[House Hearing, 110 Congress] [From the U.S. Government Publishing Office] PRIVATE SECTOR INFORMATION SHARING: WHAT IS IT, WHO DOES IT, AND WHAT'S WORKING AT DHS? ======================================================================= HEARING before the SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK ASSESSMENT of the COMMITTEE ON HOMELAND SECURITY HOUSE OF REPRESENTATIVES ONE HUNDRED TENTH CONGRESS FIRST SESSION __________ JULY 26, 2007 __________ Serial No. 110-62 __________ Printed for the use of the Committee on Homeland Security [GRAPHIC] [TIFF OMITTED] TONGRESS.#13 Available via the World Wide Web: http://www.gpoaccess.gov/congress/ index.html __________ U.S. GOVERNMENT PRINTING OFFICE 48-957 WASHINGTON : 2009 ----------------------------------------------------------------------- For Sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512�091800 Fax: (202) 512�092104 Mail: Stop IDCC, Washington, DC 20402�0900012009 COMMITTEE ON HOMELAND SECURITY BENNIE G. THOMPSON, Mississippi, Chairman LORETTA SANCHEZ, California, PETER T. KING, New York EDWARD J. MARKEY, Massachusetts LAMAR SMITH, Texas NORMAN D. DICKS, Washington CHRISTOPHER SHAYS, Connecticut JANE HARMAN, California MARK E. SOUDER, Indiana PETER A. DeFAZIO, Oregon TOM DAVIS, Virginia NITA M. LOWEY, New York DANIEL E. LUNGREN, California ELEANOR HOLMES NORTON, District of MIKE ROGERS, Alabama Columbia BOBBY JINDAL, Louisiana ZOE LOFGREN, California DAVID G. REICHERT, Washington SHEILA JACKSON LEE, Texas MICHAEL T. McCAUL, Texas DONNA M. CHRISTENSEN, U.S. Virgin CHARLES W. DENT, Pennsylvania Islands GINNY BROWN-WAITE, Florida BOB ETHERIDGE, North Carolina MARSHA BLACKBURN, Tennessee JAMES R. LANGEVIN, Rhode Island GUS M. BILIRAKIS, Florida HENRY CUELLAR, Texas DAVID DAVIS, Tennessee CHRISTOPHER P. CARNEY, Pennsylvania YVETTE D. CLARKE, New York AL GREEN, Texas ED PERLMUTTER, Colorado Jessica Herrera-Flanigan, Staff Director & General Counsel Rosaline Cohen, Chief Counsel Michael Twinchek, Chief Clerk Robert O'Connor, Minority Staff Director ______ SUBCOMMITTEE ON INTELLIGENCE, INFORMATION SHARING, AND TERRORISM RISK ASSESSMENT JANE HARMAN, California, Chair NORMAN D. DICKS, Washington DAVID G. REICHERT, Washington JAMES R. LANGEVIN, Rhode Island CHRISTOPHER SHAYS, Connecticut CHRISTOPHER P. CARNEY, Pennsylvania CHARLES W. DENT, Pennsylvania ED PERLMUTTER, Colorado PETER T. KING, New York (Ex BENNIE G. THOMPSON, Mississippi (Ex Officio) Officio) Thomas M. Finan, Director and Counsel Brandon Declet, Counsel Natalie Nixon, Deputy Chief Clerk Deron McElroy, Minority Senior Professional Staff Member (II) C O N T E N T S ---------- Page STATEMENTS The Honorable Jane Harman, a Representative in Congress from the State of California, and Chair, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment............. 1 The Honorable David G. Reichert, a Representative in Congress from the State of Washington, Ranking Member, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment..................................................... 2 The Honorable Christopher P. Carney, a Representative in Congress From the State of Pennsylvania................................. 26 The Honorable Charles W. Dent, a Representative in Congress from the State of Pennsylvania...................................... 44 The Honorable Norman D. Dicks, a Representative in Congress from the State of Washington........................................ 24 Witnesses Panel I Mr. R. James Caverly, Director, Infrastructure Partnerships Division, Infrastructure Protection and Preparedness Directorate, Department of Homeland Security: Oral Statement................................................. 13 Prepared Statement............................................. 15 Mr. James M. Chaparro, Deputy Assistant Secretary, Office of Intelligence & Analysis, Department of Homeland Security: Oral Statement................................................. 4 Prepared Statement............................................. 5 Ms. Melissa Smislova, Director, Homeland Infrastructure Threat & Risk Analysis Center, Department of Homeland Security: Oral Statement................................................. 9 Prepared Statement............................................. 10 Panel II Mr. Richard E. Hovel, Senior Aviation & Homeland Security Advisor, The Boeing Company: Oral Statement................................................. 35 Prepared Statement............................................. 36 Mr. Lester J. Johnson, Manager of Investigations and Crisis Management, SCANA Corporation: Oral Statement................................................. 29 Prepared Statement............................................. 30 Mr. John M. Meenan, Executive Vice President and COO, Air Transport Association of America: Oral Statement................................................. 33 Prepared Statemen.............................................. 34 PRIVATE SECTOR SHARING: WHAT IS IT, WHO DOES IT, AND WHAT'S WORKING AT DHS? ---------- Thursday, July 26, 2007 U.S. House of Representatives, Committee on Homeland Security, Subcommittee on Intelligence, Information Sharing, and Terrorism Risk Assessment, Washington, DC. The subcommittee met, pursuant to call, at 10:03 a.m., in Room 311, Cannon House Office Building, Hon. Jane Harman presiding. Present: Representatives Harman, Dicks, Carney, Reichert, and Dent. Ms. Harman. Good morning, everyone. We are pleased to be joined by our ranking member, Mr. Reichert, and our colleague, Mr. Dicks, and to welcome our panel and our second panel as well. A few years ago the Homeland Security Department put out an endless, embarrassing list of critical national infrastructure that included everything from miniature golf courses to public swimming pools; in other words, a list that was almost useless to the private sector and to first responders. Two days ago the subcommittee had a Top Secret briefing on the Department of Homeland Security's Office of Infrastructure Protection Tier 1, Tier 2 program, and a list that once made people roll their eyes has been transformed. This is a good news story, and I congratulate the Department for getting its arms around what infrastructure is truly vulnerable and merits scarce Federal financial support. Eighty-five percent of the Nation's critical infrastructure is owned by the private sector. It is not just the infrastructure, but most of the people of our country work in that infrastructure and most of the IT in our country is in that infrastructure. If we are to succeed in protecting that infrastructure and the people who work there, a better partnership between DHS and the private sector must be forged and it must work. The news is not all good, and at this hearing we will hear from private sector firms about their inability, despite trying very hard to engage the Department and to work with the Department as a team. As any good business person knows, good customer service means giving customers what they want and need. Most importantly, the private sector needs to know how to prepare for and hopefully to prevent attacks against facilities, the personnel who work there and the surrounding communities. This is common sense. What the subcommittee wants to know today is where the gaps are when it comes to this kind of private sector information sharing so we and the Department of Homeland Security can be effective in filling them. Here's the bottom line: If intelligence products don't tell businesses what actions to take in preparation for or in response to a threat, then it is not intelligence. It is not as though the Department hasn't tried to be fair. In 2005, the Department's Private Sector Information Sharing Task Force issued a report that detailed how Homeland Security information should be shared with the private sector and recommended key steps to make it happen. But we are not clear how much progress has been made. In 2006, the Department's National Infrastructure Advisory Council issued a separate report on public-private intelligence coordination with its recommendations. We are not sure how that is going. I am hoping our hearing today will shed some light on the status of these reports, but more important on how well the Department is implementing critical information sharing ideas with the private sector. Our first panel of witnesses represents the key drivers of private sector information sharing at the Department. The Office of Intelligence and Analysis, the Infrastructure Protection and Preparedness Division and HITRAC. I will ask, and I know all of our members want to hear, how each of your offices is doing to support private sector information sharing, how you are working together and where, if anywhere, there is duplication of effort. I also want to know how you are incorporating private sector input into the intelligence products you create, how successful those efforts are and what you are doing to improve on past performance. We have found that with respect to intelligence generally, if you include the people who are going to use the information in the design of the information products, it becomes more useful. This, as they say in the intelligence business, is a ``slam dunk.'' Our second panel will be private sector witnesses, and I hope that they will be listening carefully to what the government witnesses have to say and offer constructive criticism. The only way to ensure that relevant Homeland Security information is shared between the government and its customers, as I just said, whether they are law enforcement, first responder community or the private sector, is by working together to build a team. So I hope that after today our team will be stronger and all of you, next time you come back, will have good news to report. Again, I congratulate the Department for the progress it is making, and I now yield to Ranking Member Reichert for his opening remarks. Mr. Reichert. Thank you, Madam Chair. Thank you for your leadership on this issue and for holding this important hearing. And welcome to our witnesses this morning. Thank you for being here. Our hearing today is about information sharing with the private sector, a critical component of our Federal government's information sharing efforts. As you know, the Seattle area is home to many businesses that are critical to our Nation, include Boeing, Microsoft, Amazon.com and others. While these and other private sector companies need information, we must also remember that information sharing is a two-way street. I believe that the Federal Government has a duty to provide situational awareness and share information on threats and vulnerabilities to representatives of the private sector. Likewise, the private sector has similar responsibility to provide information and to share with the Federal Government. Oftentimes, the reason for not sharing is similar, the government or the company in question is concerned that a secret or a vulnerability will be revealed. The critical element to this relationship, I think we all recognize, is trust, specifically, cooperative partnerships that are based on trust. An essential element to building this trust is to protect the Critical Infrastructure Information Program, PCII. This program is designed to encourage private industry to share its sensitive, security-related business information by protecting information from public disclosure under the Freedom of Information Act, State and local disclosure laws and in civil litigation. It is essential that PCII is successful. I believe it is important to ensure businesses have the proper incentives to share information and trust their Federal partners. I will be interested in hearing today how PCII is progressing and what may be done to improve participation. I would also like to hear what all of our witnesses have to say about the Homeland Security Information Network, specifically the HSIN critical sector portal. I look forward to your testimony and very much appreciate your presence here today, taking the time out of your busy schedule to be part of this hearing. Thank you. I yield. Ms. Harman. I thank the ranking member and would point out that other members of the committee are permitted, under our rules, to submit statements, opening statements for the record. Ms. Harman. It is now time to welcome our first panel. Our first witness, Mr. James Chaparro, is the Deputy Assistant Secretary for Mission Integration in the Office of Intelligence and Analysis, that is, I&A, at the Department of Homeland Security. There is no possible way that fits on a business card. He is responsible for the direction and oversight of I&A's program development and strategic planning efforts, as well as I&A liaison and information sharing activities within the U.S. and foreign intelligence communities; Federal, State and local law enforcement agencies; and other components of the U.S. Government. Mr. Chaparro serves as the Executive Director for the Homeland Security Intelligence Council, which was established to oversee and direct intelligence integration efforts within the Department. Our second witness, Ms. Melissa Smislova, is the Director of the Homeland Infrastructure Threat and Risk Analysis Center, or HITRAC. HITRAC is a joint program office consisting of intelligence analysts from I&A and sector analysts from the Office of National Protection Programs Directorate and is charged with evaluating threats for homeland infrastructure. And, again, I think the Tier 1-Tier 2 effort has come from the bottom of a deep hole into a very impressive place. Our third witness, Mr. Jim Caverly, is the Director of the Infrastructure Partnerships Division, IPD, which resides within the Infrastructure Protection and Preparedness Directorate within the Department of Homeland Security. The Infrastructure Partnerships Division is responsible for sustaining core sector expertise, maintaining operational awareness and fostering working level relationships with industry, State and local government and Federal agencies representing vital infrastructure threats. Without objection, your full statements will be inserted in the record. I would urge each of you to look at the little clock and to summarize your statement in 5 minutes or less; and we will then ask a round of questions before moving to our second panel. Ms. Harman. We will start with Mr. Chaparro. STATEMENT OF JAMES M. CHAPARRO, DEPUTY ASSISTANT SECRETARY, OFFICE OF INTELLIGENCE & ANALYSIS, U.S. DEPARTMENT OF HOMELAND SECURITY Mr. Chaparro. Thank you, Chairman Harman and Ranking Member Reichert and distinguished members of the committee. I am pleased to have the opportunity to testify today about our information sharing efforts with the private sector. I will start off by saying the men and women of DHS intelligence work day and night, weekends, holidays under very difficult circumstances to do the work that we do to protect the homeland, but we will not tire. We cannot rest and we cannot fail in what we do. Our mission is important and the threats are very real. Just last week the Director of National Intelligence released a National Intelligence Assessment, or an NIE. An NIE, as you know, ma'am, offers a consolidated assessment of the Community and involves the work of the very best and brightest analytic minds that this country has to offer. The threats to the homeland outlined in the NIE, I just want to talk about a couple of the key judgments very quickly. Al-Qa'ida is and will remain a very serious threat to the homeland. Its central leadership continues to plot major plans or has plans for major plots against us. They will continue to intensify efforts to send operatives to the homeland, their plotting will likely continue to focus on prominent political, economic and infrastructure targets with a goal of producing mass casualties and visually dramatic destruction. They will continue to try to acquire chemical, biological and radiological capabilities, and they will not hesitate to use them. It is DHS's shared responsibility to ensure the private sector has the intelligence it needs to better understand the threats that it faces and to understand their vulnerabilities and develop mitigation strategies to counter those threats. We view the private sector as a vital partner in our efforts. I&A plays a critical role in providing threat intelligence to the owners and operators of our nation's infrastructure and key resources, or CI/KR, as it is commonly referred to. In many ways, I&A's role within the National Intelligence Community is unique in the way it interfaces with the private sector. Our success in serving the private sector hinges upon our ability to share relevant, actionable and timely intelligence with the owners and operators of CI/KR. They deserve absolutely nothing less. We have statutory obligations and department-wide responsibilities for assessing and analyzing intelligence threats, and we recognize that the private sector needs to be a key part of our production cycle. Close cooperation with the private sector allows us to help harvest key information that they see during their day-to-day interactions and also leveraging private sector information provides us a better understanding of their vulnerabilities and helps us fill critical intelligence gaps. We must, therefore, have a robust two-way flow of information. We focus a great deal of energy in working with the private sector, both through our State and Local Fusion Center Program Office and through HITRAC which--I will not delve too much into HITRAC, because you are fortunate to have Ms. Smislova today. Developing the actionable intelligence that the private sector needs is of little value if we cannot get that intelligence into the hands of the people who need it in a timely and efficient manner. So we have developed a very robust protection management division to disseminate our products and ensure that they wind up in the hands of the people who need to see them. This is a difficult task; the private sector is enormous and has many different sectors with many different needs. We use comprehensive e-mail dissemination lists, we post products in a variety of formats, including classified- unclassified portals. And given the fact that posting an e- mailing product never does the job completely, we also make sure that we engage in extensive outreach with the private sector; and we are often out briefing our products through both the State and Local Fusion Center Program, as well HITRAC. We are moving very rapidly with our fusion center program, thanks to great people in the support that we have received from this committee. We are rapidly expanding our deployment of officers to the field as well as our Homeland Secure Data Network, HSDN, and this is critical that we are able to interface at the local level with the private sector State and local law enforcement and State and local governments to be better able to carry out intelligence missions. In summary, what I want to say, because I am running very short on time, is that the private sector needs context; they didn't need to hear spun-up threats that make them run off and expend resources on threats that are not credible. We try and add context to those threats and ensure that they receive the information that they need. Thank you. Ms. Harman. Thank you, right on time. [The statement of Mr. Chapparo follows:] Prepared Statement of James M. Chaparro Thank you Chairwoman Harman, Ranking Member Reichert, and Members of the Sub Committee. I am pleased that you have provided me with the opportunity to appear before your Committee to discuss our role in sharing intelligence with the private sector, and to discuss the lessons we have learned. The Office of Intelligence and Analysis (I&A) is transforming the way that DHS performs its intelligence responsibilities. As you know, I&A has established five overarching and bold priorities to carry out this transformation. Each of these focus areas are designed to allow us to provide our customers with the highest quality intelligence available, to protect the homeland, and to serve as good stewards of the resources that the Congress has provided us to carry out our mission. Our priorities are:mproving the quality and timeliness of intelligence analysis across the Department; Integrating DHS Intelligence across its several components; Strengthening our support to state, local, and tribal authorities, as well as to the private sector; Ensuring that DHS Intelligence takes its full place in the Intelligence Community; and, Solidifying our relationship with Congress by improving our transparency and responsiveness. The Threats are Real and Our Work is Important: Just last week, the Director of National Intelligence released a national intelligence estimate (NIE) that described the nature of the threat that we face in the Homeland. An NIE represents the Intelligence Community's most authoritative views on national security issues, is the product of extensive research and coordination, and involves the work of the best and brightest analytic minds that this country has to offer. Among other things, the NIE assessed: Al-Qa'ida is and will remain the most serious terrorist threat to the Homeland, as its central leadership continues to plan high-impact plots, while pushing others in extremist Sunni communities to mimic its efforts and to supplement its capabilities; Al-Qa'ida will intensify its efforts to put operatives in the United States; Al-Qa'ida's Homeland plotting is likely to continue to focus on prominentpolitical, economic, and infrastructure targets with the goal of producing mass casualties, visually dramatic destruction, significant economic aftershocks, and/or fear among the US population. I&A plays a critical role in providing vital intelligence to the owners and operators of our nation's critical infrastructure and key resources (CI/KR). In many respects, I&A's role is unique within the U.S. Intelligence Community (IC). We view our statutorily created partnerships with the private sector as critical to the success of I&A, and critical to the success of DHS. I&A's success in serving the private sector hinges upon our ability to share actionable, timely and relevant intelligence. Our CI/KR owners and operators deserve nothing less. The Department of Homeland Security has been a leader in establishing new approaches of information sharing - including sharing with the private sector. To be fully effective in these approaches, we must partner not only with the private sector, but with other parts of the intelligence community such as the FBI, and with other agencies within DHS and the Federal government. Because of I&A's unique capabilities and department-wide responsibilities for assessing and analyzing all terrorism, homeland security, and related law enforcement and intelligence information received by the Department, Secretary Chertoff has designated I&A as the Department's executive agent for information sharing. In this capacity, we have created many mechanisms to bring together DHS' vast knowledge base and expertise to strengthen information sharing across the Department and, even more importantly, to share it with our external partners. I would like to impart upon you today some of the information sharing efforts that DHS is leading, as well as describing some of our efforts with our Federal and intelligence community partners. The central theme you will see throughout is that we view the private sector as a vital partner in our efforts, just as we view the FBI, and our state and local government partners. As I noted above, the NIE assesses that Al-Qa'ida's focus includes economic and infrastructure targets. A large number of these potential targets are owned and/or operated by our private sector partners. It is our shared goal--our shared responsibility--to ensure that the private sector has the intelligence it needs to better understand the threats they face, as well as the vulnerabilities that can be exploited by our enemies. The private sector is more than just a customer of our intelligence products; they are a critical part of our production cycle. Given the size, diversity and complexity of the private sector, close cooperation with them is key to helping us understand the threats and vulnerabilities that exist. The private sector provides us with windows into understanding the threat based on their day-to-day observations and interactions across the country, helps us better understand their intelligence needs, and provides us with unique perspectives that help us fill intelligence gaps. We must therefore ensure a robust two-way flow of information between the Department and our private sector partners, as well as between our federal, state, local and tribal partners Strengthening the Flow of Intelligence DHS has focused a great deal of energy to ensure that our private sector partners receive the very best intelligence available. A linchpin of this effort is the Homeland Intelligence and Threat Analysis Center (HITRAC), a three-way partnership between our Office of Infrastructure Protection, I&A and the Private Sector. I will not delve deeply into how HITRAC functions, because we are fortunate that Ms. Smislova, HITRAC's Director, is here to testify today. What I will say, however, is that HITRAC produces a variety of classified and unclassified intelligence products specifically tailored to serve private sector intelligence needs which is a unique effort within the Federal government. In addition to working with the DHS Office of Infrastructure Protection and its private sector partners, HITRAC closely coordinates its efforts with agencies such as the FBI, Transportation Security Administration, and the National Counter Terrorism Center. Good intelligence is of little value unless it can be put into the hands of those who need it. I&A has established a strong Production Management (PM) division to ensure that our intelligence products, including those produced by HITRAC, are disseminated in a timely and efficient manner. Just as HITRAC's customers are diverse, so too must be our intelligence dissemination methods. The I&A PM Division maintains comprehensive email dissemination lists, specifically designed to serve private sector partners at the unclassified level. Email distribution occurs using the Sector Coordinating Councils (SCCs), and when appropriate, Information Sharing and Analysis Centers (ISACs) list points of contact across the 17 CI/KR sectors : Chemical, Commercial Facilities, Dams, Emergency Services, Energy, Banking and Finance Agriculture and Food, Government Facilities, Public Health and Healthcare, National Monuments and Icons, Information Technology, Commercial Nuclear Reactors, Materials and Waste , Postal & Shipping, Telecommunications, Defense Industrial Base, Drinking Water and Water Treatment Facilities, and Transportation (including Aviation, Maritime, Railroad, Mass Transit, Highway),. In addition to the email to the SCCs and ISACs, products are sent to the DHS National Infrastructure Coordinating Center (NICC) for posting to the corresponding unclassified HSIN--Critical Sectors where more private sector partners can view the products. Similarly, products classified at the Secret level are posted on the Homeland Secure Data Network (HSDN)--a network that is rapidly expanding, thanks in part to our efforts in the State and Local Fusion Center (SLFC) program. However, sending emails and posting products is not enough. I&A's analysts also engage in extensive outreach efforts directly with private sector representatives, through HITRAC and the State and Local relationships. This effort generally is initiated by the State or locality itself and, is designed to push and pull information that directly relates to threats within a particular geographic region where, for example, that individual sector may be headquartered or maintain critical assets, such as plants or distribution centers. The response has been positive. Moreover, state and local fusion centers (SLFCs) are increasingly helping to bridge the gap between sector specific threats and geographic threats, by such efforts as involving plant managers and small businesses - not just corporate offices--in fusion center activities. The private sector wants relationships built on trust. I&A is taking full advantage of the fact that many SLFC officials have already built strong private sector ties in their communities. An example of this local dynamic is in Illinois, where the State Terrorism Intelligence Center (STIC) is using their State HSIN Portal as the primary tool for information sharing with the Private Sector. Major companies like Caterpillar, McDonald's, Cargill, and John Deere are part of this process, as well as smaller businesses that were identified through State incorporation listings. Maryland is another fine example. Maryland has formed a Private Sector Council that has leaders from a number of Maryland based companies--big and small--who advise the Maryland Coordination and Analysis Center (MCAC), Maryland's primary fusion center, routinely on their information needs. Maryland's Private Sector Council has been formally recognized by the MCAC and they meet monthly to discuss threat-related issues within Maryland and the National Capital Region. While the main conduit in these examples is through the State Fusion Centers, both involve support from and frequent interaction with DHS. The private sector needs a comprehensive understanding of the threats they face in order to develop mitigation strategies, to plan for continuity of operations in the event of an attack or disaster, and to protect its employees and assets. In addition to understanding credible threats, the private sector also needs to be aware of threats that lack credibility. I&A helps to add context to raw intelligence reporting to help the private sector better understand which threats are real and which ones don't necessarily require a response. This helps the private sector better manage its resources. Write to Release--But Protect Privacy DHS is participating in many federal efforts to further improve information sharing with the private sector. At the national level--DHS in conjunction with DOJ and the DNI, is creating the Interagency Threat Assessment and Coordination Group (ITACG). The ITACG is being established in response to the President's Guidelines for the creation and establishment of the Information Sharing Environment. The group will be part of the National Counterterrorism Center (NCTC) and will enable the development of intelligence reports on terrorist threats threat and related issues that represent a federally coordinated perspective and are tailored to meet the needs of state, local, and tribal governments. The ITAGC will be staffed by DHS and FBI personnel and will include representation from state and local entities. The coordination of counterterrorism information within NCTC ensures that products released from the Federal government will be of one voice and without delay. By including State and local partners as members of the ITAGC, the language appearing in federally disseminated products can be more focused or tailored in areas that are of greater interest and in a form that is most useful non-federal partners. Similarly, there are many indisputably legitimate reasons for protecting sensitive information--even information that is unclassified. For example, information which we refer to generically as Sensitive but Unclassified (SBU) or Controlled Unclassified Information (CUI). Examples of CUI include personal information, information that could compromise ongoing law enforcement investigations or endanger witnesses, information containing private sector proprietary information, and information containing private sector vulnerabilities and other security-related information that could be exploited by terrorists. Inappropriate disclosure of these types of information could cause injury to individuals, business, or government interests. We must balance the need to produce actionable intelligence, while protecting the liberties and rights of both individuals and businesses. DHS understands the importance of protecting private sector proprietary information. We have created handling controls to facilitate information sharing in a protected manner. Within DHS, there are three such information-protection regimes--``Protected Critical Infrastructure Information (PCII),'' ``Sensitive Security Information (SSI),'' and the newly established ``Chemical Vulnerability Information (CVI).''Congress mandated these categories of information be protected and DHS has promulgated regulations implementing these regimes. Each was specifically created to foster private sector confidence to increase their willingness to share with the federal government crucial homeland security-related information. To date, PCII and SSI have been successful in this regard and have been well-received by the private sector. Moreover, these designations are ready examples of how robust control of information can actually promote appropriate sharing. Additionally, DHS is working with the Program Manager of the Information Sharing Environment (PM-ISE) and key information sharing stakeholders on the SBU Coordinating Committee to implement the President's direction in Presidential Guideline 3, which, among other things, directs departments and agencies to provide recommendations to standardize sensitive but unclassified information handling and marking procedures so that federal agencies can more efficiently and effectively share SBU information with its many partners. Conclusion I appreciate the opportunity to share with you our efforts of sharing intelligence with the private sector. DHS recognizes the private sector not only as a critical customer, but a vital partner in protecting the homeland. I&A is dedicated to strengthening the information flow with our infrastructure threat analysis and the extensive distribution of theses products. DHS believes the private sector is an important part of our nation's intelligence cycle and actively engages them to help us understand real time requirements. We are building excellent private sector relationships through our State and local Fusion Centers. DHS is actively and collaboratively working with our Federal partners including DNI, FBI and others to ensure that the private sector can obtain the best available intelligence in a timely manner. We are dedicated to this important relationship and will continue to work to find new ways of strengthening it in support of homeland security. Ms. Harman. Ms. Smislova, you are now recognized to summarize your statement in 5 minutes. STATEMENT OF MELISSA SMISLOVA, DIRECTOR, HOMELAND INFRASTRUCTURE THREAT & RISK ANALYSIS CENTER, DEPARTMENT OF HOMELAND SECURITY Ms. Smislova. Thank you, ma'am. Good morning, Chairwoman Harman, Ranking Member Reichert and other members of this subcommittee. I am very happy to have this opportunity to talk with you about the progress that the Department has made and, in particular, HITRAC has made in sharing information with the private sector. I did, in fact, testify before this same subcommittee in November 2005. At that time, HITRAC, the Homeland Infrastructure Threat and Risk Analysis Structure, was only 8 months old, and so much of my testimony discussed what we had hoped to do, what our plans were, the initial outreach we had made to the private sector. Since November 2005, we have produced over 171 products that were aimed specifically for the private sector. In addition, we have conducted hundreds of threat briefings to different members of the private sector. Having said that, we do know that there is much that remains to be done; and we have learned quite a bit about our customer, we have learned much about what works and we have learned some about what doesn't work. First, though, I wanted to give you a brief update on where HITRAC is. Again, when I testified in November 2005, there were different changes in the Department of Homeland Security, and we have had an exciting several years. I am the Director of HITRAC, and I am an intelligence professional. I work for Mary Connell and Charlie Allen. My deputy, Brandon Wales, did brief you Tuesday evening on the Tier 1-Tier 2 program, and he is an infrastructure protection employee. We are a joint program office that is staffed by intelligence professionals, such as myself, and then nonintelligence professionals that have more insight into infrastructure requirements--security, as well as what the infrastructure looks like and what they may need to make informed decisions. I also am the Director of the Critical Infrastructure Threat Analysis Division. I only bring this up to underscore that intelligence information produced by the Department of Homeland Security all does go through the appropriate intelligence chain of command. So all of the intelligence information that HITRAC does send out is approved by Charlie Allen so as to ensure that the intelligence is valid and vetted. I wanted to talk first, briefly, about the kinds of products that we have learned work with the private sector. We started with a strategic sector assessment, and those are the products I discussed in my November 2005 testimony. They were intended to be baselines: What does the terrorist information say about their interest in attacking specific sectors, so that we would bring the private sector up to date on all the specific information that we had. In addition, we attempted to provide a portrait of this adversary to say what we believe the attack methods might be and what goals he might want to achieve, trying to provide the private sector with a better sense of whether or not they should protect against one specific attack over another. I am not sure who benefited more from the strategic sector assessments, us in dealing with the private sector and learning more about the United States railroad system or the oil and gas industry or the private sector. But we did accomplish that mission, and we did provide sector assessments for all of the critical infrastructure sectors as defined in HSPD-7. Our other products that have, I think, proven just as useful--and maybe in the future, even more--include infrastructure intelligence notes. They summarize events overseas, such as the chlorine-boosted VBIEDs; they discuss other tactics and other techniques that we are gleaning from terrorist activities overseas; and we update the private sector on items of interest, such as the London attempted bombing. We also help Mr. Allen with the CINT notes that go out and provide the private sector with specific immediate information about activities. In addition, we provide a great deal of threat briefings and outreach to the private sector. This proves to be one of our larger challenges. As you mentioned, Chairman Harman, 85 percent of the infrastructure is privately owned; and this is a large country, so that part has proven to be very, very challenging. People like to have a personal briefing, and we do that in conjunction with Mr. Caverly's infrastructure protection plan partnership model that has assisted us greatly. So, in closing, I think some of our challenges include educating the private sector on what we can and can't provide. They also include the outreach, trying to get everyone included in our outreach, as opposed to some people; and that part remains a challenge. Dissemination of our products is also a problem, again, given the size of the audience. But I am happy to report we have made significant progress, and I look forward to briefing you on successes in the future. Thank you. Ms. Harman. Thank you very much. [The statement of Ms. Smislova follows:] Prepared Statement of Melissa Smislova Introduction Good morning, Chairwoman Harman, Ranking member Reichert, and distinguished Members of this Subcommittee. I welcome the opportunity to speak again to this subcommittee on the progress of the Department of Homeland Security in sharing intelligence information with the private sector. I will also take this time to discuss the lessons we have learned during our outreach and inform you of our plans to improve information sharing. I manage both the Department's joint program office for assessing the risk to the critical infrastructure and key resources of the United States, known as the Homeland Infrastructure Threat and Risk Analysis Center (HITRAC), as well as the DHS Office of Intelligence and Analysis (I&A), Critical Infrastructure Threat Analysis Division (CITA), which supports HITRAC as its discrete, embedded intelligence component. Through my involvement with HITRAC and CITA, I am able to oversee the collocation of DHS intelligence analysts with the Department's infrastructure protection experts responsible for performing sector- specific risk assessments. The virtue of maintaining CITA's existence as a separate albeit embedded threat unit within HITRAC ensures that all intelligence production remains subject to the oversight and policies of the Department's Assistant Secretary for Intelligence and Analysis and Chief Intelligence Officer. Production Since I last testified to this subcommittee in November 2005 significant progress has been made in developing and disseminating products and briefings tailored specifically for the private sector audience. In that time, HITRAC/CITA has produced over 171 separate products for critical infrastructure protection analysts in the private sector, State and local homeland security agencies, and the law enforcement community. Of these, 40 were assessments jointly written and published with the Counter Terrorism Division of the Federal Bureau of Investigation. We have also systematically and routinely conducted classified and unclassified intelligence briefings for the private sector, largely through the National Infrastructure Protection Plan Partnership Model, but also through our discrete relationships with industry associations, our attendance at conferences, and outreach directly to individual private sector entities. While I am proud of our accomplishments and I believe the work done so far creates a good baseline, I do know that much work remains. As our relationship grows with the private sector and with the critical infrastructure community in State and local governments, we are increasingly learning about new requirements. The information needs of the private sector and of the States are diverse, and we are challenged to create products and briefings to meet them. One of the first lessons we learned was that private sector and the critical infrastructure protection officials in State and local law enforcement community's work closely together yet sometimes have different information requirements. We began our HITRAC/CITA production efforts with assessments aimed at addressing known and potential threats to sectors--or systems--of like critical infrastructure. While we found that those products were well received by some our private sector customers, States were more interested in regionally focused analyses. We have responded by expanding our product lines and outreach efforts to address, in addition to core sector specific concerns, the broader, cross-sector regional issues. Intelligence Information Designed for the Private Sector We produce classified assessments and do regularly give classified briefings to members of the private sector. The Department of Homeland Security and FBI have sponsored many of our customers for clearances to receive classified information. We also disseminate these assessments at various classification levels, modified, of course, to adhere to all applicable classification rules and other requirements for protecting sensitive information, but with the goal of reaching as many customers as possible. However, our interaction with the private sector has underscored their interest in the details of intelligence reports vice source information. Much of what makes a report classified is its reference to collection. Because of that focus we have been very successful in working with the intelligence community to ensure the downgrading of key information on terrorist tactics, techniques and procedures. Many of our products use information we have first worked to downgrade from classified to unclassified. Another lesson learned was that many within the critical infrastructure information sharing community were interested in reporting about numerous sectors. Thus, we expanded dissemination. Our product lines now respond to what we have gathered about private sector needs and continue to evolve with private sector involvement. We continually reach out to a broad spectrum of private sector representatives to refine the scope of our assessments, and have come to learn that private sector information requirements are not only numerous, but have become more complex as our private sector partners have become more knowledgeable about intelligence and terrorism generally. Thus, where in the beginning many of our products summarized merely what was known about existing terrorists' interest in certain types of infrastructure as potential targets, our product lines now reflect our customers expanded interests in more detailed analysis of terrorist tradecraft, including especially surveillance techniques and attack methods. Many of our products have benefited from the insight and, in many cases, direct input of members of the private sector as those products are being developed. In addition, this direct interaction with the private sector has also assisted the Department in clarifying, or putting into better context, vague or incomplete threat reporting. Some of our current product lines include: Quarterly and Annual Suspicious Activity Assessment (SAA): These assessments provide strategic, national-level analysis of suspicious incidents reported to DHS. They use information provided by the private sector and are an attempt to provide industry with trend and pattern analysis of incidents noted at their facilities. This represents a genuine and valued partnership between the government and private industry. With the direct involvement and knowledgeable support of the private sector, we have been able to establish a baseline of ``suspicious activity'' reflected in these assessments. For example, when we recently received reports that electrical power towers were possibly being sabotaged, private sector electrical industry professional familiar with that particular region suggested to us that the activity was more likely illegal, albeit non terrorist related, tampering often seen in that area of the country during hunting season--i.e., elements of the power towers are used illegally to create deer blinds. Similarly, we believe we have been able to better educate the private sector about terrorist surveillance techniques and alert them when suspicious activity might indicate pre- operational terrorist activity. CINT Notes--In conjunction with notes regularly sent out by the Chief Intelligence Officer, Charlie Allen, concerning current threat activities or information, we communicate directly with all stake-holders, including the private sector, to inform them of what we know about incidents as they unfold. CINT notes and follow up coordination with relevant partners concerning the recent attempted attacks in London and Glasgow is a good example of this means for sharing pertinent information. Mr. Allen also makes direct phone calls to US companies if they are specifically mentioned in intelligence reporting. Infrastructure Intelligence Note (IIN)--Generally a short product that provides the infrastructure owners and operators and State and local partners with a timely perspective on events, activities, or information of importance to support security planning. These products differ from the CINT notes in that they entail more research and time to craft. Some Infrastructure Intelligence Notes are generated directly by calls from private industry based upon specific sector questions or concerns. We also use the Infrastructure Intelligence Note to discuss lessons learned from terrorists' attacks overseas. These assessments are provided to enhance our critical infrastructure protection community's understanding of evolving terrorist tactics, techniques, and procedures. Joint Homeland Security Assessment--Products written with the Counter Terrorism Division of the Federal Bureau of Investigation. These assessments communicate intelligence information that affects the security of U.S. citizens or infrastructure. Provides information on training, tactics, or terrorist strategies, and analyzes incident trends and patterns. This product also may recommend protective measures. During the last two years we have built a valued and productive relationship with our colleagues at the FBI. This partnership not only produced more comprehensive assessments, but ensures that the government speaks with one voice to our customers. * Strategic Sector Assessments--These were our first unique HITRAC products and were intended to provide a baseline analysis of the threats and risks to the entire critical infrastructure. These products are written at multiple classification levels, detail our analysis of the intentions and capabilities of known terrorists, and integrate relevant threat information. Some of the sector-specific assessments include discussion of the unique vulnerabilities and consequences unique to that sector. State and Regional Threat Assessments--As I mentioned, one of our lessons learned is that elements of the critical infrastructure community are interested in regionally focused assessments. This is an area of production we are working on with the support of private sector and State partners. While we have created several regional assessments, our efforts are in the beginning stages. Lessons Learned and Future Opportunities We continue to modify our processes and products based on customer feedback and other lessons learned. We believe these modifications have made us more responsive to our stakeholders and have enabled us to create better products. Integration with State and Local governments. While our initial efforts were focused on the CI/KR owners and operators, we have dramatically increased our work for and with State and local authorities who have significant responsibilities for security, risk mitigation and incident response around the nation CI/ KR. We now have an aggressive outreach plan that includes State and local as well as private sector critical partners to identify information needs and to tailor analyses and products to meet these requirements. As part of this outreach plan, we are regularly meeting with Homeland Security Advisors and their staffs to integrate State information and their analysis into the creation of state critical infrastructure threat assessments. By doing this we hope to gain a more comprehensive appreciation for the threats in the states. Specific Outreach initiatives. We initiated and continue to participate in weekly conference calls with multiple critical infrastructure sectors as well as an analytic exchange between DHS intelligence analysts and State and Local Fusion Centers. Conclusion In conclusion, I believe partnering intelligence professionals with sector experts and security personnel has proven successful for developing better threat assessments. I believe we have made significant progress developing product lines and briefings that provide tailored intelligence information to the private sector, States and law enforcement communities. We are excited about improving our analytic understandings of the various threats to critical infrastructure. We understand that working in partnership with the private sector, States, and local governments is the way to achieve that improvement. Our goals for the future include enhancing our regionally focused assessments and better integrating vulnerability and consequence data into our analysis. Thank you. Ms. Harman. Now, Mr. Caverly, you are recognized for 5 minutes. STATEMENT OF R. JAMES CAVERLY, DIRECTOR, PARTNERSHIPS AND OUTREACH DIVISION, OFFICE OF INFRASTRUCTURE PROTECTION, DHS Mr. Caverly. Thank you, Madame Chairman, Ranking Member Reichert and members of the subcommittee. It is a pleasure to be here today to talk about the framework and the structure that we have put in place to be able to share information with the private sector and to allow them to share information with us. Building trust in an effective working relationship is critical to being able to share that information. It is not only about being able to get the information out there, but the ability to have the trust that is necessary. I believe the subcommittee is well aware, in the National Infrastructure Protection Plan we have defined a very good structure for sector partnership and also for information sharing. And we have taken that forward from the development process and implemented as fully as I believe we can at this stage. Sharing information with 17 different sectors is difficult because each of the sectors is different, and we have to tailor the structure of the mechanisms and, ultimately, the product to each sector, because talking to a nuclear power plant is different than talking to a railroad. We know information sharing has to be two ways. We know that between government and the private sector we need to share information on trends of threat, criticality, the consequences of things, the vulnerabilities based on those emerging threats, protection priorities and best practices. That sharing back and forth is what enhances both what the government needs to do to protect critical infrastructure and what the owners and operators need to do. That information has to inform things at three levels: We have to be able to give them strategic information that informs their investments in their planning and structures with the long lead times; We have to be able to give them situational assessments that let them know what is going on right now; and The third piece is, we have to be able to provide them the tactical level of information that says to a security director, based on what you told me, I either do or don't need to do something differently. We have some challenges in that. We have the challenges of classification information, we have the challenges of ways to communicate to get directly to those owners and operators. We think we have put some of those in place. As I mentioned, our sector partnership model with a sector coordinating council gives us the ability to shape our products and structures in a way that is relevant to each of the infrastructure sectors. We also know, through our CIPAC activity, our Critical Infrastructure Partnership Advisory Council, using the authorities Congress gave us in 871, we have been able to create an environment in which we can share the sensitive information without the risk of its being disclosed inadvertently to places it shouldn't go. I believe everybody agrees that vulnerability data is not well served by being in the public domain, Chairwoman, as you mentioned, the National Infrastructure Advisory Committee did a very good study on information sharing. A range of those recommendations have been implemented. I understand there was testimony yesterday to another subcommittee from a member of the advisory committee of NIAC who, in fact, complimented the implementation of the recommendation. We set in place a couple of things that are quite important to understand. We put the National Infrastructure Coordinating Center in, which is a 7-by-24 operation, a hub for our interaction and communications with the private sector. It is part of the National Operations Center. Its job is to provide the always-there connectivity to the private sector. All of our information goes out through it, and it provides them the ability to reach in and connect with us any time from any place. You mentioned the Homeland Security Information Critical Sector. It is a critical system for us because we believe that there has to be the capability of a common platform that serves not only the individual sectors, but also the cross sectors. It is equally important; I think it is the government's function to provide that platform. The reason is, if we ask the private sector to provide it, there would be barriers to participation from those companies and small entities that don't have the resources to participate. So we have gone down the path of building a structured mechanism that will serve all the members of the sector and have barrier-free access. You mentioned the Protected Critical Infrastructure Information Program. As you are aware, this past spring we issued the final regulations. We now have over 5,000 different elements of information that have submitted under the PCII program. We believe that as the private sector gains the government's ability to protect that information and not have it disclosed inadvertently, we will have more participation in the program. We have to be able to convince the private sector that, A, we need the information and tell them why and what will happen with it and then make sure that we carry through on that. So we think that is a program that will grow totally on trust. The last thing I would like to mention briefly is, we have embarked on a program from the beginning of providing clearances to members of the private sector. We are expanding that. We have over 1,000 members now that have the clearance, but that is essential to being able to share sensitive information with the people who have to be able to do the decision-making, so that is an important part of our activities. The last thing, there is a major initiative under the Intelligence Reorganization Act for the information sharing environment, of which we are a major component of that. And, in fact, in dealing with the sharing of information in private sector out of the DNI's office and the program manager's office, they have taken our structure in the NICC for the Sector Coordinating Councils and the private sector relationship to be the basis on which they are exploring that issue. Thank you. [The statement of Mr. Caverly follows:] Prepared Statement R. James Caverly Thank you Chairwoman Harman, Ranking Member Reichert, and Members of the Subcommittee. It is a pleasure to appear before you today to discuss the Department of Homeland Security's (DHS's) perspective on private-sector information sharing, specifically with the nation's Critical Infrastructure and Key Resources (CI/KR) stakeholders. The challenge of protecting the nation's CI/KR is daunting. Human, physical, and cyber assets, systems, networks, and functions are spread across 17 critical infrastructure and key resource sectors, diverse in their composition, cultures, regulatory regimes, and operational processes. In aggregate, the CI/KR sectors represent almost 50 percent of the nation's Gross Domestic Product, with a majority of assets, systems, and networks owned and operated by the private sector. The protection of the nation's CI/KR represents a shared responsibility by owners, operators, and all levels of government through complementary commitment of resources, knowledge, and capabilities. Building trust and effective working relationships with the private sector to facilitate information sharing is essential for effective CI/ KR protection. The Sector Partnership model and other information- sharing mechanisms and tools described in the National Infrastructure Protection Plan (NIPP) provide the structure and processes within which public- and private-sector security partners share vital information to mitigate the nation's CI/KR risks. The Challenge of Information Sharing The NIPP defines the nation's CI/KR as ``those systems and assets, whether physical or virtual, so vital to the United States that the incapacity or destruction of such systems and assets would have a debilitating impact on security, national economic security, national public health or safety, or any combination of those matters.'' The wide scope of this definition of CI/KR underscores the wide variety in the 17 sectors' approaches to information sharing. Sectors differ in business characteristics and their sensitivity to risk taking; the assets, systems, networks, and functions involved; their previous experience in working with government; and the specific risk- management characteristics of the sector. One factor that all CI/KR sectors have in common, however, is that in their public-private partnerships necessary for CI/KR protection, the desired outcome is a safer, more secure, and more resilient sector. Information sharing is effective when it clearly and directly supports this outcome. Because information sharing is valued by both the CI/KR owners and operators and by the government, a collaborative approach enables public and private security partners to determine how best to apply their respective resources and capabilities to the entire spectrum of risk-management activities: prevention/?deterrence; protective programs; preparedness; response and crisis management; and, recovery, restoration, and reconstitution. Information Sharing and CI/KR Decision Making Information sharing by both public- and private-sector security partners on threat trends, criticality (consequences), possible vulnerabilities based on emerging threats, protective priorities, best practices, and strategic solutions enables CI/KR risk management and must support several levels of decision making: (1) Strategic planning and investments in preparedness and protective programs by both CI/KR owners and operators and government at all levels. (2) Situational awareness and decision-making coordination during the execution of planned preparatory actions, protective measures, and response/recovery efforts. (3) Operational/tactical decision making through the exchange of incident or suspicious activities information and the timely and accurate transmission of alerts and threats to CI/KR owners and operators to catalyze protective actions. In the complex, dynamic environment that is characteristic of CI/ KR-protection decision making, effective information sharing must be centered on clearly defined ``knowledge networks'' of public- and private-sector professionals and senior managers with the ability and authority to make decisions and act on critical, focused information. The bottom line for CI/KR information sharing is to get the right information to the right people who can make decisions and take the correct actions to protect the CI/KR and to mitigate consequences. The Sector Partnership The Sector Partnership model described in the NIPP is the foundation for effective information sharing with the owners and operators of facilities and systems in the CI/KR sectors. The scope of activities for CI/KR protection requires valid, two-way information sharing, which requires the trust that can only come with the implementation of a real partnership between the sectors and government. The Sector Partnership provides a national forum for requirements identification, planning and policy coordination, and the mutual path forward for implementation and operations for effective information sharing among the CI/KR owners and operators, federal agencies, and state, local, and tribal government. The components of the Sector Partnership provide the policy, planning, coordination, and implementation of CI/KR protection programs and its supporting information sharing environment. These components include the following. Sector Coordinating Councils (SCCs) serve as the government's principal point of entry into each sector to address the entire range of CI/KR protection and risk-management issues. SCCs are self- organized, self-governing entities consisting of a broad base of sector infrastructure owner-operators and their representatives from sector trade associations. Often chaired by a sector owner-operator, SCCs serve as ``honest brokers,'' facilitating sector-wide harmonization and coordination of the sector's CI/KR protection policy development, planning, program implementation, and monitoring activities. Each SCC identifies and supports the information-sharing mechanisms, needs, and capabilities most appropriate for its sector. Government Coordinating Councils (GCCs) serve as the governmental counterparts to the SCCs. Each GCC is chaired by the Sector-Specific Agency (SSA) for the sector, as designated by Homeland Security Presidential Directive 7 (HSPD-7) and the NIPP, and includes representatives from DHS, the SSA, and other appropriate supporting government agencies. GCCs are non-regulatory in nature, are intended to maximize interagency coordination and information sharing at the operating level, and are tasked to institutionalize a true partnership with DHS and other government partners. GCCs provide coordinated communication, issue-development services, and initiative implementation among government partners. Each GCC engages and supports its corresponding SCC's efforts to plan, implement, and execute the necessary sector-wide measures for CI/KR protection, including information sharing within the government and with the sector. The Partnership for Critical Infrastructure Security (PCIS) serves as the cross-sector council for the CI/KR owners and operators. It coordinates cross-sector initiatives in support of public and private efforts to promote assured and reliable provision of critical infrastructure services in the face of emerging risks to economic and national security. PCIS membership consists of one or more members and their alternates from each of the SCCs. The Federal Senior Leadership Council (FSLC) is an interagency group that consists of senior representation from each SSA. The Council addresses common issues, dependencies, and impacts that cut across the sectors. The formation of the FSLC enhances communications and coordination among federal departments and agencies with a role in implementing the NIPP and HSPD-7. The State Local Tribal Territorial Government Coordinating Council (SLTTGCC) serves as a forum to coordinate and communicate among state, local, and tribal homeland security advisors or their equivalents, and to ensure that they are fully integrated as active participants in national CI/KR protection planning and implementation activities. With the implementation of the SLTTGCC, state, local, and tribal homeland security leadership can engage with the national security leadership of the CI/KR owners and operators and the federal government to identify and implement an effective framework for cooperation and coordination. The result can then be tailored for regional differences that will integrate the capabilities of national CI/KR protection programs with those implemented at the regional, state, or local level. The Government Cross-Sector Council serves to coordinate government activity across sectors. It is made up of two sub-councils: the FSLC and the SLTTGCC. Mechanisms for Policy and Strategy Coordination Advisory committees are a way of ensuring public and expert involvement and advice in federal decision-making. The Critical Infrastructure Partnership Advisory Council and the National Infrastructure Advisory Council allow government and owner-operators to undertake collaboration and information sharing to support policy/ strategy, planning, and requirements identification. The Critical Infrastructure Partnership Advisory Council (CIPAC) membership consists of the CI/KR owners and operator members of all SCCs and their corresponding GCC organizations. It employs a special exemption (pursuant to Section 871 of the Homeland Security Act) to the Federal Advisory Committee Act. This exemption protects SCC and GCC discussions containing sensitive CI/KR information from public disclosure, thereby facilitating regular, ongoing, and multi- directional communications and coordination. The National Infrastructure Advisory Council (NIAC) is the President's principal advisory panel on critical infrastructure protection issues spanning all sectors. It comprises up to 30 CEO-level leaders from private industry and state and local government. The NIAC is charged with improving the cooperation and partnership between the public and private sectors in securing critical infrastructure and advising on policies and strategies that range from information sharing to roles and responsibilities between public and private sectors. In October 2005, the NIAC issued its recommendations for implementing the Sector Partnership, many of which were subsequently adopted by DHS. In addition, in July 2006, the NIAC issued recommendations regarding the Intelligence Community's coordination with CI/KR owners and operators. As a result of the collaboration between the Director of National Intelligence, the Program Manager of the Information Sharing Environment, the DHS Office of Intelligence and Analysis (OIA), and other members of the Intelligence Community, there have been significant advances toward meeting the intent of those recommendations. Support Mechanisms A series of operational mechanisms exists to support information sharing with the CI/KR sectors. These mechanisms consist of the organizations, processes, and personnel that support the exchange of information among DHS, other Federal agencies, State, local and tribal governments, and the CI/KR sectors. Efforts can be categorized into four broad areas 1. Content Development Homeland Infrastructure Threat and Risk Analysis Center (HITRAC) is a partnership between OIA and the Office of Infrastructure Protection (OIP) within DHS. It provides tailored risk assessment products for CI/ KR sectors, fusing consequence and vulnerability information from infrastructure protection communities collected through OIP with threat information from intelligence and law enforcement communities. It has access to a network of sector experts through the SSAs and SSCs, to specialists, and to field-deployed Protective Security Advisors to obtain CI/KR Sector expertise. Products include: (1) strategic risk assessments for each CI/KR sector; (2) threat handbooks; (3) information bulletins; and (4) analytic reports on suspicious-activity reports to sectors. Initial experience and feedback from the sectors using HITRAC products strongly indicate that it is a mechanism that delivers useful, actionable information. Office of Infrastructure Protection Division, as a part of their CI/KR protection mission responsibility, this office develops information products on vulnerability, consequences, interdependencies, and protective strategies, as well as recommended effective practices. This information, combined with threat analysis provided through the Office of Intelligence and Analysis, results in information used by the CI/KR sectors. The Sector Specific Agencies (SSAs) as mentioned above, are the Federal departments and/or agencies identified in HSPD-7 as responsible for CI/KR protection activities in specified CI/KR sectors. Along with other CI/KR relevant functional agencies, they bring expertise, authorities, experience, and content in participating as partners within the CI/KR information-sharing environment. Particularly in hazards risk management beyond terrorism, many SSAs have long traditions of working with their CI/KR sector counterparts, as well as deep-seated expertise. Consequently, they have information products useful to the CI/KR sectors. The SSAs are also fully engaged as partners in the development of the Homeland Security Information Network sites, which DHS has provided each of the sectors as an information-sharing tool. 2. Information Delivery Mechanisms The National Infrastructure Coordination Center (NICC) is the round-the-clock watch mechanism through which the National Operations Center (NOC) maintains situational and operational awareness, communications, and coordination with CI/KR partners. It provides a centralized process for coordination and delivery of information between the government and the CI/KR sectors, particularly the SCCs, GCCs, and the sector-based Information Sharing and Analysis Centers when they exist for a sector. The NICC serves as a DHS focal point for CI/KR suspicious activity and incident and status reporting; receives, logs, and tracks requests for information and assistance from the owners and operators of the CI/KR; and provides industry partners with Web-enabled access (via the Homeland Security Information Network) to DHS Situation Reports, bulletins, and other products. The NICC uses the Executive Notification System to provide rapid turn-around notifications of needed action, such as alerts and warnings. The Homeland Security Information Network-Critical Sectors (HSIN- CS) is the primary technology tool to facilitate the information sharing necessary for coordination, planning, mitigation, and response. HSIN-CS is an Internet-based platform that enables secure, encrypted, Sensitive-But-Unclassified/For-Official-Use-Only-level communications between DHS and vetted members of the CI/KR sectors, as well as within and across the sectors. DHS fully funds and maintains HSIN-CS, thereby removing the obstacles of cost and day-to-day efforts required to support systems implementation, operations, and maintenance. DHS supports the unique requirements, outreach, and program-support needs of the CI/KR users to create robust, sector-specific information- sharing hubs for each sector. HSIN-CS includes a separate site for each CI/KR sector, designed and implemented in collaboration with the sector's GCC and SCC to best meet sector-specific needs. It also provides a top-level publishing capability to share applicable DHS and other information resources with all sectors simultaneously. HSIN-CS directly supports the building of trusted, reliable, and valued public- private sector partnerships, as well as two-way sharing of information. Critical Infrastructure Warning Information Network (CWIN) provides a survivable network, not susceptible to service disruptions, to connect entities essential to restoring the nation's infrastructure during incidents of national significance. It connects key operational CI/KR sector entities, emergency operations centers of the 50 states, the District of Columbia, and the NOC. 3. Relationship Management Sector-Specific Agencies (SSAs) As mentioned previously, the SSA's have the responsibility of working with each sector to implement the NIPP framework and guidance, as tailored to the sector's specific characterisitics and risk landscape. They serve as the key point of contact between the sector and the federal government to coordinate critical infrastructure protection, incident response, and infrastructure recovery. Sector Specialists develop and sustain relationships at the national level with sector stakeholders to build trust and promote partnership. The Sector Specialist maintains extensive situational awareness of infrastructure issues and priorities. They keep a finger on the pulse of sector activities (economic, political, technological, and structural) to assess their implications on sector operations and security. The Sector Specialists are housed within the Office of Infrastructure Protection and HITRAC. Protective Security Advisors provide field-deployed support to CI/ KR owners and operators on specialized CI/KR security topics. They facilitate, coordinate, and/or perform vulnerability assessments in support of CI/KR owners and operators; they also assist with security efforts coordinated through state homeland security advisors, as requested. 4. Enabling Programs for CI/KR Information Sharing The Protected Critical Infrastructure Information (PCII) Program provides a structure and processes to ensure that voluntarily submitted critical infrastructure information will be exempt from public disclosure, will not be used for regulatory purposes, and will be properly safeguarded. To implement and manage the program, DHS has created the PCII Program Office within the Infrastructure Partnerships Division in OIP. The PCII Program Office receives and evaluates critical infrastructure information to determine whether it qualifies for protection under PCII. The Office also manages a certification program for other Federal agencies and States to receive and manage PCII-protected information. CI/KR Classified Security Clearance Program provides a capability whereby the federal government can discuss and share classified information--on vulnerability and consequences, as well as threats-- with the owners and operators of the CI/KR. The owners and operators of the CI/KR will always have the primary responsibility for managing the risks of their own assets, systems, and functions. They also have current information on their operational and business processes, the usage and application of technology in their CI/KR sector, and what is most critical to their operations, including dependencies on other sectors and locality to locality variations. The Classified Security Clearance program is sponsored, coordinated, and funded by OIP. It is implemented through DHS's Office of Security and its policy and procedures framework. CI/KR-Unique Policy and Legal Framework For CI/KR owners and operators, sharing information with government at all levels creates a range of risks affecting the viability and efficiency of their business operations, including liability risk, antitrust risk, and competitive risk. The risks associated with liability and competitiveness are the primary reasons that infrastructure owners and operators seek ownership and control over CI/KR data that they submit to government. They want to know who gets the information, what is done with it, and how is it protected from inappropriate disclosure. These assurances, to the extent possible, are necessary for building trust in government institutions and processes that receive and handle voluntarily submitted CI/KR information. The Information-Sharing Environment Our information-sharing efforts are part of the broader Information-Sharing Environment (ISE) created by the President in accordance with the Intelligence Reform and Terrorism Prevention Act of 2004. The purpose of the ISE is to measurably improve information sharing between and among the Federal government, appropriate State, local, and tribal officials, and private-sector entities. In recognition of the important work under way in this area under the NIPP framework, the program manager for ISE, in coordination with the Information Sharing Council, has officially designated the CI/KR NIPP process (as described above) as the mechanism in which the private sector will be incorporated into the ISE. In this role, the NIPP Partnership Framework provides guidance for the private sector to engage in ISE-related policy, governance, planning, and operational coordination, as well as a forum for identifying and satisfying information requirements. Particularly critical is the coordination of CI/KR information sharing at the national level with that at the local level, where most decisions are made and actions taken to support CI/KR protection. The implementation of the ISE and the formation of the State, Local, and Tribal Government Coordinating Council as a key component of the Sector Partnership are critical to this necessary coordination. Consequently, the integration of the CI/KR information sharing framework into the ISE as its private-sector component strengthens the foundation for effective coordination. In addition, OIP works closely with and supports Assistant Secretary Charles Allen and OIA in DHS's efforts to use and integrate into State and Local Fusion Centers. The OIP exchanges information with the Fusion Centers using existing channels such as the NICC and HITRAC. Sustainable Information Sharing The foundation for sustainability of CI/KR information sharing comes from leveraging the structures, processes, and mechanisms for responding to natural disasters and accidents. When there is a terrorist incident, the tools will already be in place, the training will be complete, and the familiarity and experience required to efficiently implement defined procedures will already be established. The NICC has undertaken a comprehensive effort to identify relevant and useful all-hazards information available from agencies within DHS to populate CI/KR portals on HSIN-CS. The NICC is the DHS CI/KR hub to ensure that DHS-sourced information remains current. Additionally, OIP has undertaken a project to generate various operational products for CI/KR derived from resources freely available in the public domain. These will include specific products requiring open source research and analysis, as well as a currently available daily reports. The sectors themselves determine appropriate and useful content for their sector. Some of the SSAs produce sector-specific, non-terrorism related informational products that other sectors find useful for situational awareness and management of incidents related to their CI/ KR. Both public and private partners within the sector work with DHS to identify the functional and security capabilities to enable the storage and management of their information on HSIN-CS, as appropriate. Measurement of Effective Information Sharing The goals for information sharing in the CI/KR environment are effective and efficient protection, preparedness, response, and mitigation of consequences to incidents that could disrupt the nation's CI/KR. The Sector Partnership represents the foundation for these activities and the information sharing that supports them. Change is a constant: the threat evolves; industries evolve, and the environment within which businesses must operate and provide services and products to the nation evolves. Information requirements will change accordingly. Successful information sharing is measured by the outcomes associated with protection, the efficiency and effectiveness of actions taken, and the adaptability of the entire structure of the Sector Partnership and its supporting information-sharing mechanisms. With a clear focus on the desired outcomes of protection, and a foundation for systematic engagement and relationships based on trust, an information-sharing environment for CI/KR can sustain itself, adapt, and protect the nation's CI/KR and its citizens. In closing, I would like to assure you that DHS is relentless in its work to continue building a strong, positive partnership with the private sector in which valuable, actionable information can be shared with the right people at the right time to ensure the protection of our nation's most valuable CI/KR. Our country deserves nothing less. I thank you for your time and appreciate the opportunity to answer any questions you may have. Ms. Harman. Thank you all. I will now yield 5 minutes to myself for an opening round of questions, and all will participate on the same basis. Mr. Chaparro, I appreciated your opening comment that the mission of your department is 24/7 to protect the security of Americans. I think that is the mission of the members here, too, and I would hope that you see this hearing exercise as a collaboration. We want you to do your jobs better, and I hope you want us to do our jobs better because this is a hard task. I did read the 50-page NIE last week, I thought it was a very good work product, but as we all know it doesn't have names, addresses and serial numbers. The threat is greater, but we don't know where attacks could come. I am one who is quite pessimistic about our ability to keep our entire country safe from those attacks if those who want to attack us are prepared to take their own lives, which they are. So we all have to collaborate better, and we certainly have to get information to the private sector that is as good as we can field. In that connection, let me make two comments. First, a thank you to your Secretary, Michael Chertoff for, spending last Friday at the Port of Los Angeles and in some other meetings in Los Angeles. We were talking about the need to resume trade promptly should the port complex of LA in Long Beach be attacked, either a terrorist attack or some natural disaster. And I think that all of us are learning together that what needs to be done in the private sector plays a major role. So a public thank-you to Michael Chertoff for spending the time in my area. Loretta Sanchez, a member of this committee, who chairs our Port Subcommittee was also present, as was another member, Dana Rohrabacher, who represents the physical port infrastructure. At any rate, thank you for that. Second comment, as a member of the Intelligence Committee for 8 years in the House, I have read a lot of intelligence products, and I always used to say that some of the best information I got was not from them, but was from watching television, these major news channels, CNN and others. In that connection, you will hear--I assume you are sticking around for the second panel--some testimony from Lester Johnson, who is the Manager of Investigations and Crisis Management at the SCANA Corporation, a $9 billion Fortune 500 energy-based holding company. Let me quote from his prepared remarks: ``I am forced to rely on the open sources of information to receive most of the situational awareness information available. I have found a television tuned to a cable news network provides the most efficient, timely and accurate information to my company. Considering the amount of investment our country has made toward the sharing of information among government agencies and the public sector, I find this reprehensible. We are certainly capable of embracing technology and conducting ourselves better than that.'' Now, I take this as a constructive comment, and I would like to ask the entire panel to comment on it. Mr. Chaparro. I think that he's absolutely right, there are a lot of things that we need to do better. We do rely on open source information to help inform our analysis. The threats that we see, as you pointed out, are often nonspecific, and we must continually balance the need between putting out information that will help people take relevant steps to mitigate threats versus creating a panic atmosphere that will cause people to expend resources unnecessarily. Oftentimes, the reports that we see in the news media, as you are well aware, are very, very good and sometimes the facts aren't quite all there, and we have to--before the government steps in and releases information, we need to try and make sure that information is as accurate as possible, while trying to maintain the timeliness and relevance. Ms. Harman. Thank you. Mr. Chaparro. Clearly, we have work to do. Our dissemination mechanism is not as efficient as putting something out over the airwaves. We sometimes wish they were, and do face challenges in that area. Ms. Harman. Do the other witnesses have comments, as well, briefly? Ms. Smislova. Yes, ma'am. We do attempt to contribute to the body of information that's available to the private sector, to the news media, by providing something that we think is more authoritative and more value added. A point that I forgot to mention in my opening statement is that over the last 2 years HITRAC has done many of our products, over 40, with the FBI. Many of those deal with the events that the media is covering. We try to get more information that is not readily available to the private sector from the media. Ms. Harman. Thank you. Mr. Caverly. Mr. Caverly. I don't think we will ever have the agility of a cable news network for the very simple reason, they are on the scene, we still have to get the reporting in. As I pointed out, there are different levels of information, so there is that tactical immediate information which we and them are learning from what is happening. I would argue, the strategic information is something different; that is where the analysis fits in. If you think back to the early 1990s you were worried about an abandoned car sitting in front of your factory. Then you were worried about the car that came that came screeching up and somebody ran away. You are now worried about somebody driving through your gate. Those are all evolutions on the strategic level, and I think our analysis is the supporting information that gets out to the strategic level, so there is a mix in what you are discussing. Ms. Harman. Thank you very much. My time has expired, I now yield 5 minutes to Mr. Reichert. Mr. Reichert. Thank you, Madame Chair. And thank you again for being here this morning. I understand the complicated process of gathering intelligence and looking at leads and figuring out which leads are important, which leads should be shared with members of our community. In a case that I worked back in the 1980s, it took us 19 years to solve, with 40,000 suspects and 10,000 items of evidence; it was a complicated case. And sorting out information is tough; and who to share it with is the other thing and trying to keep it from the people trying to get it is a whole other matter. I noticed a couple of times our witnesses, our panel this morning, mentioned the information must be relevant, actionable, it must be timely; and another way it was phrased was situational information, situational assessment, strategic information and tactical, actionable information. But then I hear that these things are critical. But did I misunderstand you when you mentioned--I am sorry, I am not going to pronounce your name correctly, ma'am--that all information flows through Charlie Allen? Ms. Smislova. All intelligence information, if it is intelligence. Then we are under the same rules as the rest of the Intelligence Community. Mr. Reichert. Does that include every classification of intelligence that goes through Mr. Allen? Ms. Smislova. Most of what we produced is at the FOUO level, over 80 percent of our production. Much of that, however, is based on classified intelligence information. It has been downgraded. And that is another key role we believe we are serving for the private sector. I have access to all available information about this particular terrorist enemy, but I am able to broker some of the information to be downgraded to an unclassified level, the actual data about specifics, about attack methods, et cetera, not sources and methods. Mr. Reichert. I just wonder if--that is, when we talk about timely information, if we have one person who it is flowing through, whether that is a little bit of a choke-point. Ms. Smislova. It has improved considerably. We did very well with the London timelines. Mr. Reichert. Yes, you did. I have had experience with that in my previous career. There is also mention of a National Coordination Center where information flows out. How does that operation work? Mr. Caverly. The NICC is a watch and warning center. They are a hub. We use them as our operational entity to move information out to the private sector, whether it is going to sector--lists of participants in the sector given by the sector coordinating council, participants in an information and sharing analysis center and other people. We have built lists' connectivity and expanding that, working with each of the councils, to make sure we can get down to the operational level. We think with the institution of fusion centers, which operate at that local level, we will expand that reach significantly. Mr. Reichert. So as we begin to share and learn what information we can share, an important thing, as Mr. Chaparro mentioned, was the mitigation strategy and the input of the private sector. What is your plan to improve that process? And of course, Mr. Caverly, you mentioned it was built on trust. I think, all three of you, there is a need for this mitigation strategy; that is, the key part of this whole thing in sharing the information is to mitigate the events. What are your future thoughts on how that program would come together? Mr. Chaparro. Well, the keys have to be multiple. The private sector is very diverse and has multiple needs, everything from technical, what is happening now, to what do we need to do 5, 10 years from now. The relationships must be built on trust, and there are a number of governance mechanisms through the ISACs, for example, where we are in constant exchange with the private sectors. But also we are really aggressively reaching out through the State and Local Fusion Center Programs because we can do that at the local level, which is where the action really takes place and where people need to really know that information. By putting people forward in fusion centers, we will have the ability to establish those trusted relationships that Mr. Caverly mentioned as being so important. Mr. Caverly. Let me also point out, prior to 9/11 and the creation of the Department, that the structure that was being used was one in which we take an intelligence product and fundamentally throw it over the transom to a group of experts in the sector for them to work a second time. With standing up HITRAC, with being able to give security clearances, we didn't feel we needed a two-step method. We bring in those experts from the sector, so we are working together to figure out, is it both relevant to their concerns and is it communicated in a way that makes sense to them. Because as I said, talking to a nuclear power plant operator, I am using a very different vernacular than someone in a water system. So we bring them into HITRAC. As we get more experts, we will expand that base, but that is the point of structure of what we have put in HITRAC is to be able to do that and do it collaboratively. Mr. Reichert. Thank you. Madame Chair, I have seen a great deal of improvement, and I am happy to hear you use the fusion center as your conduit. I yield. Ms. Harman. The gentleman's time has expired. I now yield 5 minutes to Mr. Dicks for questioning. Mr. Dicks. The National Coordination Center, Information Sharing and Analysis Center, Sector Coordinating Council, specific sector agencies, the Department's private sector office, HITRAC, HISN, FEMA's emergency support function, ESF and others. In a word, it is not one-stop shopping. Would you agree with that or do you think this has gotten-- I mean, aren't there a lot of different places people go? Mr. Caverly. I don't think it is so much a question of different places where people go--again, they go to the people they know. What it really is, is there are different roles played by participants in the process and different equities. If I am responding to a natural disaster, FEMA is bringing expertise that is different from the Intelligence Community if it is not a terrorist event. The Sector Coordinating Councils for executive bodies, they give us senior guidance that allows us to look to see what is appropriate for the water sector or the nuclear sector. The ISACs provide a framework in which we can communicate with and provide the channel for that communication. So while it looks confusing, we believe that as we continue to work through the model we have put together, each of those people has a role to play. I recognize there are some processes over time, but again, my responding to a strategic terrorist threat is probably very different than I will be responding to a catastrophic event or something else; and we need those different expertises and mechanisms in a coordinated fashion and that is what we're working very hard to do. Mr. Dicks. How does a private sector company know which outlet is the right one to go to not only to obtain information about a threat, but also to feed relevant information to the Department? Mr. Caverly. That is exactly why we established the NICC as the one 7/24/364 center that they can plug into. It is our job to direct them to the right people. So between the NICC and my sector specialists who support them, we facilitate that conversation and get them to the right place. It should be our job to understand the internal workings of the Department, and we should support the private sector when it gets a problem. Mr. Dicks. Ms. Smislova, is the focus of HITRAC intelligence products more on the operational side, meaning, do they tell folks in the private sector what to do or are they aimed more at providing situational awareness? Ms. Smislova. They are focused primarily on providing the private sector with information about the adversaries so that is information that can lead them to decisions about what to do. We do occasionally offer our assessment of what mitigating factors would work, but I would say it is difficult to characterize all of our products one way or another. We have several different kinds of products, but mostly we are in the business of providing the private sector with intelligence-derived information about the international terrorists and their affiliates, information that the private sector does not have ready access to. Mr. Dicks. Ms. Harman, the Chair, got into this, but I want to go through it again. There is concern in the private sector that HITRAC is not providing reports in a timely fashion. What are you doing to work on that? I mean, do you talk to the private sector about this? Ms. Smislova. We do. We do. And then after an event such as the attempted bombing in London and Glasgow, we have canvassed our private sector customers to ask them to reevaluate what we did and how we did it. At that particular event, we changed some of our own processes. In working immediately with the FBI--we have developed a very close relationship with our sister office at the FBI that also analyzes threats to infrastructure, so we had developed some better processes. We are aware of a request for more timely information. Again, we do view our role as being more authoritative, when we do say something we try to have more information than is available in the media. Although if we don't, then we will just report that. In addition to---- Mr. Dicks. You said Charlie Allen is doing better. Did you give him a speed reading course or what did you do? Ms. Smislova. No. No. Some of that is delegated. I want to make sure that people understand HITRAC isn't its own little office without allegiance to the regular intelligence requirements that all of us in the Intelligence Community are supposed to adhere to, so all of our products are properly vetted and properly sourced and then go out in a proper fashion with the correct classification. Mr. Dicks. I am glad to hear that you are cooperating and working with the private sector. I find that DHS has some difficulty in other areas doing that effectively; and it bothers me that there is kind of--I sense a rigidness in the agency in terms of being responsive and taking into account what the private sector is saying and a lot of our fields talk about fingerprinting and the border security issues, things of that nature. But I think it is very important that you work with your customer. I think anybody who does a good job listens to their customer. Ms. Smislova. Yes. Mr. Dicks. Thank you. Mr. Caverly. Madame Chairwoman, I just want to underscore one thing we have and take very seriously in the Department: the duty to warn and the responsibility we are given with legislation. There are a large number of incidents in which we have specific information that affect a specific entity. In that case, I believe that the speed at which we get to those people is very good. It is not in the public domain; they are very focused when you have the name of a specific target or specific organization. We go out, we use the ability, Mr. Allen is on the phone with them very quickly, we can use our PSAs. That is a piece that doesn't see the light of day and we are happy that it doesn't. Mr. Dicks. That is good to hear. Ms. Harman. I thank you for that additional comment. A lot of the successes of the Intelligence Community are not known and that is how it should be. It is a little tough when one's perception--the perception of many is that there are only failures, those of us know there are also successes. I think you have pointed out some areas of real progress. I appreciate your testimony, Mr. Caverly, about the security clearances. One of the things we want to work on here is to change our classification system so that it is simpler and so that it is not used as a turf protection system. Things should only be classified to protect sources and methods; I know you all understand that. We do support protecting sources and methods, but we are preparing legislation here, and will hopefully introduce it soon, based on a careful hearing record that will make that system easier to navigate. Meanwhile, it is very important that the private sector have access, as appropriate, to classified material. I now yield 5 minutes to Mr. Carney for questions, and will point out to this panel and to the second panel that I have to leave in 5 minutes to go to a markup at another committee, and Mr. Carney will assume the Chair. Mr. Carney, 5 minutes. Mr. Carney. Thank you, Madame Chair. Mr. Caverly refers to the one-stop shop. Is that NICC, is that how you describe it? Mr. Caverly. What I would say, the one-stop shop that is the central place you go into. The products--if we are sending something out, I send it through there, but if I have to connect somebody who has a question about a specific thing to that, so it is a central point, that then reaches into the Department. Mr. Carney. So as a private sector individual or business leader, I would go to the NICC for information? Mr. Caverly. For issues relative to infrastructure protection and those issues, yes. Mr. Carney. So in a sense, to use sort of the techie vernacular, you are kind of a router, NICC is a router of information? Mr. Caverly. As I said, I don't believe we should expect the private sector to understand the arcaney of the Department. Mr. Carney. Thank God, we all struggle with that. I worked for DOD myself so I could navigate that. One other question I had: How much duplication of effort is there? There seems to be a lot of potential--this is for everybody, by the way--crossover here. How do we sort that out? Is there a snarl that we can do better with? Mr. Caverly. There is no doubt there are areas of duplicated effort in what we are talking about today, because the leadership had the foresight to set up HITRAC where we put together both the intelligence function and the capability of getting--if you want the expertise of this sector, I think we have eliminated the duplication, because they work well together and they have the ability out of HITRAC to reach back into the deeper parts of the organizations that support them to get deeper. So the whole point of HITRAC was to ensure that we had the coordination, got it to be efficient and eliminate that if you want competitive duplication. Mr. Carney. Is it working? Mr. Caverly. I believe it is working and the products we turn out to the private sector are a good indication of that. Mr. Carney. Ms. Smislova. Ms. Smislova. I also agree that it is working, and for the most part, there is no duplication. We are one of the few Intelligence Community entities that writes for the private sector, and that does mean that our products look different than many of our other Intelligence Community colleagues. Our customer is much more interested in what the enemy is learning--tactics and techniques and procedures--and they are not as interested in the sources or methods. Again, that does help us facilitate the production of FOUO material, but they are very specific in their interests and I think that is very useful for us in avoiding its duplication. As Mr. Caverly mentioned, I am in charge of the IA part, as well as the IP portion of HITRAC, and I ensure that we are not doing the same work. We are not large enough to do that. Thank you. Mr. Chaparro. I don't think Ms. Smislova has the resources to duplicate efforts. If there is a challenge that we face with HITRAC, as I said earlier, the private sector is so diverse, and the types of information that are needed, for example, in the nuclear sector versus what is needed in the agricultural sector or the finance sector really pull in different directions. But the fortunate thing about HITRAC is that you are marrying up Intelligence Community officers, professionals, along with sector specialists who understand the vulnerabilities, who understand how the systems work, how they interrelate and how they operate. You are marrying together the understanding of the threat and what the adversary is trying to do, along with the expertise from the critical infrastructure sectors, and generating products specifically for the private sector; and that is unique, and I think that is what is working. Ms. Smislova. I wanted to add, if I may, that I also believe it makes us much more efficient than many of my other colleagues, because we do have that synergy and it has proven to be very effective. Mr. Carney. How much of a dialogue is there with the private sector? I know you push out information, but how receptive are you to information from them? Ms. Smislova. We are interacting with different members of the private sector daily. Some of the private sector entities have organized conference calls which we conduct weekly, for example, with the chemical sector. The nuclear industry arrives monthly for a classified briefing; we brief the Sector Coordinating Councils; whenever we are asked, we send people to different private sector conferences to specific companies, so I would say daily. In addition, we are talking to the States about their critical infrastructure. Mr. Caverly. I was in a meeting of the water sector coordinating council. We were giving them the classified brief earlier this week, and what was pleasant about the brief was a discussion about a specific issue in which the analyst talked about how she had reached back down to the local level, talking both to utility and to law enforcement to pull together and get the information appropriately. Can we do more of it? Of course we can as we get better and get the networks built. I think the foundation is very solid and the structure that we have put in place is the structure that lets us now amplify that and get to a much broader base. Mr. Carney. That is absolutely important, that we have the avenues by which local and State officials certainly and the private sector can give you assay as well. Your job is to provide them assay, and they do the same. Mr. Caverly. Well, I think one of the most important things is the ability to turn a product out that, in essence, informs the private sector, and they understand the information they have goes in and they get something back for what they give us, they get the analysis. That has not been, historically, something government has done well. We are working hard to do that, because they devote the time to give us something, we owe them. Hey, it means something or it doesn't mean something; that is a new track for us. They do it very well, but it is also a self-fulfilling prophecy, the more that they give us, the more we give them back answers; the more we give them back answers the more they give us. And we are building that. Ms. Harman. I think we will leave the first panel on that note. Mr. Dicks. Are you sure? You said there was a dialogue there that you didn't have enough people to do both. Ms. Smislova. No. We are growing, we continue to grow. Mr. Dicks. Do you have a lot of positions unfilled? Ms. Smislova. No, I do not, but we are continuing to grow and our mission continues to expand. All the critical infrastructure of the United States is in a State, so in addition to talking to the private sector, if we go to a State, then we do talk to the State officials as well. Ms. Harman. Thank you. And thank you for inviting an ongoing dialogue. I hope you can stick around for the testimony of the private sector and maybe a conversation with some of the private sector witnesses, because the goal here is for all of us to do a better job, 24/7, of keeping America safe. This panel is excused, and Mr. Carney will take over the Chair for the second panel. Thank you. Mr. Carney. [Presiding.] We will begin the second panel now. I would like to welcome, first of all, Mr. Lester Johnson, who serves as the Manager of Investigations and Crisis Management at the SCANA Corporation. Mr. Johnson leads a staff of professional investigators who conduct investigations, internal corporate compliance issues, criminal violations against the corporation's property or personnel, executive protection, background investigations and risk reduction efforts on behalf of the corporation. Mr. Johnson is responsible for the development and continual assessment of security risk management and reduction plans for the critical infrastructure operated by his company. Our second witness is Mr. John Meenan. He serves as Executive Vice President and COO at the Air Transport Association of America, ATA. He is responsible for ATA operations, with a particular focus on technical safety, security, environmental, economic and legal policy issues impacting the airline industry. Mr. Meenan joined the association as Assistant General Counsel in 1985 following 9 years with the U.S. Secret Service. Our third witness, Mr. Rich Hovel, is a Senior Aviation Homeland Security Advisor to the Boeing Company. Prior to his tenure with Boeing, Mr. Hovel served as the Federal Security Manager for the FAA, Aviation Security Operations Division at the Seattle Takoma International Airport. Mr. Hovel began his law enforcement career with the Albuquerque Police Department; afterwards he worked for the Idaho State Police as a trooper and supervisor and criminal investigator. Without objection, the witnesses' full statements will be inserted in the record. Mr. Carney. I now ask each witness to summarize his statement for 5 minutes, beginning with Mr. Johnson. STATEMENT OF LESTER J. JOHNSON, JR., MANAGER OF INVESTIGATIONS AND CRISIS MANAGEMENT, SCANA CORPORATION Mr. Johnson. Thank you, sir. Chairman, it is truly an honor and privilege to appear before you, and I appreciate the invitation to do so. We have for some time been challenged, I think for all of us, the people here with me now, the panel prior to me, this is a very challenging issue which all of us face. Mr. Johnson. And it is a very difficult issue, and I want to recognize that the members of the panel before me I think spoke very eloquently and the fact that they are making progress and that we are very appreciative of their work. We understand the difficulties they face. We too face difficulties. We are charged with the protection and the security surrounding some of the most critical infrastructure that this country has, and we too take that very serious as well. I know that they are very inept and attuned to what our needs and they are working diligently with each of these sectors. And as many of them said today that there are very many of those and they all have very differing needs and requirements. But we still have work to do, no question. I think in the area that was brought up by one of the committee members earlier, I call it almost portal fatigue. We are in a position now that with information being pushed back into homeland security as being sent out in a sundry of ways in a lot of different portals and it takes a tremendous amount of effort and time on our staff's part to go out and I call it chase or find this information, versus having made potentially a role-based security where that information could come into a dashboard that we could go to one place and feed the information that we require or any of our other sectors may require and go to one place and have that pushed down to us I think is something that we all need to focus on and work toward. We have done this successfully in other areas within our corporation and I know some governments have done this as well, so I know the technology exists to do that, and we just need to put our heads together and work toward that effort. The flow of information and the timeliness is probably the area that I have the most heartache with. It is very common that when I find information out, it is through open source information such as Cable News Network and other entities, and then it is very difficult to go back in and to find information or a contact person at that point to assure that that information being reported is accurate and timely. We are not so much as concerned about the analysis of that information as we are being aware of an event and being able to take mediation steps to secure any of our like infrastructure that may be under attack or may be a subject of interest in other areas, both domestically and internationally. I don't want to wait until we have an issue to respond to it. And my goal is that we proactively go out and make that target hardened to the point that no one is going to come after it. And it is very important from our standpoint that we know about those events quickly and accurately so that we can respond in that way and secure that information. The information sharing of the private sector, we are very fortunate in our State. Our State homeland security adviser is very attuned to this. Having the experience of working for the State law enforcement division for 28 years in my State, I have had the opportunity to serve on both sides of this issue, to both provide these services to State and local law enforcement and private sector and now from the private sector side as being involved in forwarding that information back. We have an excellent relationship on the State level. I will tell you that I think we are one of any other possibly that has a presence in our State fusion center representing our corporate and our private sector within the State. This is tremendously beneficial, and one that I would encourage Homeland Security to take that as a role model and to push that out to other States because we receive a great deal of benefit from that. We have eyes and ears in that fusion center that are getting realtime information, but we are still not getting that timely report back out from Homeland on some of the analytical information that we are looking for when that comes back. [The statement of Mr. Johnson follows:] Prepared Statement of Lester J. Johnson, Jr. Madam Chairwoman Harman, Ranking Member Reichert, and distinguished members of the subcommittee, I appreciate the invitation to appear before you today, as it is both an honor and a privilege to be here today. I would respectfully request that my written testimony be submitted into the record. I appear before you today to share some insights I believe are critical to the private sector information sharing and to highlight those areas in need of improvement and those which are on the path to success. The private sector currently has sole possession of approximately eighty-five percent of the vital critical infrastructure in existence today, upon which all of us depend on daily. For a number of years now, we have been focusing on how to build trusted relationships and processes to facilitate information sharing; overcome barriers to information sharing, clarifying roles and responsibilities of the various government and private sector entities that are involved in and charged with protecting critical infrastructures. In order to protect our nation's critical infrastructure and key assets (CI/KA), the full support, cooperation and engagement of Government and the private sector partners at all levels is required. I have the unique opportunity to speak to this issue from both the government and private sector due to my previous employment history with the South Carolina Law Enforcement Division (SLED) and my current employer in the private sector. I had the opportunity to participate in the delivery of services with respect to Homeland Security in South Carolina as SLED is the designated agency responsible for Homeland Security and Chief Robert M. Stewart serves as the State Homeland Security Advisor. The importance of trusted relationships between Government and private sector in South Carolina has been recognized and established on several levels. Private sector representation exists on both the regional and state Counter Terrorism Councils and in the all source Fusion Center. I will elaborate more on these initiatives later in my testimony. Below, I will be identifying areas of both concern and success, as it is my intent to be a part of the solution to these areas. Information Flow: The flow of information between the Government and private sector are interpreted to be a one way investment for the private sector. While there is a great effort on the Government's part to solicit situational awareness, timely and actionable and proprietary information from the privates sector, there still exists a significant deficiency on the Government's part to share the information back to the private sector. Information provided by the private sector with regard to suspicious activity is received by the Government and subjected to an analytical process which I am told includes a human and technological assessment, often taking weeks or months to complete. During this time, the information is not shared among the peers of the sector due to the lack of a complete analysis being available. Disparately, should the same information be collected by a peer member who does not forward it to the Government, there is no link identified since the Government chooses to hold the information instead of sharing it across the sector. The process I described creates an atmosphere of difficulty for the private sector to adequately place a remediation plan into effect. I made a valiant effort to seek input from my peers in the industry who are not present here today before the committee. I have been educated on several instances where information was discovered; often months after the Government learned it, where no one the industry was made aware of an existing threat or vulnerability that could have an enormous negative impact on the industry. Portal Fatigue: The industry as a whole has been besieged by the number of information sharing portals from the various Government agencies and some private as well, in attempt to go and find the information. Each portal has a separate vetting process which must be adhered to, a separate user name and password, a unique URL, and to some degree each contains the same information with regard to its informational value to the user. As I am sure you aware, in the private sector, time is equated to money. There is no effort among the Government to coordinate the efforts among the various agencies to simplify this process in any way. Actually, there appears to be competition to see which agency can turn out the most portals in a given amount of time. The idea of posting the information, particularly information with no or little classification, to site for all to come to is at best a backwards approach to information sharing. One would consider the Government as the provider of information in this scenario, yet the provider creates technology requiring the end user to come to the Government instead of the Government pushing the information to the end user. A definite confusing demonstration of a product chain and certainly one the private sector is weary of. Perhaps consideration may be given to using the existing technology to develop a ``role based security dashboard'' atmosphere. A role based security dashboard would have an individual vetted for all the existing Government portals. The Government would then feed the information into a dashboard which would be accessed by the end user. All the information pushed to the dashboard would be available at one location, requiring one user name and password, and would provide a timely and accurate assessment of all information and could also provide tools for data mining the information based on the user instead of the provider. Private Sector Information Sharing: The private sector has found success in utilizing services from other private sector organizations that provide situational awareness and information on a variety of topics and services. These services, while costly to an organization, are very timely and efficient. The services allow the sector to choose the type of information they wish to receive and allow information to be vetted by the distance from a facility or city. I have personal experience with one such organization and found the services to be very beneficial. These organizations leverage technology in various formats to push this desired information out to the end user and have demonstrated an uncanny ability to learn of potential threats, delays and risks in record time. I am forced to rely on the open sources of information to receive most of the situational awareness information available. I have found a television tuned to a cable news network provides the most efficient, timely and accurate information to my company. Considering the amount of investment our country has made toward the sharing of information among our Government agencies and the public sector, I find this reprehensible. We certainly are capable of embracing technology and conducting ourselves better than this. At a minimum, perhaps the Government should consider contracting the services of one of companies who have perfected this and make the services available to the end users who require it. The Southeastern Emergency Response Network is another example of a creation of a private sector initiative which became necessary due to the failure of a Government effort. Homeland Security Information Network--XXX was an original effort to provide a means of information sharing between the Government and private sector. I was approached on the State's behalf to develop the program in South Carolina. I received the organizational chart for the critical infrastructure and contacted our local private sector and sought the commitment to serve in the leadership capacity for the required vetting among the sectors. Once in place, I delivered the chart as requested only to find there had been technological setbacks that would delay the initiation of the project. Some years later I was finally notified that the program would be replaced with anew program which to date has yet to be introduced. Many of my peers and I have begun a very basic method of information sharing among ourselves as a result of not receiving the intelligence we desire from our Government sources. We have resorted to a telephone tree of sorts to ensure each of us share the information in a timely fashion and develop actionable plans for remediation where appropriate. Dam Sector Working Group: Several members of our industry were recruited to participate in a working group to develop the Homeland Security Information Network--Dam Sector (HSIN-DS) and the Asset Identification Database. These efforts were met with great enthusiasm by the sector and several individuals provided a great amount of resources toward this effort. Unfortunately, the Government has not provided the same level of enthusiasm and effort. As a result the project has been at a stand still for some period of time. Initially, there were technology setbacks which over time were able to be corrected. The vetting process presented difficulties over which process would be used by both entities. Due to difficulties arising from the PCII, private sector representatives are skeptical about placing the information into the system. As you can see, there are a number of issues outstanding concerning this project, which is paramount to the safety of one of our most critical infrastructures. HITRAC: The creation of a partnership between the Department of Homeland Security's Office of Infrastructure Protection and the Officer of Intelligence and Analysis to provide a tailored risk assessment product for CI/KR sectors fusing consequence and vulnerability information with threat information is an excellent plan of action. We continue to fall short on the timely sharing of the information generated from this program. We have been told to expect informational bulletins, analytical reports and annual reports and to date we have not received any. The sectors can only respond to strengthen and protect our infrastructure if we receive the information derived from the process below. Without the benefit of this, we have relied heavily on our own resources and our peers for information. Additionally, the lack of communication creates a large void of information flow from the private sector to the Government. Infrastructure Information and Collection Program: The Protected Critical Infrastructure Information (PCII) has failed to demonstrate the Government has the ability to provide a safe and secure atmosphere for descriptive and proprietary information to exist in a repository. Efforts to identify and prioritize national and sector level CI/KR information have yet to demonstrate to the private sector that the information can be maintained in a confidential manner. Recently, this was demonstrated to a peer of mine while attending a meeting, at which time a document that had been provided under the protection of this program was produced by an individual who should not have had access to the document. Incidents such as this are many and cause the private sector to withhold information which in any way may be considered private or proprietary. South Carolina All Source Fusion Center: Among the difficulties we face every day, there are efforts which demonstrate the success and progress we have reached at the State and local level. The creation of the Fusion center in South Carolina is a foundation for the development of a trusted relationship between Government and the private sector. I received notification only three days ago that the Department of Homeland Security State and Local intelligence Community of Interest has cleared the way for private sector representatives to be co-located within the State Fusion Center. A program such as this will greatly enhance the flow of information between Government and the private sector. South Carolina Information Exchange: Homeland Security in South Carolina developed the South Carolina Information Exchange (SCIEx) within the State operated all source Fusion Center. SCIEx is an excellent example of information sharing in a near real time environment. Law Enforcement agencies within the state have participated in this project by allowing the information contained in incident reports created in an automated environment to be replicated to a data warehouse with SLED and allowing for the querying of the information contained therein through a secure web browser. The sharing of this information is a tremendous resource for both the state and the private sector. Information derived from these reports can easily be placed into geographical information software and immediately demonstrate a potential threat and vulnerability to our facilities throughout the state. The technology for accomplishing this feat was developed with the assistance of the National Law Enforcement and Corrections Technology Center--Southeast, which is funded in part by the National Institute of Justice. The software code for this is an open source product, making it available to entities free of charge, resulting in the State of Tennessee initiating a project to replicate the success there as well. I have no reservation recommending this technology be used to better facilitate information sharing among the private sector. There is a success there waiting to happen without the demand of additional tax dollars and development time. Conclusion: In conclusion, I feel that it is imperative for the committee to understand the commitment and dedication of the private sector has with regard to the sharing of information. We realize there are great benefits to be reaped by both the sector and the Government in the presence of a trusted partnership. There have been many, too many actually, attempts to develop and implement a program where this type of exchange can be conducted and the information shared can be relayed and maintain the integrity necessary for the public sector. I and many of my peers are fully prepared to again tackle these difficult issues so long as there is the same level of commitment from our Government counterparts. Until such time, we will continue to make progress with our State Government partners and our industry peers to ensure we have the necessary information to complete our duty to protect the critical infrastructure of the United States of America. Mr. Carney. Thank you. I now recognize Mr. Meenan to summarize for 5 minutes. STATEMENT OF JOHN M. MEENAN, EXECUTIVE VICE PRESIDENT AND COO, AIR TRANSPORT ASSOCIATION OF AMERICA Mr. Meenan. Mr. Chair, members thank you very much. I am pleased to be able to report that from the perspective of the airline industry, the information sharing system in place today is working very effectively, in part because of the business that we are in and the focal area of activity that has been post-9/11 has had the benefit of working very closely with both TSA and DHS literally from their startup, and as a result, the system that we have developed is working I think quite effectively. I would mention, for example, that the day of the Glasgow bombing, before I heard the report on the radio, we were already called to a conference call with TSA to discuss the implications of that for the industry. The flow of information is very good. The exchange of information is very good. We, in fact, report security incidents on a regular basis to the government. They are processed. They are looked at for a variety of different reasons, and then submitted back to the industry with the assessments necessary for everybody to understand the implications of them. I think our concern that I identified in our testimony is that we don't want to disrupt that system as a consequence of building analogous programs for other sectors. What we would like to do is share our experience with anyone who is interested to help them understand what works for us. It may not work as effectively for other sectors. But we don't want to disrupt what we have already accomplished. Beyond that, I think we are more than pleased with what is going on today, and we simply want to continue that. Thank you. [The statement of Mr. Meenan follows:] Prepared Statement of John M. Meenan Madam Chairman and members of the subcommittee let me begin by thanking you for the opportunity to appear today. On behalf of our airline members, I would note at the outset that the focus of this subcommittee on information sharing and the associated application of analytical tools to understanding, managing and mitigating the risks of terrorism, is of paramount importance. The Air Transport Association and our member airlines are committed to providing you with our full support. With specific reference to the subject of today's hearing--the sharing of critical homeland security information--I am pleased to report that from the perspective of the airline industry, that system is working very effectively and efficiently. Over the past six years since 9/11, the relationships, lines of communication, timeliness, quality and mutuality of the information exchange between government and industry has developed very positively. While we fully appreciate the principle behind the development of a more structured Homeland Security Information Network (HSIN), we are very concerned that, in doing so, we do not in any way inhibit or interfere with the effective system we rely upon today. The relationship between the airline industry, the Transportation Security Administration (TSA), the Department of Homeland Security (DHS) and the broader law enforcement and intelligence communities is, of course, significantly more developed than that of other sectors. For some forty years we have been the subject of federal government regulation and direction relating to aviation security matters. Since 9/11, and with the establishment of both TSA and DHS, that relationship, of course, has reached even higher levels of sophistication. We currently have in place well established conduits for the flow of information back and forth between industry and government. These conduits include routine reporting, telephone and electronic exchanges of information, the posting of Sensitive Security Information (SSI) on a TSA secure Web board, and classified briefings to the industry on a regular basis, as well as ``need to know'' briefings on developing situations. In addition, airline-specific information is conveyed through direct, secure communication (STU calls), as well as through local security briefings. The Security Directive system and emergency program changes are communicated electronically to provide real-time updates resulting from actionable intelligence. Joint DHS and Federal Bureau of Investigation reports are provided to the industry as deemed necessary along with Homeland Infrastructure Threat and Risk Assessment Center reports. Finally, of course, the airlines are the only sector we are aware of that is required to provide TSA, are with reports of suspicious activity. These reports, once scrutinized, analyzed and processed by TSA then returned to the industry in the form of weekly suspicious incident reports. In sum, the system we have in place is highly developed and specialized to accommodate the unique relationship between the airline industry and the responsible government authorities. We appreciate the importance of developing analogous systems for other sectors, and would welcome the opportunity to share our experience. We would, however, caution against any well intentioned but misguided effort to conform this specialized aviation system with a ``one size fits all'' approach applicable to all critical infrastructure sectors. We would be very concerned with requirements, through HSIN or in other ways, for duplicative, unnecessary or extraneous reporting--or any requirements that either slow the flow of information or inhibit the candid exchanges that are the hallmarks of our existing system. Our government's approach to civil aviation security is multilayered. This is the most sensible response to the shifting threats that our nation confronts. An integral element of that approach is the government's collection and analysis of passenger information for both domestic and international flights. Vetting passengers against government watch lists--in accordance with strict procedures that recognize that such lists need to be carefully ``scrubbed''--safeguards customer privacy and provides redress opportunities, substantially enhancing security for passengers and crew members alike. These information-centric passenger vetting programs are expanding--both here and overseas. They will create substantial new demands on governmental agencies, airlines and travelers. The problem is that these governmental passenger-information requirements, thus far, have only produced a mosaic. It remains to be seen if a coherent a picture will emerge. Given the security threats confronting civil aviation, there is no reason to believe that that the government's passenger-information needs will abate. Passenger data will be required for the Secure Flight Program and is currently required for CBP's Advance Passenger Information System and CBP's passenger reservation information access program. Moreover, foreign governments are imposing similar demands on airlines flying to their countries, including U.S. air carriers. This unmistakable international trend is most evident with the ever increasing number of countries that require APIS information but also is reflected in the Canadian requirement for access to passenger reservation information for international flights bound for Canada, including flights from the United States. Finally, the Centers for Disease Control has proposed a rule that would require that airlines collect and store broad new categories of passenger contact information. Information management is precisely where the government should be able to achieve a coherent policy. The continued absence of a comprehensive, governmentwide passenger information access policy is a matter of real concern to us. Nor is there any indication that any element of the federal government is inclined to assume the responsibility to develop and oversee such a comprehensive policy. This needs to change quickly. The U.S. government must produce a uniform passenger-information collection policy that applies to all of its civil aviation security and facilitation programs. Our government should also lead an effort to create such a policy for worldwide application. A uniform policy is indispensable to the efficient collection, retention and use of passenger-information. Multiple, uncoordinated information demands do not advance aviation security. Instead, they create unneeded complexity, wasteful duplication and unjustifiable costs to the government, customers and airlines. In conclusion, I would reiterate that from the perspective of the airline industry, we believe that our highly evolved information- sharing system is working very efficiently and effectively. Given the extensive experience that has gone into its development, we believe it could well serve as a guide to facilitate appropriate sharing by other sectors. We look forward to continuing to adjust and fine-tune our system in close consultation with our TSA and DHS counterparts. We would, however, caution strongly against any program that seeks to force changes in this highly functional system simply for the sake of cross-sectoral consistency. At the same time, with respect to the collection of passenger data as opposed to the sharing of intelligence or suspicious incident reporting, we believe that better coordination between government agencies is imperative. Thank you very much for the opportunity to express our views on this important matter. Mr. Carney. Thank you, Mr. Meenan. Mr. Hovel for 5 minutes, please. STATEMENT OF RICHARD E. HOVEL, SENIOR AVIATION AND HOMELAND SECURITY ADVISOR, THE BOEING COMPANY Mr. Hovel. Congressman Carney, Ranking Member Reichert, Congressman Dicks, it is a pleasure to be able to once again testify before this subcommittee on a topic that is so vital to industry. I had the honor of appearing before this subcommittee at your field hearing in Seattle just last May. As has been stated, I have over 35 years of cumulative law enforcement and aviation security experience, and I would like to mention including working closely with, among the subcommittee members, Congressman Reichert when he was sheriff of King County, Washington. We at Boeing are glad that we are having this hearing. We believe it is essential for the collective security of this Nation and the public and private sector to work together and share information we have about threats to our infrastructure, and I would like to highlight simply three this morning. One, the critical need for the fusion center partnership. This partnership is a multi-agency platform used by the government and the private sector to share vital threat information that could affect critical infrastructure here in the United States and abroad. In working together, it is vital that the public and private sector establish a bottom-up approach by integrating not only the information sharing requirements of industry but also the vast amount of information that industry can provide. For example, Boeing is a key producer of aerospace and defense products that are an important part of our economy. Given some of the products we make, we know we are a target for terrorist elements that would like to disrupt our ability to provide these products to our commercial customers as well as to the U.S. Government. The fusion center allows us to work with Federal, State, local law enforcement to identify potential threats to our facilities, assets and operations. For the safety and well-being of our company, many other companies and the Nation, it is essential that we continue the cooperation the fusion center has generated. Secondly, the private sector is acutely aware of the interdependencies and preparedness gaps that lie within the various elements of the critical infrastructure. But because of the complex nature of each of these elements as well as their interdependencies, it is vital that we have access to as much information as early as possible, both classified and unclassified. As my good friend the honorable Congressman Reichert well knows from his exemplary career in law enforcement, it is essential to have all the information available in dealing with the criminal element, which for the very same reasons is equally essential to the private sector. That is the information beyond what might be threat-specific, indicative of a long-term threat, or tactics and methods utilized by our adversaries. Third, we would like to thank Congress for passing the Critical Infrastructure Information Act of 2002. In addition, we are pleased with the final rule issued by the Department of Homeland Security on procedures for handling critical infrastructure information and the protection of it on September 1, 2006, in response to that very act. This law encourages the private sector to voluntarily share security- related information about critical infrastructure and by providing special protection for that information. Going forward, it is extremely important for the public and private sectors to work together to protect our national security, economy, and public welfare. Similarly, passage of the Safety Act of 2002 is an essential enabler for participation and information exchange. This gives providers of anti-terrorism technology and services a system of risk management that limits potential legal liability. Without this protection, the private sector could not participate in this activity. Again, I thank you and certainly stand ready to answer any questions you might have. [The statement of Mr. Hovel follows:] Prepared Statement of Richard E. Hovel The US Department of Homeland Security has defined the concept of a fusion center as a collaborative effort of two or more agencies that provide resources, expertise, and/or information to the center with the goal of maximizing the ability to detect, prevent, and respond to criminal, terrorist and other activity as affects our Critical Infrastructure Key Resources (CI/KR). To meet this challenge, fusion centers are evolving to an all-threats, all-crimes, all-hazards approach. Their intended function is to compile, blend, analyze, and disseminate information of various types such as Criminal Intelligence, Threat Assessments, Public Safety, Law Enforcement, Public Health and Social Services, to name a few. To establish this successfully, a ``bottom up'' approach is necessary, integrating information requirements of the private sector to form the program foundation. Once accomplished, measurable progress will be dependent upon mutually understood expectations, capitalizing on already-existing relationships between the public and private sector partners. According to the recently released National Intelligence Estimate (NIE), the ability to detect broader and more diverse terrorist plots in our current environment is certain to challenge existing US defensive efforts, as well as the tools we use to detect and disrupt these plots. To meet this challenge will require a greater understanding of how suspect activities at the local level relate to strategic threat information, and how best to identify indicators of terrorist and other criminal activity in the midst of legitimate interactions. The private sector can offer fusion centers a variety of resources, including industry-specific subject-matter experts who can provide expertise when threats have been identified. This could include information pertinent to cyber crimes, risk assessments, suspicious incidents and activities, as well as information relative to the location of CI/KR. However, understanding and responding to the myriad of CI/KR interdependencies as well as preparedness gaps that exist between them, depends upon having the latest and most complete information available. Similarly, success in the public sector in these extremely sensitive areas is predicated on a thorough understanding of the far-reaching damage that a successful attack on CI/KR could have. Industry, as a whole, is acutely aware of the vital role one element may have in the successful continuity of operations of other elements. Because of the difference and complex nature of each element of the CI, as well as their already stated interdependencies, access to all information both classified and unclassified, which potentially or actually threatens them, is vital. One of the fundamental principals of fusion center partners should be the identification and sharing of terrorism-related leads, that is, any nexus between crime-related and other information collected by state, local, tribal and private sector entities suggesting the presence of a terrorist organization and/or likelihood of an attack. A clear understanding of the links between terrorism-related intelligence and terrorism-related information, e.g. flight training school, drug trafficking, etc, must be understood so as to identify those activities or events that are precursors or indicators of an emerging threat. It is essential that a partnership between public and private sector officials be solidified, so public sector representatives may become much more familiar with prevailing vulnerabilities and consequences in the private sector, of possible terrorist attacks. Likewise, the private sector must be better educated to the methods likely utilized by terrorist organizations, and the equipment and substances needed/ used to carry out an attack with associated planning activities. An outreach to non-government experts in academia and the Private sector can also add the advantage of alternative analyses and new analytic tools to broaden and deepen the intelligence community's perspective. Other information necessary, both classified and unclassified that is vital to the private sector is that which is threat-specific, indicative of a long-term threat and tactics and methods used by terrorist organizations to perpetrate an attack. One objective is the production of value-added intelligence products than can support the development of performance-driven, risk-based prevention, response and consequence management programs that will support specific protective measures to identify and disrupt potential terrorist attacks during the planning and early operational stages. Benefits of this will be realized in the improved flow of information from a common operating picture, which supports private sector resiliency while satisfying public sector mission requirements. More specific information needs attendant to individual elements of the CI/KR may best be the product of Key Resource Sector Councils, the American Society for Industrial Security (ASIS) or other OSAC-like groups that can speak to the more in-depth characteristics of each element. On a related note, Boeing would like to thank Congress for passing the Critical Infrastructure Information Act of 2002. We are also pleased with the Final Rule issued by the Department of Homeland Security (DHS) on Procedures for Handling Critical Infrastructure Information, on September 1, 2006, in response to that Act. This law encourages the private sector to voluntarily share security-related information about critical infrastructure by providing special protection for that information. Going forward it is extremely important for the public and private sector to work together to protect our national security, economy, and public welfare. The type of information that Boeing provides includes assessment of the vulnerabilities of our aviation infrastructure, which includes our airplanes. Boeing believes that this information and the thorough risk management analysis that TSA and Boeing are working on with others in government and industry are critical to improving security, safety and efficiency in U.S. commercial aviation. The U.S. aviation infrastructure remains a potential target for future terrorist strikes and the government and private sector need to keep a collective watchful eye. The PCII protections are essential to this work. According to the NIE, Al-Qa'ida's homeland plotting is likely to continue to focus on prominent political, economic and infrastructure targets with the goals of producing mass casualties, visually dramatic destruction, significant economic aftershocks and/or fear among the US population. It goes without saying that Al-Qa'ida will continue to try to acquire and employ weapons of mass destruction (WMD) and would not hesitate to use them if it develops what it deems is sufficient capability. There are increasingly aggressive internet sites espousing anti-US rhetoric and actions, and a growing number of radical, self- generating cells in Western countries, indicating that the radical and violent segment of the West's Muslim population is expanding within the US. Other non-Muslim terrorist groups will also most likely conduct attacks over the next three years given their violent histories. To date, the bulk of the deadly attacks experienced, have been directed toward the private and quasi-private sectors. The loss of lives and damage to property suffered both domestically and overseas has been astronomical, giving companies a vested interest in joining in the fight. Currently, the resources of the private sector are hardly being tapped. Instead for the most part, businesses are (still) sitting on the sidelines relying on the US government for protection. This not only weakens our ability to eliminate terrorism, but it overlooks the fact that this is a shared problem that involves us all. The chance of winning the fight against terrorism exists, but we all need to contribute to the solution--a solution that necessitates expansion of the intelligence gathering role beyond its limits to date, and overcoming the crippling attitude that this menacing threat is the responsibility of the government alone. Mr. Carney. Thank you, Mr. Hovel. And I would like to thank the panel for their testimony. I will now recognize myself for 5 minutes or so for questions, and we will continue the questions with the rest of the panel. My first question is, Mr. Johnson, on the timeliness issue. How from your perspective do we fix it? What needs to happen to improve the timeliness? Mr. Johnson. Well, I think on several fronts. One is that I think we are moving in the right direction to determine what information each of these sectors needs to receive. But the other is, is that we have to develop an atmosphere where that when there is an incident, whether it is domestic or international, when this occurs, that that information regardless of how well we have been able to go back and ensure that it is accurate and that those things take time, from our standpoint we are looking for a remediation plan. Do I need to step up protection if there are some things that I need to take place now to ensure that that doesn't happen to any of our infrastructure? So speaking at it from that standpoint, the quicker we have that information that is pushed to us that we are not relegated of calling a phone number to find out information about, but we all have numerous devices now that connect us to information. And by pushing that information out versus putting it there for us to come find it I think is the one change that I think would benefit us greatly, is that we get notified of the incident that there be continual updates providing information. As that analytical part goes on, if they determine that the information is not accurate, what is going out on the open source areas and they can provide that to us, that too is of utmost benefit, but waiting to do that until they have had an opportunity to assess it often puts us in a position that we are having to make decisions about whether we are expending more moneys to protect certain infrastructure or whether we are not. And obviously we need notification of those issues as quickly as we can. Mr. Carney. Let me ask you from this perspective then, does SCANA, for example, have somebody or an office that monitors the Web sites that sees what is being pushed out? Mr. Johnson. We do. We have individuals that we have that go to that. Primarily our quickest asset that we have found of discovering of breaking news and information is the cable news networks. That is where we find things out and we are then relegated to find our contacts within the various communities of interest and different areas of homeland and Federal and State law enforcement. Our fusion center is a huge assistance to us, but they currently are not 24/7. When they are there, we get good notification. But they too are trying to find a methodology by which they are going to get pushed out. Mr. Dicks. If you will just yield briefly on that point for a second. Mr. Johnson. Yes, sir. Mr. Dicks. Does your fusion center have Federal officials in it? Or is that a State fusion center? Mr. Johnson. The implementation is, this summer, of a DHS official present in our fusion center. That is very new and recent. Mr. Dicks. Is the FBI there, other Federal agencies? Mr. Johnson. There is a Federal figure, they call the--the actual intelligence group has a representative there as well. Yes, sir. Mr. Dicks. Thank you, Mr. Chairman. Mr. Carney. Thank you. You will be happy to know that, for example, over at the Pentagon they also have CNN on and FOX News too. Mr. Johnson. I am sure they do. Mr. Carney. This is for everyone. How much information do you push up? Mr. Johnson. I can speak to ours. Any incident that we have of suspicious activity around any of our facilities that have critical infrastructure, as it has been deemed critical by our assessment, we push that information to our fusion center. Certainly we have plans in place that should we have any kind of an obvious sabotage or an attack, Federal law enforcement is notified along with our State homeland security and law enforcement officials and the Department of Homeland Security would be notified in that respect as well should that occur. Mr. Carney. Mr. Meenan. Mr. Meenan. From the airlines' perspective, we are actually under regulation required to report suspicious incidents, not that we wouldn't do that anyway. It really becomes a matter of making sure that what we are reporting is significant, is important enough to--I mean, you have to sort through these things. You can't so overburden the system with every anomaly that you end up losing any perspective on what you are reporting. So I would say we have struck a good balance at this point. We are very satisfied. Mr. Carney. I will get right to you, Mr. Hovel. But along that same vein, when we see blocks of cheese with wires wrapped around them going through airports, is that considered not anomalous or how-- Mr. Meenan. That I think is a good example of a report that draws a lot of public attention that is more in the nature of a routine report that we receive with great regularity. That is one I think TSA indicated some 90 reports of things going on. That is why it is important that the experts, the intelligence community, the law enforcement community be looking at these things to determine what is more significant and what isn't? It is also, I think, one of the reasons that we are concerned that this information be handled with the appropriate amount of discretion as well. Mr. Carney. Mr. Hovel. Mr. Hovel. Similarly, we too are governed by the requirements to run the information by the Department of Defense. But aside from that, we are in a little bit different situation in that my office is unique in the sense that it represents both the classified side of the house to Department of Defense as well as the commercial side. Consequently, my office deals with all matters of counterintelligence, counterespionage and counterterrorism, all three of those, which you can see quickly and easily are obviously all driven by information. So it is extremely vital to us to have the same information as early as possible without waiting for it to be vetted as to whether it is even actionable or not. Consequently, we do report incidents that take place up to the various chains both on the defense side and on the commercial side to the levels and in the verbiage where it is appropriate to the audience, where it is warranted. But it also gives us the opportunity to analyze that intelligence ourselves with respect to our own operations to determine the relevancy. Mr. Carney. Thank you. I now recognize the subcommittee's ranking member, Mr. Reichert. Mr. Reichert. Thank you, Mr. Chairman. Welcome to all of you. Mr. Hovel, nice to see you again. I wanted to touch on-- Mr. Meenan, you suggested that the airline industry is having success in communicating with the Federal Government. What do you think that success is due to? Mr. Meenan. I think it is due to--fundamentally it is due to relationships. I mean from the very start of TSA's activity and indeed under its predecessor functions over at the FAA, we have a lot of personal relationships, a lot of solid business relationships that have grown into the kind of communication that I think is critical to developing the right flow between the industry and government. Those are obviously supplemented at this point with a wide array of support that has come, as you heard from the first panel, from other government agencies and entities, and the mechanisms to do it. We have got the electronic communications capability, everything from you know routine e-mails to there was a classified Web site with sensitive security information that is available to our folks. It is a very comprehensive system, and it is I think at this point quite productive. It improves daily, and we want to continue to improve it. Mr. Reichert. It sounds kind of simple. Build a relationship, build some trust, and then you build a system to share the information. Mr. Meenan. It has worked that way for us. Mr. Reichert. So in this process, where do you get your information from? Is it from TSA? Mr. Meenan. Primarily from TSA. But we also receive routine reports, high track reports, we receive FBI briefings, we receive from a variety of different sources of information. But our principal focus obviously for the airline industry is with TSA. Mr. Reichert. Have any members of the panel identified any chokepoints in sharing information back and forth? I know the question has already been asked about timely. But if it is not timely, why isn't it timely? Where is the roadblock if there is one? Mr. Hovel. Congressman Reichert, it is a chokepoint for us where we find that information is not passed along to us because of one or another reasons. One, it is possibly not deemed as actionable. Second of all, and most importantly, it may well not be understood by those who are evaluating the information, and that leads back to my previous comments concerning the interdependencies. Because of the intricate nature of each of the elements of the critical infrastructure and their significant interdependencies upon each other, it is vital that we be able to get as much information as quickly as possible to look at that information relative to these various elements. Then and only then are we going to be able to analyze it to see what implication, what relevancy it might have as well as what dangers it might pose. Aside from that, other information that we get is coming to us in a timely manner. Mr. Reichert. Is the fusion center a benefit for your--and I know you have recently become a member. Mr. Hovel. Yes, it certainly has. In fact, sitting behind me is a gentleman that is our intelligence analyst that is assigned to the fusion center. Mr. Reichert. I have no further questions. Thank you. Mr. Carney. Thank you, Mr. Reichert. The Chair now recognizes the gentleman from Washington, Mr. Dicks. Mr. Dicks. Mr. Meenan, one thing that has troubled me, maybe you can help me on this and maybe you can't, one of the issues that, you know, we talk about this relationship with TSA and we have airplanes flying to the United States. One of the problems has been getting the names checked before the airplanes take off. Can you explain that to us? That seems to me to be one of those things that we have just got to fix. And is it being fixed? Mr. Meenan. It is being worked on every day. Actually, the names are checked before the airplanes take off. The information is exchanged. In my prepared remarks, I mentioned it is an area of difficulty for us because unlike on the intelligence and information sharing side of things, the industry is hit with multiple different requests from various government agencies for data elements about our passengers, our customers. There is very little effective coordination between all of the government agencies involved there, and it is a matter then of trying to satisfy multiple different masters. We have urged the Department of Homeland Security to work across the government to try to minimize the duplication that is going on, make it as streamlined as possible, agree on what the data elements are, and let us build a system once and for all that works to supply all these agencies with what they need, rather than these pop-ups that we are dealing with today. Mr. Dicks. And that still hasn't happened? Mr. Meenan. It has not happened at this point. But I will say people are trying to address it. It is a very complicated set of information involved. Mr. Dicks. Do you have any time frame on which you think this will get resolved? Mr. Meenan. Not at this point. But it is being addressed every day. There are, as I say, levels of complication to it. We will be happy to come by and brief you in more detail on it, but it is something that we are working on, and I think the government is working on as well. Mr. Dicks. One area of concern to the Congress has been the fact that we go through all this complicated procedure to check all the passengers, but we don't do it with the workers at the facility. What is your take on that? Or we don't do it to the same extent. Mr. Meenan. I think that is something of a misinterpretation. We actually know a lot about the workers. We do a lot of checking of the workers. But what we are concerned about is there is talk, there is discussion about 100 percent screening, for example, of employees moving to and from secure areas at the airport. Many of those are the pilots who fly the airplanes, who we trust to fly the airplanes. We don't know that that is an effective and efficient use of government resources to screen them to make sure that, you know--we want them to be fundamentally screened. But there are limits to what should be done. Same thing with mechanics, people who are bringing tools onto airplanes. You know, we let them do that, and yet we are saying they need to pass through a checkpoint on the back side of the airplane to go to work. There again, some practicalities associated with that that we think just need to be thought about very carefully. Mr. Dicks. Well, as someone who has been on this committee for a number of years, and you look at what the consequences of 9/11 were economically to the country and what we have had to do in order to try to better secure the country, I mean the ramifications of this are just immense, especially for the airline industry and for Boeing, who was adversely affected when their customers can't buy airplanes because people have stopped traveling. It is a major, major problem, and one that has concerned us. And we want to try to work with Homeland Security to improve this process. And again, I think when we have these hearings we should have the private sector people first and get all the issues. Mr. Chairman, I know it wasn't your decision. And then bring the government witnesses up so that they can have the benefit of having heard the people from the private sector first. But I think as you have suggested, all of you, that this is a work in progress. And I am hopeful that we can continue by having oversight hearings which I think even the previous Congress did a good job on, had a lot of hearings which brought these issues out. And when you do that, then sometimes, most of the time the agencies will respond, because they recognize they want to do a better job. At least we hope so. Mr. Meenan. And if I might, it is one of the reasons we find the work of this committee so important. The key to good security is risk analysis, understanding the risk and applying the resources as efficiently as you can to achieve the goal you are seeking. And I think that is something that we are all learning to do better over time. And it is going to continue to improve. Mr. Dicks. You can't defend against everything. You have got to pick out the ones, the truly big possibilities where-- and the airlines unfortunately represent that kind of a possibility, as we learned on 9/11 and subsequent to that, that it is something that is continuing to be a problem. So anyway, we appreciate your testimony, and we appreciate your working with the agencies to try to help them improve. Thank you, Mr. Chairman. Mr. Carney. Thank you, Mr. Dicks. I just have a couple of questions before we wrap it up today. Mr. Johnson and Mr. Hovel, does the private sector trust the government with proprietary information? I mean, is this an impediment to the relationship of information sharing? Is it a facilitator of it? Are there barriers we need to work on here? Mr. Johnson. I can speak for our sectors and the peers that I have spoken with that there are still some issues. There was an incident that I outlined in my testimony that was provided to you earlier where a representative of or sector was in a meeting with some contractors. And during that conversation a document was presented that was absolutely protected and proprietary and had been provided under the PCII status, yet that document was out. Those incidents obviously make it very difficult. I think there is a desire to work with and trust the government with that information. But in some of those instances, some of that information is so crucial to our business units standpoint that there is still some--and will continue to be some concern about arbitrarily turning that document over from that standpoint. Mr. Carney. Mr. Hovel. Mr. Hovel. We too have some concern. We have not had any problems, however, with that. We have been very, very happy with the protections afforded us by the law that has been enacted. We look very forward to putting into place the ACAMS element of Operation Archangel to feed the information into the database. We are right on the threshold of accomplishing that. Mr. Carney. Okay. Again, I heard when Mr. Dicks was asking his questions the phrase ``duplication of effort'' again, and we assured the previous panel that that was really not happening. But it is happening from your perspective? Mr. Hovel? Mr. Hovel. Yes, it is happening but it is not necessarily a bad thing. Because oftimes we may not be privy to a particular channel of information that comes in. If there are multiple channels, then the law of averages is going to catch us sooner or later to be able to get that information in front of us. At the same time it is interesting to hear the different variations of interpretation of incidents too. So it is a critical thinking---- Mr. Carney. Well, is it interesting or perplexing? Mr. Hovel. It can be both. It certainly has in the past. Mr. Carney. Understood. Mr. Meenan. Mr. Meenan. It is something we are concerned about, but I must say I was reassured with the testimony from the first panel today that some of our concerns about the development of the HSIN network may be misplaced. We haven't been fully briefed on it. We have a meeting set I think next week and we just want to ensure that it is run as efficiently as possible. Mr. Carney. Okay. Thanks. Mr. Johnson. Mr. Johnson. I concur with the earlier speakers. But I will tell you I probably have more concern about not so much the duplication of efforts as it is to complete a project. We have had multiple issues, particularly with HSIN that have begun only to find that during a period of time there seems to be a lull that we are now moving in a different direction. It appears that we are constantly working to reinvent what we discussed and talked about before. And that seems to be the more duplicative part than it is duplicative efforts among the various parts of the Department. Mr. Carney. Okay. I understand. I have no further questions. I will, however, recognize my good friend, Mr. Dent, from Pennsylvania for 5 minutes or so. Mr. Dent. Thank you, Mr. Chairman. I appreciate that. And I guess my question would be to Mr. Meenan and to Mr. Hovel, especially with respect to the information that you are currently receiving or that is being made available to you from the Homeland Security Information Network, the HSIN. Are there any suggestions that you can make to DHS that would essentially help that agency provide you with more useful realtime information and intelligence? From your perspective and maybe from the association's perspective. Mr. Hovel. Certainly. There are some things that could be done to--one of the key factors is expediting the issuance of information in a more timely fashion. One of the problems that we have experienced in the Northwest is with what is called Northwest Warning and Alert Response Network, NWWARN. At first our network in NWWARN was attached to the greater communication platform of HSIN CI, and we found it was not robust enough. So we have consequently gone with another platform that does have the flexibility and the resiliency that is necessary to continue operating what it is that we believe and feel is necessary for at least our part of the country. Mr. Meenan. From the airline's perspective, I think because we have been so central to a lot of the post-9/11 activity at both DHS and TSA, our information sharing and the products we receive I think are pretty well developed and are pretty sophisticated at this point. From an industry perspective and down to the individual airline perspective, there are lots of close daily, hourly communications. And obviously we are always looking for areas to improve. But right now I think if anything, our sector could probably be more helpful to some of the others in understanding how to develop their own mechanisms rather than putting too much more input into that. It is working pretty well at this point. Mr. Johnson. Mr. Congressman, I too would go back and concur with the comments provided by my colleague with Boeing. We too have had the same situation with the Southeast side of HSIN CI. There was a great deal of work, diligent work on both the Federal Government side and the private sector side to identify these sector representatives, to vet these individuals, and to go out and market and sell that program among the various critical infrastructures, only to find that the actual platform now was not robust enough to allow us to continue on it, and now we are going down a different road where we have a spin-off from the Southeast Emergency Response Network, SERN, that we are now having to go back and try to remarket and go back to the same individuals where we have already been that we did not produce to try to encourage them to participate in yet another program. And that becomes more difficult each and every time we have to go back and do that. There is only so much commitment and trust that these individuals are going to put into their time. When you are dealing with the private sector, they are used to determining what an issue is, finding the answer and moving forward, not keep coming back and revisiting the same information again and again and again. Mr. Dent. So are you basically suggesting that the information that you are being asked to provide to DHS creates an undue burden for your company in many cases? Mr. Johnson. In circumstances, that would be correct. Mr. Dent. Is that the sense of Boeing, too? Mr. Hovel. Yes, sir, that is the case. Mr. Dent. What can we do--why don't you just elaborate on what you think we can do to make our compliance requirements less burdensome? What should we be doing? Mr. Johnson. In our area what I am speaking to is not so much compliance as it is encouragement to utilize. Take this technology provided by the government to collaborate and exchange and receive information. I don't know if we have missed the ball going into it from an assessment standpoint or what the technology needs to be and exactly how much information there is. I almost come to the point that I feel we need to look for small successes instead of large failures. Let's take the low hanging fruit. It may not be 100 percent of what we need. But let's find something that we can complete and say that it is a success and then build off of that to get to where we need to be. Maybe instead of trying to take the entire tree, let's take the apple first and work our way up, may be a suggestion that I would have. Mr. Hovel. Congressman Dent, there is another element that factors into this as well, and the distinguished colleague from ATA was able to bring that element to light, and that is the differences that exist from ATA operating in a regulated environment from a security standpoint to, say, SCANA or the Boeing Company, which does not operate in a regulated environment. We are finding the balance of information that does get transmitted to the regulated side far and away exceeds that of what is received otherwise by us included. So just the information that is shared and the time of it that it is shared within is critical to us. But because we are not regulated, we don't get a timely response necessarily in all circumstances. Mr. Johnson. Congressman, just for your benefit, we too work in a regulated area. Obviously we have nuclear as well as FERC and other things that we work within. And certainly from the compliance standpoint, the exchange and flow of information there is much better than on the business units we have that may not be so heavily regulated. And I can speak from other sides of the private sector and other areas which do not have those compliance issues. These are the ones we keep coming back to again and again, asking them to participate and provide. It is just--that is the hard part, is to keep going back to the same individuals over and over. Mr. Carney. Thank you, Mr. Dent. To continue along this course just for a moment, how do we convince them to come back? What can we do? What can the government do? What can Congress do from your perspectives to allay their fears? Mr. Johnson. I can only speak from our successes that we have had in our State of South Carolina. On the State level, we have made good progress with sharing information. We have demonstrated our ability to do that among our law enforcement agencies where all of their incident reports are now shared into a common data warehouse, that they can come in for the first time and be able to query that information from other agencies. That has never existed before. We did that through the assistance of the National Law Enforcement and Corrections Technology Center Southeast, funded by the Federal Government through the National Institute of Justice, who are tremendous brokers of--an honest broker of technology for law enforcement. I think we can replicate that throughout the private sector. Getting the ability to access that assistance is something Congress can make happen that I think will assist us. There are success stories there on the State level where we look and derive for particular intelligence and information from our fusion center to push out to the members of our private sector and the State. But it takes a great deal of effort, obviously, to do that, where the Federal Government can come in and whether they contract with someone to push this information out on a timely basis, whether it be situation awareness information, those things are all there. It may not be in the best interests of the timing of both the customers and the government for the government to take that role. We need to look at what areas we can contract out and utilize that where it benefits us, I think would be an area that we certainly ought to consider. Mr. Carney. Anybody else care to comment? All right. Well, I want to thank the panel for their valuable testimony this morning. It is enlightening from both perspectives, from all perspectives. Please be aware that there is a possibility that the committee and members will have further questions that we would like a timely response to. It is not always the case, but we would like a timely response. Hearing no further business before the subcommittee, we stand adjourned. [Whereupon, at 11:40 a.m., the subcommittee was adjourned.]