hubris \nthat could get us in trouble. Even if that is the case, there \nis no reason to believe, given the changes and given our allies \nand some who are not our allies, that that is, indeed, what we \nare up against.\n    It seems to me, as security officials, your job is to \nassume the opposite, to assume that some other country, perhaps \nnot the most secure, for that matter, some other investor, \ncould get ahead of us, at least temporarily.\n    Would you give us at least that in the security area?\n    Mr. Garcia. Absolutely. And my next point was to be that \nwhile we are technologically innovative, so, too, in the world \nof cybersecurity, are our adversaries.\n    We are acutely aware that there are increasing levels of \nsophistication among the adversaries as it pertains to the \nability to exploit vulnerabilities in our communications and \ncyber networks.\n    So we are constantly--it is, in fact, a technological chess \ngame. For every innovation that we have to better secure our \nnetworks, the hackers and other adversaries find ways to \nexploit--\n    Ms. Norton. See, how don't see you how you monitor that \nkind of stuff. Hackers, changes that are legitimate and that \nmay be trade secrets, I think--\n    Mr. Garcia. We are constantly monitoring networks for \nanomalous activity and analyzing what types of vulnerabilities \nare being exploited with what attacks, but I hasten to add that \nthe issue of cyber and communications security is not just a \ntechnological one.\n    We can have the best technology in place, but if we don't \nhave appropriate systems and appropriate training of the people \nusing those systems, then we are not going to really be truly \nsecure.\n    Cybersecurity is really about three things: It is about \ntechnology, it is about people, and it is about process. And in \nthe CFIUS process, we are looking not only at the technological \nvulnerabilities, but some of the basic questions we ask are, in \nthis particular acquisition, does the acquiring or the acquired \ncompany have good cybersecurity policies in place?\n    Do they have a person who is in charge of implementing and \nenforcing those cybersecurity policies? Are there sufficient \ncontrols on access to the systems and on access to the data? Is \nthere good personnel security? Does the company or companies \nhave good background checks on possible insiders who could do \nmalicious attacks on the networks?\n    What about the physical or environmental security \nsurrounding a particular facility? What about employee \ntraining? Is everyone using the network fully aware of what \nthey should and should not do in managing their information and \ntheir computer systems?\n    Does the company have a good monitoring and incident \nresponse capability in the event something bad does happen? Do \nthey have a disaster recovery business continuity process?\n    Ms. Norton. So the major technological change that was not \ncontemplated either in the CFIUS review or, for that matter, in \nthe imagination, because that is where technology is going, and \nis there some way in which that would be either be detected or \nreported to you?\n    Mr. Garcia. We are constantly monitoring changes in \ntechnology and working with the private sector to identify the \nkinds of vulnerabilities that can--\n    Ms. Norton. So when somebody hacks into a system, would you \nknow that?\n    Mr. Garcia. Yes. In my organization is an operational \nstrike team, called the USCERT, the computer emergency \nreadiness team. This is a group of technical professionals who \nhave a network of outreach, incident response, situational \nawareness capabilities with other federal agencies, with other \nprivate sector operational capabilities, federal, state, local, \nand international partners.\n    So we are constantly, in real time, monitoring all of the \nactivity, as much as the activity as we can on networks and--\n    Ms. Norton. I appreciate your answer. Could I just ask \nwhether or not, Ms. Barr--since GAO has had an opportunity to \nlook at this system? If she could just respond.\n    Ms. Jackson Lee. Answer the gentlelady's question briefly.\n    Ms. Calvaresi-Barr. Yes. I would be happy to respond. I am \nnot a cybersecurity expert.\n    We reviewed the CFIUS process. I will tell you that the \ncases that we looked at, now rather dated, though, 1995 running \nthrough 2004, we did find instances where there were concerns \nraised about purchases of Internet backbone companies.\n    This predated a lot of DHS's involvement, because they \nweren't involved in those cases at the time. But I can tell you \nthat some of those foreign acquisitions did pose a threat, one \nthat didn't always get addressed to the satisfaction of other \nmembers of the committee or mitigated.\n    But I will note that I think the addition of DHS to the \nCFIUS committee has brought a new vigorous look in that area.\n    Ms. Norton. I want to thank you again, Madam Chair. And I \ndo want to say that I think this area deserves very special \noversight just because we are all talking about what we don't \nknow anything about.\n    It is the unknown that concerns me and I appreciate what is \nbeing done to close those concerns. And I appreciate it, again.\n    Ms. Jackson Lee. Well, the gentlelady from the District of \nColumbia probably has firsthand knowledge, as the gentlelady \nfrom New York, on what terrorism can do to a community and, \ncertainly, I believe these questions are valuable and \nimportant.\n    I am going to ask a few more questions in a second round \nand I respect my members, but my preface to this is this is the \nbeginning of a series of hearings because we believe in the \ncruciality of vigorous oversight.\n    Ms. Calvaresi-Barr, we may be posing to GAO a study after \nthe fact, which is to assess CFIUS with DHS engagement and \ninvolvement.\n    The three secretaries--and, Mr. Garcia, I am going to pose \na question to you, because I believe that there is such a nexus \nin the knowledge which most Americans probably would not know \nthat 80 to 90 percent of critical infrastructure is in private \nhands.\n    They also might not understand that there is a question of \nwhether or not investment should also be equated to \nacquisition. And I will be raising that question with Mr. \nBaker, because there are entities where there is an operational \nfactor, where there is a 70-or 80-year lease and the lease is \npaid up front.\n    There are questions that we have not, I think, asked or \nanswered.\n    I would also argue whether revenue and buying and selling \nis more important than the security of America. And before this \ntime, as Ms. Clarke has indicated, we are cities of commerce. \nWe compete to be cities of commerce. We compete to account, \nthrough local officials and others, we account for or seek \nbragging rights of how much foreign investors we can secure for \nour own community, to sometimes the disadvantage of our own \ncitizens who live here that we are willing to, for example, \nsell tow ropes and lease them up front--when I say ``sell \nthem,'' in a leasing procedure.\n    And having experienced not a manmade disaster, but a \nnatural disaster, right after Katrina, when Rita panicked the \nGulf region and we saw thousands upon thousands, Colonel \nStephan, of individuals trying to escape by way of cars.\n    If, by some chance, the foreign operator that road had \nanother idea, another scheme, another method of traveling on \nthat road or we don't want to alter or participate in your \nevacuation process, and that is for a natural disaster, then \nare we yielding to the buck of selling off roads and bridges, \nwhich I believe, under the present scheme of things, don't get \ncovered by CFIUS?\n    And I would imagine Mr. Garcia will say some aspects of \nwhat he does and I am going to pose this first question, Mr. \nGarcia, because you are crucial. I am thinking of companies \nthat are sending data from one foreign site into the United \nStates.\n    Again, that may be questionable whether CFIUS has some role \nin determining whether that transaction is breaching any \nsecurity, but it is using a very important aspect of critical \ninfrastructure.\n    So I would like to ask a question that, as you have stated, \nthe emerging threats to our infrastructure arising from \ncyberspace pose an interesting problem to contend with.\n    Can you please comment on how you see the CFIUS process \nevolving, especially software manufacturing and how it could \nmove to offshore locations, whereby malicious code could be \ninstalled and do you have any suggestions for how to address \nthese concerns?\n    Mr. Garcia?\n    Mr. Garcia. Yes, Madam Chairwoman, an excellent question.\n    The issue you refer to we call the globalization of \ninformation technology and the IT sector is extremely \nglobalized in terms of services, management, supply chain.\n    Recently, an interagency committee prepared a review of the \nglobalization of IT and the extent to which there are \nvulnerabilities in a global supply chain in which, as you \nsuggest, malicious code can be inserted into software that is \ndeveloped overseas.\n    And we are looking at that closely and talking to the \nsoftware industry, understanding that what is paramount is \nexactly how does a software company go about managing the \ndevelopment of software in a secure way, regardless of where \nthe software is developed.\n    Malicious code can be inserted anywhere by anyone along the \ndevelopment supply chain.\n    So what is of most importance is working with the industry \nto devise best practices for secure development of software and \nhardware systems that are being used in our critical \ninfrastructure.\n    Ms. Jackson Lee. I think there are many scenarios. Of \ncourse, we don't want to telegraph of provide incentives to \nterrorists, but even the question of foreign investment by the \nUnited States, United States companies, and they then have to \ncommunicate back to the home office or the home office has to \ncommunicate back to them in a foreign site, which then some \nmalicious code may undermine, for example, oil transactions or \nnatural resource needs, water needs.\n    Again, this, I believe, points out, from my perspective, \nthat the security of America is far more important, though we \nmust balance it with the making of a buck.\n    And my concern is or my question is, and let me have \nColonel Stephan in it, but let me let you finish, I am really \ncontemplating of a more vigorous role for DHS, Secretary Baker, \nin this process.\n    Secretary Garcia?\n    Mr. Garcia. Yes, ma'am. We 100 percent agree. The most \nimportant priority for the Department of Homeland Security is \nthe homeland security, regardless of who benefits from an \ninvestment.\n    We look very closely at both the communications and cyber \ninfrastructures as subjects of acquisition, but also how those \ninfrastructures can be used against other physical \ninfrastructures.\n    One of my organizations--\n    Ms. Jackson Lee. Do you believe we should be vigorously \ninvolved in this process?\n    Mr. Garcia. Yes, ma'am. One of my organizations is the \nnational communications system, which is responsible for \nensuring the availability of our communications infrastructure \nin times of national emergency, that our government decision-\nmakers actually have an ability to communicate in the event of \na national emergency.\n    To the extent that any acquisition, foreign acquisition of \ntelecommunications infrastructure would, by our analysis, \nthreaten our ability to have that communication in the event of \na national disaster of any sort, we would take the appropriate \nsteps to ensure that controls are put in place or not to permit \nat all.\n    Ms. Jackson Lee. Colonel Stephan, can you explain and give \nan example of how your office works with Secretary Garcia's \noffice to address and mitigate physical and cyber-related \nthreats to infrastructure, including any recent example that is \nnot classified?\n    Colonel Stephan. Yes, ma'am. In the CFIUS process that is \nthe subject of this hearing, again, my responsibility is \ncoordinating the infrastructure analysis or analytical \ncomponents--\n    Ms. Jackson Lee. So you are the firefighter that jumps into \nthe fire?\n    Colonel Stephan. I am an integrator and coordinator and \nsometimes I get burned in the process.\n    Ms. Jackson Lee. I don't want you to have that happen to \nyou. But when you get the call, you have to move forward to \nmake the analysis.\n    Colonel Stephan. Yes, ma'am. We make the analysis and we \ncall in, depending upon what the transaction involves, a cyber \ncomponent, a component of the energy sector. I bring in the \nDepartment of Energy, the Department of Defense, the defense \nindustrial base.\n    So I am a coordinator and integrator of a very complex \nballet across the United States for every one of these risk \nanalysis pieces.\n    We just completed a round of very important, I think, \npioneer work in terms of the public-private sector partnership, \nin my world, infrastructure protection. We now have 17 sector-\nspecific plans that reflect the 17 infrastructure sectors \ndesignated in HSPD-7.\n    My colleague here and his staff have the unenviable task of \nreviewing every single one of those plans to make sure that the \ncyber components specifically dealing with control, processes, \nmechanisms and protocols for physical infrastructures that have \na tremendous cyber component to each and every one them, was \nthoroughly involved in the process of developing the cyber \npieces of every chapter of those plans.\n    So I think that would be a very positive example of some \nvery comprehensive legwork that my partner, Assistant Secretary \nGarcia, and his team and some very valuable capability they \nadded into the fight.\n    So for our chemical plan, our nuclear energy sector plan, \nour energy sector plan, very large, his guys' eyes on every one \nof those individual prizes to make sure that the cybersecurity \ncomponent was embedded inside those physical infrastructure--\n    Ms. Jackson Lee. Colonel Stephan, we will be seeking copies \nof those plans and, frankly, you have laid out the agenda for \nthis committee. We will, in fact, be looking at all of those \nsectors and so you will be hearing from this committee to \nsecure those plans, as well.\n    I know the time--let me try to quickly go to Ms. Calvaresi-\nBarr and then to Mr. Baker. And I will let you finish, Mr. \nGarcia, because you may want to answer on how you coordinate \nwith Colonel Stephan.\n    But, Ms. Barr, I, frankly, believe that the DHS should be \nmore vigorous in this process. I am not going to hide the \nconcern that I have, because we are in a new day.\n    And I believe you mentioned, as I looked at your four \nelements, we will be writing GAO, because we would like an \nafter-the-fact assessment now that DHS is involved. We would \nlike a more detailed overview of how is it working.\n    But did I understand that a key enforcement provision was \nremoved which might disallow the president from reopening? Was \nthat your point or could you expand on how we might \nstrengthen--I don't want to undermine the president's role in \nsecuring the homeland.\n    And so if we don't have an enforcement provision, why don't \nyou share with us how we can strengthen that?\n    Ms. Calvaresi-Barr. Well, I think from some of the cases \nthat we have looked at, as I said, in the past reviews that we \nhad done, we had seen a couple of instances where certain \nmember agencies had asked that language be inserted in the \nmitigation agreement that said, ``If you do not comply with the \nagreement set forth within, the president has the authority to \nreopen and re-look under Exxon-Florio,'' and we saw a number of \ncases in which that was a debate among CFIUS members.\n    And in a few cases, allowing that provision in the \nagreement was struck. It didn't occur. I think we heard today \nthat this is one of the views and certainly the positions that \nHomeland Security is bringing to the table to say that that \nhelps strengthen and helps keep in place these agreements, the \nforce of compliance with them, and it is a good thing to put in \nplace.\n    Again, we haven't looked at any new cases since our 2005 \nwork, but I think we heard today that we are seeing more \ninstances in which the reopening of a case is being inserted in \nthose mitigation agreements.\n    That is something, again, we would have to look at if you \nasked us to do so.\n    Ms. Jackson Lee. Well, I think the point that you are \nmaking is through administrative deliberation and shifting, \ndecisions were made to eliminate that provision, which some of \nus might think that it is minimally a provision that provides \nthe extra enhanced security and as industries and purchasers \nand others become more comfortable with our role, I would think \nthat that should not be waived.\n    And one could say if we are selling candy, what could \nhappen, but I would suggest that the security, again, goes \nabove and alongside of the traversing of commerce.\n    For that reason, Secretary Baker, let me share with you a \npoint of CFIUS that, frankly, I wonder whether we have \nconsidered.\n    Investment, which, as I indicated to you, which Ms. Clarke \nhas indicated to you, we compete against cities, each other, as \nto how much investment we can secure.\n    One of the challenges that has occurred is that our states \nand local jurisdictions have begun to assess their revenue \nbases on how much investment they can get in selling off \ncritical infrastructure, to the extent that roads are being \nsold, happily so.\n    So if you have an investment that is a lease of 70 years, \nto my understanding, CFIUS does not assess whether or not that \nkind of transferring of operation, of control should have a \nreview.\n    That is investment. That is not acquisition.\n    Would you care to speculate that it might be valuable to \nhave some standards by which you could review that kind of \ninvestment?\n    Mr. Baker. I would not necessarily rule out the idea that \nif the lease was for sufficiently long, that it would be the \nequivalent of an acquisition. And I agree with you that when \nroads and other infrastructure are privatized, the nature of \nthe concern about how to protect homeland security changes, \nbecause you move from governmental control, which is often very \nconcerned about risks of that sort, to private control, where \nthe concerns are focused on making sure that the quarterly \nprofit projections are met.\n    And that simply changes the nature of the kinds of measures \npeople are willing to take. I don't know that it is limited to \nforeign investment. And so one of the questions is, is this a \nbroader question than simply looking at foreign investment?\n    Ms. Jackson Lee. Well, clearly, this committee will look at \na range of investments and certainly--and when I say that, we \nwill look at critical infrastructure and how it is protected \nand what kind of security, if you will, plans are in place.\n    So clearly that can be the case. This obviously is a \ncommittee hearing addressing the question of foreign ownership \nand we are moving forward because our next hearing will also \ninclude investment.\n    But I think you raise a very valuable question and that is \nthe question before this committee.\n    Let me conclude with Mr. Garcia--thank you, Secretary--to \nsimply let you answer the question I asked Colonel Stephan, how \nyou are coordinating with his discipline and his area under \nDepartment of Homeland Security, between the two of you, and \nparticularly as it relates to the question before this \ncommittee.\n    Mr. Garcia. Exactly as he said. We have important \nintegration with all of the 17 critical infrastructure sector-\nspecific plans.\n    My organization was responsible for working with the \nprivate sector in producing the IT and the communications \nsector-specific plans, but we, as Secretary Stephan said, have \nhad visibility and input into each of the other SSPs to ensure \nthat there is a consistent level of attention to the \ncybersecurity dimension of all of the critical infrastructures.\n    Ms. Jackson Lee. Thank you very much.\n    And with that, let me yield to the gentlelady, for 5 \nminutes, from New York.\n    Thank you.\n    Ms. Clarke. Madam Chair, thank you.\n    I just wanted to get one more question in here, because \nthis has to be something that I am sure each of you gives some \nscrutiny to.\n    Once we enter into these agreements, is there a monitoring \nprocess, because you may be talking about an acquisition, you \nmay be talking about a lease, but these are private entities \nthat now have ownership and stake, that would detect \ncorruption?\n    An individual was now hired as part of this process of \nmaybe managing a port or what have you, that becomes a \ncorruptible element after the transaction has been done.\n    Is there something that we do through CFIUS or any other \nmeans, through the agencies, Mr. Secretary, that would enable \nus to detect that in any real tangible way?\n    Mr. Baker. Yes, there is. We have really pioneered in the \nuse of audits, to go into companies long after they have signed \nthese agreements to say, ``Let me see your training. Let me see \nhow you are implementing this. What did you do in this \ncircumstance?''\n    We have the authority to do background checks on many of \nthe employees or to require that they be done at the company's \nexpense and any adverse information provided to us.\n    So we actually have built a lot of controls into the \nfollow-on process of making sure people live up to their \npromises.\n    Ms. Clarke. And then, finally, in the initial stage, where \nyou do your 30-day investigation, is that part of the due \ndiligence, as well, in terms of identifying personnel or \nindividuals who may have some shady dealings?\n    And knowing that it is a 30-day process, with an \nopportunity to extend to 45 days, do you feel that this is an \nadequate amount of time for all of the investigations or would \nyou recommend a different timeframe?\n    Mr. Baker. Yes. In terms of the timeframe, it often is not \nenough time. Frequently, it is. Let me first address your first \nquestion.\n    Yes. We ask the intelligence community, and that would \ninclude law enforcement, to check or any adverse information on \nany of the people that are critical to the transaction and when \nwe find adverse action, we will usually try to address it in \nthe mitigation agreement or simply by saying no to the \ntransaction.\n    In terms of time, it sometimes is not enough. This is why \nwe ask companies to come in early and tell us about the \ntransaction. If they don't, it certainly counts against them, \nin our estimation, when we are evaluating the 30-day clock.\n    We can always ask the company to withdraw the petition and \nto re-file it after we have worked out the issues between us.\n    We are willing to do that and we have done that fairly \noften. That gives us the flexibility that we need.\n    So we have not generally supported extending the deadlines \nfor fear that if you give a government agency 45 days to make a \ndecision, they will take 44 at least. And so just extending the \ndeadline will delay everyone and we didn't want to do that.\n    Ms. Clarke. Madam Chair, thank you very much.\n    Ms. Jackson Lee. We thank you for your very important \ncontributions.\n    Let me just close with a question, Mr. Secretary.\n    I indicated that we were going to ask GAO to do a fresh \nstudy, but you noted the very, I think, instructive criticisms \nor analysis that was already made on the CFIUS process.\n    Again, I said I am of the position that DHS needs to be \nmore vigorous.\n    You know, we have heard this massive debate about security, \nborder security. I always believe that what we missed out in 9/\n11 is that we were not offensive or we were not able to fend \noff before the terrorists arrived here on this soil.\n    We can always stand back after they have arrived, maybe we \nwould be even lucky enough to prevent it as they arrive or as \nthey begin to plan.\n    But wouldn't it be better to be away ahead of the game?\n    And so the criticisms that have been offered or the \nanalysis that has been offered by GAO I think maybe warrant \nsome legislative fixes.\n    One of them, however, is an annual report and I would like, \nfor the record, your assessment on that. And you might also \ngive me your assessment on the mitigation aspect, giving the \npresident the continuous authority to reopen, not a waivable \nauthority, which is a decision made by the CFIUS committee, \n``We will decide to keep it in or we will not.''\n    I, frankly, believe that it should not be left up to \nchance.\n    Secretary Baker?\n    Mr. Baker. Very good. Let me address the second one first.\n    On authority to reopen transactions, it has some appeal, I \nunderstand, but it would raise real questions among investors \nabout whether, if they made an investment in the United States \nand the climate changed in 10 years, their deals might be \noverturned.\n    We do have the authority, if they lie to us, if they leave \nout a fact that they know is important to us and they just \ndon't tell us, in the CFIUS process, we can reopen the \ntransaction and we think that gives us a lot of authority, the \nability to say ``You violated the agreement which led us to \napprove this deal. So we are reopening'' is also one which we \nuse fairly carefully, but which has stood us in good stead on \nvery important transactions.\n    And so I think the value of a continuing permanent \nauthority to reopen transactions is not offset by the risks to \ninvestments.\n    As far as GAO's report, I thought it was a very thoughtful, \ndetailed report. Many of those recommendations are things that \nwe are now doing one way or the other.\n    An annual report raises some concerns about confidentiality \nof these transactions. Investors do not want their deals and \nthe doubts and concerns and negotiations that went into them in \nthe newspapers often.\n    We would have to be very careful about how a report like \nthat would end up being used. But we are certainly not opposed \nto giving this committee as much information about CFIUS as you \nwould like.\n    Ms. Jackson Lee. Well, let me thank all of the witnesses. I \nwould simply suggest to you that having been part, in my past \nlife as a lawyer, practicing in a number of areas, been looking \nover many, many tables with document scattered and wondering \nwhether the deal legally was going to be consummated.\n    I understand what apprehension these proponents or \nparticipants in the transaction may believe, but clarification, \nprotecting the kind of data that would be in the report, I \nthink, frankly, information is a score of points when it comes \nto protecting the homeland.\n    And, frankly, I would like to see some way of managing that \nin a way that does not do damage to the commerce and the \ncomings and goings of business here in the United States.\n    Again, this hearing started with the premise that if a \nhorrific manmade tragedy were to occur, I think that a \ncombination of Department of Homeland Security and this \ncommittee, more than any others, would be asked the question, \n``Why,'' and that means it is crucial that we continue to have \nvigorous oversight.\n    You have given us this morning a very, very good roadmap to \nbegin this journey of reviewing critical infrastructure across \nAmerican and foreign ownership and investments, as well as, \ngenerally speaking, the critical infrastructure, which, \nSecretary Baker, you said 80 to 90 percent is in the private \nsector.\n    Good news, but yet we have a responsibility to secure the \nhomeland.\n    I would like to thank the witnesses for their valuable \ntestimony and the members for their questions.\n    The members of the subcommittee may have additional \nquestions for the witnesses. We will ask you to respond \nexpeditiously in writing to those questions, and we will have \nseveral.\n    And hearing no further business, this committee will stand \nadjourned.\n    As I also thank the ranking member, Mr. Lungren, who had \nanother meeting, and the members of this committee for their \npresence here today in this very important challenge.\n    Thank you. The meeting is adjourned.\n    [Whereupon, at 11:49 a.m., the subcommittee was adjourned.]\n\n                                 <all>\n\x1a\n</pre></body></html>\n"