[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]



 PARTNERING WITH THE PRIVATE SECTOR TO SECURE CRITICAL INFRASTRUCTURE: 
HAS THE DEPARTMENT OF HOMELAND SECURITY ABANDONED THE RESILIENCE-BASED 
                               APPROACH?

=======================================================================

                                HEARING

                               before the

                SUBCOMMITTEE ON TRANSPORTATION SECURITY
                     AND INFRASTRUCTURE PROTECTION

                                 of the

                     COMMITTEE ON HOMELAND SECURITY
                        HOUSE OF REPRESENTATIVES

                       ONE HUNDRED TENTH CONGRESS

                             SECOND SESSION

                               __________

                              MAY 14, 2008

                               __________

                           Serial No. 110-114

                               __________

       Printed for the use of the Committee on Homeland Security
                                     

[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]


                                     

  Available via the World Wide Web: http://www.gpoaccess.gov/congress/
                               index.html

                               __________






                     U.S. GOVERNMENT PRINTING OFFICE

43-939 PDF                 WASHINGTON DC:  2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office  Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800  Fax: (202) 512-2250 Mail Stop SSOP, 
Washington, DC 20402-0001


























                     COMMITTEE ON HOMELAND SECURITY

               Bennie G. Thompson, Mississippi, Chairman

Loretta Sanchez, California          Peter T. King, New York
Edward J. Markey, Massachusetts      Lamar Smith, Texas
Norman D. Dicks, Washington          Christopher Shays, Connecticut
Jane Harman, California              Mark E. Souder, Indiana
Peter A. DeFazio, Oregon             Tom Davis, Virginia
Nita M. Lowey, New York              Daniel E. Lungren, California
Eleanor Holmes Norton, District of   Mike Rogers, Alabama
Columbia                             David G. Reichert, Washington
Zoe Lofgren, California              Michael T. McCaul, Texas
Sheila Jackson Lee, Texas            Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin    Ginny Brown-Waite, Florida
Islands                              Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina        David Davis, Tennessee
James R. Langevin, Rhode Island      Paul C. Broun, Georgia
Henry Cuellar, Texas                 Candice S. Miller, Michigan
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey

       Jessica Herrera-Flanigan, Staff Director & General Counsel
                     Rosaline Cohen, Chief Counsel
                     Michael Twinchek, Chief Clerk
                Robert O'Connor, Minority Staff Director

                                 ______

 SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION

                 SHEILA JACKSON LEE, Texas, Chairwoman

Edward J. Markey, Massachusetts      Daniel E. Lungren, California
Peter A. DeFazio, Oregon             Ginny Brown-Waite, Florida
Eleanor Holmes Norton, District of   Gus M. Bilirakis, Florida
Columbia                             Paul C. Broun, Georgia
Yvette D. Clarke, New York           Peter T. King, New York (Ex 
Ed Perlmutter, Colorado              Officio)
Bennie G. Thompson, Mississippi (Ex 
Officio)

                     Erin Daste, Director & Counsel
                   Natalie Nixon, Deputy Chief Clerk
                 Coley O'Brien, Minority Senior Counsel

                                  (II)






























                            C O N T E N T S

                              ----------                              
                                                                   Page

                               Statements

The Honorable Sheila Jackson Lee, a Representative in Congress 
  From the State of Texas, and Chairwoman, Subcommittee on 
  Transportation Security and Infrastructure Protection..........     1
The Honorable Daniel E. Lungren, a Representative in Congress 
  From the State of California, and Ranking Member, Subcommittee 
  on Transportation Security and Infrastructure Protection.......     4

                               Witnesses

Colonel Robert B. Stephan, Assistant Secretary, Infrastructure 
  Protection, Department of Homeland Security:
  Oral Statement.................................................     7
  Prepared Statement.............................................     9
Mr. Jonah J. Czerwinski, Senior Fellow, Homeland Security, IBM 
  Global Leadership Initiative:
  Oral Statement.................................................    14
  Prepared Statement.............................................    15
Mr. Shawn Johnson, Vice Chairman, Financial Services, Sector 
  Coordinating Council:
  Oral Statement.................................................    17
  Prepared Statement.............................................    19
Mr. William G. Raisch, Director, International Center for 
  Enterprise Preparedness, New York University:
  Oral Statement.................................................    22
  Prepared Statement.............................................    24
Dr. Kevin U. Stephens, M.D., Director, Health Department, City of 
  New Orleans:
  Oral Statement.................................................    30
  Prepared Statement.............................................    33



























 
 PARTNERING WITH THE PRIVATE SECTOR TO SECURE CRITICAL INFRASTRUCTURE: 
HAS THE DEPARTMENT OF HOMELAND SECURITY ABANDONED THE RESILIENCE-BASED 
                               APPROACH?

                              ----------                              


                        Wednesday, May 14, 2008

             U.S. House of Representatives,
                    Committee on Homeland Security,
Subcommittee on Transportation Security and Infrastructure 
                                                Protection,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 2:22 p.m., in 
Room 311, Cannon House Office Building, Hon. Sheila Jackson Lee 
[chairwoman of the subcommittee] presiding.
    Present: Representatives Jackson Lee and Lungren.
    Ms. Jackson Lee [presiding.] Good afternoon. Let me thank 
the witnesses for their indulgence. The subcommittee will come 
to order.
    The subcommittee is meeting today to receive testimony on 
partnering with the private sector to secure critical 
infrastructure. Has the Department of Homeland Security 
abandoned the resilience-based approach?
    Importantly, this testimony will discuss what the Office of 
Infrastructure Protection has done to promote the concept of 
resiliency throughout the 17 critical infrastructure sectors.
    I am proud to convene today's hearing, which will focus on 
private sector participation in securing our Nation's critical 
infrastructure. Among our goals today is to determine the 
applicability of resilience to this mission, to what extent the 
Department is promoting it, and what we as a Congress can do to 
support these efforts.
    At the outset, I wish to thank Chairman Thompson for 
declaring May Resilience Month for our committee.
    In support of Resilience Month, today's hearing will focus 
on an area ripe with resilience-related issues. Perhaps nowhere 
is resilience more relevant to homeland security than the area 
of critical infrastructure protection, which I think could be 
more accurately termed critical infrastructure protection and 
resilience.
    After the attacks on September 11, most of the record $80 
billion in economic losses was suffered by the private sector. 
The consequences of Hurricane Katrina and Rita caused 
extraordinary damage, as well. The magnitude of the hurricanes' 
actual impact was rivaled only by the catastrophic failure of 
the Federal Government to adequately respond to the resulting 
suffering.
    I am proud to be focusing on critical infrastructure 
resilience, but I know that others have also advocated this 
position for some time. A task force of the Homeland Security 
Advisory Council on Critical Infrastructure released a report 
in 2006 stating that the focus should be shifted from 
protection to resilience, because it made a more convincing 
business case to companies.
    I might add that we want to hear from those here today to 
find a way to balance protection and resilience. I believe we 
can.
    The report said that resilience offers an effective 
metric--time--companies can measure how long it will be down in 
the wake of a particular disaster and can work to minimize that 
time. Resilience, I must say, is not capitulation, we in no way 
are saying that our guard should be taken down, to assert that 
we are mere political theater.
    Instead, we are honestly saying to the American people that 
we cannot protect everything all of the time. So if we are hit 
or one of our suppliers is hit, we plan to ensure that we can 
recover quickly so grave damage is not done to our economy.
    Our most recent examples--and we are very grateful that we 
have not had a terrorist attack since 9/11. We applaud all of 
the front-liners and certainly the Department of Homeland 
Security and the diligence of this Congress. But we also use as 
a backdrop of experience some of the tragedies that have 
occurred over the last couple of years.
    For example, Hurricane Katrina is a prime example of the 
lack of resiliency. Who knows what will happen with the 
terrible excess of tornadoes that have occurred over the last 
couple of days and last couple of weeks and the damage that has 
been done to major geographic areas, including the obliteration 
or elimination of a whole city?
    What is the resilience there? That is a very good example 
for us to use as a backdrop. What is the resilience in 
countries, of course, with different political systems? What 
will be the resilience of a China or a Burma?
    These are questions that we should be asking so that we are 
prepared for what may happen to us here in the United States.
    It is my belief that the Department should utilize 
resilience as a means of which to encourage private owners and 
operators to secure their infrastructure for three reasons.
    It requires the provision of information that demonstrates 
to companies that there is an actionable threat to their 
infrastructure.
    Most of the time, this information is not available and, as 
a result, companies do not see the justification of these 
expenditures in the absence of a threat.
    Related to the first, companies have been trained by this 
economy to have no expenditures that do not produce profit 
within a few months. Protective and preventative measures to 
defend against a terrorist act likely do not generate such a 
profit.
    Third, a focus on protection prevention is not measurable. 
We have no metric for quantifying whether something is 
protected. Without being able to quantify when enough is 
enough, industry is more reluctant to act.
    However, I might issue a warning: Failing to do this, 
failing to do this is the storybook tragedy for failure and for 
a long, drawn-out journey of recuperation. Look to see how hard 
the people of New Orleans are working, but because of the 
failed actions of the Federal Government, resilience, 
recuperation has been long in coming.
    A strategy based upon resilience is not a silver bullet, 
but it does support the critical infrastructure security 
objectives. Beyond encouraging preventative and protective 
measures, it asks companies to ensure that they can bounce back 
due to a disruption, which may include a terrorist attack.
    This will support communities' supply chains and our 
national psyche. Furthermore, a focus on resilience can 
increase the profitability of our companies. For example, a 
2007 report by the Council on Competitiveness, entitled ``The 
Resilient Economy: Integrating Competitiveness and Security,'' 
asserting that the 835 companies that announced a supply chain 
disruption between 1989 and 2000 experienced 33 percent to 40 
percent lower stock returns than their industry peers.
    Those companies that were resilient, and thus able to 
effectively deal with and bounce back from disruptions, were 
the ones which grew in market share and saw increased returns.
    In many ways, last week's full committee hearing was eye-
opening. I do believe that the Department is doing more with 
resilience than was mentioned at the hearing. I look forward to 
hearing from Assistant Secretary Stephan about those programs 
under his auspices, and where and why, and why not, and he sees 
resilience as being more effective.
    This committee has not shied away from promoting private-
sector security. The 9/11 bill passed last August included a 
voluntary private-sector preparedness accreditation and 
certification program.
    By no means is this program regulatory, but it does provide 
for a conversation between the Department and the private 
sector about security.
    Led by Chairman Thompson, we included language that called 
upon the Department to work with Sector Coordinating Councils 
under Assistant Secretary Stephan to develop the standards for 
the voluntary program.
    I look forward to hearing more about this program today and 
hearing whether the contemplated standards will include an 
element of resilience.
    This subcommittee is not interested in blame or bashing. 
This subcommittee cares only about securing our critical 
infrastructure and having a constructive dialogue with the 
Department.
    We believe that this hearing is a part of that dialogue and 
look forward to learning from Assistant Secretary Stephan and 
our other witnesses. Resilience may not be the silver bullet, 
but a real discussion about it may make us more secure in our 
days, weeks, months and years.
    Who knows? There may be legislative penalties for those who 
don't see this as a constructive aspect of their business. We 
have to be able to save lives; we have to be able to save the 
economy; we have to be able to move forward during this time of 
crisis. To do so, we need the involvement of the public and 
private sector.
    Once again, I would like to thank everyone for their 
participation today, and I look forward to hearing from each of 
the witnesses.
    At this time, I would like to enter into the record the 
2006 Homeland Security Advisory Council report on critical 
infrastructure. Hearing no objections, so ordered.*
---------------------------------------------------------------------------
    * The information has been retained in committee files.
---------------------------------------------------------------------------
    The Chair is now pleased to recognize the distinguished 
Ranking Member of the subcommittee, the gentleman from 
California, Mr. Lungren, for an opening statement.
    Mr. Lungren. Thank you very much, Chairwoman Jackson Lee.
    Thank you, members of the panel, for coming here to 
testify. But more importantly, thanks for the work that you 
have been doing.
    I certainly share the chairlady's interest and concern over 
the challenges this Nation faces to secure critical 
infrastructure. You probably know as well as anybody, those of 
you on the panel, it is an enormous job because of the 
thousands of critical infrastructure assets we enjoy, 
stretching from coast to coast and beyond.
    Pursuant to Homeland Security Directive 7, the Department 
of Homeland Security developed the National Infrastructure 
Protection Plan, NIPP, to identify these vital assets and 
coordinate protection efforts across 18 critical infrastructure 
sectors.
    Assistant Secretary Stephan, we thank you for the work that 
you have done in leading this effort on behalf of homeland 
security. Also, I recall when you came and asked for delay of 
its issuance until it met, by your judgment, the high standards 
that you thought were required.
    By identifying critical assets and interdependencies, 
coordinating risk-based protection programs, and ensuring 
information, the NIPP provides the blueprint, I believe, for a 
safer, more secure, more resilient America. It sets national 
priorities, goals and requirements for effective distribution 
of funding and resources to help ensure that our government, 
economy and public services continue in the event of a 
terrorist attack or other disaster.
    Because the private sector owns or operates approximately 
85 percent of the Nation's critical infrastructure, partnering 
with the private sector is absolutely essential. To a great 
extent, we found the private sector has focused on ensuring its 
systems and networks were resilient and able to withstand 
disruption, manmade or natural, because of commercial and 
economic benefits.
    I guess one of the questions we have is: How do we ensure 
that continues or, in those cases where it is tough to make it 
justified by the bottom line, how do we change the analysis so 
that people understand that to be important?
    After 9/11, when the financial markets quickly resumed 
normal activity, Homeland Security began fostering public and 
private partnerships to perfect our country's critical 
infrastructure, with each sector bringing strength to the 
partnership.
    The government provides access to critical threat 
information, and I think that is as important as anything else 
we do. If you don't have the proper information, it is very 
difficult to calculate what the threat is out there and very 
difficult for you to respond to that threat.
    The government also provides grants, which each sector 
controls its own security programs, research and development, 
and other resources that are more effective when shared.
    Another example, I believe, of the Department promoting 
resiliency is the creation of the National Infrastructure 
Simulation and Analysis Center. It identifies 
interdependencies, the consequence of infrastructure 
disruptions, and suggests remedial action across all critical 
infrastructure sectors.
    It just seems to me that the four key mission areas of the 
Department of Homeland Security--preventing, protecting 
against, responding to, and recovering from terrorist attacks 
or natural disasters--are equally important, whether we use the 
rubric of resiliency or not.
    I would prefer to prevent an attack, as I am sure we all 
would, rather than respond and recover from one. However, if 
there is another attack or natural disaster, we must ensure 
that the Department and its governmental and private-sector 
partners can respond to and recover from such an incident.
    So we thank you for being here. I look very much forward to 
the testimony from our witnesses.
    If I were still chairperson, I would invite you to speak. 
But a funny thing happened on the way to the ballot box a 
couple years ago.
    With that, I would yield back the balance of my time.
    Ms. Jackson Lee. The gentleman has yielded back his time.
    I welcome our panel of witnesses. Our first witness, 
Assistant Secretary Robert Stephan, was appointed to serve as 
the Assistant Secretary of Homeland Security for Infrastructure 
Protection in April 2005. In this capacity, he is responsible 
for the Department's efforts to catalogue our critical 
infrastructure and key resources and coordinate risk-based 
strategies and protective measures to secure them from 
terrorist attack.
    I would like to especially thank Colonel Stephan for his 
participation today. I understand--and he has been on and been 
between two international trips. I might say--I don't know if I 
want to say for the record, because he looks very well to me--
but we will put it in the record so that he is covered. He is 
fighting off jetlag.
    But he has always been very gracious in his relationship 
with this committee and the Congress but, more importantly, 
very dutiful and attentive to his responsibilities at Homeland 
Security. This committee recognizes and appreciates his 
dedication to the Department and this very important topic.
    Our second witness is Mr. Jonah Czerwinski. Jonah 
Czerwinski is Managing Consultant, Global Business Services at 
IBM, and a Senior Fellow for Homeland Security in IBM's Global 
Leadership Initiative.
    First, we are glad that the private sector has seen fit to 
establish such an initiative, and we look forward to hearing 
his testimony. He is responsible for developing policy, 
guidance for the global movement management campaign at IBM. He 
also served on the Council on Foreign Relations Study Group on 
Strategies for Defense Against Nuclear Terrorism.
    From 2001 to 2004, he directed the center's homeland 
security roundtable, which regularly convened senior homeland 
security leadership of the executive branch and Congress with 
leaders of the think-tank community, academia, and private 
sector to discuss critical homeland security issues. He is the 
primary contributor to the Homeland Security Blog, 
www.hlswatch.com.
    Our third witness is Mr. Shawn Johnson. Mr. Johnson is a 
Managing Director of State Street Global Advisors. He is the 
Chairman of the SSGA Investment Committee and Director of 
Institutional Fiduciary Services.
    Shawn is also a member of the State Street Corporation's 
Major Risk Committee, as well as the SSGA's independent 
fiduciary committee, and the SSGA Tuckerman Real Estate 
Investment Committee.
    In addition to managing SSGA's team of economists and 
strategists, Shawn oversees SSGA's advanced research center, 
product engineering, as well as private equity investments, 
including CitiStreet, Wilton, ABCM, and SSGI Italy.
    He is also responsible for SSGA's merger and acquisition 
activities globally. Additionally, Shawn is currently the Vice 
President of the Financial Services Sector Coordinating 
Council, the private-sector organization that coordinates 
homeland security issues with Federal and financial regulators.
    We need not go any further than 9/11 to recognize the 
impact on the financial services industry, particularly Wall 
Street, to know how important the testimony is today.
    Our fourth witness is William Raisch, Director of the 
International Center for Enterprise Preparedness, Intercep, at 
New York University. He founded the center with initial funding 
from the U.S. Department of Homeland Security, as the world's 
first academic research center dedicated to private-sector 
emergency preparedness and resilience.
    His work with Intercep focuses on the development of actual 
strategies and policies in this arena through active engagement 
of key stakeholders. Topical concentrations reflect an emphasis 
on the what and the why of resilience and include best 
practices, standards, metrics, assessments, information flow, 
public-private partnerships, and the economic impact of 
resilience, including the role of incentives for business.
    In addition to strong involvement with the U.S. business 
sector, the center has an international outreach actively 
working with a diversity of multinational corporations, as well 
as representatives from various national governments and NGOs 
globally.
    You are welcome.
    Our fifth and final witness is Dr. Kevin Stephens, Health 
Director for the city of New Orleans. He has served in this 
position since 2002. His responsibilities for public health in 
New Orleans include managing six divisions and 30 programs, 
encompassing a wide range of health issues.
    Dr. Stephens served as Health Director both before and 
after Katrina and knows firsthand the importance of health care 
infrastructure resiliency.
    Dr. Stephens serves on the clinical faculty of Xavier 
University, Dillard University, LSU Medical School, and Tulane 
Medical School. He is a member of the Louisiana Bar Association 
and has worked as a consultant to many local and State and 
Federal agencies.
    It is my great hope, Dr. Stephens, that as we know that you 
are certainly wanting to commend and celebrate the great 
progress that has been made in New Orleans--and let me, for the 
record, acknowledge that--I want you to be, if you will 
unabashedly forward and forceful on the state of the health 
infrastructure in New Orleans.
    I will place in the record my appreciation and respect for 
the hard work that the people of New Orleans and the municipal 
leaders have engaged in. Today, however, we want the raw facts 
of where you are today.
    So I welcome all of the witnesses. Without objection, the 
witnesses' full statements will be inserted in the record.
    I now ask each witness to summarize his statement for 5 
minutes, beginning with Assistant Secretary Stephan.
    You are recognized and welcome for 5 minutes.

 STATEMENT OF COLONEL ROBERT B. STEPHAN, ASSISTANT SECRETARY, 
   INFRASTRUCTURE PROTECTION, DEPARTMENT OF HOMELAND SECURITY

    Colonel Stephan. Thank you, Madam Chairwoman, Ranking 
Member Lungren. I appreciate the opportunity to be before you 
today.
    I also appreciate your ongoing leadership and focus in this 
very important subset of the homeland security overall mission 
area. I know you have heard previous testimony from some of my 
department counterparts, as well as key private-sector 
stakeholders, on this topic.
    I also hope from my heart that you received a resounding 
``no'' from them in response to the question that is titling 
this hearing, ``Has the Department of Homeland Security 
abandoned the resiliency-based approach?''
    This is not about abandoning a resiliency-based approach. 
The Department fully embraces the concept of resiliency. It is 
not about protection versus resiliency. It is about both.
    It is about achieving an appropriate balance, Madam 
Chairwoman, as you said in your opening statement. That is what 
this is all about, because we understand the incredible 
necessity of being able to absorb an attack of Mother Nature, 
of Al Qaeda, or some other emergency, and being able to 
respond, recover, reconstitute quickly.
    But we also feel that, in some cases, some of the more 
extreme advocates of the resiliency construct dismiss the 
importance of an upfront prevention and protection piece that 
absolutely has risk as a critical component so that we can 
direct our energies and resources appropriately.
    We cannot afford to protect everything, but we cannot 
simply stand by and protect nothing. So we have to do things in 
advance, and we have to do things after the fact to make sure 
that we are saving American lives, limiting disruption to the 
economy, and getting American society back on its feet as 
quickly as possible. That is what this debate is all about, 
from my perspective.
    Our focus on the Nation's critical infrastructure includes 
actions to mitigate overall risk to assets, systems, networks, 
functions, and their interconnecting linkages resulting from 
any type of hazard, whether it be a terrorist attack, and 
attack by Mother Nature, or a major safety incident.
    This includes actions to deter threats, mitigate 
vulnerabilities, and minimize consequences. Protection can 
include, in the scope of a national infrastructure protection 
plan, a wide range of activities, such as hardening facilities, 
building resiliency redundancy, incorporating hazard resistance 
into facility or system or network design, initiating active or 
passive countermeasures, installing security systems, promoting 
workforce security programs, and implementing cyber measures, 
among various other precautions.
    There cannot be a one-size-fits-all approach, as some would 
advocate. Rather, we have devised a national-level approach 
based on a combination of consideration that reflects an 
understanding of vulnerabilities, interdependencies, and 
priorities in this all-hazards context.
    We view protection as an overarching risk management 
strategy that is supported by very important and specific 
congressional and executive branch authorities that fully 
acknowledge the concept of resiliency where it offers the best 
solution to managing a particular set of risk at the facility, 
system, sector, or enterprise level.
    Since the 9/11 attacks, we have made significant efforts to 
define the scope of work required to establish the processes 
and mechanisms to secure and mitigate the vulnerability of our 
infrastructures, ensuring their functionality and resiliency in 
a post-attack or post-incident mode, as well.
    Because the private sector owns and operates most of the 
Nation's infrastructures, DHS has pursued a framework in which 
government and the private sector work together with our State 
and local partners in a common approach to set goals and 
priorities, identify risks, assign roles and responsibilities, 
allocate resources, and measure progress across this framework. 
The concept of resiliency is absolutely critical across this 
framework.
    We also recognize that adopting, however, a one-size-fits-
all construct would possibly create a very important imbalance. 
Specifically, we must make sure that our approach incorporates 
a resiliency-based response and recovery component, as well as 
an upfront risk-based, risk-directed prevention and protection 
component.
    The chemical, nuclear and energy sectors are prime examples 
of the need to balance our concern about infrastructure 
restoration after an incident, with our ability to prevent the 
release of dangerous chemical substance in the populated areas 
in the context of these sectors.
    After all, preventing the loss of American lives, innocent 
lives, must remain our No. 1 goal and concern. Our efforts and 
accomplishment to date, in partnership with many others, 
reflect this need for a balanced approach between prevention, 
protection, and resiliency.
    In June 2006, we released the National Infrastructure 
Protection Plan, again, a balanced approach between resiliency, 
protection, response and recovery activities, and upfront 
prevention.
    The NIPP addresses the importance of resiliency over 52 
times throughout the course of the document, and it is the 
national unifying framework for understanding and managing 
risks to our Nation's critical infrastructures.
    The 17 critical infrastructure plans that were promulgated 
about a year ago are the product of 18 months of joint effort 
by CIKR owners and operators, State and local, tribal and 
territory officials, and Federal officials to make sure that we 
get this right.
    The diversity of the sectors means that different types of 
protection activities may be most effective for each. Certain 
sectors are most likely to embrace resiliency as an overarching 
approach, given their inherent characteristics, while others 
may focus on specific types of physical protection or 
cybersecurity or rapid response, to minimize consequences.
    Ma'am, I appear with your staff on multiple occasions 
various elements of the sector-specific plans. Just to 
highlight some examples, in banking and finance, resiliency 
integrated in 48 times, communications sector 55 times, dams 10 
times, defense industrial base 14 times, energy 34 times, I.T. 
24 times, postal and shipping 23 times, transportation 86 
times, water 20 times.
    The construct and concept of resiliency, working in 
partnership with upfront, risk-based protection, prevention is 
thoroughly engrained, embedded and indoctrinated into all the 
national-level strategies and plans that we have been working 
on for the past 3 years.
    In addition, I brought a copy of the National 
Infrastructure Protection Plan appropriately marked with all 
the resiliency pieces of the puzzle flagged for your staff to 
look at.
    I brought recently, last night issued, while I was flying 
back from overseas, our national hurricane analysis that really 
focuses on pre-event, pre-landfall hurricane infrastructure 
impacts, as well as what we think might happen post-landfall, 
passed that out to our private-sector counterparts.
    We recently promulgated the critical infrastructure, 
resiliency, protection, security, information sharing annex to 
the national response framework that we will use to guide 
ourselves and the Nation through hurricane season, as well as a 
terrorist attack.
    Finally, pandemic influenza across the 17 critical 
infrastructure sectors, in a guide that we built with the 
private sector, to highlight the need to focus on this type of 
pestilence from a resiliency perspective.
    So I believe that the documents alone at the national level 
speak to the effort that we have put in to making sure we get 
this right and to achieve the balance that you spoke to at the 
beginning of the conversation.
    Ma'am, those are my opening remarks. We look very much 
forward to the discussion and the dialogue with you today and, 
again, appreciate your collective leadership on this issue.
    [The statement of Colonel Stephan follows:]
                Prepared Statement of Robert B. Stephan
                              May 14, 2007
    Thank you, Chairwoman Jackson Lee, Ranking Member Lungren, and all 
of the distinguished members of the subcommittee. I appreciate the 
opportunity to address you on the role of the Office of Infrastructure 
Protection (IP) and our many partners, including the private sector, in 
securing and enhancing the resiliency of the Nation's critical 
infrastructure and key resources (CIKR). I know you have heard from my 
counterparts within the Department of Homeland Security on this topic, 
and I trust you have also received from them a resounding ``No'' in 
response to the question titling this hearing, ``Has the Department of 
Homeland Security Abandoned the Resilience-Based Approach?'' Since we 
have been in the process of adjusting to a major change in the American 
way of life since September 11, 2001, I think it is fair to say that 
there is resilience built into practically everything that the 
Department of Homeland Security (DHS) does. In fact, DHS defines 
resilience as ``the ability to recover from, or adjust to, adversity or 
change.'' I would like to focus today on how IP works with its partners 
to ensure that a comprehensive, multifaceted framework exists to 
support the partnership dedicated to securing and enhancing the 
resiliency of the Nation's CIKR.
    I believe that a recent article in the publication Foreign Affairs 
provides a good explanation of what we mean by ``resiliency.'' The 
article stated that there are four factors, that when committed to in a 
sustained manner, result in resilience.\1\ The first is robustness, the 
ability to keep operating or stay standing in the face of disaster. 
Second is resourcefulness, which involves skillfully managing a 
disaster once it unfolds. Third is rapid recovery, defined as the 
capacity to get things back to normal as quickly as possible after a 
disaster. Fourth is the statement that resilience means having the 
ability to absorb the new lessons that can be drawn from a catastrophe. 
Again, I think that DHS' efforts to date reflect these tenets, and, 
particularly for the CIKR protection mission, a sustained commitment is 
an absolute requirement of all members of the partnership.
---------------------------------------------------------------------------
    \1\ ``America the Resilient,'' Stephen E. Flynn, Foreign Affairs, 
March/April 2008.
---------------------------------------------------------------------------
    The CIKR protection mission includes actions to mitigate the 
overall risk to assets, systems, networks, functions, or their 
interconnecting links resulting from exposure, injury, destruction, 
incapacitation, or exploitation. In the context of the National 
Infrastructure Protection Plan (NIPP), this includes actions to deter 
the threat, mitigate vulnerabilities, or minimize consequences 
associated with a terrorist attack or other incident. Protection can 
include a wide range of activities, such as hardening facilities, 
building resiliency and redundancy, incorporating hazard resistance 
into the design of a facility, initiating active or passive 
countermeasures, installing security systems, promoting workforce 
surety programs, and implementing cyber security measures, among 
various others. There cannot be a one-size-fits-all approach to CIKR 
protection, and we have to devise a strategy based on a combination of 
considerations that reflects an understanding of vulnerabilities, 
interdependencies, and priorities in an all-hazards context. We view 
protection as an overarching risk-management strategy that fully 
acknowledges and supports the concept of resiliency where it offers the 
best solution to managing a particular risk or set of risks.
    Since 9/11, significant efforts have been underway to define the 
scope of work required to establish the processes and mechanisms to 
secure and mitigate the vulnerability and ensure the functionality of 
CIKR across our country. The private sector has made substantial 
investments to boost resiliency, increase redundancy, and develop 
contingency plans. To support these efforts, the Department has 
provided nearly $14.8 billion in risk-based grant funding--with another 
$2.5 billion to be distributed this year--to deter threats, reduce 
vulnerabilities, and build resiliency.
    Because the private sector owns and operates most of the Nation's 
critical infrastructure, DHS has successfully pursued a voluntary 
partnership approach, where government and the private sector work 
together under a common framework to set goals and priorities, identify 
key assets, assign roles and responsibilities, allocate resources, and 
measure our progress against national priorities. As important as 
resiliency is to a number of our critical sectors, we recognize that 
adopting a ``one-size-fits-all'' solution could create an imbalance. 
The chemical, nuclear and energy sectors are prime examples of the need 
to balance our concerns about infrastructure restoration after an 
incident, with our ability to prevent the release of dangerous 
substances into populated areas. Preventing the loss of human life must 
remain our No. 1 goal. Our efforts and accomplishments to date in 
partnership reflect this need for a balanced approach.
    In June 2006, DHS released the NIPP, the overarching goal of which 
is to ``Build a safer, more secure, and more resilient America by 
enhancing protection of the Nation's CIKR to prevent, deter, 
neutralize, or mitigate the effects of deliberate efforts by terrorists 
to destroy, incapacitate, or exploit them; and to strengthen national 
preparedness, timely response, and rapid recovery in the event of an 
attack, natural disaster, or other emergency.'' The NIPP, which uses 
the word ``resiliency'' or a variant of it over 50 times, is the 
national unifying framework for understanding and managing the risk to 
the Nation's infrastructure through the creation of partnerships with 
the private sector. The 17 CI/KR Sector Specific Plans (SSPs) required 
under the NIPP were issued on May 21, 2007. They are the product of 
almost 18 months of joint effort by the CI/KR owners and operators; 
State, local, territorial and tribal governments; and the Federal 
Government to identify and address sector specific risks and implement 
tailored risk strategies, to include tailored resiliency components.
    Specifically, the NIPP provides the coordinated approach to 
establish national CIKR priorities, goals, and requirements so that 
Federal funding and resources are applied in the most effective manner 
to reduce vulnerabilities, deter threats, and minimize the consequences 
of terrorist attacks, natural disasters, and other incidents. It 
provides an integrated, risk-based approach to focus Federal grant 
assistance to State, local, and tribal entities, and to complement 
relevant private sector activities. It clearly identifies roles and 
responsibilities of all partners, and includes mechanisms to involve 
private sector partners in the planning process and supports 
collaboration among security partners to establish priorities, define 
requirements, share information, and maximize the use of finite 
resources. The NIPP serves as the unifying framework to ensure that 
CIKR investments are coordinated and address the highest priorities, 
based on risk, to achieve the homeland security mission and ensure 
continuity of the essential infrastructure and services that support 
the American government, economy, and way of life.
    Achieving the NIPP goals requires meeting a series of objectives 
that include understanding and sharing information about terrorist 
threats and other hazards, building security partnerships, implementing 
a long-term risk management program, and maximizing the efficient use 
of resources. IP focuses on programs, projects, and activities that are 
aligned with the NIPP's objectives of Identification and Analysis, 
Coordination and Information Sharing, and Risk Mitigation Activities. 
This framework and its goals are foundational to what IP does. Every 
day, we work with State, local, tribal and territorial leaders and with 
private sector owners and operators to pursue a common goal of securing 
the Nation's CIKR against terrorist attacks, natural disasters and 
other emergencies.
    The NIPP provides a Sector Partnership Model through which such 
coordinated planning and program implementation can take place. The 
SSPs, developed under the umbrella of this Partnership, reflect the 
entire range of activities intended to accomplish the goal of security 
and resiliency for the sectors, and by doing so, increased 
preparedness. While this may sound like a relatively basic undertaking, 
it represents probably the first time that the government and the 
private sector have come together on such a large scale--literally, 
across every major sector of our economy--to develop a joint plan for 
how to protect and prepare our CIKR for natural and terrorist-related 
incidents. The SSPs define roles and responsibilities within each 
sector, catalog existing security authorities, institutionalize 
security partnerships already in place; and set clear goals and 
objectives to reduce risk, much of which also helps to prepare for 
disasters and set the stage for a resilient approach.
    The diversity of the CIKR sectors means that different types of 
protection activities may be most effective for each. Certain sectors 
are most likely to embrace resiliency given their inherent 
characteristics, while others may focus more on specific types of 
physical protection or training or rapid response to minimize 
consequences; most represent a combination of various approaches. Some 
examples of activities focusing on resiliency include:
   In May of each year, the National Infrastructure 
        Coordinating Center (NICC), the 247 watch center for 
        coordination and communication with the CIKR sectors, 
        disseminates a series of documents to the CIKR sectors, which 
        includes scenario-driven hurricane impact analyses prepared by 
        the National Infrastructure Simulation and Analysis Center 
        (NISAC).
     This year, NISAC has prepared 10 separate scenario 
            analyses for simulated hurricanes making landfall in 
            regions at high risk based on historic hurricane activity, 
            population, and potential CIKR impacts. These pre-season 
            analyses are intended to assist the CIKR sectors with 
            enhanced situational awareness and response and recovery 
            planning, based upon simulated impacts to each CIKR sector 
            in those geographical areas, as well as a better 
            understanding of cross sector interdependencies.
   Currently, 24 States have active Water/Wastewater Agency 
        Response Networks (WARN) organizations, with eight more 
        scheduled to develop WARN organizations by the end of the third 
        quarter of 2008. The WARN system development is a direct result 
        of the sectors third goal from the SSP ``Maintain a Resilient 
        Infrastructure.''
   The Communications SSA, the National Communications System 
        (NCS), participates in various programs that are aimed at 
        building awareness or educating a greater community about the 
        problem of critical infrastructure assurance and resiliency.
     An example, the Route Diversity Forum periodically helps 
            educate NCS member departments and agencies about improving 
            communications resiliency.
     To reach out to the broadcast industry, NCS works through 
            the Federal Communications Commission (FCC), trade 
            associations, and the FCC's Media Security and Reliability 
            Council, which is developing best practices to ensure 
            optimal reliability, robustness, and security of broadcast 
            facilities. The NCS also is reaching out to other sectors 
            with which it shares interdependencies and is assisting 
            them in reviewing how their plans address communications 
            interdependencies.
   As part of the Nation's electricity supply infrastructure, 
        the nuclear sector works with regulators and other security 
        partners to ensure that full operations are resumed as safely 
        and quickly as possible following an incident which requires a 
        supply reduction. Furthermore, the sector is working with its 
        security partners to address medical radioisotope supply 
        resiliency in the event of a disruption in the radioisotope 
        supply chain.
     Under the auspices of its SCC, the Nuclear Sector has 
            completed a pilot of its proposed Prompt Notification 
            program. The Prompt Notification capability will prepare 
            the sector and nearby CIKR assets to defend against a 
            geographically coordinated terrorist attack by providing a 
            real-time mechanism for emergency communications to the 
            Nuclear Sector, Federal entities, and critical 
            infrastructure community partners in the vicinity of a 
            security incident. This program will provide immediate 
            situational and operational awareness in the event of an 
            incident, and to enable more effective response and system 
            restoration.
   The Commercial Facilities Sector represents one of our most 
        diverse sectors. Yet, under the NIPP, it has come together 
        through its SCC, in recognition of its shared risk and shared 
        interest in protecting its assets. The participation within its 
        council shows that there is a strong business case to be made 
        for making investments of this kind. The companies and 
        facilities that take steps to protect assets and plan for 
        emergencies are often the ones that can more quickly recover 
        from a disruption. Joint activities for this sector include:
     The Commercial Facilities Sector Specific Agency 
            collaboration with the Meridian Institute during their 
            development of the Southeast Region Research Initiative), 
            which includes the Community & Regional Resilience 
            Initiative. These initiatives are intended to develop the 
            processes and tools needed for communities and regions to 
            achieve their highest measurable levels of resilience 
            against disruptions resulting from natural and man-made 
            disasters. Focus is placed on the ability to quickly return 
            citizens to work, reopen schools and businesses, and 
            restore the essential services needed for a full and swift 
            economic and social recovery. Selected cities in the 
            Southeast Region are participating in these initiatives. 
            The ultimate goal of this effort is to strengthen the 
            capability to withstand, prevent, and protect against 
            significant multi-hazard threats so that a community, 
            State, and region, and its private sector partners, can 
            rapidly restore critical services, re-establish the area's 
            economic base, and return to ``normal'' as quickly and 
            effectively as possible.
     DHS conducting site assistance visits that incorporated 
            industry feedback into a set of educational reports that 
            owners and operators can use to identify vulnerabilities.
     DHS providing security training as well as courses on 
            increasing terrorism awareness around commercial 
            facilities. To date, DHS has provided a total of 408 
            courses for the private sector.
     Joint participation in major exercises covering terrorism, 
            hurricane preparedness, and pandemic planning.
     Joint working group between DHS and the National 
            Association for Stock Car Auto Racing (NASCAR) produced a 
            planning guide for mass evacuation and a template for 
            NASCAR facilities to use in coordinating with State and 
            local stake holders and planning. The partnership at each 
            of these sessions included private sector, State, local, 
            Federal partners.
   The Chemical Sector has numerous programs and initiatives 
        which increase the Sector's resiliency. In particular the 
        Sector's dedication to exercises enables the preparation 
        necessary for a real incident.
     The Chemical Sector has participated in numerous national-
            level exercises including Top Officials (TOPOFF) and 
            National Level Exercise 2-08 (NLE 2-08). The Chemical 
            Sector was active in the Cyberstorm II exercise with a 
            dozen private sector participants. Exercises like Cyber 
            Storm II build not only response capability, but also 
            strong organizational and individual connections that help 
            ensure the prevention and mitigation of attacks against our 
            critical systems and networks.
     Developed the Pandemic Flu Guideline for the Chemical 
            Sector--This Annex to the Pandemic Influenza Preparedness, 
            Response, and Recovery Guide for Critical Infrastructure 
            and Key Resources will assist the Chemical Sector plan for 
            a severe pandemic.
   The Dams SSA is participating in the development of a pilot 
        study on regional disaster resilience and risk mitigation for 
        the Columbia River Basin. This effort is conducted in 
        collaboration with the Pacific Northwest Economic Region 
        (PNWER), which leads the coordination efforts. The focus of the 
        pilot is on interdependencies and the cascading impacts 
        associated with disruptions of dams, locks, and levees along 
        the Columbia River Basin. In the event of natural disasters, 
        man-made events, aging infrastructures, and sub-standard 
        conditions, failure of these key assets could affect maritime 
        transportation, energy, agriculture, manufacturing, the overall 
        economy, health and human safety, and national security. The 
        goal of this multi-year effort is to identify a holistic 
        approach with States, localities and relevant key public and 
        private stakeholders.
    As per the National Response Framework, the Office of 
Infrastructure Protection has also instituted the Infrastructure 
Liaison (IL) to provide the private sector a vital resource during 
disasters, in part by enhancing the communications that are so vital to 
resilient systems and sectors. The IL acts as the principal advisor to 
the Joint Field Office Coordination Group regarding all national and 
regional CI/KR incident-related issues and assists the Principal 
Federal Official in the prioritization of protection and restoration 
efforts. The IL coordinates CI/KR-related issues and actions with the 
appropriate Emergency Support Functions (ESFs) and other State and 
local components represented in the JFO, providing valuable reach-back 
to DHS headquarters and the operational components of the National 
Operations Center (NOC), including the NOC Watch, the NICC, and the 
National Response Coordination Center (NRCC). Additionally, the IL 
provides impacted private sector partners with an established mechanism 
and process to address requests for information and assistance, either 
directly or via the NICC, in compliance with applicable policies and 
laws.
    Finally, the CIKR sectors just completed participation in National 
Level Exercise (NLE) 2-08, which involved both a hurricane making 
landfall and a chemical terrorism threat. The exercise provided the 
opportunity for all participants to assess where they have or need 
redundancy for business continuity, and the ability to deal with 
significant potential power outages and distribution systems 
disruptions.
    Additionally, we focus on CIKR with the activities of the Homeland 
Infrastructure Threat and Risk Analysis Center (HITRAC), a joint 
infrastructure-intelligence fusion center with the Office of 
Intelligence and Analysis (OI&A). HITRAC analyzes and monitors risks to 
U.S. CIKR, allowing IP to provide DHS decisionmakers, the Federal CIKR 
community, owners and operators of CIKR, as well as State, local, and 
tribal and territorial authorities with actionable analysis and 
recommendations to manage risk. Analytical products are developed at 
the asset, sector, region, and national level and provide an 
understanding of the threat, CIKR vulnerabilities, the potential 
consequences of an attack, and the effects of risk-mitigation actions.
    Again, protection can include a wide range of activities. There 
cannot be a one-size-fits-all approach to CIKR protection, and we work 
with a variety of partners in a dynamic risk landscape to prioritize 
activities and devise a strategy based on a combination of 
considerations that reflect an understanding of vulnerabilities and 
interdependencies in the all hazards context. We view protection as an 
overarching risk management strategy that fully acknowledges and 
supports the concept of resiliency where it offers the best solution to 
managing a particular risk or set of risks. The NIPP and its supporting 
SSPs chart the path forward for continuous improvement of security and 
resiliency of our critical infrastructures, and the focused activities 
of IP in concert with all of our CIKR partners ensures their 
preparedness.
    Thank you for your attention and I would be happy to answer any 
questions you may have at this time.

    Ms. Jackson Lee. I thank the Assistant Secretary. Without 
objection, we will put his entire testimony, including his 
documents, in the record.
    Thank you again. I now recognize Mr. Czerwinski to 
summarize his statement for 5 minutes.
    Welcome.

   STATEMENT OF JONAH J. CZERWINSKI, SENIOR FELLOW, HOMELAND 
           SECURITY, IBM GLOBAL LEADERSHIP INITIATIVE

    Mr. Czerwinski. Given the unique risks of 21st century, 
resiliency is a necessary goal. The balance you spoke of is 
key.
    I am a senior fellow at IBM's Global Leadership Initiative, 
where I work on public-sector homeland security challenges from 
a private-sector perspective, much of it on resilience. For the 
past 15 months, I have worked on a framework for strengthening 
commerce, security and resiliency.
    Today, I would like to touch upon three things. First, 
resilience and its definition, which can be an elusive concept, 
meaning different things to different stakeholders; second, the 
unique role served by the private sector; and, third, a 
recommendation for how DHS can engage the private sector in 
making this a more resilient Nation.
    Chairman Thompson said that we all have a role to play, 
because resilience is the responsibility of the Federal 
Government, States and localities, academia, and the private 
sector.
    The first step toward accomplishing this is establishing an 
agreed-upon vision for how we as a Nation can become more 
resilient. That vision rests upon a clear understanding of what 
is meant by resilience.
    Resilience is the ability to reduce the risk and impact of 
a terrorist attack or disruption, while also improving the 
facilitation of trade and travel. In the context of natural 
disasters, resilience enables people closest to the crisis to 
act, provides them with the authorities and information 
necessary to succeed, and employs an effective governance 
framework.
    However, redundancy is not resiliency. Having costly back-
up systems or two of everything is the easy, yet most expensive 
way for infrastructure to bend and not break.
    Finally, the private sector is an asset first and a 
vulnerability second. It is an asset because the goods, people, 
conveyances and information that comprise private-sector 
activity interact at critical nodes that must be both protected 
and viewed as a source of resilience.
    This is a critical step toward being able to make the case 
for private-sector engagement and to establish the form of 
partnership this committee rightly calls out as a priority.
    At IBM, we have been working on the issue of resilience in 
the global trade system for the past several years. We found 
that the global trade system can be organized and viewed as a 
circulatory system of goods, people, conveyances, money and 
information.
    While many things that move through our systems of 
transportation, immigration and trade are monitored a lot, 
isn't monitored at all, even fewer things are monitored in 
conjunction with one another. Yet it is those linkages that 
often give us the clearest picture of what is going on and what 
might be going wrong.
    A robust framework that embraces the fundamental complexity 
and networked nature of these systems will identify critical 
interrelationships, inefficiencies, and vulnerabilities across 
the flows. Staying within the stovepiped systems puts our 
competitiveness and possibly our security at risk.
    IBM recently released our paper, entitled ``Global Movement 
Management: Commerce, Security, and Resilience in Today's 
Networked World,'' in which my co-authors and I outline an 
analytical framework we developed to strengthen the global 
trade system by helping to identify and address vulnerabilities 
in and across the elements that make up our global movement 
system. It brings those interrelationships into focus.
    This framework requires a partnership between the 
government and the private sector, because it involves an 
integrated and evolving mix of preemptive, preventive, 
preparatory and responsive measures across three vital areas: 
human capital, technology, and governance.
    Individuals within companies and governments face 
increasingly complex choices about how to perform and address--
how to improve performance and address risk.
    Strategic human capital requires leaders to employ emerging 
techniques for managing in a networked environment, some of 
which are highlighted in my written statement.
    We also need to change how we use technology to seek 
efficiencies. By sharing greater volumes of information, 
companies and governments can take advantage of open-source 
techniques to drive innovation and help make the global systems 
more efficient, resilient and secure.
    Governance in this context requires that participants in 
the global movement systems embrace a more comprehensive set of 
factors to understand and a means by which to organize their 
efforts to address the actual risks, costs and benefits that 
accrue to an organization in today's networked environment.
    Our research shows that organizations have successfully met 
the challenges of organizing efforts across national 
boundaries, but not yet across sectors.
    In summary, to create a system in which security 
improvements and performance improvements are not mutually 
exclusive, but mutually reinforcing requires a partnership 
between the owners and operators of this movement system and 
the Federal homeland security enterprise.
    For this reason, today's hearing represents a productive 
step forward. With a common vision, better information, with 
the right technology and well-trained government and commercial 
employees who are empowered to take action, a more resilient 
Nation is within reach.
    Thank you very much for having me. I look forward to your 
questions.
    [The statement of Mr. Czerwinski follows:]
               Prepared Statement of Jonah J. Czerwinski
                              May 14, 2008
    Chairwoman Jackson Lee, Ranking Member Lungren, distinguished 
Members of the subcommittee, I am pleased to appear before you today. I 
commend you on your leadership to focus on a resilience-based approach 
to securing the homeland. Given the unique risks of the 21st century, 
resilience is a necessary goal.
    I am a Senior Fellow with IBM's Global Leadership Initiative where 
I work on public sector homeland security challenges from a private 
sector perspective, much of it on resilience. I am also Managing 
Consultant for IBM's Global Business Services practice. For the past 15 
months I have worked on a framework for strengthening commerce, 
security, and resiliency.
    Today, I thought it would be useful to focus on three things.
   First, really defining resilience, which can be an elusive 
        concept meaning different things to different stakeholders;
   Second, the unique role served by the private sector; and
   Third, a recommendation for how DHS can better engage the 
        private sector in making this a more resilient Nation.
    Chairman Thompson said that ``we all have a role to play'' because 
resilience is the responsibility of the Federal Government, States and 
localities, academia, and the private sector.
    The first step toward accomplishing this is establishing an agreed 
upon vision for how we as a Nation can become more resilient. That 
vision rests upon a clear understanding of what is meant by resilience.
                         i. defining resilience
    Resilience is the ability to reduce the risk and impact of a 
terrorist attack or disruption while also improving the facilitation of 
trade and travel. In the context of natural disasters, resilience 
enables people closest to the crisis to act, provides them with the 
authorities and information necessary to succeed, and employs an 
effective governance framework.
    Resilience helps to avoid unintended consequences: Resilience--if 
done right--affords the decisionmaker the enhanced ability to focus 
response efforts on the part of the system that is actually stressed 
and limits the risk of over-reacting, which often times leads to 
unintended consequences.
    Many suggest that resilience is the ability to ``bounce back.'' And 
it is, but resilience is different from response and recovery.
    Redundancy is not resiliency. Having costly back-up systems or two 
of everything is the easy yet most expensive way for infrastructure to 
``bend and not break.'' If done correctly, resiliency is more akin to 
the concept of Intelligent Immunity that we put forth in the most 
recent IBM report on Global Movement Management, and which I'll touch 
upon in a moment.
                 ii. unique role of the private sector
    Finally, the private sector is an asset first, and a vulnerability 
second: It is an asset because the goods, people, conveyances, and 
information that comprise private sector activity interact at critical 
nodes that must be both protected and viewed as a source of resilience. 
This is a critical step toward being able to make the case for private 
sector engagement and to establish the form of partnership this 
committee rightly calls out as a priority.
    At IBM we have been working on the issue of resilience in the 
global trade system for the past several years. We found that the 
global trade system can be organized and viewed as a circulatory system 
of goods, people, conveyances, money, and information.
    While many things that move through our system of commerce are 
monitored to a greater or lesser extent, a lot isn't monitored at all. 
Even fewer things are monitored in conjunction with one another.
    And yet it is those linkages that often give us the clearest 
picture of what's going on and what might be going wrong.
    A robust framework that embraces the fundamental complexity and 
networked nature of these systems will identify critical 
interrelationships, inefficiencies, and vulnerabilities across the 
flows. Staying within a stovepiped system puts our competitiveness and 
possibly our security at risk.
  iii. a framework to support dhs leadership in building a resilient 
                                 nation
    IBM recently released our paper entitled ``Global Movement 
Management: Commerce, Security, and Resilience in Today's Networked 
World,'' in which my coauthors and I outline an analytical framework we 
developed to strengthen the global trade system by helping to identify 
and address vulnerabilities in and across the elements that make up our 
global movement system. It brings the interrelationships into focus.
    This framework requires a partnership between the government and 
the private sector because it involves an integrated and evolving mix 
of preemptive, preventive, preparatory and responsive measures across 
three vital areas: Human Capital, Technology, and Governance.
Strategic Human Capital
    Individuals within companies and governments face increasingly 
complex choices about how to improve performance and address risk. 
Individual managers and employees face unprecedented volumes of 
information, new technologies and competitive pressures that complicate 
their work. At the same time, in a networked economy, decisions made at 
the individual level can have increasingly global ramifications. 
Strategic human capital requires leaders to employ emerging techniques 
for managing in a networked environment. These techniques include 
improved collaboration, latitude to reach across and outside 
organizational boundaries, investment in organizational transformation, 
enhanced technology and, above all, greatly improved training.
Technology
    We need to change how we use technology to simplify work processes 
and seek efficiencies. By sharing greater volumes of information, 
companies and governments can take advantage of open-source techniques 
to drive innovation and help make global systems more efficient, 
resilient, and secure. Upstream companies can be better equipped to 
provide warnings of supply shortages or other disruptions before they 
affect downstream partners. Downstream companies can provide early 
warnings about demand or delivery disruptions to those upstream. 
Governments can augment counterterrorism efforts with more accessible 
commercial data while also providing a higher degree of protection for 
privacy and civil liberties than is currently the case.
Governance
    Governance in this context can be characterized by the lack of a 
coordinated approach that is necessary to address networked risk. Call 
this a ``governance gap.'' To bridge this gap, participants in the 
global movement systems need to embrace a more comprehensive set of 
factors to understand the actual risks, costs, and benefits that accrue 
to an organization in a networked environment. Moreover, participants 
need a means by which to organize their efforts to address these risks, 
costs, and benefits. Our research shows that organizations have 
successfully met the challenges of organizing efforts across national 
boundaries but not yet across sectors.
                               conclusion
    In summary, to create a system in which security improvements and 
performance improvements are not mutually exclusive, but mutually 
reinforcing, requires a partnership between the owners and operators of 
this global movement system and the Federal homeland security 
enterprise. For this reason, today's hearing represents a productive 
step forward.
    With a common vision, better information, with the right technology 
and well-trained government and commercial employees who are empowered 
to take action--a more resilient nation is within reach.
    Thank you.

    Ms. Jackson Lee. We thank you for your testimony.
    I now recognize Mr. Johnson to summarize his statement for 
5 minutes.

STATEMENT OF SHAWN JOHNSON, VICE CHAIRMAN, FINANCIAL SERVICES, 
                  SECTOR COORDINATING COUNCIL

    Mr. Johnson. Thank you. Thank you, Chairwoman Jackson Lee, 
Ranking Member Lungren, and members of the committee.
    I am Shawn Johnson, chairman of the Investment Committee 
for State Street Global Advisors and vice chairman of the 
Financial Services Sector Coordinating Council, or FSSCC, a 
volunteer position.
    My comments today focus on efforts to improve resilience in 
the financial services sector, and in particular the 
resilience-based related activities of the FSSCC.
    Thought established at the request of the Department of 
Treasury, the FSSCC is a private-sector coalition working to 
improve the financial sector's resilience to terrorist attacks, 
manmade and natural disasters, cyber attacks, and other 
threats.
    In general, the U.S. financial services sector has 
performed well in times of crisis. While events such as 9/11 
and the attacks have revealed some weaknesses in the resilience 
of our financial systems, industry and government have 
responded and work cooperatively to address these weaknesses.
    Some of the government's resilience activities have been in 
the form of specific regulatory proposals, such as the issuance 
of the best practices white paper by the Federal Reserve, the 
OCC, and the SEC in 2003, addressing contingency planning and 
backup facilities for clearing and settlement activities.
    Implementation of the white paper has required significant 
changes in business practices and substantial investment by 
financial investment firms. But the result has been a more 
resilient financial services system.
    The government participates in other, less formal 
activities, such as working with local public-private 
partnerships to sponsor resilience exercises, which simulate 
flu pandemic, natural disasters, or other terrorist events, and 
provide valuable lessons to both the public and the private 
sector.
    Much of the work of FSSCC, of which I am currently vice 
chair, has focused on resilience.
    For example, the FSSCC has been working to improve industry 
access to emergency credentials, which are critical in times of 
emergency. We have also worked to expand the GETS program, 
which provides access to priority telephone services during a 
crisis.
    We held a cybersecurity summit in February 2008 with 
private- and public-sector participation, and the FSSCC and 
FBIIC have since each launched new cybersecurity committees.
    The FSSCC maintains relationships to help align academic 
research with real-world business needs and offers programs 
such as the FSSCC SMART program, which provides subject matter 
expertise from financial institutions to R&D organizations.
    The FSSCC is an active participant in the Partnership for 
Critical Infrastructure Security, which is dedicated to 
coordinating cross-sector initiatives.
    Our infectious disease forum develops and communicates 
information and strategies the private sector can employ to 
prepare for an avian flu pandemic or other infectious disease 
outbreak. In addition, all FSSCC members are active with their 
own resiliency efforts aimed at their particular segment of the 
financial services industry.
    These efforts are summarized in the FSSCC's annual report, 
which can be found on the FSSCC Web site.
    I would like to conclude my testimony today by describing 
one of the largest financial services industry resilience 
exercises to date, the FBIIC-FSSCC Pandemic Flu Exercise of 
2007.
    The exercise was a public-private partnership, sponsored by 
the FBIIC, the FSSCC, and SIFMA. It was conducted in the fall 
of 2007 and simulated a pandemic flu impacting the financial 
services sector.
    More than 2,700 financial services organizations 
participated. Participation was voluntary, free of cost, and 
open to all organizations within the U.S. financial services 
sector.
    The results were aggregated, with anonymity provided by the 
participating institutions. Participants were given scenarios 
to implement that represented an escalating pandemic flu 
epidemic. At the height of the exercise, for example, absentee 
rates in some cases reached 49 percent, a level sufficient to 
stress even the best contingency planning efforts.
    The performance of the financial services sector under the 
conditions simulated by the exercise was laudable, but not 
perfect. In general, it appeared that, while there would have 
been significant impacts to the financial sector, it would have 
continued to cope and operate.
    Perhaps more important than the immediate results of the 
exercise, however, is the reaction of the participants: 99 
percent of participants found the exercise useful in assessing 
their organization's business-planning needs; 97 percent of 
participants said the exercise allowed their organization to 
identify critical dependencies, gaps, and seams that warrant 
additional attention; and 91 percent said their organization 
planned to initiate additional all-hazard plan refinements.
    Full details of the exercise are provided in the after 
action report.
    Overall, I think the pandemic exercise provides a good 
example of the potential benefit of the strong public-private 
partnership that exists. While continuity and resilience 
planning are certainly key regulatory and enforcement issues, 
it is clear to me, as a representative from the private sector, 
that the quality of the data obtained was considerably improved 
by the cooperative and anonymous nature of the exercise.
    As a result, both the private and public sectors were able 
to obtain insights that would have been difficult or impossible 
to obtain through standard regulatory channels.
    Once again, thank you for providing me the opportunity to 
testify on behalf of the FSSCC. I will be pleased to answer any 
questions you have.
    [The statement of Mr. Johnson follows:]
                  Prepared Statement of Shawn Johnson
                              May 14, 2008
     Chairwoman Jackson Lee, Ranking Member Lungren, and members of the 
Subcommittee on Transportation Security and Infrastructure, I am Shawn 
Johnson, Chairman of the Investment Committee of State Street Global 
Advisors and Vice-Chairman of the Financial Services Sector 
Coordinating Council (FSSCC). I am pleased to submit this testimony 
today on behalf of the FSSCC.
    I appreciate the subcommittee's invitation to testify at this 
hearing, titled ``Partnering with the Private Sector to Secure Critical 
Infrastructure: Has the Department of Homeland Security Abandoned the 
Resilience-Based Approach?'' Given my position with the FSSCC, my 
comments today focus on the experience of the financial services sector 
with regard to resilience, and, in particular, resilience related 
activities in which FSSCC has participated.
    The FSSCC was established at the request of the U.S. Department of 
the Treasury in 2002 in response to Homeland Security Presidential 
Directive 7, which required sector-specific Federal department and 
agencies to identify, prioritize, and protect United States critical 
infrastructure and key resources. We are a private sector coalition of 
financial services firms and trade associations working to reinforce 
the financial sector's resilience to terrorist attacks, man-made and 
natural disasters, cyber attacks, and other threats to the sector's 
critical infrastructure.
    The FSSCC closely interacts with its Sector Specific Agency (SSA), 
the Department of the Treasury, it public-sector counterpart, the 
Financial and Banking Information Infrastructure Committee (FBIIC), and 
the Department of Homeland Security. Membership lists for the FSSCC and 
the FBIIC are attached.
    We also strongly support regional public/private partnerships, such 
as ChicagoFIRST, DFWfirst, and numerous others. These organizations 
address homeland security and emergency management issues at the local 
level, where many catastrophic events are primarily managed.
    In general, the U.S. financial services sector has performed well 
in times of crisis. While events such as the 9/11 attacks have revealed 
some weaknesses in the resilience of our financial systems, industry 
and government have responded, and worked cooperatively to address 
these weaknesses.
    Some of the government's resilience activities have been in the 
form of specific regulatory proposals, such as the issuance of the 
Interagency White Paper on Sound Practices to Strengthen the Resilience 
of the U.S. Financial System in 2003 by the Federal Reserve, OCC and 
SEC.
    The White Paper addressed the importance of resilience in financial 
clearing and settlement activities critical to U.S. financial markets, 
and is intended to reduce systemic risk created when primary and back-
up facilities and staffs are located within the same geographic region. 
Implementing the requirements of the White Paper has required 
significant changes in business practices, and substantial investment, 
by financial services firms--but the result has been a more resilient 
U.S. financial system.
    Formal rulemaking, however, is not the government's only means of 
improving the resiliency of our financial infrastructure. For example, 
the Department of the Treasury has worked with local public/private 
partnerships to sponsor several resilience exercises, including:
   A pandemic exercise in Chicago in December, 2006 (with 
        ChicagoFIRST),
   A pandemic exercise in San Francisco in May, 2007 (with 
        BARCfirst),
   A radiological attack exercise in Tampa Bay in July, 2007 
        (with FloridaFIRST), and
   A hurricane exercise in Alabama in March, 2008 (with Alabama 
        Recovery Coalition for the Financial Sector).
    Other similar exercises are being planned, including a terrorist 
attack simulation involving all of the regional coalitions (through RPC 
FIRST) in San Francisco this week.
    Much of the work of the FSSCC, of which I am currently Vice-
Chairman, has also focused on resilience. FSSCC resilience-related 
activities include:
   Emergency Credentialing.--The ability of the private sector 
        to obtain security credentials during times of emergency is a 
        critical element to the financial services sector's resiliency. 
        The FSSCC has been involved in efforts to encourage States to 
        adopt credentialing programs, and expansion of the GETS 
        program. The GETS Program allows critical infrastructure 
        operators to gain priority telephone service during a crisis.
   Cyber Security.--A Cyber Security Summit was held in 
        February, 2008 with information technology leaders from across 
        the public and private sectors, to discuss threats to the 
        financial sector from cyber vectors. The FSSCC and FBIIC have 
        since each launched new cyber security committees, whose 
        mission is to work with the financial services sector to 
        strengthen cyber security and resilience of current and future 
        IT operations.
   Research and Development.--The FSSCC and its R&D Committee 
        encourage alignment of research into infrastructure protection 
        through outreach to academic institutions, and programs such as 
        FSSCC SMART, which provides subject matter expertise from 
        financial institutions to research and development 
        organizations.
   Cross-Sector Cooperation.--FSSCC is an active participant in 
        the Partnership for Critical Infrastructure Security (PCIS), 
        which is dedicated to coordinating cross-sector initiatives to 
        improve the security and safety of U.S. financial 
        infrastructure.
   Infectious Disease Forum.--A long-standing FSSCC work group 
        is the FSSCC Infectious Disease Forum. The purpose of the 
        Infectious Disease Forum is to develop and communicate 
        information and strategies that FSSCC members and their member 
        organizations may employ to prepare for an avian flu pandemic 
        or other infectious disease outbreak.
    These ongoing efforts, and others, demonstrate the FSSCC's strong 
commitment to resiliency. In addition, all FSSCC members are active 
with their own resiliency efforts, aimed at their particular segment of 
the financial services industry segment. These efforts are summarized 
in FSSCC's annual report, which can be found on the FSSCC Web site 
(https://www.fsscc.org/fsscc/reports/2007/annual_report_
2007.pdf).
    I'd like to conclude my testimony today by describing one of the 
largest financial services industry resilience exercises to date, the 
FBIIC/FSSCC Pandemic Flu Exercise of 2007.
    This exercise, conducted in Fall 2007, simulated a pandemic flu 
impacting the financial services sector, and was intended to:
   Enhance the understanding of systemic risks to the financial 
        sector;
   Provide an opportunity for firms to examine the 
        effectiveness of their pandemic plans; and
   Explore the effects of a pandemic flu on other crucial 
        infrastructures impacting the financial services sector.
    The exercise was a public/private partnership, organized by the 
FBIIC, the FSSCC, and the Securities Industry and Financial Markets 
Association (SIFMA), the trade association representing the securities 
industry.
    By all accounts, the execution of the exercise was a success. More 
than 2,700 financial organizations participated. Participation was 
voluntary, free of cost, and open to all organizations within the U.S. 
financial sector. Results were aggregated, with anonymity provided to 
participating institutions. The exercise was intended to simulate the 
medical, financial, and societal impacts of a pandemic flu, and gather 
information about how financial institutions were able to react to such 
scenarios. At the height of the exercise, for example, absentee rates 
in some cases reached 49 percent, a level sufficient to stress even the 
best contingency planning efforts.
    The performance of the financial sector under the conditions 
simulated by the exercise was laudable, but not perfect. In general, it 
appeared that while there would have been significant impacts to the 
financial services sector, it would have continued to cope and operate.
    Perhaps more important than the immediate results of the exercise, 
however, is the reaction of the participants:
   99 percent of participants found the exercise useful in 
        assessing their organizations business planning needs;
   97 percent of participants said the exercise allowed their 
        organization to identify critical dependencies, gaps, and seams 
        that warrant additional attention; and
   91 percent said their organization planned to initiated 
        additional all-hazard plan refinements based upon lessons 
        learned during the exercise.
    The After Action Report, issued in January 2008, provides 
considerable detail on the results of the exercise, both in aggregate 
and by industry segment, as well as numerous illustrations of possible 
opportunities for further improvement, for both the public and private 
sector. One such area for improvement is in the area of regulatory 
relief. Discussions between the private sector and the regulators 
continue regarding possible regulatory relief during a pandemic. The 
industry recently started developing an internet-based application to 
facilitate the collection of information to better gauge the health of 
the sector.
    Overall, the pandemic exercise provides a good example of the 
potential benefit of strong public/private cooperation and 
collaboration. While continuity and resilience planning are certainly 
key regulatory and enforcement issues, it is clear to me as a 
representative of the private sector that the quality of data obtained 
was considerably improved by the cooperative, and anonymous, nature of 
the exercise. As a result, both the private and public sectors were 
able to obtain insights that would have been difficult or impossible to 
obtain through standard regulatory channels.
    Once again, thank you for providing me the opportunity to testify 
on behalf of the FSSCC. I would be pleased to answer any questions.
                                APPENDIX
                             fsscc members
    American Bankers Association; American Council of Life Insurers; 
American Insurance Association; American Society for Industrial 
Security (ASIS) International; BAI; BITS/The Financial Services 
Roundtable; ChicagoFIRST; Chicago Mercantile Exchange; The Clearing 
House; CLS Group; Consumer Bankers Association; Credit Union National 
Association; The Depository Trust & Clearing Corporation (DTCC); Fannie 
Mae; Financial Information Forum; Financial Services Information 
Sharing and Analysis Center (FS-ISAC); Financial Services Technology 
Consortium (FSTC); Freddie Mac; Futures Industry Association; ICE 
Futures U.S.; Independent Community Bankers of America; Investment 
Company Institute; Managed Funds Association; The NASDAQ Stock Market, 
Inc.; National Armored Car Association; National Association of Federal 
Credit Unions; National Association of Securities Dealers (NASD); 
National Futures Association; NACHA--The Electronic Payments 
Association; The Options Clearing Corporation; Securities Industry 
Automation Corporation (SIAC); Securities Industry and Financial 
Markets Association (SIFMA); State Street Global Advisors; VISA USA 
Inc.
                             fbiic members
    American Council of State Savings Supervisors; Commodity Futures 
Trading Commission; Conference of State Bank Supervisors; Department of 
the Treasury; Farm Credit Administration; Federal Deposit Insurance 
Corp; Federal Housing Finance Board; Federal Reserve Bank of New York; 
Federal Reserve Board; National Association of Insurance Commissioners; 
National Association of State Credit Union Supervisors; National Credit 
Union Administration; North American Securities Administrators 
Association; Office of the Comptroller of the Currency; Office of 
Federal Housing Enterprise Oversight; Office of Thrift Supervision; 
Securities and Exchange Commission; Securities Investor Protection 
Corporation.

    Ms. Jackson Lee. Mr. Johnson, thank you very much for your 
testimony.
    I now recognize Mr. Raisch to summarize his statement for 5 
minutes.

STATEMENT OF WILLIAM G. RAISCH, DIRECTOR, INTERNATIONAL CENTER 
        FOR ENTERPRISE PREPAREDNESS, NEW YORK UNIVERSITY

    Mr. Raisch. Chairwoman Jackson Lee, Ranking Member Lungren, 
and distinguished members of the subcommittee, thank you for 
inviting me this afternoon to testify on the vital issue of 
private sector resilience and, in particular, the Voluntary 
Private Sector Preparedness Certification Program called for by 
the implementing recommendations of the 9/11 Commission Act of 
2007.
    I am most honored to join you from the International Center 
for Enterprise Preparedness at New York University. As you 
mentioned, the center serves as the first academic center 
focused specifically on private-sector resilience and 
preparedness.
    I am also most honored to have served as a private-sector 
adviser to the 9/11 Commission.
    More importantly, though, I am here to reflect on the 
perspective garnered from 12 forums on this specific voluntary 
certification program held since this past fall involving over 
550 private-sector representatives and current five different 
working groups, with over 250 participants in the private 
sector.
    Let me clearly state that there is substantial and growing 
interest and also concern in the private sector on this 
program. That being said, also, in preface, I would like to say 
that it is my personal opinion that this single program has the 
potential for doing more to institutionalize or economically 
embed private-sector preparedness than much of the outreach, ad 
campaigns, and other well-meaning and perhaps productive public 
affairs efforts to date.
    However, this is achievable if and only if two items are 
addressed in priority. One, it must focus on enabling real 
economic value to businesses. Further, it must actively and 
directly involve and engage the private sector in the 
development and ongoing implementation of the program itself.
    Allow me to outline, perhaps, a couple of key 
considerations for this program going forward and to 
acknowledge, as well, that much good work has been accomplished 
by a variety of organizations in the arena of public-sector 
preparedness and resilience.
    At our center, we have tried to reflect on this and really 
present you with perhaps some key themes in that respect.
    From that, we see four basic themes evolving.
    They are, one, firstly and foremost, with respect to this 
program, we need to assure that voluntary certification in this 
program is a private-sector-led effort, that it specifically 
addresses private-sector needs through the ongoing engagement 
of key stakeholders. This engagement must involve both DHS and 
the ultimate accrediting body to be chosen.
    Secondly, it must build on existing efforts, specifically 
those efforts in certification, standards, and elements of 
accrediting bodies. These basic building blocks already exist 
for the program. The program should seek to integrate them and 
focus them on private-sector preparedness.
    There are existing standards that have been developed by 
the private sector. Further, there are existing accreditation 
and certification processes that have been utilized in private-
sector voluntary certification in such areas as quality 
management, the ISO 9000 accreditation program, and 
environmental management, the ISO 14000 program.
    These processes were developed with active involvement of 
the private sector and have evolved with private-sector 
application for over 2 decades, in many cases.
    There is also an existing accrediting body, ANAB, which has 
administered private-sector certification for years, as well. I 
am happy to note that this body has been preliminarily 
designated by DHS as the appropriate body for the program 
itself.
    Thirdly, the program should allow for flexibility, 
potentially utilizing a high-level umbrella or framework 
approach that can be used independently to relate multiple 
focused standards and practices, which business may already be 
using.
    Key organizations in the private sector have already 
developed a seminal work on this, the framework for 
preparedness, on a voluntary basis, sponsored by the Alfred P. 
Sloan Foundation.
    A real effort must be made to recognize, also, and accredit 
effective activities already in practice by each key sector. 
These sectors must be brought directly into the process.
    Fourthly and finally, that we must enable potential market-
based incentives through the involvement of their stakeholders 
and needs. First and foremost, business practitioners must be 
actively involved in the development of this program to assure 
that the program has real operational value.
    Secondly and as importantly, potential incentive 
stakeholders should be directly involved in the process, 
including supply chain management community representatives, 
legal counsel, insurance companies, rating agencies, and other 
reporting entities.
    Key action items for government are an opportunity in this 
respect. I would suggest they are as follows, and I would 
preface it by the fact that I would underline government in 
this case can truly be a catalyst, it can be a convener, and it 
can be, if you will, an investor, at least from a seed-funding 
perspective on this important process.
    Firstly, both DHS and ultimately the accrediting body it 
designates must actively and consistently engage the private 
sector in the development implementation of the program. 
Specific considerations and issues are identified in my written 
remarks in this respect.
    DHS must also continue to maintain its integrated approach 
to supporting this program, which includes FEMA currently as 
program lead, but also active involvement by infrastructure 
protection, science and technology, and the DHS private-sector 
office, as well as others, as appropriate.
    Additionally, other agencies in the executive branch, 
including Commerce and SBA, should have involvement.
    Congress should provide the resources, also, to enable 
ongoing commitment by DHS to this program. It is an investment 
that will yield substantial benefits, in terms of societal 
resilience, given the role the private sector plays in backbone 
critical infrastructure and dramatic impacts on the overall 
economy.
    Additionally, DHS should continue to evaluate the overall 
opportunity for voluntary participation in the program by the 
critical infrastructure business sectors. This community can 
bring much insight to the program and may find significant 
value in the assessment capability of the program.
    Furthermore, the program may provide a very valuable tool 
in cross-sector cooperation and assessment. A common reference 
platform--a Rosetta Stone, of sorts--could aid in sharing best 
practices and crosspollination across sectors.
    Education and tools must also be developed by key 
stakeholders, optimally with government support, to enable 
businesses, large and small, to pursue program assessment and 
implementation with minimal cost and disruption. Key trade and 
professional associations may be very helpful in this regard.
    In addition and finally, Congress should consider enabling 
incentives for the program, including potentially facilitating 
effective public reporting and appropriate acknowledgement of 
proactive companies in this respect.
    Additionally, Congress should consider legal liability 
protections for those proactive firms that undertake 
certification, perhaps including safe harbors and privilege for 
vulnerability assessments.
    Finally, enabling key industries, such as the insurance 
industry, to consider industry-wide incentives or initiatives 
in this regard around the issue of resilience, without concern 
of antitrust considerations, should also be addressed by 
Congress.
    I welcome your questions. Thank you.
    [The statement of Mr. Raisch follows:]
                Prepared Statement of William G. Raisch
                              May 14, 2008
    Chairwoman Jackson Lee, Ranking Member Lungren, and distinguished 
members of the subcommittee, thank you for inviting me to testify on 
the vital issue of private sector resiliency and the Voluntary Private 
Sector Preparedness Certification Program called for by Title IX, 
Section 524 of Pub. L. 110-523, The Implementing Recommendations of the 
9/11 Commission Act of 2007.
    As with many undertakings in the private sector, this new program 
offers both substantial opportunity and significant risk, most 
especially if the private sector is not effectively engaged. It will be 
the balancing of these two elements that will determine the ultimate 
success or failure of this program. It is an effort though that I 
believe to be well worth undertaking for sake of both the individual 
businesses and our wider society.
  the 9/11 commission's private sector recommendations focused on the 
                  ``what'' and ``why'' of preparedness
    As you may be aware, our Center, the International Center for 
Enterprise Preparedness (or InterCEP) at New York University is the 
first academic research center dedicated to private sector resilience. 
Our activities regularly involve outreach to hundreds of businesses, 
much of it through interactive forums focused on key issues.
    The Center takes its primary focus from the private sector 
recommendations of the 9/11 Commission, which I was honored to advise 
on private sector preparedness.
    The Commission's recommendations and thus InterCEP's research focus 
on promoting private sector preparedness through the linking the 
``what'' and the ``why'' of preparedness/resilience. The 9/11 
Commission clearly understood that absent a compelling bottom-line 
rationale for preparedness, businesses would not invest the funds and 
other resources necessary to develop a preparedness program. The 
Commission sought to leverage basic market-based economics, bottom-line 
orientation, to promote effective private sector preparedness 
activities by business. They did so with an initial focus on two key 
elements:
    1. Identifying a consensus-based industry standard for business 
        preparedness (the what to do); businesses were looking for a 
        high-level set of criteria that represented best practices in 
        preparedness yet allowed the business flexibility as to how to 
        achieve particular outcomes.
    2. Identifying potential incentives for businesses to voluntarily 
        conform with that standard (the why to do it) including 
        mitigating legal liability after an event, potential insurance 
        recognition, and encouraging rating agency acknowledgement (all 
        in addition of course to the basic rationale of continuity of 
        the business in the aftermath of a crisis).
  there is a need for a measurement approach/tool to assess business 
                              preparedness
    Since establishing our Center in October of 2004 and the extensive 
research and interface with business that followed, it has become clear 
that the linkage of the ``what'' and ``why'' of preparedness often 
requires measurement or assessment to determine if the ``what'' to do 
of preparedness has been or is being accomplished so that the ``why'' 
to do it can be confirmed or rewarded. Thus, there is a third key 
element that our research with the business sector has identified as 
critical to successfully promoting private-sector preparedness:
    3. A method to measure or assess achievement of preparedness 
        objectives, i.e., identifying ``if preparedness is being 
        achieved.''
    Measurement is important for several reasons. Internally, there are 
multiple benefits:
   First and foremost, a business needs a yardstick to assess 
        if it is achieving its preparedness goals for which it may have 
        invested effort and resources to assure its business 
        continuity.
   Measurement may also have reputational benefits for 
        corporations that wish to demonstrate to their customers and 
        other stakeholders that they are prepared.
   Measurement may additionally help advance corporate 
        governance goals, especially in validating risk management 
        efforts.
    External to the firm, potential ``incentives stakeholders'' such as 
supply chain partners, insurance underwriters, rating agencies and the 
legal community need a credible confirmation that preparedness efforts 
have been undertaken. These communities generally grant that there is 
value in preparedness efforts by businesses, and these stakeholders may 
be disposed toward acknowledging or rewarding preparedness in their 
activities.
    These potential incentives stakeholders do not however wish to 
undertake the actual assessment or measurement of preparedness on their 
own on a business-by-business basis. They do not want to nor do they 
have the resources to send out assessors to a business to ascertain if 
a particular business's program conforms to a particular industry 
standard. Yet, if there was a credible program which indicated 
compliance with such a standard, these stakeholders may consider 
rewarding it, at least over time. Thus, external benefits to 
measurement include:
   Measurement could promote resilience of supply chains by 
        supplying a common approach and tool for assessing supplier 
        preparedness.
   A common measurement program may make it easier for various 
        business incentive communities to acknowledge the value of 
        effective preparedness (e.g., insurance, legal, rating agency, 
        etc.) overtime.
   Measurement to a commonly recognized standard may help 
        facilitate exchange of best practices, enabling business to 
        more easily compare practices across industries and sectors 
        which may have distinct terminology and approaches but lack a 
        ``rosetta stone'' or common set of criteria to compare their 
        efforts.
   A common measurement program may also enable more consistent 
        benchmarking to other firms both within and industry and 
        potentially across sectors--including potentially the critical 
        infrastructure sectors.
  the developing voluntary private sector preparedness certification 
                                program
    It is in light of these three elements: (1) what to do, (2) why to 
do it, and (3) a measurement of achievement that I would like to 
discuss the developing Voluntary Business Preparedness Certification 
Program.
    This new program is proving to be a distinct catalyst, with 
significant initial and potential impact on private sector 
preparedness. It is also a program that nonetheless must be guided by 
key considerations and private sector input to assure its success.
    This new program could potentially integrate:
   The ``what to do'' in the form of one or more preparedness 
        standards to be designated under the legislation,
   An evolving ``why to do it'' by proactively identifying the 
        business case for preparedness and integrating its elements 
        into the program where possible including potential incentives 
        stakeholders in the process of program development and 
        implementation,
   A credible measurement/assessment methodology based upon 
        historic experience with other voluntary certification programs 
        such as those in quality management (ISO 9000) and 
        environmental management (ISO 14000) which have been 
        implemented in and by the private sector for decades.
    The announcement of this program has already to date provided a 
catalyst for business sector activity. Despite the legislation's 
annunciation that the program is to be voluntary, the perceived threat 
of potential government regulation along with other concerns has 
motivated significant private sector activity. Much of it based on the 
presumption that the private sector must take the lead in this process 
to assure that the outcome has positive value and not onerous impact.
    For example, one remarkable effort involved four key professional 
organizations coming together to define the core elements of private 
sector preparedness based on existing standards and professional 
practices across multiple disciplines. This effort was sponsored by the 
Alfred P. Sloan Foundation which is a key funder of InterCEP's 
activities and involved representatives from ASIS International (a key 
security association), the Disaster Recovery Institute International (a 
key business continuity association), the National Fire Protection 
Association (which maintains the Standard on Disaster/Emergency 
Management & Business Continuity referenced in the legislation and 
endorsed by both the 9/11 Commission and DHS) and the Risk & Insurance 
Management Society (a leading risk management society for businesses). 
These organizations collectively defined a framework for voluntary 
preparedness that supports a flexible approach to assessing 
preparedness potentially including multiple standards reflecting a 
common core set of preparedness elements. The final report is available 
at www.sloan.org.
    Additionally, other organizations have begun forums to discuss the 
program including the U.S. Chamber of Commerce among others. As an 
example, InterCEP currently has dozens of businesses actively engaged 
in five different Working Groups which initially address key potential 
incentive areas for program acknowledgement:
   Supply chain management;
   Legal liability mitigation;
   Insurance;
   Rating agency acknowledgement;
   Business reporting acknowledgement/crediting.
         key considerations and concerns of the private sector
    Key considerations and concerns identified by the private sector 
through a diversity of forums hosted by the Center are outlined in the 
Appendix. The key themes include:
    1. Assure that the program is private sector led and addresses 
        private sector needs through ongoing engagement of key 
        stakeholders.
    2. Build on the existing including existing standards, proven 
        accreditation/certification processes and established industry 
        practices--key building blocks already exist.
    3. Allow for flexibility potentially utilizing a high-level 
        umbrella or framework standard which can be used independently 
        or to relate multiple more focused standards and practices 
        which business may already be using.
    4. Enable potential market-based incentives through involvement of 
        their stakeholders and concerns.
               action items for government going forward
    It will be vital to the ultimate success of the program that 
government take the initiative as a catalyst and investor in this 
process:
   Both DHS and the ultimate accrediting body to be designated 
        by it must actively and consistently engage the private sector 
        in the development and implementation of the program. Specific 
        considerations and issues are identified in the Appendix.
   DHS must continue to maintain its integrated approach to 
        supporting this program which includes FEMA as program lead but 
        also includes active involvement by Infrastructure Protection, 
        Science & Technology and the DHS Private Sector Office (and 
        others as appropriate).
   Congress should provide the resources to enable an ongoing 
        commitment by DHS to this program. It is an investment that 
        will yield substantial benefits in terms of societal resilience 
        given the role that the private sector plays in backbone 
        critical infrastructure for our Nation.
   DHS should continue to evaluate the voluntary application of 
        the program to critical infrastructure as this community may 
        find significant value in the capability of the program. 
        Furthermore, the program may provide a very valuable tool in 
        cross-sector cooperation and assessment.
   Education and tools must be developed by key stakeholders 
        (optimally with government support) to enable business (large 
        and small) to pursue program assessment and implementation with 
        minimal cost and disruption.
   Appendix.--Summary of InterCEP Research to Date On the Voluntary 
           Private Sector Preparedness Certification Program
    per title ix, section 524 of pub. l. 110-523, the implementing 
           recommendations of the 9/11 commission act of 2007
                              may 14, 2008
Key Points & Considerations
    Four basic themes are reflected in the following considerations, 
they are:
    1. Assure that the program is private-sector-led and addresses 
        private-sector needs through ongoing engagement of key 
        stakeholders.
    2. Build on the existing including existing standards, proven 
        accreditation/certification processes and established industry 
        practices--key building blocks exist.
    5. Allow for flexibility potentially utilizing a high-level 
        umbrella or framework standard which can be used independently 
        or to relate multiple more focused standards and practices 
        which business may already be using.
    6. Enable potential market-based incentives through involvement of 
        their stakeholders and concerns.
Specific Considerations
   Early and continuing stakeholder involvement must be 
        maintained to assure that the program is private-sector led.--
        While government can play a catalytic role in the early 
        development of the program, ultimately the program should be 
        market-driven as has been the case with the continuing 
        voluntary certification programs in quality and environmental 
        management. Key to assuring that the voluntary certification 
        program has real operational value to business is to involve 
        the full-spectrum of the business sector in the development and 
        ongoing implementation of the voluntary certification program.
   There is concern within the private sector that the program 
        could develop into a mandatory requirement by government.--
        Similar concerns exist about whether the program will be truly 
        voluntary once market pressures force firms to pursue 
        certification in order to remain competitive.
   There are concerns about the potential costs and liabilities 
        associated with the program.--It will be important to contain 
        the implementation costs and minimize the bureaucracy 
        associated with the certification process.
   The program should build on existing voluntary accreditation 
        and certification processes. There are lessons to be learned 
        from historical experience with existing voluntary 
        certification programs in quality and environmental 
        management.--Current voluntary certification programs in 
        quality management and/or environmental management utilize 
        established processes for accreditation and certification. 
        These could potentially be utilized in the development of the 
        preparedness certification program thereby avoiding significant 
        time and effort as well as benefiting from substantial 
        historical application. Furthermore, opportunities and 
        efficiencies might potentially be achieved by businesses that 
        currently have existing quality and environmental programs by 
        building upon them (i.e., existing management processes). For 
        example, the program should be informed by lessons learned from 
        C-TPAT and pandemic planning regarding the best way to minimize 
        impacts on business and maximize benefits to business.
   Existing efforts of key vertical industries, such as the 
        financial services sector, should be acknowledged and 
        incorporated into the voluntary certification program.--Some 
        business sectors have a long history in preparedness activities 
        and robust programs in place. The financial services sector is 
        one. The new law specifically calls for existing industry 
        efforts, standards, practices and reporting in the area of 
        preparedness not be duplicated or displaced but rather 
        recognized and integrated where appropriate. Opportunities 
        should be evaluated with each sector to see not only how their 
        existing efforts can be credited in the process but also how 
        the new certification program can address unique issues 
        important to their sector. Sector coordinating councils and key 
        industry associations should be involved.
   A ``maturity model'' or multi-level approach should be 
        considered.--A ``maturity model'' approach should be considered 
        which could acknowledge various levels of preparedness and 
        depth of program; for example: Level 1, Level 2, Level 3, etc. 
        This could be helpful in several ways. Depth of program 
        capacity could vary based on how critical a particular 
        organization is in a supply chain. Levels could also be used as 
        targets for progression over the course of time to allow for a 
        step progression from a lower level of preparedness to a higher 
        level. Furthermore, levels may be appropriate in considering 
        expectations for small, medium and large organizations with 
        their varying levels of size, complexity and resources.
   The voluntary certification should credit/integrate other 
        business reporting requirements when valuable.--Based on the 
        functions of a business, its vertical industry and public or 
        private ownership, there are a variety of reporting 
        requirements that businesses have to shareholders, customers, 
        partners, the government and others. As reflected in the 
        enabling legislation, efforts should be made to acknowledge and 
        existing reporting activity where appropriate so as to avoid 
        duplication and excess effort. Certification activity may be 
        able to ``piggy-back'' on some existing auditing efforts.
   The program should support self-assessment by businesses as 
        well as external second party and third party assessments.--
        Businesses should be able to apply elements of the program to 
        self-assess their operations and self-declare (first party 
        assessment) as well as utilize it in assessing related parties 
        such as suppliers (second party assessment). Third party 
        certification by unrelated certifiers should also be an option. 
        First, second party and third party assessments could be 
        valuable in assuring business preparedness in supply chains.
   The corporate governance & corporate social responsibility 
        (CSR) areas should be evaluated for past lessons learned and 
        possible synergies with the voluntary certification program.--
        In an increasingly risky business environment, risk management 
        is a growing concern among boards of directors and executive 
        management. The voluntary certification program might 
        potentially be structured to address these concerns at least in 
        part by assessing the state of business preparedness.
   In designating one or more preparedness standards for use in 
        the program, a constellation of standards or framework approach 
        should be evaluated. An umbrella standard should be considered 
        in this regard to assure core consistency among various 
        standards.--There are multiple preparedness guidance documents 
        with significant value to one or more business sectors. Some 
        are general or program level; others may be more functionally 
        oriented, for example, risk assessment-focused. Consideration 
        should be given to structuring a certification process which 
        accommodates the assessment of the business against one or more 
        standards but in a unified framework. Such a framework could 
        acknowledge a common core of program elements potentially 
        utilizing an ``umbrella standard.''
   The program and chosen standards should be applicable on an 
        international basis to have the most value to multinational 
        corporations.--The program may involve a number of standards, 
        but whichever standards are chosen, they should be capable of 
        being applied on an international basis in order to accommodate 
        the needs of multinational firms.
   Special considerations should be made for small businesses 
        that wish to pursue voluntary certification. The involvement of 
        industry associations and large-to-small business mentoring 
        should be considered.--Clearly not all small businesses will 
        see value in pursuing the voluntary certification. This is to 
        be expected. For those that do, the new certification program 
        must be economically and operationally achievable. Separate 
        classifications and methods of certification for small 
        businesses should be established as appropriate and in 
        consultation with small business representatives and 
        organizations. Supply chain mentoring should be explored to 
        consider how larger companies might assist their critical 
        suppliers that are small businesses.
   Potential ``incentives stakeholders'' should be welcomed 
        into the process from the beginning to assure that the 
        voluntary certification program has value to them in 
        potentially acknowledging and rewarding business preparedness 
        efforts.--A major rationale cited in the testimony for the 
        program was the need to enable a closer link between 
        preparedness and benefits for business. Key stakeholders in 
        such areas as supply chain management, legal liability, 
        insurance and rating agencies have generally concurred that 
        business preparedness is valuable and should be acknowledged 
        more widely but to date there has been no generally accepted 
        methodology to confirm that preparedness exists in a business 
        so that it could be acknowledged. This program could supply 
        such a method, and so the process should involve these 
        potential incentives stakeholders as well as others early in 
        the development of the program. Following are considerations in 
        this regard:
     As rating agencies potentially widen their review of 
            enterprise risk management in their analysis of businesses, 
            the rating agency perspective should be invited into the 
            development and ongoing operation of the certification 
            program.--This could potentially facilitate greater 
            recognition of effective corporate preparedness. Rating 
            agencies are increasingly focusing on enterprise risk 
            management in their analysis including business continuity 
            and emergency management programs by the corporation. 
            Including rating agency input into the voluntary 
            certification program might allow for these agencies to 
            acknowledge this voluntary certification more readily in 
            their own analysis and thereby effectively reward 
            preparedness by corporations.
     Supply chain resilience is a growing concern among 
            corporations. The voluntary certification program offers 
            value in assessing supplier resilience. The supply chain 
            management perspective should be included in the 
            development and ongoing operations of the certification 
            program.--There is an increasing focus on supply chain 
            resilience and the preparedness of critical suppliers. 
            Firms frequently require supply partners to adhere to 
            certain preparedness requirements. Some firms promote 
            preparedness-related best practices through mentorship, 
            training, education and joint exercises with supply 
            partners. Corporations are looking for tools to assess the 
            resilience/reliability of the suppliers of critical goods 
            and services. From the supplier perspective, some firms are 
            noting significant time spent on interfacing with multiple 
            customers assuring each of the business' preparedness 
            status. A voluntary certification program could potentially 
            provide a commonly-accepted verification of preparedness 
            and thereby avoid multiple customer queries. Similarly, 
            customers could use the certification to minimize their 
            supply assessment efforts.
     Insurance company and related input should be incorporated 
            into the voluntary certification program to support 
            increased recognition of business preparedness in the 
            future.--It can be argued that the insurance industry on 
            the whole understands the general value of business 
            preparedness to minimize losses to both the individual 
            businesses and the insurance company. However, how and if 
            insurance companies measure preparedness varies 
            significantly. Current efforts to correlate preparedness 
            actions to loss reductions are largely focused on property 
            risk. The insurance market is stratified, with larger 
            companies receiving relatively more attention and greater 
            flexibility from underwriters than smaller companies. A 
            commonly-accepted third party assessment of business 
            preparedness could be a valuable indicator of risk which 
            might be used by insurance companies in their underwriting 
            potentially. This could possibly result in a greater 
            recognition of preparedness in the future. The audit 
            processes involved with the certification program may 
            provide underwriters with data they cannot access otherwise 
            due to lack of time or expertise, helping them to 
            systematize their understanding of business continuity. In 
            addition, a voluntary certification program could also 
            begin to build a historical record that over time could 
            inform a closer understanding of what preparedness measures 
            best minimize future insurance claims. Challenges that need 
            to be addressed include how preparedness standards would 
            fit into underwriting guidelines. State insurance 
            regulators may also consider how to promote the 
            incorporation of elements of the certification program in 
            the underwriting process. Another possibility for driving 
            the development of insurance incentives for preparedness is 
            to approach it from a consumer demand standpoint. Insured 
            companies may take individual and/or collective action to 
            demand acknowledgement of preparedness efforts by insurers.
     Representatives from the corporate counsel and wider legal 
            community should be incorporated in the development and 
            implementation process of the program to support a 
            potential role of certification in minimizing legal 
            liability for the impacts of emergencies.--Negligence tort 
            and other legal liability can be a major exposure for 
            companies of all sizes in the aftermath of an emergency. 
            When another party is impacted by the event, it is often 
            argued that the company did not do enough to prepare for 
            emergencies. Yet, it can be difficult to ascertain how much 
            preparedness is enough given the diversity of risks that 
            face a company. Advance and documented compliance with an 
            established recognized standard for preparedness can serve 
            to support an affirmative defense to liability claims after 
            an emergency. The certification program will be centered on 
            voluntary compliance with one or more industry standards. 
            Thus, the certification program should optimally be 
            structured to minimize legal liability of the business 
            which pursues preparedness in compliance with it. The 
            development of statutory guidelines would provide 
            additional legal motivation to pursue certification. On the 
            other hand, there is a potential disincentive pertaining to 
            undertaking preparedness certification and the related 
            documentation of preparedness actions undertaken by a 
            company, especially with respect to the identification of 
            risks to the company and its current vulnerabilities. 
            Legislation providing safe harbor from litigation to any 
            certified firm would provide a major incentive for 
            certification, as would the development of what is called 
            ``self-evaluative privilege'' to ensure that the findings 
            of the certification process would not be used in court 
            against a proactive corporation.

    Ms. Jackson Lee. Thank you very much for your testimony.
    I now recognize Dr. Stephens for 5 minutes. Dr. Stephens, 
you may also summarize your statement and be recognized for 5 
minutes. Thank you.

  STATEMENT OF DR. KEVIN U. STEPHENS, M.D., DIRECTOR, HEALTH 
                DEPARTMENT, CITY OF NEW ORLEANS

    Dr. Stephens. Thank you, Chairwoman Jackson Lee, the 
Ranking Member Lungren, and other members of the committee and 
guests.
    Thank you for your invitation and, of course, your most 
gracious introduction.
    New Orleans is one of America's most beloved and culturally 
distinctive cities. As you are all aware, it has faced many 
challenges in recovery and the rebuilding after the--and 
perhaps our worst natural and manmade disaster to occur in the 
United States of America.
    Please know that I speak for our entire community when I 
say that we are grateful for all that Congress has done. We are 
very happy to have you help us recover from Hurricane Katrina 
and the subsequent flooding. We are truly appreciative of your 
continued concerns about our progress in caring for our 
citizens, while we work diligently towards resolving our 
longer-term recovery challenges.
    Thank you for providing this opportunity for us to share 
with the committee our unique perspective on the concept and 
implementation of resilience, particularly regarding the 
critical health care infrastructure of a community.
    Being resilient means having the ability to withstand a 
blow and to bounce back, a capacity which must be built on an 
already-solid foundation. Our community suffered a catastrophic 
disaster that destroyed most of its private and public health 
care infrastructure when the levees broke, flooding 80 percent 
of the land area in our city.
    We continue to struggle to rebuild the health care 
foundation and cover basic medical needs for our citizens. We 
still have excessive waits at our emergency rooms. We have a 
shortage of mental health inpatient beds. We have a lack of 
primary care clinics to provide day-to-day health care for the 
indigent and uninsured and minimal medical surge capacity, even 
though we are ranked high in vulnerability, in terms of 
terrorism and natural disaster.
    Below are some of the major challenges we have encountered 
to building resilience in the greater New Orleans health care 
community, as well as some suggested solutions.
    One of our challenges in the recovery and building 
resilience that plagues our health care providers is the 
duality that they face, as victims, as well as responders in a 
critically needed system. It is quite difficult to play both of 
these roles simultaneously.
    Many of our providers lost everything, including their 
offices, their medical diagnostic equipment, medical and 
financial records, and their homes. Provisions must be made for 
providers to resolve their personal difficulties before they 
can begin to provide critically needed services.
    Even for those providers and institutions left standing 
after the disaster, a significant number of them experienced 
losses in revenues and a scattering of their patients. Many of 
our regional hospitals decided not to re-open their facilities, 
and those that remain have a drastically reduced number of 
inpatient beds.
    This reduced capacity and capability has left doctors with 
no place to admit their patients. Faced with a decreased 
population pool and no reliable source of income, many had no 
choice but to relocate, resulting in a further damage of an 
already decimated health care system.
    It should be noted that several local and regional 
hospitals stayed open and re-opened immediately following 
Hurricane Katrina. These hospitals have incurred tremendous 
financial losses, primarily due to the number of increased 
patients of uninsured individuals seeking health care.
    While we owe a debt of gratitude to our community partners 
for assisting our citizens in a time of need, financial relief 
needs to occur for these institutions to continue to provide 
quality health care services.
    Many of our private-sector hospitals realized that rather 
quickly following Hurricane Katrina that their financial risks 
were tremendous. These institutions faced higher labor costs, 
higher insurance costs, higher provider cost, higher uninsured 
numbers, and higher construction costs.
    It was evident that if they re-opened that they would be 
likely to lose millions of dollars. Hence, four of our regional 
health care facilities have decided not to re-open.
    As mentioned earlier, in providing care in the increasing 
indigent and uninsured population, due to dislocation, job 
loss, and other financial woes stemming from the disaster, has 
been one of the greatest financial liabilities in our private 
hospital facilities.
    Federal laws require emergency departments to accept and 
treat patients regardless of their financial capability. With 
the collapse of a State-run charity system immediately after 
the hurricane, private hospitals were forced to assume the care 
of the uninsured.
    Some compensation for these services was provided by the 
State at a later date, however, but according to many CEOs it 
has been late in coming and woefully inadequate.
    Following Hurricane Katrina, there was no readily 
accessible database of patient health information available to 
providers. But we would like to thank the American Medical 
Association and other organizations who put together a database 
that enabled patients to access their pharmacy information and 
get badly needed prescriptions filled.
    While this database proved to be an invaluable service, 
much more health information is needed in a disaster situation 
in order to provide excellent care to our citizens.
    So we have just basically three solutions, starting with 
the patients. It would be great to develop a national 
continuity of care record system, which would allow patients to 
access critical health care information at the time of a 
disaster.
    Entrepreneurs have also identified this and are flooding 
the market with various forms of mobile personal data archiving 
systems. While many health care provider associations have 
agreed to the critical fields in a continuity of care record, a 
federally standardized approach is warranted.
    One must ask: Why we can access our e-mail accounts, 
banking information, and other critical data while we are 
abroad, but no such means for accessing our medical data 
exists?
    No. 2, for our providers, some of our action reviews that 
were performed after Hurricane Katrina response cited a need 
for a mechanism where providers can easily access across State 
boundaries in a response to a disaster.
    An avenue for expediting medical licenses and 
certifications needs to be in place to facilitate the 
credentialing and responding health care providers. A national 
practitioner database could be used to meet this goal.
    While we are aware of the Department of Health and Human 
Services, that they created the Emergency System for Advance 
Registration of Volunteer Health Professionals in response to 
9/11, we need more emphasis linking various States, because 
this is primarily a State-run program. We need a national 
registry of providers.
    For the hospitals, the health care community is pleading 
for a more reliable and predictable reimbursement mechanism for 
providers and hospitals that respond to a disaster, as declared 
by the president.
    The private sector must also have some assurances upfront 
that they will be reimbursed for their contributions. Health 
care services can be quite costly, and the health care 
community should not be expected to absorb all of the expenses 
incurred after a disaster.
    For example, Medicaid payments should be made portable 
during the time of a declared disaster so that health providers 
in another State----
    Ms. Jackson Lee. Mr. Stephens, if you could--I don't know 
how much more you have. If you could summarize for us, please. 
Thank you.
    Dr. Stephens. Yes. The other stats would basically give 
full faith and credit to their whole State Medicaid insurance 
card.
    Finally, we do acknowledge that we have a whole lot of 
initiatives organized and authorized by Congress in the UASI 
and the metropolitan response system. They are underfunded, and 
we will suggest that they will be continued funding for the 
local and State agencies.
    So thank you very much for allowing me time to speak, and I 
look forward to your questions.
    [The statement of Dr. Stephens follows:]
              Prepared Statement of Dr. Kevin U. Stephens
                              May 14, 2008
    Chairman Thompson, Ranking Member King, Chairwoman Jackson Lee, 
Ranking Member Lungren, and other distinguished members of the 
committee and panel: I am Dr. Kevin U. Stephens, Director of the New 
Orleans Health Department. New Orleans is one of America's most beloved 
and culturally distinctive cities, but as you are all aware, it is 
facing the challenge of recovering and rebuilding after the worst 
natural and man-made disaster to occur in the United States of America.
    Please know that I speak for our entire community when I say that 
we are grateful for all that you in Congress and that the people of the 
United States have done to help us recover from Hurricane Katrina and 
the subsequent flooding. We truly appreciate your continued concern 
about our progress in caring for our citizens while we work diligently 
toward resolving our longer-term recovery challenges.
    Thank you for providing an opportunity for us to share with the 
committee our unique perspective on the concept and implementation of 
resilience--particularly regarding the critical healthcare 
infrastructure of a community. Being resilient means having the ability 
to withstand a blow and to bounce back--a capacity that must be built 
on an already solid foundation. Our community suffered a catastrophic 
disaster that destroyed much of its private and public healthcare 
infrastructure when the levees broke, flooding 80 percent of the land 
area of our city. We continue to struggle to rebuild the healthcare 
foundation and cover the basic medical needs of our citizens. We still 
have excessive waits at our emergency rooms, a shortage of mental 
health inpatient beds, a lack of primary care clinics to provide day-
to-day healthcare for the indigent and uninsured, and minimal medical 
surge capacity, even though we are ranked high in vulnerability for 
terrorism and natural disasters.
    Below are some of the major challenges we have encountered to 
building resilience in the Greater New Orleans Healthcare community, as 
well as suggested solutions.
                               challenges
    One of the challenges to recovery and building resilience that 
plagues our healthcare providers is the duality they face as victims as 
well as responders in a critically needed system. It is quite difficult 
to play both of these roles simultaneously. Many of our providers lost 
everything, including their offices, medical diagnostic equipment, 
medical and financial records, and their homes. Provisions must be made 
for providers to resolve their personal difficulties before they can 
begin to provide critically needed services.
    Even for those providers and institutions left standing after the 
disaster, a significant number experienced loss of revenues and a 
scattering of their patients. Many of our regional hospitals decided 
not to reopen their facilities and those that remain have a drastically 
reduced number of inpatient beds. This reduced capability has left the 
doctors with no place to admit their patients. Faced with a decreased 
population pool and no reliable source of income, many had no choice 
but to relocate, resulting in further damage to an already decimated 
healthcare system.
    It should be noted that several local and regional hospitals either 
stayed open or reopened immediately following Hurricane Katrina. These 
hospitals have incurred tremendous financial losses primarily due to 
the increased number of uninsured individuals seeking healthcare. While 
we owe a debt of gratitude to our community partners for assisting our 
citizens in a time of need, financial relief needs to occur in order 
for these institutions to continue to provide quality healthcare 
service.
    Many of our private sector hospitals realized rather quickly 
following Hurricane Katrina that their financial risks were tremendous. 
These institutions faced higher labor costs, higher insurance costs, 
loss of providers, higher uninsured numbers and higher construction 
costs. It was evident that if they reopened, they were very likely to 
lose millions of dollars. Hence, four of our regional healthcare 
facilities have decided not to reopen.
    As mentioned earlier, providing care to the increasing indigent and 
uninsured population (due to dislocation, job loss and other financial 
woes stemming from the disaster) has been one of the greatest financial 
liabilities to our private hospital facilities. Federal laws require 
Emergency Departments to accept and treat patients regardless of their 
financial capability. With the collapse of the State-run ``Charity'' 
system immediately after the hurricane, private hospitals were forced 
to assume the care of the uninsured. Some compensation for these 
services was provided by the State at a later date, but according to 
many CEOs it has been late in coming and woefully inadequate.
    Following Hurricane Katrina, there was no readily accessible 
database of patient health information available to providers. We would 
like to thank the American Medical Association (AMA) and other 
organizations that put together a database that enabled patients to 
access their pharmacy information and get badly needed prescriptions 
filled. While this database proved to be an invaluable service, much 
more health information is needed in a disaster situation in order to 
provide excellent care to evacuated citizens.
                               solutions
    Some of the after-action reviews that were performed on the 
Hurricane Katrina response cited the need for a mechanism where 
providers can easily cross State boundaries in response to a disaster. 
An avenue for expediting medical licenses and certifications needs to 
be in place to facilitate the credentialing of responding healthcare 
providers. A national practitioner database could be used to meet this 
goal. While we are aware that the Department of Health and Human 
Service's (HHS) created the Emergency System for Advance Registration 
of Volunteer Health Professionals (ESAR-VIP) program in response to 
September 11, more emphasis needs to be placed on the agency's ultimate 
goal of linking these various State-managed ESAR-VIP programs into one 
national database. This will ensure that healthcare providers are not 
caught in bureaucratic red tape when citizens are in need of the 
services that they can provide.
    The healthcare community is pleading for a more reliable and 
predictable reimbursement mechanism for providers and hospitals that 
respond to disasters declared by the President. The private sector must 
have some assurances up front that they will be reimbursed for their 
contributions. Healthcare services can be quite costly and the 
healthcare community should not be expected to absorb all of the 
expenses incurred. For example, Medicaid payments should be made 
portable during the time of a declared disaster so that health 
providers in another State could receive reimbursement for services 
rendered. One possible way to achieve this would be for States to give 
full faith and credit to the Medicaid insurance card from the disaster 
affected locality. The host State would allow their providers to bill 
their Medicaid program for the care of evacuees. The host State 
Medicaid program would then bill the disaster-affected State for 
reimbursement. This would also allow for evacuees to obtain medical 
care as well as medications in the event of an evacuation.
    The Nation should develop a national CCR (Continuity of Care 
Record) system which would allow patients access to critical health 
information in the time of a disaster. Entrepreneurs have also 
identified this need and are flooding the market with various forms of 
mobile personal data archiving systems. While many healthcare provider 
associations have agreed to the critical fields needed in such a 
record, a federally standardized approach is warranted. One must ask 
the question why we can access our email accounts, banking information 
and other critical data while we are abroad, but no such means for 
accessing our medical data exists.
    It is important for Congress to authorize and continue to fund the 
major grant programs that communities use to build resilience into 
their critical infrastructure. Programs such as the Urban Area Security 
Initiative (UASI), and the Metropolitan Medical Response System (MMRS) 
support medical surge capacity, mass fatality prophylaxis, and other 
key needs. Specific to the healthcare community, the Hospital 
Preparedness Program (HHP), under the U.S. Department of Health and 
Human Services, is a key provider of funding for hospitals and 
healthcare systems' all-hazards preparedness and response capability. 
During the past five funding years of the HPP grant, significant 
improvements have been made in our area regarding interoperable 
communication, surge capacity, decontamination capabilities, training, 
and education. It is important to note that funding for these programs 
has been reduced and their existence is constantly threatened every 
budget year. For our community, the current allocation of funds for 
healthcare preparedness as well as additional financial support is 
needed to bring our healthcare infrastructure back.
    We also advocate that Congress make provision for communities hit 
by catastrophic disasters to have automatic access to funding to 
rebuild what is lost or damaged by a disaster. Our Office of Emergency 
Preparedness is faced with the daunting task of redeveloping our 
medical surge, decontamination, triage and pre-hospital treatment 
capabilities utilizing the MMRS grant. Many of the non-disposable items 
that were purchased by this grant to support the 11 Target Capability 
Focus Areas, outlined in the MMRS grant guidance document, were either 
utilized or destroyed during the aftermath of Hurricane Katrina. 
Additional grant dollars would greatly assist this initiative to return 
our city's level of preparedness to our pre-Katrina standards.
                               conclusion
    Ladies and gentlemen, thank you for allowing me to speak with you 
on the status of our recovery and the challenges we and the Nation face 
to make our homeland more resilient. I believe the proposals outlined 
in this document will accelerate our recovery and assist others to 
rebound faster and more effectively after a disaster of catastrophic 
proportions. We thank you, the Homeland Security Committee, the 
Subcommittee on Transportation Security and Infrastructure Protection 
and Congress, for your continued support as we rebuild our city and 
region. Though we still face historic challenges, we are hopeful that 
with your assistance, we can solve the remaining problems and build a 
better and stronger community for everyone.

    Ms. Jackson Lee. I thank you very much for your testimony. 
I thank all the witnesses for their testimony.
    I remind each member that he or she will have 5 minutes to 
question the panel.
    I now recognize myself for 5 minutes.
    Assistant Secretary Stephan, we hear the number 85 percent 
over and over again of the critical infrastructure that is 
owned and operated by the private sector. Among that 85 
percent, with what percentage of the Department continuously 
engage for critical infrastructure security purposes?
    Because many of these assets are not regulated for security 
purposes, what is the business case the Department makes to 
these entities to secure their assets? What are the carrots you 
use to get them to do the right things?
    Do you encourage the private sector to be resilient and be 
able to bounce back to effective operations? How do you do 
that?
    Colonel Stephan. Yes, ma'am. To answer your first question, 
I do not have an exact percentage for you, but we routinely 
engage with all 17--actually, now 18 critical infrastructure 
sectors that are defined in the National Infrastructure 
Protection Plan from communications, electricity, oil and gas, 
I.T., transportation, you name it.
    We have sustained governance mechanism that allows very 
frequent meetings between our different entities, as well as an 
information sharing, where virtually every day we are passing 
either threat information or operationally-related information, 
based upon what is happening with our infrastructures on a 
daily basis, train derailments, bridges collapsing, the 
wildfires in California and Florida that we are monitoring 
today, ongoing activities and relationships.
    Resiliency is built in as part of our organizing framework, 
in terms of national level documents that we have built in 
voluntary partnership with the private sector over the past 3 
years, all the way down to our facility-level security plans 
and buffer zone security plans that resiliency, redundancy, 
robustness, redundant command post-type considerations that are 
built into those frameworks.
    The other piece on incentivization, as Congressman Lungren 
pointed out, the threat piece is key. We can bring a lot of 
people to the table with respect to providing them information 
on what exactly the threat is.
    If we have an emerging, credible threat in the sector, we 
do everything we can to develop tearline information with the 
intelligence community, get it into the hands of the owners and 
operators.
    Where we don't have that type of information, we have got a 
special team of analysts in my shop, and Charlie Allen's shop, 
that work on lessons learned from abroad. If the terrorists 
start attacking hotels and discos and transit systems here, 
they are certainly doing it abroad almost every day somewhere. 
Iraq, Afghanistan, Indonesia, Jordan, Egypt, you name it, there 
they are.
    We are capturing those lessons learned, learning the 
techniques and procedures, and exporting that information 
across our private-sector information network.
    Ms. Jackson Lee. Let me quickly ask another question. You 
have submitted a lot of documents. Do you have an internal 
white paper or managerial directive dealing with infrastructure 
protection that define resiliency and how it is going to be 
implemented?
    If you have those, we would like to have those submitted to 
the committee.
    Colonel Stephan. Yes, ma'am. The definitions of protection 
and resiliency and all of its other components are included in 
the National Infrastructure Protection Plan that I have 
provided or brought with me today to submit to the committee.
    Ms. Jackson Lee. Do you have how it can be implemented? Is 
that----
    Colonel Stephan. Ma'am, it is all part and parcel of the 
framework. For me, this is all about trying to drive--not you, 
not members of this committee, but there are academics and 
think-tanks out there that would like to drive a wedge and 
cause us to make a choice between protection, prevention, and 
the response and recovery side, or the resiliency side.
    I would argue, as I heard you also argue, ma'am, in your 
opening testimony, there isn't a choice to make. It is how do 
we combine the two imperatives, how do we blend them? On the 
prevention and protection side, we have to do it on a risk-
based approach or else we could be spending a lot of resources, 
a lot of money in areas that don't provide bang for the buck.
    We are not for that. Risk-based approach to the upfront 
components, combined with the capability to absorb a strike and 
respond adequately, that is what this Nation is all about.
    Ms. Jackson Lee. Well, let me get Mr. Czerwinski and Mr. 
Johnson, Mr. Raisch, to respond to that.
    Mr. Czerwinski.
    Mr. Czerwinski. Thank you, Madam Chairwoman. The Assistant 
Secretary makes a very clear and important point, that is, that 
the balance is critical.
    The way in which resilience ought to be considered in this 
context of the private sector is that risk has changed to the 
point where prevention, yes, is critical and protection is 
indispensable, but the resilience component has to evolve to 
reflect the interconnectivity between the different sectors 
themselves, so that, as we go through the process of educating 
the sectors about the threats that they face and the risks that 
are peculiar to those different sectors, the other side of the 
coin is for us to identify the ways in which these different 
sectors are actually interdependent themselves.
    I know there are already efforts underway in this domain. 
But there could be a great deal that we could gain from a 
framework that might develop the information-sharing to the 
next level, such that there is different kind of resiliencies 
evolved.
    The redundancy is a part of it that the Federal Government 
has to embrace, but the redundancy is not the sort of thing the 
private sector is going to be too enthusiastic about. So there 
is still some opportunity to drill into that.
    Ms. Jackson Lee. You think that the Federal Government can 
do a better job?
    Mr. Czerwinski. Well, I am an American citizen. I always 
think the American government can do a better job. But I think 
the--I think the Department of Homeland Security has been given 
the authority and freedom to work with the private sector and 
has created some engagement mechanisms that enable that. We 
participate in some of them at IBM.
    The way in which the opportunity resides, though, I think, 
is actually to look at this framework that embraces a broader 
picture of human capital technology and governance, not just 
threat information.
    Ms. Jackson Lee. If we can't get the private sector to give 
us a good give-and-take, Mr. Czerwinski, we can't get to a 
better product.
    So, Mr. Johnson, please don't hold back. We are not here to 
sugarcoat, nor are we here to suggest that Colonel Stephan does 
not have a strong constitution and can accept constructive 
criticism. So we would like to see what your thoughts are, 
please.
    Mr. Johnson.
    Mr. Johnson. Thank you, Madam Chair.
    The issue of resiliency in the financial services sector is 
one that is longstanding. In fact, we are, in some ways, a bit 
of a unique sector in that, in order to efficiently operate, 
every one of the competitors in our private sector must trust 
each other to operate efficiently as we pass money around the 
system. Indeed, it goes out beyond the United States.
    So resiliency is really core to what we do, and we are only 
as strong as our weakest link. So we have to always ensure that 
we are resilient in what it is we do, because we are so 
interconnected.
    That is different, potentially, in other sectors. As far as 
what the public sector can do or do better, I don't have a 
strong point of view that that is anything that needs to be 
done in addition. I think most of what I see is the private-
sector organizations realizing how important resiliency is in 
what it is we do every day and spending money because it is the 
right thing to do.
    Ms. Jackson Lee. Is that the industry spending money?
    Mr. Johnson. That is the industry spending money.
    Ms. Jackson Lee. Can the government do more in assisting 
that? Is there the interaction between the government on 
resiliency with the private sector from the financial services' 
perspective?
    Mr. Johnson. On financial services, there is a great 
relationship between us and our sector-specific agency, which 
is the U.S. Treasury. Lots of discussions about, as Secretary 
Stephan said, a prioritization on the front end, or risk 
assessment on the front end for protection, as well as a 
resiliency perspective on day-to-day operations.
    Ms. Jackson Lee. Well, can you point us to written 
documents where you have received from the U.S. Department of 
Treasury that focuses on resiliency? Do you have those?
    Mr. Johnson. I do not have those with me, no, but I can 
provide you guidance that comes from the Federal Government, as 
well as our sector-specific plan--thank you, Secretary 
Stephan--which articulates across the entire sector, from 
banking to insurance.
    Ms. Jackson Lee. Well, let me do this. I mean, a document 
that has already been submitted into the record is fine. The 
question is whether there is interaction that focuses on 
resilience.
    Let me yield to Mr. Raisch. I thank you for your answer, so 
I can yield to the distinguished ranking member from 
California.
    Mr. Raisch. Thank you, Chairwoman.
    A few very brief comments. I would say, firstly, I don't 
think it is an either-or, prevention versus resiliency. This is 
a continuum. I mean----
    Ms. Jackson Lee. We agree on that.
    Mr. Raisch. Got that.
    Ms. Jackson Lee. But we want to know whether the Federal 
Government can do better. That is what we would like to hear.
    Mr. Raisch. Certainly, and I would think the Assistant 
Secretary would agree, we can always improve.
    Ms. Jackson Lee. The secretary is not the singular 
representation of the Federal Government. So I know you are 
sensitive to his presence on the panel.
    Mr. Raisch. Very good. I think we can all do more to 
leverage the economic rationale. We can call for business and 
government to do--to be more prepared. Quite frankly, that is 
right up there with apple pie, mom and pop, and so forth.
    At a certain point, businesses have a responsibility to 
their stakeholders to essentially make rational economic 
choices. As such, I think DHS and other elements of government, 
Congress included, can help clarify some of the business case 
incentives, develop, perhaps, new ones.
    As I mentioned in my testimony before, I think this 
certification program that was recently passed has an 
opportunity to link good practice with direct economic benefits 
in a way that has not happened in the past. We have directly 
worked in the past with elements of, if you will, the external 
stakeholders, those being insurance, rating agency, legal 
liability community.
    Many of them are disposed towards acknowledging resiliency, 
but have not had an effective measure to date to acknowledge 
it. If you can't acknowledge it or measure it, you can't reward 
it.
    So I think there is a real opportunity in moving forward 
this voluntary certification program, particularly with an 
emphasis towards economic value to business.
    Ms. Jackson Lee. I thank you.
    Dr. Stephens, I am going to hold my questions for you.
    I yield to the distinguished gentleman for his time of 
questioning from California.
    Mr. Lungren. Thank you very much.
    I think the panel is to be commended for resisting the 
temptation to treat Colonel Stephan as a pinata here.
    Colonel, I happen to think that you have done a very good 
job and the Department has done a good job in launching this 
effort. That is what we have done: We have launched the effort. 
There still remains a lot to be done.
    Mr. Johnson, you made a very obvious point, but something 
that we often overlook. The very nature of the financial 
services industry is one of dependence on resilience. I mean, 
if you go down for a day or two, your business essentially has 
been drastically punished or suffered. I would say the same 
thing with the communications industry, for instance.
    But when we get into some of the other industries, I don't 
think the resilience aspect is as obvious and, therefore, as 
obvious to the bottom line and, therefore, as justifiable to 
shareholders. It seems to me that is the nexus that we need to 
sort of reach.
    So let me posit this question to you, Mr. Raisch. Is that 
the proper way to pronounce Mr. Raisch?
    Mr. Raisch. Yes.
    Mr. Lungren. Mr. Czerwinski.
    Let's presume the government--the answer is not going to be 
a lot more government money. Let's just set that aside, because 
that is an easy one to say. ``Well, we will give you more 
grants. We will do this.''
    Setting aside money, what are the kinds of things that can 
most effectively, efficiently and quickly allow that kind of 
economic value to be realized by sectors other than the 
financial services sector or the communications sector?
    I mean, what are the keys to getting other parts of 
American industry to have resilience as a part of--and it is 
more than resilience, it is also protection and prevention from 
terrorist attack or natural disaster?
    Mr. Czerwinski. Well, I will go first. Thank you for that 
question. This gets to the real critical point, which is, how 
does this issue become portable across different sectors?
    What we tried to look at, actually, was the cargo 
container, flow of cargo and container traffic across maritime, 
for example, if you were to take that, you could look at this 
from a double bottom-line concept, where there is a way in 
which you could find economic efficiencies to create better 
system visibility, that is, understand what is going on from 
end to end for a container cargo ship.
    That is obviously useful from a regular bottom-line 
perspective, because it gives you the understanding of where 
disruptions exist or inefficiencies are.
    But if you look at this from a double bottom-line, that is, 
the resiliency component, that same system visibility--which, 
by the way, is never perfect, and usually that information 
resides in different sectors--could also enable this 
decisionmaker to say, ``This disruption is actually unique. 
This is not a situation where we are looking at a derailment of 
a certain cargo, but we are looking at something completely 
new.''
    Without the ability to have that visibility, that 
decisionmaker wouldn't be able to say, ``We need to react 
differently,'' or, ``We need to re-route this,'' just taking 
the cargo one, for example. So in that case, you could have 
both resiliency and efficiency resulting in a double bottom-
line.
    I hope that answers your question.
    Mr. Lungren. Mr. Raisch.
    Mr. Raisch. In reference to really the governmental role 
that can add a new equation to this, I think--let's look at 
businesses. They are organized as individual organizations and, 
as such, that is their focus primarily.
    I think government can bring a wider perspective. I think 
we have touched on some other issues where we looked at 
critical dependencies across sectors and across businesses and 
so forth.
    The reality of this is, right now, globalization is most 
compelling bottom-line argument for a lot of resilience. 
Organizations that we deal with daily have supply chains that 
reach from here through Mumbai in India to Shanghai and back 
again.
    As such, I think businesses are learning the lesson, to the 
extent they have a wider geographic footprint, if you will, for 
any one adversity, whether the manmade or natural disasters to 
occur.
    But I think government can play a role in perhaps 
distilling some of those lessons, reinforcing also the ability 
to cross-pollinate across various elements of business. There 
is a lot of good learning that has happened, particularly in 
the critical infrastructure areas, under Assistant Secretary 
Stephan, but also, quite frankly, I think cross-pollination 
across those sectors, those 18 sectors now, can be facilitated.
    I think the ability to, again, communicate in some common 
elements of preparedness, defining, if you will, as I mentioned 
earlier, that Rosetta Stone. I think this--again, getting back 
to this certification program, I think that offers a tremendous 
opportunity to do so.
    So I think facilitating crosspollination across various 
sectors, so we are sharing our insights in an effective manner, 
providing an understanding of the societal dependencies, that 
certainly the experience in New Orleans underscored 
dramatically, that no company, no entity, no household is an 
island, and, in fact, we are all very much integrated.
    I think that is very much a governmental role in that 
respect and one that, I think, provide assistance. The other 
thing, I think, on a low-cost basis, I think the provision of 
some common tools, based upon those key elements, preparedness.
    In this electronic environment--and there are some good 
things being done now on ready.gov, but I think we can move 
forward and have a truly robust resource from an electronic or 
Web-based environment that facilitates business preparedness 
across the Nation.
    Mr. Lungren. Dr. Stephens, I asked the others not to 
consider money, but I want to change that with respect to a 
question for you, and that is that, on the Federal side, we 
have, in terms of the reimbursement we give to hospitals and 
medical institutions, factored in a number of different things. 
We have factored in and factored out costs of education, 
training, et cetera.
    Is there, on the part of the Federal Government, in terms 
of reimbursement for expenses by medical institutions, 
particularly hospitals, any consideration at the present time 
of the resiliency factor, and particularly, if we do an 
analysis of a hospital, and we try and analyze whether or not 
there are sufficient beds to take care of a pandemic or other 
natural disaster?
    Dr. Stephens. No, unfortunately, we don't take that into 
consideration, in terms of resiliency. In New Orleans 
particularly, we are so busy trying to just mine day-to-day 
that to get to resilient is not high on the radar.
    I think it should be, though, because I think that the 
ability to respond in the midst of a disaster is dependent upon 
your ability to have resilience.
    Mr. Lungren. See, I recall over about a 25- or 30-year 
period of time Federal Government decisionmaking drove 
hospitals to be more ``efficient'' and, in the process, we 
actually caused hospitals to reduce the number of available 
beds they had.
    One of the ways we did that was making sure the patients 
got up sooner, rather than later. I have seen it in communities 
across America.
    We prided ourselves on making our health care system more 
efficient, and one of the indices was, hey, we have fewer beds 
sitting out there. That is great, unless you need the beds.
    So I think one of the things we have to deal with from a 
governmental standpoint is, as we have tried to make the 
medical system more efficient, we have created conditions that, 
if we have a tremendous impact on a health care system in a 
particular area, we don't have the infrastructure we had 40 
years ago when we had so many beds available. I am not sure we 
have totally dealt with that question.
    Dr. Stephens. Your point is highlighted with the mental 
health beds. You not only in New Orleans, in the State of 
Louisiana, we have basically zero availability of mental health 
beds, so our patients have to be transferred out-of-State to 
get resources. That is private and public, so that point is 
well taken.
    Mr. Lungren. I yield back the balance of my time. Thank 
you.
    Ms. Jackson Lee. I thank the gentleman and yield myself an 
additional 5 minutes.
    Dr. Stephens, can you tell me how many hospitals, public 
and private, were in New Orleans prior to Hurricane Katrina?
    Dr. Stephens. Approximately 11.
    Ms. Jackson Lee. What do you have now?
    Dr. Stephens. Open, we have four.
    Ms. Jackson Lee. Okay. Do you have a public Charity 
Hospital open?
    Dr. Stephens. Yes, we do. We have University Hospital, 
which is our Charity Hospital.
    Ms. Jackson Lee. The hospital--one of the hospitals that 
was open before that is now closed, was that a Charity 
Hospital? You indicate you had 11; there are now four.
    Dr. Stephens. Yes. One of the hospitals--Charity Hospital 
has had two hospitals, University, and the old Charity, as we 
knew it.
    Ms. Jackson Lee. It was open prior to----
    Dr. Stephens. Yes, they both were open.
    Ms. Jackson Lee [continuing]. Katrina?
    Dr. Stephens. Now, only the University Hospital, which has, 
as I understand it, maybe 200 beds is open now.
    Ms. Jackson Lee. I didn't hear you. Pardon me?
    Dr. Stephens. University, University Hospital.
    Ms. Jackson Lee. Has how many beds?
    Dr. Stephens. Two hundred.
    Ms. Jackson Lee. How many did Charity have?
    Dr. Stephens. Totally, they had 539, as I recall.
    Ms. Jackson Lee. Is that building still standing?
    Dr. Stephens. It is still standing.
    Ms. Jackson Lee. All right. So, in actuality, if we looked 
at the practicalness of what has happened, you had 11 hospitals 
pre-Hurricane Katrina, is that correct?
    Dr. Stephens. That is correct.
    Ms. Jackson Lee. You now have four?
    Dr. Stephens. Correct.
    Ms. Jackson Lee. Now, one could put on the record that you 
obviously have had a decrease in population, but I assume that 
every effort that the city government is making and corporate 
fathers and mothers are to build back your population by many 
returning New Orleanians?
    Dr. Stephens. Correct.
    Ms. Jackson Lee [continuing]. People from New Orleans, is 
that correct?
    Dr. Stephens. That is correct.
    Ms. Jackson Lee. So, in essence, if you were to go back to 
full capacity of your population, you would have and may have 
now a health crisis?
    Dr. Stephens. We do. We currently have a--in fact, to go 
from beds, we had 2,250 beds available in New Orleans before 
Katrina. Now we have less than 1,000 available.
    Ms. Jackson Lee. There was a MASH unit that was in, I 
believe, the Hyatt. Has that been closed?
    Dr. Stephens. Yes, it has been.
    Ms. Jackson Lee. Where do those patients now go?
    Dr. Stephens. To the University Hospital system, which is 
the 200-bed facility that I mentioned.
    Ms. Jackson Lee. Would you suggest that your health system 
is at capacity or even beyond?
    Dr. Stephens. Yes, we are bursting at the seams. We have 
basically no available beds anywhere in the city.
    Ms. Jackson Lee. So what could have been--and you have made 
your appropriate statements. We thank you for recognizing the 
hard work of this Congress in a bipartisan way. We accept that.
    But what could have been more effective from a resilience 
perspective, one, as you look at it, as a medical professional, 
what could have been done pre-Katrina, but now, as we look at 
post-Katrina, resilience also is the ability to get back in 
operation?
    Where did the resilience aspect of fixing the health care 
system in New Orleans fall after Hurricane Katrina? What was 
missing to put you in near-capacity?
    Dr. Stephens. Well, I think the big thing is reimbursement, 
the predictability and reliability of reimbursement.
    We had several hospitals that opened up, but we couldn't 
tell them, for the uninsured, when our Charity Hospital system 
closed, we had a lot of uninsured patients that would show up 
at your doorstep.
    There was no predictable, reliable way that hospitals would 
know, ``If I treated this person, I would get $1 or anything 
for treatment of this patient,'' because--laws require that, if 
somebody shows up in your emergency room, you have to see them, 
but there are no revenues associated with that treatment.
    So without having a predictable, reliable source of income, 
the private-sector hospitals chose not to open, because the 
hospitals that stayed open--I think I heard like $135 million 
was lost last year among five hospitals that were open.
    So without a predictable, reliable source of income, the 
private sector says they are for-profit, they have to show----
    Ms. Jackson Lee. But there is an aspect to resiliency that 
deals with a revenue stream.
    Dr. Stephens. Absolutely.
    Ms. Jackson Lee. So, if we were to look at that sector, we 
need to be assured that we have an immediate revenue stream or 
some bridge that would keep them going?
    Dr. Stephens. Absolutely.
    Ms. Jackson Lee. What was the difficulty in opening--what 
was the missing resiliency that would allow you to have opened 
the other Charity Hospital with 539 beds?
    Dr. Stephens. Well, the other Charity Hospital, as I 
understand it, from the flooding, we had structural integrity 
problems. In fact, there is a group now--looking at that 
facility to see what impediments are preventing this one from 
being opened or not.
    But it was an old facility, grant you. They had many 
problems. But I am not really sure. That is a very hot potato, 
if you will.
    Ms. Jackson Lee. But there was no capacity for you to sign 
or to collaborate to have other resources to immediately find a 
substitute location for those 539 beds?
    Dr. Stephens. That is correct.
    Ms. Jackson Lee. So there was a crack in the resiliency, 
the start-up of getting back to where you were?
    Dr. Stephens. Bigger than a crack.
    Ms. Jackson Lee. Okay.
    Let me pose a question to you, Mr. Czerwinski. Your 
testimony clearly states that a resilience-based approach to 
disruptions, including intentional human-made attacks, is a 
company's best interests. How broadly practiced is such an 
approach within the private sector? How can it be promoted?
    As Colonel Stephan is not a good pinata, I hope that you 
will give us a good critique of what we may do better in the 
Federal Government in answering the question.
    Mr. Czerwinski. Understood. Thank you, Madam Chairwoman.
    Is it the case that the entire private sector embraces this 
idea that resilience is in their economic interest? Likely not.
    However, there is no doubt that the current efforts at the 
Department of Homeland Security to engage these separate 18 
sectors to communicate to them the importance of understanding 
the threats that face them and the ways in which they can 
protect themselves is sinking in.
    There is no question that there are some sectors that are 
absolutely more receptive to this than others. The financial 
services sector, let's say, or the I.T. sector, they understand 
their vulnerability and their criticality.
    However, the next step beyond that is to be even more 
proactive to suggest that, in fact, there is a way we can 
bridge these different sectors to identify where these sectors 
are dependent upon one another. If we can do that, we can 
identify a different level of vulnerability that is no doubt 
part and parcel of the 21st century type of risk we are facing.
    How that would be incentivized could be taken in a few 
different ways. One would be to provide a framework that 
allowed these private-sector participants to gain some 
different kind of treatment, let's say, when it interfaces with 
the government.
    Customs and Border Protection does this now, where they 
work with multiple different sectors in their automated customs 
environment. They share information across different sectors. 
They, therefore, facilitate the flow of travel.
    What that also provides them is the ability to see any sort 
of aberrations that may be threats themselves.
    Ms. Jackson Lee. Let me ask Mr. Raisch, does he have any 
examples through his research of companies who have done a good 
job at resilience? In your certification pilot or idea, does 
there need to be assessments--I hate to use the word punitive 
measures--but does there need to be a stronger assessment of 
whether or not there is a resilient plan?
    Does there need to be some punitive measures, some fines 
assessed for those who don't have them? Is it that important?
    You need to use as a backdrop Dr. Stephens, who indicated 
that pre-Katrina there were 11 hospitals. There are now four in 
New Orleans.
    Mr. Raisch. Clearly----
    Ms. Jackson Lee. Some of that is private, and some of that 
is public, and we understand the challenges. But just use it as 
a backdrop, that there was a problem with being resilient in 
New Orleans in the medical sector, and so if you would respond.
    Mr. Raisch. You bring in a very good point, assessment. I 
mean, the question, as I think someone else mentioned earlier, 
the issue is, what is preparedness or how much preparedness do 
we need?
    It is a difficult situation to assess, just given the fact 
that many of us have different other operation 
responsibilities. Nonetheless, speaking to your issue of 
assessment, I think there is an opportunity, utilizing existing 
private-sector standards, to assess the level of preparedness.
    These are standards that developed through common practice 
over the course of many years, input by corporations, 
professionals in this area. So I think the criteria exist 
currently to define effective preparedness.
    The 9/11 Commission in particular recommended a particular 
standard in SK 1600 that was developed some--I guess early 
1990s--as one of those standards. There are other ones out 
there, as well.
    But what has been lacking in the past is a measurement 
methodology. That is what, essentially, the legislation that 
this Congress passed--I am sorry, last Congress passed in 2007, 
and the focus there specifically was on one of developing an 
assessment methodology that was built upon existing historical 
experience.
    In the world of business, there is quality management. ISO 
9000 is a type of certification manufacturers have gotten since 
the early, the mid-1980s, when quality was a problem in our 
manufacturing firms. We can leverage that, and I think that is 
what this program offers in the way of potential.
    Relative to your other issues, I think you have 
specifically focused on, what can government do better, and 
particularly what can DHS do better?
    I think the opportunity to be a convener--we don't have all 
the answers at this table. There are very learned individuals 
here, without doubt. I would like to say that there are pearls 
of wisdom that would roll out of each of our lips.
    At the same time, I think the answer probably is resident 
out there. I think, just as this committee is convening 
experts, I think DHS could do a--increase its activities in 
convening, but convening with a specific focus, not only what 
should be done, but why should it be done, really getting 
Congress, congressional representation there, as well, to look 
at what both legislative issues, as well as market-based 
incentives are important.
    We can't just look for these. We need, in some cases, to 
create them. By bringing together private sector, bringing 
together, I think, the congressional and legislative branch, 
and the executive branch, I think there is an opportunity, 
perhaps, to really define some, if you will, bottom-line 
rationale and develop it over time.
    Ms. Jackson Lee. So you don't think the certification 
should have a fine component to it?
    Mr. Raisch. Well, I think it is unrealistic at this point. 
Quite frankly, I don't think there is the political will to 
move this to a mandatory stage.
    I think, quite frankly, though, there is a market-based 
punitive element to it, to the extent--let's give supply chains 
as an example. Many corporations out there right now, for their 
critical suppliers--we have financial services here as an 
example--they are regulated already to bring their offices up 
and their operations up within 4 hours, many of them my primary 
market-maker.
    At the same time, for them to do that, they need critical 
suppliers, in I.T., in telecom, in other elements of power 
generation. They are looking, in many cases, for tools, a 
measurement that would allow them to define whether or not 
those particular suppliers in their supply chain can be there 
for them when they are needed.
    Now, if there is an effective measure out there and if 
their suppliers that they are currently using don't meet that 
measure, then you are going to see an economic impact, an 
economic punitive, if you will, element, that will suggest, 
``Jeez, if you are not prepared, I am going to go with this 
other entity over here that has validated its preparedness 
efforts.''
    This was done in the manufacturing industry, again, with 
quality management. It is done in environmental management. So 
I think there is good precedent there.
    I think we should look for--the opportunity here is for 
government to be a convener and, if you will, to be a catalyst 
in creating and accessing this in the way of bottom-line 
incentives.
    Ms. Jackson Lee. Let me--I ask unanimous consent to move 
without a quorum--let me continue the other questioning. We are 
moving toward the floor for a vote.
    Mr. Johnson, the financial services industry, because of 
Wall Street, I think, showed itself very much in tune with 
resilience. Is there one singular aspect of what happened 
during that time frame and what you have done since that you 
think is very important for us to have on the record as it 
relates to resilience and as you have seen it in the financial 
services industry?
    Mr. Johnson. Thank you, Madam Chairman. I would say one 
thing that we have done and continue to do is test. I think if 
there is one lesson learned out of 9/11 is to--you can't test 
every scenario, but you can test.
    I think that that is something that goes beyond financial 
services to, indeed, other sectors.
    Ms. Jackson Lee. So during the ongoing existence of your 
business, you are repeatedly testing your ability to be 
resilient?
    Mr. Johnson. That is absolutely correct. Whether it was 
required by a regulation or not, it is done, because all of the 
financial services companies have, if you will, a motivation to 
ensure they can continue to operate.
    If there is something that I think we have learned, testing 
does pay dividends. That would be my answer.
    Ms. Jackson Lee. Let me ask, Colonel Stephan, Secretary 
Stephan, to tell us what incentives DHS is providing to the 
public, to the public and private, private sector, to encourage 
more organizations to be resilient.
    I know the documentation reports, but what is the 
engagement? What is the thought of having a chief that deals 
particularly with assessing risk, that companies may have 
within the DHS shop?
    Colonel Stephan. Well, what we have done is--the 
infrastructure that we have identified to be most at-risk from 
various threat vectors across the country, they number about 
2,800 to 3,000. We are very focused on----
    Ms. Jackson Lee. I didn't--what is 2,800 to 3,000?
    Colonel Stephan. The infrastructures that we have 
determined to be the most at-risk across the country on a 
steady-state basis, lacking any specific----
    Ms. Jackson Lee. That is in the private sector?
    Colonel Stephan. The private sector mostly, although there 
is----
    Ms. Jackson Lee. Focused on what incentives you are giving 
them to move toward resilience?
    Colonel Stephan. Yes, ma'am. What we do is we have 
vulnerability assessment programs in concert with them, and we 
have buffer zone protection programs in concert with that. 
Where we do security planning, that facilitates interaction 
between the private-sector security folks, owners and 
operators, and local, State law enforcement and National Guard.
    The incentive there is that, with DHS facilitation, we 
build a team of security and resiliency. Resiliency is 
embedded, built into the security plan template--so is cyber 
security, for that matter--rolling in there and facilitating 
the interaction and getting the private sector, local law 
enforcement, State law enforcement and the National Guard to 
pony up to the plate based upon this nucleus of critical 
individual facilities, assets, systems and networks that we 
work together to identify.
    That is one example. The exercise piece, bringing people 
together very routinely, whether it is tabletop or full-scale 
boots on the ground activity, like we did last week, we have 
invited private-sector folks inside our National Infrastructure 
Coordinating Center for the first time last week, during our 
big national-level continuity of operations exercise, figuring 
out the resiliency piece, the security requirements, the 
information-sharing requirements, who needs what, based upon 
what type of disaster.
    Last week, we dealt with the double-headed monster of a 
terrorism attack, as well as a major Category 4 hurricane 
hitting the national capital region.
    Ms. Jackson Lee. Mr. Secretary, let me ask that in writing 
if you will focus on--and I have heard the sort of give-and-
take, and I think that we will ask staff to review closely the 
documents that you are submitting--but if you can give some 
particular corporate examples where DHS has interacted and, in 
the letter, writing of companies that are under a particular 
sector, showing the incentives and showing the give-and-take, 
and seeing the progress of resiliency being built under our 
present structure, I would appreciate it.
    Colonel Stephan. We would be happy to do that.
    Ms. Jackson Lee. I want the record to be clear that 
Assistant Secretary Stephan is here, but he doesn't represent 
the wholeness of America, the wholeness of the Department of 
Homeland Security, though we appreciate his patriotism.
    He is well able to engage in give-and-take to make things 
better. Is that my--and I hope that that clears the record.
    Dr. Stephens, let me close by simply acknowledging your 
delegation with Melancon and Mr. Jefferson and others who have 
been diligent on working on New Orleans. We thank you.
    We expect that you will be able to give us some very good 
insight. I would ask--I know your testimony has been put in the 
record--but I would ask to be able to follow up with you on the 
reason why, beyond the revenue stream, what the Federal 
Government has not done to ensure that the resiliency of your 
public health system, such as Charity Hospital, could not be in 
place 3 years after Hurricane Katrina, particularly the 
physical plant.
    Maybe you could put that for me in writing. Would that be 
all right? I thank you so much.
    As I do for all of the witnesses, I thank them very much 
for their testimony, valuable testimony. The members of the 
subcommittee may have additional questions for the witnesses, 
and we will ask you to respond expeditiously in writing to 
those questions.
    Having no further business, the subcommittee stands 
adjourned. I will say thank each and every one of you for what 
has been an instructive, but, I am sorry, abbreviated hearing.
    Thank you very much.
    [Whereupon, at 3:50 p.m., the subcommittee was adjourned.]

                                 
