[Senate Hearing 110-317]
[From the U.S. Government Publishing Office]


                                                        S. Hrg. 110-317
 
                      PRIVATE SECTOR PREPAREDNESS 

=======================================================================

                                HEARING

                               before the

                  AD HOC SUBCOMMITTEE ON STATE, LOCAL,
                    AND PRIVATE SECTOR PREPAREDNESS
                            AND INTEGRATION

                                 of the

                              COMMITTEE ON
                         HOMELAND SECURITY AND
                          GOVERNMENTAL AFFAIRS
                          UNITED STATES SENATE


                       ONE HUNDRED TENTH CONGRESS

                             FIRST SESSION

                               __________

                             JUNE 21, 2007

          PART I: DEFINING THE PROBLEM AND PROPOSING SOLUTIONS

                               __________

                             JULY 12, 2007

            PART II: PROTECTING OUR CRITICAL INFRASTRUCTURE

                               __________

        Available via http://www.access.gpo.gov/congress/senate

       Printed for the use of the Committee on Homeland Security
                        and Governmental Affairs

                     U.S. GOVERNMENT PRINTING OFFICE

36-615 PDF                 WASHINGTON DC:  2008

        COMMITTEE ON HOMELAND SECURITY AND GOVERNMENTAL AFFAIRS

               JOSEPH I. LIEBERMAN, Connecticut, Chairman
CARL LEVIN, Michigan                 SUSAN M. COLLINS, Maine
DANIEL K. AKAKA, Hawaii              TED STEVENS, Alaska
THOMAS R. CARPER, Delaware           GEORGE V. VOINOVICH, Ohio
MARK L. PRYOR, Arkansas              NORM COLEMAN, Minnesota
MARY L. LANDRIEU, Louisiana          TOM COBURN, Oklahoma
BARACK OBAMA, Illinois               PETE V. DOMENICI, New Mexico
CLAIRE McCASKILL, Missouri           JOHN WARNER, Virginia
JON TESTER, Montana                  JOHN E. SUNUNU, New Hampshire

                  Michael L. Alexander, Staff Director
     Brandon L. Milhorn, Minority Staff Director and Chief Counsel
                  Trina Driessnack Tyrer, Chief Clerk


 AD HOC SUBCOMMITTEE ON STATE, LOCAL, AND PRIVATE SECTOR PREPAREDNESS 
                            AND INTEGRATION

                   MARK L. PRYOR, Arkansas, Chairman
DANIEL K. AKAKA, Hawaii              JOHN E. SUNUNU, New Hampshire
MARY L. LANDRIEU, Louisiana          GEORGE V. VOINOVICH, Ohio
BARACK OBAMA, Illinois               NORM COLEMAN, Minnesota
CLAIRE McCASKILL, Missouri           PETE V. DOMENICI, New Mexico
JON TESTER, Montana                  JOHN WARNER, Virginia

                     Kristin Sharp, Staff Director
                Michael McBride, Minority Staff Director
                        Amanda Fox, Chief Clerk

                            C O N T E N T S

                                 ------                                
Opening statements:
    Senator Pryor
    Senator Akaka
    Senator Sununu

                               WITNESSES
                        Thursday, June 21, 2007

Alfonso Martinez-Fonts, Jr., Assistant Secretary, Private Sector 
  Office, U.S. Department of Homeland Security
Marko Bourne, Director of Policy and Program Analysis, Federal 
  Emergency Management Administration, U.S. Department of 
  Homeland Security
F. Duane Ackerman, Former Chairman and CEO, BellSouth 
  Corporation, Business Response Task Force, Business Executives 
  for National Security (BENS)
Hon. John Breaux, Former U.S. Senator from the State of 
  Louisiana, Co-Chair, Business Response Task Force, Business 
  Executives for National Security (BENS)
Richard Andrews, Ph.D., Senior Advisor for Homeland Security, 
  National Center for Crisis and Continuity Coordination

                        Thursday, July 12, 2007

Colonel Robert B. Stephan, Assistant Secretary for Infrastructure 
  Protection, U.S. Department of Homeland Security
Eileen Regan Larence, Director, Homeland Security and Justice 
  Issues, U.S. Government Accountability Office
Lieutenant Colonel Kenneth C. Watson, (Retired), Vice Chairman, 
  Partnership for Critical Infrastructure Security, Inc., and 
  Senior Manager, Critical Infrastructure Assurance Group, Cisco 
  Systems, Inc.

                     Alphabetical List of Witnesses

Ackerman, F. Duane:
    Testimony
    Prepared statement
Andrews, Richard, Ph.D.:
    Testimony
    Prepared statement
Bourne, Marko:
    Testimony
    Prepared statement
Breaux, Hon. John:
    Testimony
    Prepared statement
Larence, Eileen Regan:
    Testimony
    Prepared statement
Martinez-Fonts, Alfonso, Jr.:
    Testimony
    Prepared statement
Stephan, Colonel Robert B.:
    Testimony
    Prepared statement
Watson, Lieutenant Colonel Kenneth C.:
    Testimony
    Prepared statement

                                APPENDIX

``Getting Down to Business: An Action Plan for Public-Private 
  Disaster Response Coordination,'' The Report of the Business 
  Response Task Force, January 2007
Responses to Questions for the Record from:
    Mr. Bourne
    Mr. Ackerman


          PART I: DEFINING THE PROBLEM AND PROPOSING SOLUTIONS

                              ----------                              


                        THURSDAY, JUNE 21, 2007

                                 U.S. Senate,      
             Ad Hoc Subcommittee on State, Local, and      
           Private Sector Preparedness and Integration,    
                    of the Committee on Homeland Security  
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:06 p.m., in 
Room SD-342, Dirksen Senate Office Building, Hon. Mark Pryor, 
Chairman of the Subcommittee, presiding.
    Present: Senators Pryor, Akaka, and Sununu.

               OPENING STATEMENT OF SENATOR PRYOR

    Senator Pryor. Let me convene our inaugural meeting of the 
Subcommittee and welcome my colleagues. Senator Sununu is on 
his way. I want to thank the panel for being here today.
    This is a new Subcommittee of the Homeland Security and 
Governmental Affairs Committee. It was created with the start 
of this Congress to focus attention on the coordination between 
the American business community and the government in disaster 
preparedness and response.
    When you look at Hurricane Katrina, you see that some 
Federal agencies were prepared--for example, the National Guard 
and the Coast Guard--while others weren't. We all remember 
stories about ice trucks driving around the country or people 
overpaying for things when they could have been given for free. 
We are not here to revisit all of that today, but we really 
want to learn lessons from the private sector to get ideas on 
how the government can be more prepared and also how we, as a 
Nation, can be more prepared for disasters.
    Hurricane Katrina was one of the most horrific natural 
disasters in our Nation's history, but one of the good news 
stories that came out of it was that there were 254 different 
companies contributing $1 million or more in connection with 
Hurricane Katrina. Wal-Mart, one of my home State companies, 
provided $13.5 million to employees affected by the storm, $17 
million to non-employee disaster relief funds, and almost $4 
million in merchandise and in-kind donations. But like I said, 
there were 254 companies that made over $1 million of 
contributions in one way or the other, so the American business 
community has a lot that it can be proud of.
    And we have seen for years good working relationships in 
the business community with the government in various ways. One 
example is the Highway Watch Program, which basically was started in 
the 1990s when law enforcement agencies approached the trucking 
industry to help report road hazards, to be the eyes and ears 
out there on the roads when the law enforcement agencies 
weren't around. And now, the American Trucking Association and 
Department of Homeland Security together train nearly every 
trucker on the road to watch for suspicious terrorist activity.
    So we know that public and private partnerships work. We 
know there is a great track record when we work together and I 
am very pleased to mention that in June 2006, a non-partisan 
business executive group, the Business Executives for the 
National Security (BENS), formed a task force to specifically 
address the integration of public and private preparedness. 
They came out with a report, which I think we all have copies 
of, called ``Getting Down to Business: An Action Plan for 
Public-Private Disaster Response Coordination.''
    There is a lot in this report, but basically, there are 
three main findings.
    One, is that the private sector must be systematically 
integrated into national preparedness and response efforts. 
Two, is that commercial supply chains can provide a wider range 
of goods and services than government entities. And three, 
regulatory and credentialing improvements should be made, and 
these recommendations have sparked a lot of interest and 
discussion about public-private partnerships, which I think is 
very healthy.
    The hearing today will examine the current state of public-
private collaboration. Our witnesses will talk about how they 
view the current state of public-private partnerships. It is my 
understanding that DHS and FEMA have embraced many of the 
recommendations and have taken some initial steps on that. The 
Subcommittee would love to have a progress report on how that 
is going and how you see that unfolding over the next few 
months.
    And I also hope that today's review will help us determine 
whether the government and the private sector have the tools 
they need to continue to improve our response capabilities.
    Senator Akaka, would you like to make an opening statement? 
Go ahead.

               OPENING STATEMENT OF SENATOR AKAKA

    Senator Akaka. Thank you very much, Mr. Chairman. I want to 
join you in welcoming our witnesses, all of you here, to this 
hearing. Also, I want to note my good friend and colleague John 
Breaux. John, will you please give my aloha to Lois. We have 
had many good years together here in the House and in the 
Senate.
    I want to thank you, Mr. Chairman, for organizing this 
important hearing to begin discussions on how the public and 
private sectors can collaborate more effectively to prepare for 
and respond to natural and manmade disasters.
    Despite the catastrophe of September 11, 2001, and the 
renewed focus on disaster planning in its aftermath, Hurricane 
Katrina starkly demonstrated that much more must be done at all 
levels of the government and the private sector to plan and 
prepare for disasters. We need innovative approaches to 
incident management.
    The government cannot succeed without forging a partnership 
with the private sector. The private sector owns approximately 
85 percent of our Nation's critical infrastructure. The private 
sector has the expertise and the resources to play a leading 
role at every stage of response and recovery. With improved 
disaster planning and response, cooperation between the two 
will result in a reduction in the loss of life and property, 
which is the overall goal of emergency management.
    Because of its unique geography, my home State of Hawaii is 
at risk of many natural catastrophes. Just last year, an 
earthquake measuring 6.7 on the Richter Scale caused extensive 
property damage on the big Island of Hawaii as well as on Maui. 
I am acutely aware of the need for an all-hazards approach to 
disaster preparedness and response, and I believe that in order 
to be effective, this approach must include public, private, 
and non-profit cooperation in the development of guidance, 
standards, plans, and solutions.
    I hope today's witnesses will address their agency and 
organizational efforts to ensure that disaster preparedness and 
emergency response planning is inclusive of all stakeholders 
affected by disasters.
    I also was interested in the conclusion of the BENS task 
force that the government should do a better job of tapping 
commercial supply chains to get relief to those in need after a 
disaster. This type of collaboration is especially important to 
Hawaii. Because of our separation from the mainland, it takes 
much longer for relief to be sent by other States to reach 
those in need.
    My Subcommittee on Oversight of Government Management, 
which recently held a hearing on procurement at DHS, has taken 
a keen interest in government procurement practices. It is 
essential that DHS work closely with FEMA to put contracts into 
place with the private sector that can ensure that when 
disasters strike, we have the resources necessary to respond 
and that we can move supplies quickly to where they are needed. 
I look forward to hearing more about this topic. Dialogues like 
this are an important part of ensuring that when the next major 
disaster strikes, we will have systems in place to provide 
needed relief in a way that is swift, comprehensive, 
coordinated, and cost-effective for the American people.
    Again, Mr. Chairman, I thank you for holding this hearing. 
I look forward to learning more about the private sector 
preparedness initiatives that are being considered and 
implemented. Thank you very much.
    Senator Pryor. Thank you, Senator Akaka. Thank you for 
being here. We will have other Senators join us. We have a 
quorum call on the floor right now and they are trying to work 
out some amendments down on the floor, so it is a busy day, but 
hopefully we will have people coming in and out of the 
Subcommittee hearing.
    What I would like to do now is take a couple of minutes to 
introduce all five of our panelists and then I thought I would 
allow you all to make your opening statement, and then we will 
have questions.
    Our first witness will be Alfonso Martinez-Fonts, Assistant 
Secretary for the Private Sector Office at the Department of 
Homeland Security. Mr. Martinez-Fonts works to provide 
America's private sector with a line of communication to the 
Department.
    Our second panelist will be Marko Bourne, Director of 
Policy and Program Analysis for the Federal Emergency 
Management Administration. He has had over 20 years of 
experience in governmental and legislative affairs, marketing, 
and the emergency services and management fields.
    Our next panelist will be Duane Ackerman, member of the 
BENS Business Response Task Force and former Chairman and CEO 
of BellSouth Corporation. Mr. Ackerman is the immediate Past 
Chairman of the National Council on Competitiveness and the 
National Security Telecommunications Advisory Committee.
    Next, the panelist who needs no introduction here, Senator 
John Breaux, a very respected member of the Senate family. He 
is a former Senator of Louisiana and Co-Chairman of the BENS 
Business Response Task Force. He is currently Senior Counsel at 
Patton Boggs, where he has provided strategic advice on public 
policy matters since his retirement from the U.S. Senate in 
2005.
    And last but not least is Dr. Richard Andrews, Senior 
Advisor for Homeland Security at the National Center for Crisis 
and Continuity Coordination. Dr. Andrews is also a member of 
the President's Homeland Security Advisory Council, the World 
Bank's Disaster Management Operations Group, and former 
Director of the Office of Homeland Security for the State of 
California.
    Mr. Martinez-Fonts, we will turn it over to you.

    TESTIMONY OF ALFONSO MARTINEZ-FONTS, JR.,\1\ ASSISTANT 
 SECRETARY, PRIVATE SECTOR OFFICE, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Mr. Martinez-Fonts. Thank you, Mr. Chairman. Chairman 
Pryor, Members of the Subcommittee, thank you very much for the 
opportunity to appear before you today.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Martinez-Fonts appears in the 
Appendix on page 59.
---------------------------------------------------------------------------
    My written statement goes into great detail on how the 
Department and specifically the Private Sector Office, which I 
head up, communicates and collaborates with the private 
sector. We also illustrate how we work with the component 
agencies like FEMA to promote the creation and sustainability 
of public-private partnerships.
    In my remarks before you today, I would like to first give 
you some background on the statutory mandate of the Department 
of Homeland Security's Private Sector Office. Then I will talk 
about how we approach partnership building with the private 
sector. And finally, I would like to conclude my remarks by 
illustrating how we work with FEMA, CVP, ICE, IP, and other 
component agencies at the Department to encourage and foster 
public-private partnerships which assist 
in the integration of the private sector in emergency 
preparedness, response, and recovery while maintaining the 
economic health of the economy.
    To begin with, let me introduce to you the unique function 
of Homeland Security's Private Sector Office. As part of the 
2002 Homeland Security Act, specifically Title I, Section 
102(f), Congress created the position of Special Assistant to 
the Secretary for the Private Sector. Comprised of a staff of 
14 employees, the Private Sector Office executes outreach, 
research, and analysis based on its statutory mandates to 
communicate, engage, and cultivate partnership-building with 
the private sector. We also act as an advocate for the private 
sector when we advise the Secretary on the impact of the 
Department's policies, regulations, processes, and actions.
    In order to carry out our mission and to reach 
approximately 30 million businesses in America, we must have 
partners. Our principal partners in this task are trade 
associations and Chambers of Commerce that businesses belong 
to. Without them, we really simply can't do our job. These 
associations and Chambers of Commerce include the U.S. Chamber 
of Commerce, the Business Roundtable, the National Association 
of Manufacturers, Business Executives for National Security 
(BENS), National Federation of Independent Businesses, and 
hundreds of others. We believe partnership-building enhances 
our Nation's ability to prepare for, respond, and recover from 
acts of terrorism and natural disasters.
    Public-private partnerships cover a range of purposes and 
members. They come together to exchange information, facilitate 
dialogue, or focus on a particular set of issues. They can be 
diverse in composition, ranging from individual businesses to 
non-governmental organizations.
    Partnerships, like organizations, have characteristics 
which lend to their success. We believe there needs to be a 
defined mutual goal, a champion on each of the two sides of the 
partnership, and a business case for action.
    As with any collaborative effort, there are challenges 
which can make a public-private partnership vulnerable. There 
are three areas that we consider to be potential risks. One is 
the issue of liability and who bears it. The second is the lack 
of commitment to the partnership. And the third one is a 
conflict of interest, which can be real or perceived, that 
prevents the private sector from fully engaging with the 
government for fear of losing an economic opportunity.
    Homeland Security actively promotes and coordinates public-
private partnerships.
    It is woven into the very fabric of our mission. We reach 
out across our Department to our components, who assist them in 
the outreach efforts to the private sector.
    For example, we work with the Office of Infrastructure 
Protection and their Sector Coordinating Councils where private 
sector partners represent the 17 critical infrastructures and 
key resources. We also work with the Office of Intelligence and 
Analysis to encourage States to include private sector 
representatives in their Fusion Centers, and we have helped 
them to develop a model on how to include them.
    The Private Sector Office staff is assigned to a portfolio 
that covers all of the operating components, such as Customs and 
Border Protection, Immigration and Customs Enforcement, TSA, 
and Coast Guard within the Department of Homeland Security. The 
Private Sector Office often acts as a catalyst with Homeland 
Security component agencies to cultivate and foster these 
public-private partnerships.
    We especially work with component agencies to assist in 
establishment of relationships, integration, and partnership 
building with the private sector.
    What I would like to do today is take FEMA as an example. 
We have detailed a senior staff person from our office to 
assist FEMA in their efforts to integrate the private sector 
into their communications, operations, and logistics. We 
currently are working to develop a Loaned Executive Program 
where FEMA can benefit from private sector expertise in 
logistics and other missions.
    We are implementing lessons learned. For example, the 
Private Sector Office created the National Emergency Resource 
Registry (NERR), as a result of the 2004 Florida hurricanes. 
This electronic system was created to manage offers of 
unsolicited goods and services. However, a year later during 
Hurricane Katrina, NERR was operational, but was unable to 
adequately handle all of the offers made to the system. To 
replace NERR and to address the need for a robust donation 
management system during a crisis, we assisted FEMA in reaching 
out to AIDMATRIX, a nonprofit organization who through a grant 
from FEMA has created a virtual superhighway for all levels of 
government, private sector, and nonprofits to connect and share 
unsolicited offers of products, services, and volunteers. 
Subsequently, the NERR framework has been retooled to create 
FEMA's Debris Contractor Registry. We are also working with 
FEMA's National Exercise Program to incorporate private sector 
in major exercises like TOPOFF 4.
    In addition to working with FEMA, we also reach across the 
Department to find ways where we can encourage the use of 
standards and best practices just to get things done.
    We also work to encourage the adoption of the NFPA 1600 at 
the local level. For example, we recently held with the U.S. 
Chamber of Commerce a pilot initiative to create a Regional 
Business Preparedness Summit in Charlotte, North Carolina. This 
event brought together local leaders in the emergency 
management area, public health, and the private sector.
    We also collaborate with our Federal partners, for example, 
with the Office of Infrastructure Protection. We reached out to 
the Department of Energy to encourage owners and operators of 
gasoline stations to wire and install generators to operate 
fuel pumps in case of a power outage.
    Public-private partnerships are not disguised charity by 
the private sector. Good public-private partnership provides 
common ground towards working towards mutual goals. Public-
private partnerships are not a means to shift the public burden 
away from the government. However, a partnership in its truest 
state is where both partners contribute their skills and 
services as a joint effort. This collaboration creates an 
environment which builds trust, communication, and cooperation. 
These results only enhance our Nation's ability to better 
prepare for, respond to, recover from, and mitigate against an 
act of terrorism or natural disaster.
    This concludes my opening remarks. I look forward to 
answering any questions that you may have.
    Senator Pryor. Thank you. Mr. Bourne.

 TESTIMONY OF MARKO BOURNE,\1\ DIRECTOR OF POLICY AND PROGRAM 
  ANALYSIS, FEDERAL EMERGENCY MANAGEMENT ADMINISTRATION, U.S. 
                DEPARTMENT OF HOMELAND SECURITY

    Mr. Bourne. Thank you, Mr. Chairman, Members of the 
Subcommittee, and thank you for the opportunity to appear here 
today on behalf of FEMA and the Department of Homeland 
Security. My written statement goes into a lot of detail on 
many of the new business and management processes that we are 
putting in place at FEMA in what Administrator Paulison calls 
the new FEMA. In my remarks to you, though, I would like to 
focus on some of the key elements of our strengthening 
relationships with the private sector and our other partners 
that we are already beginning to see the benefits of.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Bourne appears in the Appendix on 
page 72.
---------------------------------------------------------------------------
    We are working diligently to build a new FEMA that is 
stronger and more nimble. With expanded authorities and 
resources provided to us by this Congress and the 
Administration, we have implemented a reorganization which I 
had the privilege to lead, and that we have begun to strengthen 
our existing structure and fully incorporate the core elements 
of the former DHS Preparedness Directorate into our 
organization as part of the new FEMA.
    One of the first ways we used our relationships in the 
private sector can be seen in how we got the ball rolling on 
many of these organizational reforms. At the end of last year, 
Administrator Paulison instituted a series of 17 independent 
assessments. They were agency-wide and they reviewed our 
existing processes and business practices and included 
recommendations for reform that were built upon public and 
private sector best practices. FEMA has already instituted many 
of the recommendations and we are continuing to do so for the 
remainder of this year and into the next fiscal year. These 
assessments have also been an essential resource during our 
reorganization process.
    With our new structure in place, today, FEMA is focused on 
improving its relationships with the private sector in key 
areas, such as preparedness partnerships, internal 
organizational assessments, enhanced supply stream management, 
logistics, contracting, catastrophic planning, strong community 
coalition building, and industry fairs and outreach programs.
    As the Subcommittee considers private sector preparedness 
efforts and challenges, at FEMA, we are working closely with 
the Private Sector Office, the Office of Infrastructure 
Protection, the Office of Public Affairs, and others to 
strengthen the outreach to our critical partners in our 
response to any emergency.
    I am happy to note that it has been a two-way street. Many 
of the businesses that we reach out to and work with are taking 
active steps to implement recommendations contained in the 
Ready Business Program, which FEMA had a part in creating, and 
we are looking at more ways for business to reach out to 
emergency management at the community, State, and Federal level 
to participate in planning for disasters that may affect the 
cities and regions in which they work and serve.
    FEMA is also engaging the private sector to assist us in 
our efforts to build an even stronger emergency management 
system. We are doing so through our Infrastructure Protection 
Programs, which consist of legacy grants, namely the Port 
Security Grant Program, Transit Security Grant Program, the 
Intercity Bus Security Grant Program, and the Trucking 
Security Program, as well as through our exercises and training 
venues. The details of many of those programs are contained in 
my written testimony.
    Increasingly, we are leveraging the resources and expertise 
of our partners in the private sector and nonprofit world, even 
above and beyond the important role they played in the past. 
This increased reliance comes about because the new FEMA is 
developing some innovative ways to move forward to be forward-
leaning, quicker to respond appropriately to disasters and 
emergencies as a partner to our State and local emergency 
management partners.
    One way we are doing this is through a dramatic increase in 
our pre-scripted mission assignments and our pre-negotiated 
contracts to provide the necessary resources. Since Hurricanes 
Katrina and Rita, FEMA has worked aggressively to award 
hundreds of pre-negotiated competed contracts and these are in 
place and ready for the 2007 hurricane season. This is allowing 
us to be prepared ahead of a disaster so we are not negotiating 
contracts in the heat of battle. Contract agreements are in 
place covering all aspects of FEMA's disaster management, to 
include logistics, mitigation, individual assistance, recovery 
programs, management, and integration center support.
    Perhaps the most visible example of how the private sector 
has influenced FEMA's reorganization is through the creation of 
our Logistics Management Directorate. Our goal is to have our 
logistics management look at business practices that are in 
place and understood by the community across the country rather 
than reinventing the wheel ourselves. We are moving towards an 
increased ability not only to track the commodities that we do 
keep and maintain, but to begin to shorten our supply chains 
and look to third-party logistics to handle the majority of the 
resource needs in a just-in-time delivery. We have looked at 
AIDMATRIX and adopted it to support our supply of donated goods 
and services.
    Through our Citizen Corps Program, we are bringing 
community and government leaders together in all-hazards 
emergency preparedness planning. There are 2,200 Citizen Corps 
Councils with a presence in every State and territory. Councils 
are encouraged to include business representation and to work 
with business to integrate those resources with community 
preparedness and response plans.
    As we look to FEMA's preparedness efforts, we believe the 
private sector should continue to build upon their preparedness 
efforts in several key areas. First of all, to continue their 
development of strong business continuity plans for all of 
their locations and critical data centers. Develop employee 
support plans for their employees' office locations that are 
damaged or if they have employees that have lost their homes. 
Part of the issue in quick recovery from a disaster, or quicker 
recovery, is the element of getting people back to work as soon 
as possible in the affected areas.
    We encourage them to engage in prudent risk management 
practices and have strong health and safety programs, working 
closely with their local emergency managers and first 
responders and elected officials to be involved in disaster 
planning that begins at the local level and builds to the 
State. To build protocols to assist with recovery efforts 
before a disaster strikes.
    Through business associations, we are continuing to work 
with State emergency management and FEMA to support 
preparedness planning, disaster response, and donation 
management. The private sector has also engaged FEMA and State 
emergency management and offered to provide liaisons to State 
Emergency Operations Centers, Joint Field Offices, and we are 
working with the Chamber of Commerce, BENS, and the Business 
Roundtable and others in developing a private sector 
association liaison, which we hope to be able to put into the 
National Response Coordination Center here in Washington.
    FEMA is also integrating the private sector in a myriad of 
initiatives across the agency. For example, we are working 
closely with Homeland Security's Private Sector Office to 
utilize their concept of relationship and partnership building. 
We have welcomed the Homeland Security Private Sector Office 
Staff as part of our senior advisors. And a number of 
initiatives that we are undertaking will involve communications 
outreach and operations in mission critical areas, like 
logistics.
    Just a highlight of our new approach to the private sector 
include many things which also involves a meeting next week 
that we had scheduled prior with BENS, BRT, and the Chamber 
together to discuss new initiatives that we can take to move 
this agenda forward. We want to take a proactive approach to 
leading the way for the private sector to be incorporated in 
our emergency operations and especially working for ways to 
find access that we can bring in association representatives 
into the Joint Field Office and Regional Response Coordination 
Centers.
    We are incorporating private sector expertise by creating a 
new FEMA Loaned Business Executive Program. We hope to, in the 
next few days, close an agreement with a business foundation 
which we will name after we have the agreement finally signed 
which would bring a seasoned expert from the private sector 
into FEMA operations to serve as an advisor and collaborator on 
mission critical programs. This is a start of a program we hope 
to expand in the future after we have had an opportunity to see 
how it works.
    Private sector participation in our Regional Emergency 
Communication Coordination Groups, which we will be standing up 
over the next several months, is also critical.
    We are developing a Memorandum of Understanding with the 
Stadium Owners and Operators Association for sheltering.
    We have funded a pilot program in Denver with InfraGard and 
BENS to support a resource registry that can be utilized at the 
local level to improve the private-public partnership.
    We encourage mutual aid programs for businesses. We can 
provide mutual aid training through our online systems at the 
Emergency Management Institute, and we can provide a pilot 
website to serve as a repository to post information about all 
of the above activities, training opportunities, and business 
continuity programming.
    Our regional offices have been reaching out to the business 
community. For example, Verizon wire and wireless has met with 
our Region 1 office in the last 2 weeks with regard to 
hurricane planning, and our Region 5 office is working with 
ChicagoFIRST on preparedness planning for financial 
institutions.
    We are also going to be establishing a credentialing 
working group within the NIMS Integration Center to pinpoint 
some of the issues on credentialing and develop some viable 
options to address the credentialing concerns.
    There will certainly be a continuing role for the private 
sector in the future at FEMA. FEMA needs to ensure that we are 
adapting to new conditions and the ever-changing needs. It is 
important that as we build these relationships, we continue 
that effort so that it is understood by all parties that you 
can't just show up on game day and expect to play without being 
part of the practices. Our job is to make those practices 
available, open, and valuable for both us and the private 
sector. FEMA realizes that a successful, robust, coordinated 
response is needed and that the private sector, both 
horizontally and vertically across the full spectrum of 
emergency management, is a partner.
    Thank you for the opportunity to be here today and I look 
forward to answering any questions you might have.
    Senator Pryor. Thank you. Mr. Ackerman.

  TESTIMONY OF F. DUANE ACKERMAN,\1\ FORMER CHAIRMAN AND CEO, 
BELLSOUTH CORPORATION, BUSINESS RESPONSE TASK FORCE, AND MEMBER 
      OF BUSINESS EXECUTIVES FOR NATIONAL SECURITY (BENS)

    Mr. Ackerman. Mr. Chairman, Members of the Subcommittee, I 
want to thank you for the opportunity to be here today. When I 
think about the work that has been done on the task force, I 
did have the privilege of serving on this task force and 
developing the report which you have had. And while we don't 
have time to go through every single detail, I would like to 
just stipulate, or I would like to ask that my written 
testimony be submitted along with the complete report for the 
record. Then I would like to focus my time on this issue of the 
public-private partnership and some of the work that we did on 
the task force to look at the private sector and examine its 
role in disasters.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Ackerman appears in the Appendix 
on page 85.
---------------------------------------------------------------------------
    First of all, we found that on a local scale, disasters do 
happen right regularly, and business routinely plans and 
interacts with first responders and collaborates on those 
disasters at the local level. We have also found that after 
securing their own businesses, they invariably turn towards the 
rest of the community because without community continuity and 
without business continuity, surely there is no recovery in 
that community and there is no business done. So it is clear 
that business does have an interest that goes beyond their own 
operations.
    We have dealt with many hurricanes, but indeed, Hurricane 
Katrina was different, as has been mentioned and talked about 
over the years. It was a terrible tragedy, but I think there 
are some very key issues that evolved from Hurricane Katrina 
that are instructive to us as we look forward to what may lie 
before us.
    It had many characteristics that a large natural and/or 
manmade disaster will have as we go forward. Major damage to 
critical infrastructure. Contamination--in the case of 
Hurricane Katrina, it was water. In the future, it could be 
other things, such as nuclear, biological, or chemicals. 
Overwhelmed law enforcement and the breakdown of civil order 
was present and Federal help was required; but there was no 
real plan for integrating all of the concerned entities for a 
response. The Federal Government has a plan. Certainly the 
State has a plan. Local has a plan. Business has a plan. But 
there is no plan for all of these entities in terms of how they 
are going to operate and function together at the time of 
crisis.
    I think all of the above conditions would be present in a 
disaster that impacted a significant portion of any major metro 
area, whether it is a natural disaster or manmade.
    Our Subcommittee looked at known problems from Hurricane 
Katrina. We looked at recommendations that came from over 100 
interviews that were made with the private sector. We drew on 
the knowledge of both the public and private sector in order to 
pull our study together. We conducted face-to-face meetings in 
Washington, DC. Various meetings were held and we brought all 
that back together in order to produce the report, ``Getting 
Down to Business.''
    The overall conclusion was the private sector must be 
included in the planning, practice drills, and execution of a 
disaster response scenario. I would certainly like to emphasize 
practice in this regard, because I think it is one thing to 
have a plan, but until you have had the Federal Government, 
State government, and local authorities and the private sector 
at the table, certainly, I don't believe we have accomplished 
the task, and there are a lot of reasons for this.
    First of all, the private sector owns much of the 
infrastructure. The private sector has experience, skills, 
information, and capabilities that are critical to a successful 
response to a major disaster. And we believe that once local 
and State capability is overwhelmed, the Federal Government 
always will be called on and will be expected to help, and when 
they come to help, that interface with the other entities and 
how they will make decisions and how they will partner becomes 
very important.
    We use this term public-private relationship frequently, 
but when you think about what it means in this case, it 
absolutely means that most of the States have an Emergency 
Operations Center and what we are suggesting with the BENS 
report is that there be a companion Business Operations Center 
either at the State or the regional level at the same time, and 
that needs to be able to expand to incorporate the Joint Field 
Office when it comes with the Federal agencies so that all 
parties can collaborate along with the private sector on the 
immediate challenges, threats, and the solutions that must be 
implemented.
    So we believe that the National Response Plan needs to 
include the private sector. It needs to support joint planning, 
joint practice drills, and when an event occurs, joint 
execution. Joint in this case means local, State, Federal, and 
the private sector.
    Practice, again, is extremely important, because by 
conducting joint drills, we constantly turn up new issues, new 
problems that must be overcome and must be overcome together.
    It is my hope and the sincere recommendation of the BENS 
Task Force that you will acknowledge, encourage, and support 
the building and exercising of enduring public-private 
collaborative partnerships that integrate the private sector 
into the National Response Plan and the National Response 
Infrastructure. In turn, the private sector must have a 
reliable government partner, and the emphasis there is on the 
word ``partner'' because viable regional and Federal actors in 
all phases of the operations must relate to each other in 
balanced proportions in order to come out with a successful 
ending.
    If this structural reform is indeed adopted, it will 
greatly facilitate all of the other recommendations in the 
report of the BENS Business Response Task Force. Thank you.
    Senator Pryor. Thank you. Senator Breaux.

TESTIMONY OF HON. JOHN BREAUX,\1\ FORMER U.S. SENATOR FROM THE 
  STATE OF LOUISIANA, CO-CHAIR, BUSINESS RESPONSE TASK FORCE, 
        BUSINESS EXECUTIVES FOR NATIONAL SECURITY (BENS)

    Mr. Breaux. Thank you very much, Chairman Pryor and Senator 
Akaka. Thank you for making time in your very busy schedules 
today for us to make this presentation, and also Senator 
Sununu, thank you for coming back. The place looks a lot better 
since the last time I was here. The chairs are much more 
comfortable, I want to tell everybody, but we will not overstay 
our welcome and make it as brief as we can.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Breaux appears in the Appendix on 
page 91.
---------------------------------------------------------------------------
    I would like to ask unanimous consent that my full 
statement be made part of the record. I will just try and 
summarize, if that is all right.
    Senator Pryor. Sure.
    Mr. Breaux. I accepted and volunteered after Duane 
Ackerman, our chairman, called me and asked me to volunteer, 
and you can't tell Duane Ackerman no, to serve as co-chair with 
Newt Gingrich of this effort, which I think has been very 
productive and hopefully very helpful to the Members of 
Congress who are looking for ways to try and find out what we 
can learn from natural disasters that occur.
    A natural disaster, as bad as it is, is terrible, but if we 
don't learn anything from it, it is a double disaster, and I 
think that now that we have had time to reflect on Hurricane 
Katrina as one of the largest natural disasters in the history 
of the United States, there are things that we can recommend 
that we know that can be done to make sure that the next time 
these things happen, that we can be in a better position to 
respond effectively and quickly and be helpful to the citizens 
of this country.
    We can work in Congress to prevent disasters like what 
happened on September 11 by having stronger national security, 
and by having a strong military. We can help prevent September 
11s. But we can't, no matter what we do, ever prevent another 
hurricane. We can't prevent another flood. We can't prevent 
another earthquake. But we can, through Congress, try to make 
sure that we are better prepared to respond to these types of 
natural disasters when they occur, and I know your 
Subcommittee, Mr. Chairman and Senator Sununu, are working hard 
to come up with recommendations, and hopefully what we are 
presenting to you can be helpful in that regard.
    One of the things that I think that we would like to 
recommend is that this involvement of the private sector needs 
to be better institutionalized. Director Marko Bourne and 
Secretary Al Martinez-Fonts, I am delighted to hear what you 
all have done to integrate the private sector. That is real 
progress that they have talked about here this morning.
    But I think that, in addition to that, the process has to 
be more formalized. It has to be institutionalized. It has to 
be in writing. It has to be out there so that the private 
sector can know exactly what the rules and what the regulations 
are when a natural disaster occurs, and I think that this 
Subcommittee could be particularly helpful in focusing on 
institutionalizing an effective and sustainable role for the 
private sector, and that is incredibly important.
    We made recommendations in three principal, substantive 
areas. Mr. Ackerman talked about the public-private 
collaboration, incredibly important. Government can't do this 
by ourselves. The private sector must be involved. After 
Hurricane Katrina, people talked about, well, what we ought to 
do is have government facilities, distribution centers by the 
government set up around the country. We don't need government 
distribution centers. We have got private sector distribution 
centers. Senator Pryor, Wal-Marts are in every State in the 
Union. Whether it is a Wal-Mart or a Home Depot or a Lowe's or 
any of the large distribution centers, they are already there. 
The challenge for government is to incorporate the government's 
work with the private sector to make full utilization of the 
supplies that are already around the country located in key 
areas that are very accessible and already there.
    We also are making recommendations on surge capacity for 
the private sector goods and services.
    How do you gear up quickly for a natural disaster? I think 
the two government witnesses have made good comments in that.
    I would like to focus quickly on the legal and regulatory 
environment. I think that is important. Businesses require some 
type of a predictable legal regime before they get involved in 
helping. We had people that came down from Arkansas and people 
that came down from all over the country. They didn't know what 
the rules were in Louisiana. They didn't know what the laws 
were in Mississippi or along the coast. They didn't know what 
they could do and how they could do it. There has to be some 
type of a system in place for these private sector groups, and 
when they want to come down and help, they know what the rules 
are going to be.
    We also have to, I think, reform to a large extent the 
legal allocation of risk to private companies when they are 
willing to help. We heard from a lot of companies, Mr. 
Ackerman, that said, look, we wanted to be involved, but we 
didn't know what our liability was. So if we come down there 
and we do something not quite right, what is our legal 
responsibility? As a result, some private sector companies 
said, well, we are not going to do it because we don't know 
what the risks are. It is not a reasonable risk for us to 
accept on behalf of our stockholders.
    I will give you a real example of that. When New Orleans 
was under water with about seven, eight, to ten feet of water 
throughout the city, contracts were issued by the government to 
do what we call de-watering of the city, and what they were 
ordered to do was to take the water in the city and pump it out 
into Lake Pontchartrain. Nobody got a permit. There wasn't an 
EPA permit or a Corps of Engineers permit to do that. And the 
companies were saying, well, what if we do it, we don't have a 
permit, and somebody is going to sue us after for polluting the 
lake? Well, there is a question of priorities. The city was 
under ten feet of water and people were drowning and you are 
going to say, well, we can't do it until we get a permit from 
the government and go through the permitting process? That 
can't be done.
    But companies, when they approach these emergency 
situations, have to have a very clear understanding of what the 
legal requirements are when they become involved, as a 
volunteer in many cases or as a private contractor in others, 
but they have to know what their legal exposure is and so they 
will have a clear ability to make the right decision. I think 
that is something that we could do very well with amendments to 
some of the laws that are in place.
    We would like to, in other words, enact a national disaster 
law. We have the Stafford Act, a great program, and all of you 
folks and the staff are very familiar with it. But we would 
like to suggest that the Stafford Act also has to include the 
private sector. It can't just be local governments and State 
governments. The private sector ought to be incorporated and 
brought into the Stafford Act so they will know under that Act 
of Congress exactly what their roles can be, what their 
exposure can be, and how they can be greater involved.
    I think it would be just absolutely terrific if this 
Subcommittee could focus on some hearings on the Stafford Act. 
You can't do it really quickly. You have to do it carefully. 
This is a law that has been around for a long time. I served 
with Senator Stafford when he was here and wrote this and I 
think that it served us greatly, but it ought to be changed in 
order to bring in the private sector and make it a part of the 
Stafford Act, as well. It covers State and local. It needs to 
cover private sector, as well.
    Finally, let me just suggest that a lot of the things that 
we are talking about to get the locals and the States involved, 
I mean, you could require that when you get a Federal grant 
under FEMA that a State have in place, without any cost to 
Congress right now, a mechanism to incorporate the private 
sector. Every State ought to have a clearly defined plan that 
when a natural disaster occurs, and we know it will, that they 
have a plan in place to bring in the private sector to help 
them solve the problem. That can be a requirement for getting 
any kind of a Federal grant. If they don't have the plan in 
place, they are not eligible for Federal grants, and you 
wouldn't be surprised how fast States would move in that 
direction if they knew their Federal assistance was dependent 
on having a well-established, clearly thought out local plan on 
the State and local level to involve the private sector.
    One thing that we found, Mr. Chairman and Members, in all 
of our meetings that we had is that you have in place a private 
sector community that is ready, willing, and very able to help 
our Federal Government address these natural disasters. We need 
to clean up some of the laws and some of the provisions in 
order to make it possible, but I think that this Subcommittee 
certainly has the great leadership and great capacity to make 
that happen.
    Senator Pryor. Thank you. Dr. Andrews.

  TESTIMONY OF RICHARD ANDREWS, PH.D.,\1\ SENIOR ADVISOR FOR 
 HOMELAND SECURITY, NATIONAL CENTER FOR CRISIS AND CONTINUITY 
                          COORDINATION

    Mr. Andrews. Thank you, Mr. Chairman, Members of the 
Subcommittee, and thank you for the opportunity to testify 
today. I served as a member of the BENS Task Force that 
developed the report that has been referenced in the previous 
testimony. I am also Chair of the Private Sector Committee of 
the National Emergency Management Association (NEMA), which is 
the association of all the State Emergency Services Directors, 
and served as former Director of the California Governor's 
Office of Emergency Services and Homeland Security Advisor to 
Governor Schwarzenegger.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Andrews appears in the Appendix 
on page 97.
---------------------------------------------------------------------------
    My testimony today focuses on my work as Chair of a public-
private sector task force that was formed following the release 
of the BENS report to start working on implementing what I 
think is one of the key recommendations from the BENS report 
which has been referenced by both Mr. Ackerman and Senator 
Breaux, and that is to try to develop a systematic process for 
incorporating private sector resources into the response to a 
major disaster.
    Hurricanes Katrina and Rita created the largest demand for 
emergency resources in our history, and each of the major 
after-action reports cited the Emergency Management Assistance 
Compact (EMAC), which is the compact formally adopted by all 
the State legislatures for which NEMA serves as the executive 
agent, they all cited EMAC for its success in mobilizing tens 
of thousands of National Guard, search and rescue, medical and 
emergency management personnel.
    The BENS report identified also an obvious shortfall of the 
2005 hurricane response, and again, it has been referenced in 
previous testimony, namely the absence of a systematic process 
to utilize private sector resources. A number of different 
efforts, especially the creation, as Mr. Martinez-Fonts 
mentioned, especially the creation of the National Resource 
Registry by DHS's Office of the Private Sector Coordinator 
laudably attempted to fill this gap, and while there were some 
successes, there was a great deal of frustration both within 
the public and the private sectors. Each recognized the need 
for greater collaboration, but the absence of a commonly 
understood process to match needs with available resources, 
whether those were donated resources or contracted resources, 
proved to be a major obstacle.
    Among the recommendations in the BENS report was the idea 
of building a Business Emergency Management Assistance Compact 
(BEMAC), modeled essentially on the EMAC system that proved so 
successful during the 2005 hurricane season. By expanding EMAC, 
it might be possible to weave together a fabric of State-based 
Business Operations Centers where private sector 
representatives trained in the State's operations system would 
work alongside emergency management leaders to coordinate 
government and private sector resources.
    Earlier this year, the NEMA Private Sector Committee began 
to explore whether this concept could be implemented. BENS 
supported this effort by assigning staff resources, and my own 
company, NC4, endorsed my chairing this effort. Representatives 
from eight national corporations, many of which have been 
mentioned in earlier testimony, along with the EMAC 
leadership--this is the Directors of State Emergency Management 
who oversee the EMAC process--served as members of the task 
force.
    One of the task force's basic premises was to build on 
existing State and local initiatives and to focus, like EMAC, 
on the interstate deployment of resources. In order to 
establish an understanding of existing State and local 
initiatives, NEMA conducted a survey of all the States. The 
survey identified a number of very promising initiatives at the 
State level to work with the public and private sectors, and a 
few examples stand out and are worthy of mention.
    The Florida Office of Emergency Management has formally 
established Emergency Support Function 18, Business, Industry, 
and Economic Stabilization. ESF 18 works with the Florida 
Retail Association to address strategic supply chain issues, 
projected impacts on businesses, and the timely restoration of 
commercial services.
    Texas, in the aftermath of Hurricane Rita, has developed an 
extensive Private Sector Operations group consisting of 28 
companies to support immediate mass care, special needs, power, 
aviation, and fuel challenges. This group will work alongside 
State emergency management to identify shortfalls in public 
sector capacity that could be most effectively met by private 
sector resources.
    Utah is organizing sector-specific coordinating councils 
and is working with local Chambers of Commerce and trade 
associations to enhance communications, resource management, 
and emergency operations assignments.
    The New York City Office of Emergency Management has fully 
integrated the private sector into their processes at their new 
Emergency Operations Centers. There are also important 
initiatives underway in the State of New Jersey, the State of 
Georgia to create a Business Operations Center that Mr. 
Ackerman referenced, in the State of Massachusetts, and also a 
beginning initiative in the State of California.
    Nevertheless, a number of significant challenges remain, 
especially related to using private sector resources in 
interstate responses. Only four States have statutory 
provisions that enable private sector resources to be used as 
agents of the State in out-of-State deployments. Those are 
Delaware, Michigan, Maine, and North Carolina. Other States 
have specific statutory or procurement regulations that appear 
to preclude such arrangements.
    A fundamental premise of EMAC is that personnel and 
equipment deployed out-of-State must act as agents of the 
providing State. Other States have stringent restrictions on 
what pre-event contracts and arrangements can be negotiated 
with the private sector, and in many cases, apparent 
prohibitions against applying those contracts to a response 
into another State.
    The BEMAC Task Force has identified several next steps that 
we believe will help create a more clearly understood process 
by which the private sector can be mobilized across State 
boundaries, and I would emphasize that these are really the 
initial steps, and much like the starting of EMAC in the 
aftermath of Hurricane Andrew in 1992, we believe it is 
important to take small but real steps as we move towards a 
more robust and systematic national process.
    BENS has agreed that in cooperation with the U.S. Chamber 
of Commerce and the Business Roundtable, they will work with 
the Department of Homeland Security to identify the point of 
contact for each of the critical sectors. NEMA, in turn, will 
brief the critical sector points of contact on the EMAC 
process and will promote the use in each State of the points of 
contact to coordinate requests for private sector resources.
    NEMA will also develop a document detailing best practice 
procedures by State and local governments for working with the 
private sector and will distribute this report to State 
Emergency Services Directors as well as to the various sector 
coordinators.
    NEMA will work with our task force to define in detail 
mission critical packages of resources projected to be needed 
during an emergency response, and again, this is to try to 
create the anticipated need in advance so that we are not 
trying to put these packages together on the fly.
    And NEMA and the BEMAC Task Force will work with FEMA to 
address issues related to reimbursements for private sector 
resources and compensation for services used through an EMAC-
like process.
    These steps, we believe, will advance the use of private 
sector resources by State and local entities and help clarify 
for the private sector a process to be used in requesting 
resources. States will remain the primary coordinating point 
for inclusion of the private sector under this paradigm.
    Clearly, FEMA needs to be an active partner in this 
process. The scale and variety of risks facing this Nation from 
natural and manmade emergencies necessitate that we make full 
use of our public and private sector resources. Only through 
such cooperation partnerships can we accelerate individual and 
community economic restoration and recovery.
    Again, thank you very much for having me here today. I look 
forward to your questions.
    Senator Pryor. Thank you.
    We are going to go out of order today and we are going to 
let Senator Akaka go first. Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Ackerman, I believe strongly that we need an all-
hazards approach to preventing, responding to, and recovering 
from disasters. I am pleased with your written testimony and 
pleased with the BENS report emphasizing planning for both 
natural and manmade disasters. In your experience, has the 
Federal Government been as aware as the private sector of the 
need for all-hazards disaster planning, and if not, what should 
the government be doing?
    Mr. Ackerman. Thank you. When I think about the many years 
I have spent in disaster recovery because of the telecom 
industry, many of these disasters have been local or have been 
able to be handled at the State level, so there has been a 
great deal more practice at a State, private sector, local 
response. In the area which I am very accustomed to, which is 
the Southeast Coast, we have had a lot of practice. We have 
had, probably in my 40 years, over 50 hurricanes that have come 
on that coast and it seems to work very well because of the 
relationships that have been built over time.
    When a disaster overwhelms local capability, which we could 
expect in either natural or manmade at Hurricane Katrina-scale 
or larger, that is the point in which the Federal Government 
then comes to the location. And so it is as important to drill 
and practice with the private sector and plan as it is with the 
Federal Government because often, it is new relationships, it 
is different operating procedures, and it is day-to-day 
decisions that have to be worked out . . . how the Federal 
Government works as a full partner with the State, with the 
local, and with the private sector.
    FEMA is a big part of this, but it is not just FEMA. North 
Command is a part of this. DHS obviously is a part of this. So 
as you create the Business Operating Center and integrate that 
with the State and local, there also needs to be the ability to 
bring in and interface the Federal Government, both at North 
Command, FEMA, as well as DHS, whatever agencies are there. And 
that collaborative whole hand needs to be able to drill 
scenarios and practice scenarios to determine how one would 
work out issues as opposed to trying to work that out when the 
actual disaster occurs.
    Mr. Bourne talked about credentialing. Well, that was borne 
out in the case of Hurricane Katrina when North Command came to 
town and set up a perimeter. We needed to cross that perimeter 
in order to work on facilities, but a new perimeter was there 
and then the question was, what credentials proved that you 
were a valid communications worker and what credentials would 
the Federal Government accept as opposed to what credentials 
the State and what credentials you would find at the local 
level?
    So there are numerous issues that will need to be worked 
out with all parties at the table before the next event. So I 
think that it is a disaster of scale, one where local 
capability is overwhelmed, where everyone has to come to the 
table and to try to work through how we accomplish our task, 
deliver our missions, and assist each other to enable the 
recovery of that local area as opposed to just having the 
Federal Government come in with a plan.
    As I stated in my testimony, I think everybody has a plan. 
The lacking plan is how we all work together when the Federal 
Government comes to town, short of martial law, which no one 
really wants to declare. So I think this issue is one of full 
integration, planning, practice, as well as execution, 
including the private sector, local, State, and the Federal 
agencies that will be involved in disaster response.
    Senator Akaka. We really appreciate the BENS report, 
``Getting Down to Business: An Action Plan for the Public-
Private Sector Disaster Response Coordination,'' and your 
experience really makes a difference in how we move that.
    Senator Breaux, you testified that DHS grant programs 
currently are geared to funding one-off exercises rather than 
long-term collaborations. Project Impact, which was established 
in 1997 but eliminated in 2001, focused on long-term continuity 
projects to identify risks and vulnerabilities and develop 
programs to lessen those risks. These projects involved both 
the public and private sectors in disaster planning. Although 
FEMA now provides pre-disaster mitigation grants, as you 
stated, these are focused competitive grants not directed 
toward ongoing collaboration.
    Senator, do you believe that Congress should restore 
funding for programs such as Project Impact that focus more on 
long-term collaborative planning?
    Mr. Breaux. I think that anything that gets the Federal 
Government four-square behind additional cooperation between 
local governments, State governments, with the private sector 
would be very helpful. I have thought of suggesting that grants 
to States under FEMA be conditioned on the States having in 
place a plan for involvement of the local business community so 
that the business community will know what to do, and that 
wouldn't cost anybody any additional money. The grants are 
already going to the States. I think the Federal Government 
could insist that the State have in place a workable private 
sector continuity program that would immediately kick in in the 
event of a natural disaster. I think that would be one way to 
accomplish this.
    I mean, this is something this Subcommittee and Congress 
could insist on, that Federal grants would be conditioned on 
the State and local government having a plan to involve the 
local private sector. It wouldn't cost you any additional 
Federal money, but I guarantee you the State and local 
government would follow that recommendation from Congress very 
quickly.
    Senator Akaka. Thank you. My time is expired, Mr. Chairman.
    Senator Pryor. Senator Sununu, thank you for being here 
today and being a great Co-Chair. I look forward to working 
with you on this.

               OPENING STATEMENT OF SENATOR SUNUNU

    Senator Sununu. Thank you.
    Mr. Ackerman and Senator Breaux, a question for both of you 
relating to the BENS report. One of the things that was 
recommended were changes to the Stafford Act. I am curious to 
know, one, what specific changes need to be made and is 
changing the Stafford Act intended to address a specific 
recommendation or just a few recommendations or are all of the 
recommendations that you call for sort of encompassed by the 
Stafford Act? And are there potential unintended consequences 
to changing the Act, because you also emphasized the need to be 
deliberative about this. Is there any particular unintended 
consequence about which you are most concerned? Mr. Ackerman.
    Mr. Ackerman. Yes, Senator. I can give you an example of 
the kind of thing that sort of generated an early focus on the 
Stafford Act and it had to do with security. Security is 
offered to certain government entities, to the Red Cross, and 
to others. It is a little bit more questionable as to how that 
relates to the private sector.
    Again, if you have a disaster that takes out some piece of 
a large metropolitan area, there is a likelihood that you will 
have some civil disorder go along with that if it overwhelms 
local capability.
    In the case of Hurricane Katrina, we needed to move into 
the city to work in some areas that had a problem and there was 
a question about does the Stafford Act include or cover 
providing the private sector, especially emergency responders, 
not first responders, but power company, telephone company, 
computer company, does it provide us security going into an 
area where citizens are hostile or armed or just bands of 
people who are horribly upset? And so that caused some delay, 
caused some consternation, and indeed, there was a very real 
and a very significant issue. So that is the example of the 
kind of thing that needs to be addressed in the Stafford Act.
    I cannot assure you that there would not be unintended 
consequences, but it definitely needs to be examined because I 
think from a response point of view, it is clear that there are 
some issues that hamper response and that appear not to totally 
cover the issues that could crop up in a serious large 
disaster.
    Senator Sununu. Senator Breaux.
    Mr. Breaux. Yes. I can only add a little bit. Mr. Ackerman 
hit it right on the head. But, there were some classic examples 
of trucks being denied access to disaster sites because they 
weren't a government truck. You are bringing ice down there. 
Well, you can't cross the line because you are a private sector 
delivery system. You are not approved to go into that area. And 
a lot of the local officials and State officials don't 
understand what is to be allowed and what is not to be allowed.
    You all last year amended the Stafford Act to at least 
prevent under the SAFE Port Act, prevent any Federal agency 
from denying essential services from the private sector. That 
is a big improvement, that they can't deny essential services 
coming from the private sector.
    But I think the main thing we are advocating is just bring 
the private sector into the process. Make sure the States and 
local governments have a mechanism that the private community 
is involved in helping to solve the problem. And then that 
clears up--if they are at the table from the very beginning, 
helping to devise the plan as part of the team, then these type 
of problems can go away.
    Senator Sununu. Mr. Bourne, I think, as of April 1, there 
was a reorganization at DHS that created the National 
Preparedness Directorate within FEMA. How specifically is that 
directorate being used or going to be used to enhance outreach 
and coordination with the private sector?
    Mr. Bourne. The National Preparedness Directorate is 
specifically designed as both not only internal preparedness 
efforts at FEMA and our Federal partners, but really heavily 
focused on assisting preparedness at State and local levels and 
private sector. Doing that through--certainly they manage the 
grant programs that are available, but at the same time--the 
Citizen Corps Program and the Community Preparedness Division 
within National Preparedness, their job is to reach out to 
State and local governments, find ways to build collaborative 
partnerships between the private sector, State, and local 
governments.
    Our other role is to provide a planning framework. Part of 
the problem is that we all do planning. We do planning in our 
own circles. We do planning within our own expertise. What we 
don't have across the Nation is truly a planning community that 
involves all the folks that need to be involved. That is an 
evolving and growing thing.
    Part of what we are doing as we rewrite the National 
Response Plan is taking a look at preparedness and planning as 
an integral part of understanding how a planning community 
needs to be developed. There needs to be some basic framework 
so that we are planning to similar objectives, similar 
principles. We can't all plan exactly alike. We have different 
capabilities and different needs. But we need to be planning 
jointly and collaboratively at all levels.
    It is very critical, and the National Preparedness 
Directorate is focused on this, that the planning effort and 
the relationships that are first and primary are the ones 
between local business, the private sector, NGOs, and the State 
and local governments. That is where 90 percent of all 
disasters happen. It is also, however, critical that FEMA have 
a good understanding, working through the business associations 
and other private sector experts, in how we can involve them in 
our planning, training, and exercise activity. National 
Preparedness is directly responsible for that effort.
    Senator Sununu. Mr. Andrews, in your work for the National 
Emergency Management Association, you obviously come in pretty 
close contact with people at the State level and some of the 
State Directors. What do you see the States being most 
concerned about, and is it your opinion that the States are 
looking for more Federal mandates for integrating the private 
sector into their preparedness plans, or are they hopeful that 
we can do this with a little bit more flexibility and with an 
approach that recognizes that there are going to be some unique 
individual needs among the States?
    Mr. Andrews. In the survey that we did of all the States, 
and asked them a number of questions about their working 
relationships, where they were in the process of working with 
the private sector, 44 of the States indicated that they had 
some degree of working relationship with the private sector, 
and again, it ranged from very formal processes, like in the 
State of Florida, to those States that are essentially just 
beginning the effort. And I think this really represents a real 
sea change. I think 5 years ago, the numbers would have been 
dramatically different.
    I don't think that the States are looking for mandates in 
this area at all. I think that they recognize, for the most 
part, that there is an advantage to them, and Hurricane Katrina 
clearly brought home the fact that we can have a disaster that 
initially appears to be a regional disaster that, in fact, 
involves all of the States.
    And so there has been a lot of work to enhance the EMAC 
system, and again, EMAC is kind of a cornerstone of the 
Nation's emergency management capability. All of the National 
Guard troops that were mobilized to the Gulf Coast, over 60,000 
of them, were done under the authority of EMAC and the 
enactments of all 50 State legislatures of the EMAC proposal.
    I think the States would welcome some additional 
encouragement from DHS and FEMA to move ahead with this, but I 
don't think that specific mandates to the States to try to 
accomplish this are really necessary.
    Senator Sununu. I appreciate that very much. Thank you, Mr. 
Chairman.
    Senator Pryor. Thank you.
    Let me ask you, Mr. Ackerman, if I can, about some of the 
things that your company did during the Hurricane Katrina 
disaster. As I understand it, you opened your Operations Center 
to many of the major wire line, wireless, and cable providers 
in the impacted area. I don't know if that was exactly 
unprecedented, but it sounds like it may have been. I am 
curious about why you did that and how that worked out and why 
you felt like that was important.
    Mr. Ackerman. Thank you.
    The primary cause for taking that action was the 
seriousness of the outage. We knew that with the flood, we were 
going to have serious outages, landline outages inside the 
Bowl, or inside the city itself because of the flood. We knew 
that the wireless carriers were going to have serious problems 
because many of their links from one location to another were 
in facilities that were also in the Bowl. And we knew the 
interexchange carriers were going to have problems.
    So we knew that getting signal or communications capability 
back into the city was of the most--was just of the highest 
importance, and therefore, we decided the best thing to do, 
since we were managing and responding to the need to fix local 
facilities, was to get the carriers into the Operations Center 
to help us prioritize what was indeed the most important. So we 
worked hand-in-hand with the wireless carriers. We had 
representatives from each one of the wireless carriers. We did 
the same thing by phone with the interexchange carriers. They 
were a little bit more concerned about being together. But it 
enabled us to prioritize and get back those facilities that 
were most important to restoring the most communications back 
to the local community.
    And so seriousness drove it, and we felt the best way was 
to put everything on the table, get everybody in the room. 
Again, it is this collaborative effort at the point in time 
when you do have a disaster of this magnitude that enables 
success. The more knowledge you have together, the more ability 
you have to prioritize and make on-the-spot decisions about 
what goes next. I think that is just incredibly important to 
restoring service.
    Senator Pryor. And how did that work out? Were you pleased 
with the way it went?
    Mr. Ackerman. I think it optimized the process. The damage 
was significant enough that I think it took us a long time to 
get facilities back where we would like to have had them. But 
it did enable us to optimize the process and I think it did 
enable us to get those most important things back first.
    Senator Pryor. Before Hurricane Katrina occurred, was that 
part of your plan or did you make that decision on the spot, 
recognizing the seriousness of the situation?
    Mr. Ackerman. It was not part of our plan. We made that 
decision on the spot.
    Senator Pryor. And did the government help you at all on 
that, or was that private sector initiative?
    Mr. Ackerman. That was private sector.
    Senator Pryor. Let me ask about private sector logistics 
and planning. You mentioned the word ``practice,'' and you 
emphasized that and how important it is to practice, but let me 
also ask about logistics, delivering goods and services, 
planning. Your group recommends that the private sector be much 
more involved with the government in planning. I think that is 
a great concept and it is very logical to me and it seems like 
it is something that should be done, but how do we do that and 
not create a conflict of interest or an advantage for companies 
who are participating in that planning and that logistical 
effort?
    Mr. Ackerman. I don't have a pat answer for that question. 
It is a good question. What I do know is that we have got to 
find some way to deal with it because there is such a 
significant need to be able to run these drills or practice 
ahead of time. Invariably when we run a practice run on a 
disaster response scenario, we find something that we had not 
thought of before and we are able to clear that problem out 
before we get into the actual event.
    So I put an extremely high importance on finding a way to 
do that. I believe that there are always issues about whether 
or not that advantages one company versus the other, but at the 
same time, when the ox does get in the ditch and our citizens 
are in the situation that they are in, finding a way to be as 
expeditious as possible is a big help.
    It was mentioned earlier today that there is a great deal 
of work going on on pre-approving vendors and putting contracts 
into place. I think it was mentioned by Mr. Andrews, also. I 
think that is an important issue. I think that everyone cringes 
when the word ``price'' comes up, but at the end of the day, we 
need to deal with that ahead of time, not during the middle of 
the disaster. Again, it is something that begins to slow the 
progress down.
    So it is difficult and it is tough slugging, but I think it 
needs to be done, and again done in practice drills before we 
get into the disaster and not after.
    Mr. Breaux. Can I add just a real quick thought to what Mr. 
Ackerman said?
    Senator Pryor. Sure.
    Mr. Breaux. The ox in the ditch is a good analogy because 
when a city is underwater, you have to respond immediately, 
when people are drowning or a fire is going on or right after a 
hurricane. And there is a difference between getting people in 
immediately to help in an immediate situation as opposed to the 
long-term construction and rebuilding. Those things need to be 
bidded out in competitive bidding. But you have to have a 
system in place before the disaster to get people in in the 
immediate aftermath of a disaster and for the first week or so, 
get the work done that has to be done. Then you can look at the 
long-term work that needs to be done that has to be 
competitively bid out and have everybody at the table. But you 
can't do that when you are waiting to dewater a city that is 
underwater. Those people have to be ready to go as soon as the 
hurricane passes through.
    Senator Pryor. Mr. Bourne, you also were kind of nodding 
your head during the question and answer there. Did you have a 
comment on the process? I think I mentioned conflict of 
interest or advantage--
    Mr. Bourne. It is problematic, and it is problematic for 
all levels of government. The General Counsel's Office loves to 
accuse me of playing lawyer without a license. They are rightly 
concerned that there are regulations and laws that limit how 
much we can do.
    FEMA has taken a very proactive approach to some of this. 
We have looked at the preplanned contracts that we have done, 
that we have competed ahead of time to deal with those issues 
that we anticipate in the first 72 hours and the immediate days 
following rather than that longer term. There are longer-term 
recovery contracts that we already do. Readiness costs money, 
and a lot of times folks blanch at the idea of spending money 
in the event of something that may not happen. But it is like 
that insurance policy we all end up buying anyway for our home, 
which we hope we never have to use.
    So FEMA has put in place a lot of these readiness contracts 
so that we have access to the resources we need to support 
State and local. But it is also more important, and many State 
and local governments have begun to do this, that they begin to 
look at advance contracting and planning, as well, whether it 
be for debris removal, whether it be for evacuation purposes, 
for transportation and other items that they may need.
    They may never use them. We hope they don't. But the simple 
fact of the matter is that that work in advance saves a 
tremendous amount of time and headache in the end. Also, under 
the current level and regulatory restrictions that all levels 
of government are under, it is the most efficient way to move 
resources quickly without getting into an area that we don't 
want to go back to, and that is no-bid contracts or contracting 
over a barrel during a disaster.
    Senator Pryor. One last question before I turn it back over 
to Senator Akaka. My question is for you, Mr. Bourne, and that 
is what about small business's role? I mean, it is one thing to 
have these large Fortune 500 companies. They are all great and 
they can do a lot of things logistically, etc., but what about 
small business? How do you include small business in the 
planning phase?
    Mr. Bourne. We have done this in several ways. Certainly, 
we encourage State and local governments when they look at 
their planning to bring small businesses in. Most communities, 
the vast majority of the workforce works for small business. 
And those kind of critical jobs and critical businesses need to 
be brought back up to speed in part of the planning process. 
That has to be done through planning. Also, they are 
contracting at the State and local level, whether it is pre-
contracting or post-contracting. It is a small business. They 
need to look at small businesses as well as the larger ones.
    What we have done for FEMA, and specifically with the 
contracts we are putting in place ahead of disasters and the 
ones that we have for long-term recovery, we have actually put 
in significant small business requirements, localized small 
business requirements that will come into play should something 
happen and they are activated, where if it is a larger company 
that has the contract, they have to give a large percentage of 
the work, anywhere from 50 to 75 percent of the work, to local 
businesses in the affected area.
    Our goal is to get people working back in the area that are 
affected as opposed to a company coming in from halfway across 
the country to do the work. Simply put, for FEMA's needs, there 
are some things that FEMA needs to do that only large business 
has the capacity to achieve on a short notice. But what we have 
done is encourage them to utilize small businesses in that 
process.
    Senator Pryor. Right.
    Mr. Martinez-Fonts. Sir, if I can just add one comment on 
that. On the small business side, I agree with everything Mr. 
Bourne has said, but also the preparedness side of it is what 
really needs to be the key. I mean, there are so many 
businesses that are just so small that what they need to do is 
just have the right preparation, and through the Ready.gov, 
Ready Business type of outreach, we have been trying to get 
businesses to make sure that they have backed up their records, 
got a place to have follow-up plans. So really, the focus 
there, while I appreciate the question was really more on what 
happens in the aftermath--and by the way, our office held the 
first small business event in New Orleans after Hurricane 
Katrina--but really, it is an issue of preparedness that needs 
to be--more emphasis needs to be put on.
    Senator Pryor. Senator Akaka.
    Senator Akaka. Thank you very much, Mr. Chairman.
    Mr. Martinez-Fonts, the Nation faces a very real 
possibility of a pandemic influenza outbreak which would affect 
the operations of everyone, large and small businesses, as well 
as communities, schools, and government and people, especially. 
In the event of a pandemic flu, private sector partners could 
serve as a powerful tool for tracking and locating employees, 
disseminating incident information, and coordinating response 
efforts.
    Your written testimony discusses the Department's efforts 
to increase business owners' awareness of the importance of 
pandemic flu preparedness, business community planning and 
emergency response coordination. How is DHS incorporating 
private sector input and feedback into the Department's 
pandemic flu planning?
    Mr. Martinez-Fonts. Sir, if I could answer that question, I 
had the honor to go around the country last year with Secretary 
Leavitt and the Department of Health and Human Services 
representing Secretary Chertoff at their outreach on pandemic 
influenza. What that led to, the tour took in all 50 States as 
well as territories. I attended about 15 of them. There was a 
request for what I like to refer to as the two lanes in the 
pandemic issue. One is the medical side or the epidemiology of 
the disease. The other one is the critical infrastructure side 
of it.
    HHS is clearly in charge of the epidemiology of it, making 
sure eventually that there will be a vaccine, that there are 
antivirals, that the hospitals are operating, etc. But those 
hospitals and the community isn't going to be able to operate 
without critical infrastructure.
    So through a pilot program that we have done with the U.S. 
Chamber of Commerce and with a not-for-profit called Safe 
America, we have been going around the country, in addition to 
speaking to specific groups, and I happen to have a list, if 
you are interested, of all the outreach literally done. I 
didn't actually count them, but I would say it gets up to close 
to 100 between what we did with HHS and what we have done 
reaching out to both critical infrastructure and businesses of 
all sizes and making sure that they have made their plans, 
because unlike Hurricane Katrina, where as awful as that was, 
resources were able to be brought in from all around the 
country. In a pandemic influenza, if it looks something like 
the 1918 pandemic, it will hit the country equally all around 
and so there will not be very much shifting of resources 
around.
    So we have an awful lot of lessons learned that have been 
shared in that. There is an excellent website that was started 
by HHS, but now 17 agencies are putting information on it, 
called PandemicFlu.gov. There is an infrastructure protection 
out of DHS, a program called Critical Infrastructure and Key 
Resources, Continuity of Operation Essential, which is 
available on the web. It is available on PandemicFlu.gov, and 
it really helps businesses, whether they are actually part of 
critical infrastructure or even if they are not, the types of 
preparations they need to do, because although much of the 
preparation that could be done for a hurricane or a flood is 
useful, in a pandemic, we are looking at a very extended period 
of time and we are really looking at not the destruction of the 
actual infrastructure, but having people just not be available.
    Mr. Andrews. If I might add, one of the other initiatives 
that BENS has undertaken that relates to your question, 
Senator, is through their Business Force efforts, particularly 
in the State of New Jersey and in Georgia, they have run 
exercises utilizing the private sector for assistance in the 
distribution of the Nation's Strategic Pharmaceutical 
Stockpile. So using private sector resources both as facilities 
to help distribute it, using personnel within the private 
sector to help distribute the resources, which will probably 
overwhelm the capabilities of local government to do so.
    So I think it speaks to the point that Mr. Ackerman made 
about the importance of practicing these. We need to do this 
more extensively across the country, but I think the lessons 
that have been learned in those exercises could prove valuable 
in a number of different regions.
    Senator Akaka. Thank you.
    Senator Breaux, your written testimony states that the BENS 
Task Force recommended that Congress amend the Stafford Act and 
enact a nationwide body of disaster law to preempt the 
patchwork of State law in the narrow context of disaster 
response. The BENS Task Force report describes your 
recommendations in some detail. Has your task force developed a 
specific legislative proposal for a natural disaster law?
    Mr. Breaux. We don't have legislative language or a 
legislative proposal, Senator Akaka, but I think that what we 
have concluded is that the Stafford Act, which has served this 
country very well since Bob Stafford authored it a number of 
decades ago, was meant to help the Federal Government assist 
local and State governments, but the private sector really 
wasn't part of that mix at that time. I think what we are 
suggesting is that this Subcommittee and the appropriate 
committees take the time, don't run through it and do it 
overnight, but take the time to look at what you all could do 
to improve the operational dictates of the Stafford Act and get 
local and State governments to have a plan that incorporates 
the private sector from the very beginning.
    We have outlined some of the difficulties that private 
entities have had in responding to disasters, some of the legal 
and regulatory problems that they have had, some of the 
transportation problems that they have had, and if the Stafford 
Act could be amended to bring them into the planning process 
from the very beginning, require that FEMA grants go to States 
that have adopted a private sector plan into their emergency 
preparedness operations, I think those type of suggestions, I 
think that this Subcommittee could look at as potential 
amendments to the Stafford Act. Don't throw it out the window 
because it has worked very well. Just fix it up around the 
edges and it would be a real service.
    Senator Akaka. Thank you for that. I was interested in how 
far you have gone in that, because any kind of help we can get 
from you will certainly--
    Mr. Breaux. I do think that we have got a very talented 
staff over there and I think that they would be more than 
willing and able and very anxious to participate with your 
staff in the process of making those suggestions for you all to 
consider.
    Senator Akaka. Thank you very much. My time has expired.
    Senator Pryor. Thank you, Senator Akaka.
    Let me follow up there, if I may, with Senator Breaux. You 
mentioned the national disaster law, which is a good concept 
for us to think about and put on the table and see if we can 
come up with something that makes sense. But do you think that 
part of that should include a good samaritan provision?
    For example, when I was in the State legislature in 
Arkansas, we had a bill before us which I voted for that 
basically said doctors couldn't be sued--I can't remember 
exactly how it was structured--it was basically if they 
happened upon an accident scene or they were providing some 
free service. They couldn't be sued for malpractice for trying 
to help somebody.
    I know Arkansas has other good samaritan-type laws and 
there are many other States that have some variation of those 
laws. But do you think that the national disaster law that you 
talk about should include some sort of good samaritan 
provision?
    Mr. Breaux. Yes. I think the short answer would be yes, 
with the caveat that obviously you just can't waive all the 
laws that protect citizens from being damaged by the negligence 
of someone trying to provide assistance or doing it in an 
incompetent manner.
    But I think when you are dealing with a time of emergency, 
if providers of services know that they would be protected in 
those unique situations if they exercise their best judgment, 
that would be something that I think would be extremely 
helpful. It would encourage people to participate.
    I mean, how many times have we heard people who have 
hesitated to participate in an emergency, even a small one, 
somebody collapsing on an airplane, ``Well, I don't want to get 
involved.'' ``I am a doctor. If I treat him, I may do the wrong 
thing. I will probably get sued.''
    I think that type of emergency protection would be very 
worthwhile. People could respond in those difficult situations. 
I mean, people may die if they don't, and yet they may not 
because they fear being sued. So in those narrow situations, 
exercising your best judgment, I think, should be encouraged 
and that would certainly do that.
    Senator Pryor. Mr. Ackerman, in your experience with 
Hurricane Katrina and other disasters in corporate America, 
have you had those same liability concerns in various contexts?
    Mr. Ackerman. I think we do. Obviously, we worry about 
those exposures. What we have found, in general, is oftentimes 
business will go ahead and assume that risk, but it is never 
easy because one knows the exposure that is out there. So these 
situations do come up. Individuals, companies, managers, people 
have to make those decisions. I don't think that there is any 
given pattern to how it comes out, but I do think that people 
who are not risk averse generally follow that pattern, but then 
we have to worry about the litigation outcomes afterwards, so 
it is a constant issue.
    Senator Pryor. Yes.
    Mr. Martinez-Fonts. Mr. Chairman, if I could add, I was a 
banker for 30 years prior to joining the Administration, and 
since my last 5 years in government, I have been watching and I 
believe that liability issue will literally stop a private 
sector company in its tracks as they are concerned now. As Mr. 
Ackerman just said, many people will go out there and be very 
forward-leaning with it and will take the chance, but I have 
also seen a lot of cases where people have just sort of stopped 
and said, ``I am not sure what it is going to do to me and so I 
am not going to go forward with it.''
    Senator Pryor. It is a real concern.
    Mr. Martinez-Fonts, if I can stay with you just for a 
moment. Last February, Secretary Chertoff told the Senate 
Homeland Security Committee that DHS needed an integrated 
Incident Command Center. I think you maybe mentioned this in 
your opening statement, but could you again give us a status 
report on this Incident Command Center?
    Mr. Martinez-Fonts. Sir, I am not sure I mentioned it in my 
statement, but we have a National Operations Center (NOC), 
where we have a common plan, a common operating picture that 
comes together and has the ability to now, for the Department 
of Homeland Security, bring together all of those incidents and 
is able to bring up to the Secretary's level all the 
information and then have it filter down to the right 
operational people within the Department.
    Senator Pryor. So do you feel like that Incident Command 
Center he referred to is in place?
    Mr. Martinez-Fonts. I think it is, if I am thinking of the 
right thing, sir. I would say, yes, that it is, and it has 
really become a much more robust program than anything we have 
had before.
    Senator Pryor. Has it been tested?
    Mr. Martinez-Fonts. It is tested very regularly, and not 
only have--I would say have they tested their own performance, 
but they have now performed on behalf of the Department in 
other external exercises and, therefore, in effect, tested 
themselves in the ability to interact with the rest of the 
first responder community and the rest of the country.
    Senator Pryor. So it sounds like what Mr. Ackerman was 
talking about, you have done some practice with it, but have 
you also used it in disasters, yet, do you know?
    Mr. Bourne. I can answer that.
    Senator Pryor. Go ahead.
    Mr. Bourne. National Response Coordination Center, which 
FEMA manages, is actually a module, a node, a part of the 
National Operations Center. We routinely, with the National 
Operations Center, keep track of ongoing disasters and 
emergencies that happen across the country. There have been a 
number of incidents that have taken place, especially since 
Hurricane Katrina, on average, 50, 60 disasters a year of which 
we are in both FEMA's operations facility and the NOC are 
providing the Secretary with situational awareness on what is 
happening, helping to make resource allocation decisions, 
assisting us in obtaining additional information to help our 
operations on the ground. So there have been a number of 
declared events, Stafford Act events, in which the National 
Operations Center has been an integral part of our activities.
    Senator Pryor. Okay. And one last question for you, Mr. 
Martinez-Fonts, and that is, as I understand it, DHS has done 
some public-private initiatives and partnerships with the 
airlines, shipping, chemical industry. Are there lessons 
learned there that you can apply to other sectors and maybe 
expand on?
    Mr. Martinez-Fonts. Yes, sir. A very good example of what I 
had brought up earlier was the critical infrastructure. The 
industries that you just talked about are all critical 
infrastructures, and as you know, those are all under the 
direction of Assistant Secretary Bob Stephan. There are Sector 
Coordinating Councils, in effect, one Sector Coordinating 
Council for each one of the critical infrastructures, and that 
group is just constantly--it has two sides. It has a private 
sector side and a government side, Sector Coordinating Council, 
Government Coordinating Council. They are constantly testing 
and proving and providing information. Those lessons learned 
are then spread out between the Sector Coordinating Councils, 
between the Government Coordinating Councils, and among all of 
those.
    An example was the Critical Infrastructure Key Resources 
Guide that I mentioned earlier for pandemic. That has been 
distributed widely because it just really is something that is 
very useful. In other words, if the largest of companies could 
do this kind of thing, what lessons can be learned or could be 
utilized and applied for a smaller company? And so that 
distribution has been very widespread, and yes, in fact, those 
lessons learned are being shared all across.
    Senator Pryor. Great. That is what we want to hear.
    Dr. Andrews, let me ask you about--I believe Senator Sununu 
asked about EMAC and there has been some discussion about a 
Business Emergency Management Assistance Compact. Some people 
call it BEMAC. Is there such an entity now? Is there a BEMAC?
    Mr. Andrews. There is not a formal BEMAC system across the 
country.
    Senator Pryor. Should there be, and if so, how do we 
structure that? Does it make sense to do it State-by-State, 
region-by-region, industry-by-industry? Tell us your thoughts 
on what a BEMAC might look like and how it should function.
    Mr. Andrews. Well, the task force that I chair, we have 
looked very carefully at this, and again, trying to be as 
practical as we possibly can in terms of the recommendations 
that we make. Many of the ideas and, I think, elements of this 
have been outlined in the BENS report and it really starts with 
having in each of the States a Business Operations Center, that 
is, someone within the various critical--people within the 
various critical sectors who have been identified in advance, 
who understand the processes that are used by that State when 
an emergency occurs, and who will report either physically or 
will be in communications with the State's Emergency Operations 
Center when it is activated representing their sector.
    If this exists across the country in the various sectors 
and requests are made through the EMAC system for resources 
that cannot be filled within the impacted State, then they 
would have reach-back into the other States that might be able 
to provide that source where in turn you would also have 
representatives from the business community.
    It is an interesting situation, where there are some 
States, for example, North Carolina, where they do use private 
sector resources as agents of the State in out-of-state 
responses. And, in fact, legal opinion from, for example, the 
private medical community is that it is only under this 
structure that they can really respond out-of-state.
    I think as part of a review of the Stafford Act, this might 
be something that we need to take a look at, because some 
States do have specific provisions that prohibit the use of 
private sector resources as agents of the State, whereas other 
States allow it. If there was some national ability where 
States could, in fact, use private sector resources as agents 
of the State, understanding the liability and reimbursement 
issues, I think it would be possible to formally align the 
business community with the EMAC system.
    And again, given the fact that the EMAC legislation has 
been approved by all 50 State legislatures, I think this is 
something that continues to be a kind of linchpin that we need 
to build on. Right now, I see the system operating essentially 
in parallel with the EMAC structure, but NEMA and the State 
Emergency Directors are committed over the course of the next 
year to continuing to work with our task force to try to 
resolve any issues that remain.
    Senator Pryor. Thank you.
    Mr. Bourne, as you well know, in February 2006, the White 
House released its report called ``The Federal Response to 
Hurricane Katrina: Lessons Learned.'' One of those 
recommendations was to establish the system that allows for 
direct delivery of goods from private sector vendors to 
customers and, therefore, bypassing the need for storage sites, 
and other reports, think tanks, groups, etc., have made similar 
recommendations.
    However, and maybe I misunderstand this, but my 
understanding is that FEMA has decided to rely more on forward-
basing of products in government-run storage sites. Do I 
misunderstand that?
    Mr. Bourne. No. Actually, while we do have a number of 
logistics centers across the country for certain commodities 
that we move very quickly into areas, we are actually looking 
at long-term, over the next year or so, developing a third-
party logistics system where we are not the ones owning, 
storing commodities that would be used in various responses. We 
would have, essentially, a system where we would have access to 
those through contracts, pre-arranged third-party logistics 
management where the folks out there who do this all the time, 
whether it be the trucking companies, the Wal-Marts of the 
world, the Home Depots, etc., are the ones managing that for us 
with us having full visibility into where those commodities are 
and where they are going.
    Our Logistics Management Directorate is taking an active 
look at this right now. There has been an assessment done on 
it. We are moving away from purely maintaining our own stocks 
of things. We always run into the issues of, is it available 
when we need it? How far do we have to move it? We want to 
shorten supply lines and the best way to do that is to tap the 
industries that have them in the areas that are affected, and 
that is the direction we are headed in.
    Senator Pryor. And let me ask about the TOPOFF 4 exercise. 
Can you tell me a little bit about that?
    Mr. Martinez-Fonts. TOPOFF 4 is the fourth of a series of 
Top Officials exercises that take place every 2 years. I 
believe it has now been rescheduled--I forget the exact date 
for this year, but I think it is October or so in the fall, and 
it is an exercise wherein something will happen, whether it is 
a--it could have been--during TOPOFF 3, we had some chemical 
agents being dispersed. It took place on the East Coast. It was 
in New Jersey. It was up in Connecticut, Rhode Island, and the 
like, and we actually exercise in place the events and 
coordinate with both the private and the public sector, State 
and local and everyone that is involved. So the coming-up event 
will take place in Seattle, Arizona, and Guam.
    Senator Pryor. So the private sector is involved in that?
    Mr. Martinez-Fonts. Yes, sir, they will be.
    Senator Pryor. And when Administrator Paulison testified 
before the House Homeland Security Committee on May 14, I think 
he had 13 pages of testimony, but he did not mention one time 
the private sector, as I understand his testimony. You guys 
probably weren't there. That just raises a concern in my mind 
that here you have the FEMA Director explaining to the House, 
explaining to the Congress different things that they are 
doing. I think he talked about the playbook, pre-scripted 
mission assignments, etc. But apparently during that testimony, 
at least in his prepared remarks, he didn't mention the private 
sector.
    From your standpoint--I will just ask you, if I may, Mr. 
Bourne, do you think the private sector is sufficiently 
involved in, as they say, pre-scripted scenarios?
    Mr. Bourne. We are just beginning this relationship, quite 
frankly. We have done a lot of work. We have got a lot more to 
do. FEMA has been engaged in doing a reform top to bottom which 
involves a lot of moving parts. Never mind the fact that we 
have also brought in programs that had not been in FEMA prior. 
So we are beginning this relationship. That is why we are 
bringing BENS and BRT and the Chamber together next week to 
further this relationship and figure out what other avenues 
that we can take.
    We have spent a tremendous amount of time over the last 
several months in the rewrite process of the National Response 
Plan to take in private sector concepts and ideas as part of 
that writing process, and I think that the Subcommittee will 
see as we begin to roll that out in the next several weeks for 
comment that a lot of the--that there has been private sector 
involvement in that planning, in the document, but that much 
more needs to be done and we are embarked on that.
    Senator Pryor. Great.
    Mr. Bourne. One of the things I will just add to your prior 
question, if I could, our staff tells me that we are planning a 
logistics briefing next week and certainly will make that 
available to your staff.
    Senator Pryor. Great. Thank you.
    In the Post-Katrina Reform Act, we mandated Regional Strike 
Teams. Are you familiar with those? Is the private sector 
involved in the establishment of those Strike Teams?
    Mr. Bourne. Not directly, and I will tell you why. The way 
the legislation was crafted and the way that we have had to 
build the teams, they are Federal responders. FEMA 
traditionally in its response puts out folks that are, quite 
frankly, it is a pick-up team in many respects in the past. 
They are folks in our regional offices and from headquarters 
that have other responsibilities day-to-day. They are formed 
into what they call Emergency Response Teams and then they are 
sent to disasters.
    We are changing that model. We don't call them strike teams 
now. We are calling them Incident Management Assistance Teams. 
We are building them now, and they are going to be full-time 
Federal disaster experts working for FEMA. They are not going 
to be there to supplant local or State emergency responders or 
incident command. They are going to be that initial response. 
Their job is going to be to respond to disasters, and when they 
are not responding to disasters, to train, equip themselves, 
train and exercise with State and local governments.
    Now, is there a role for a relationship for them with the 
private sector? Quite possibly. We are going to have to look at 
what that means, and I think the most effective way to achieve 
that is after we have developed a relationship between these 
teams and the State and local government emergency management 
folks and see how they want to see that interaction take place.
    Senator Pryor. I want to thank my colleagues and thank the 
panel for coming here today and answering a long list of 
questions that we have and thank you for your actions to 
prepare America to meet the next set of challenges in the world 
of disasters and response.
    We are going to leave the record open for 2 weeks if 
colleagues want to submit written questions. If Senators do 
that, I would love for all of you to respond to those as 
quickly as possible. Additionally, several of you mentioned 
inserting your statements as part of the record. Those will be 
included in the record, or if any of you on the panel have any 
documents or other items to add to the record, we will be glad 
to include those, as well.
    So again, I want to thank you all for being here at our 
inaugural meeting of our Subcommittee and we look forward to 
working with you. Thank you.
    [Whereupon, at 3:55 p.m., the Subcommittee was adjourned.]


            PART II: PROTECTING OUR CRITICAL INFRASTRUCTURE

                              ----------                              


                        THURSDAY, JULY 12, 2007

                                 U.S. Senate,      
             Ad Hoc Subcommittee on State, Local, and      
           Private Sector Preparedness and Integration,    
                    of the Committee on Homeland Security  
                                        and Governmental Affairs,  
                                                    Washington, DC.
    The Subcommittee met, pursuant to notice, at 2:03 p.m., in 
room 342, Dirksen Senate Office Building, Hon. David Pryor, 
Chairman of the Subcommittee, presiding.
    Present: Senator Pryor.

               OPENING STATEMENT OF SENATOR PRYOR

    Senator Pryor. Let me go ahead and call us to order. Thank 
you all for being here. I thank the members of the public who 
are in the back there, as well. We appreciate your interest.
    Welcome to the Ad Hoc Subcommittee on State, Local, and 
Private Sector Preparedness and Integration. I want to welcome 
everyone here today and thank you for taking time out of your 
busy schedules to be here.
    This hearing is a continuation of an ongoing dialogue we 
are having on the Subcommittee and here in the Senate with the 
private sector focusing on the importance of making sure that 
the government and the private sector are working together to 
protect our critical infrastructure.
    Simply put, critical infrastructure is defined as 
capabilities and services that secure our country and make it 
livable. We all know this, but it includes everything from 
highways to communications to financial services to electricity 
and we use it to accomplish everything we do throughout the 
day. For example, we wouldn't be here today if we didn't all 
rely on critical infrastructure to get here and to utilize what 
we have here in this hearing room even.
    Critical infrastructure assets are so interconnected that 
one accident or natural disaster could potentially cause a 
massive upheaval. The nuclear reactor accident in Chernobyl, 
Ukraine, for instance, exposed 6.6 million people to 
radioactive fallout and forced the evacuation of almost 400,000 
people. In this country, Hurricane Katrina damaged oil 
refineries and spiked gas prices across the country. The 
disaster also disrupted Internet access, clean water supplies, 
telecommunications, and on and on and on.
    Because disruption of our critical infrastructure would 
cause mass chaos and fear, these systems are prime targets for 
terrorists. In early May of this year, the FBI and an attentive 
store clerk stymied an attempt by six men to ``kill as many 
soldiers as possible,'' at Fort Dix Army Base in New Jersey. 
The men were in the process of making bombs and accumulating 
weapons. Once their plan was fully developed, they intended to 
storm the base, firing on and bombing our men and women in 
uniform.
    Just last month, authorities foiled a terrorist plot to 
blow up JFK International Airport, its fuel tanks, and a jet 
fuel artery. Terrorists are focused on critical infrastructure 
and they understand how critical it is in the United States 
that we keep those things operational, even under adverse 
circumstances.
    In this Ad Hoc Subcommittee, we are moving into a new era 
in terms of homeland security and national security. These 
terrorist plots that I have been talking about are living proof 
that extremist groups want to try to inflict pain on our 
citizens and on our economy and they are trying to do as much 
damage as they can to our country and they think they know how 
to do it.
    For all these reasons, it is crucial to have an effective, 
well thought-out plan for protecting our infrastructure. Now, 
last year, the Department of Homeland Security released a plan 
called the National Infrastructure Protection Plan (NIPP). The 
NIPP was to set out a standard for industries to identify and 
prioritize critical infrastructure assets. It required each of 
the 17 critical infrastructure sectors to submit a plan dealing 
with the unique protection challenges that industry faces, and 
we have a chart here with those sectors listed.\1\
---------------------------------------------------------------------------
    \1\ The chart referred to appears in the Appendix on page 227.
---------------------------------------------------------------------------
    So for our efforts to be effective, we must make sure that 
both government agencies and the private sector are involved in 
creating the protection plans. In our hearing today, we will 
review the process of creating the plans, discuss the 
challenges and successes in public-private partnerships, and 
look at how the overall effort contributes to preparedness.
    With that in mind, understand that today is a very busy day 
in the Senate. We have DOD authorization on the floor and there 
are lots of amendments and lots of Senators have committee 
hearings, so we don't know how many Members will be able to 
attend, but certainly when colleagues show up, we will try to 
accommodate them and get them in and let them ask questions and 
move on to their next stop.
    What I would like to do is go ahead and introduce our 
panel. We have your backgrounds already and we will submit 
those for the record. Each of you will have 8 minutes to give 
an opening statement. If you want to just submit that for the 
record and summarize, that is up to you.
    Let me just run through the panel very quickly and just say 
a few words about each person and then I will open it up and 
let you all give your opening statements.
    Our first witness will be Bob Stephan. He is the Assistant 
Secretary for the Office of Critical Infrastructure Protection 
at the U.S. Department of Homeland Security. He is responsible 
for DHS's efforts to catalog our critical infrastructure and 
resources and coordinate risk-based strategies to secure them 
from terrorist attack or natural disasters.
    Eileen Larence will be the second witness. She is the 
Director of the Homeland Security and Justice Issues Division 
at the U.S. Government Accountability Office. She manages 
investigations, issues reports, and makes recommendations, and 
handles Congressional requests for work on homeland security 
issues.
    And then Ken Watson will be third. He is Vice Chairman of 
the Partnership for Critical Infrastructure Security. He 
established the Critical Infrastructure Insurance Group with 
the goal of driving Cisco's contribution to the security of 
worldwide critical infrastructure.
    So Mr. Stephan, if you would lead off for us.

TESTIMONY OF COLONEL ROBERT B. STEPHAN,\1\ ASSISTANT SECRETARY 
  FOR INFRASTRUCTURE PROTECTION, U.S. DEPARTMENT OF HOMELAND 
                            SECURITY

    Colonel Stephan. Mr. Chairman, thank you very much for the 
kind invitation to appear before you today. I sincerely 
appreciate the opportunity to address you on the role of the 
Department's Office of Infrastructure Protection and ensuring 
robust coordination with the private sector as we work actually 
together as a team to protect our Nation's critical 
infrastructures from terrorist attack and also enable their 
quick recovery in the wake of a terrorist attack or a natural 
disaster because we have another terrorist to deal with in our 
mission space and she is called Mother Nature.
---------------------------------------------------------------------------
    \1\ The prepared statement of Colonel Stephan appears in the 
Appendix on page 104.
---------------------------------------------------------------------------
    My staff and I are keenly aware of the importance of fully 
integrating and working with our private sector partners across 
our mission space as well as with our State and local 
government partners. As a point of departure for your team, it 
is important that we note that the vast majority of our 
Nation's critical infrastructures, about 85 percent or so, 
those are owned and operated by the private sector in some way, 
shape, or form. Hence, our comprehensive work with the private 
sector represents a very key component of our national 
protection network as well as our national information sharing 
network.
    Both the Congress and the President of the United States 
have recognized that full support, cooperation, and engagement 
of government and private sector partners at all levels is 
required to prevent terrorist attacks, mitigate natural 
disasters, restore essential services after an incident, and to 
generally maintain the American way of life.
    Our partnership with the private sector spans the diverse 
spectrum of the 17 sectors that are identified in Homeland 
Security Presidential Directive No. 7. You have those 
catalogued there in your chart. This partnership also extends 
very importantly in a boots-on-the-ground-type construct to 
high-risk communities across the country, where my staff and I 
have put a great deal of focus and effort to bring together 
Federal, State, and local government partners and the private 
sector to engage in vulnerability assessments, security 
planning, information sharing, best practices exchanges, risk 
reduction and incident management activities.
    Since the creation of my office in March 2003, our mission 
has been very clear. Our overall approach focuses on 
establishing and sustaining a risk-based unified program to 
protect and enhance the resiliency of our Nation's 
infrastructures. The key to this approach is a layered defense 
constructed of physical protection, cyber security, and 
resiliency within the sectors as tailored to the requirements 
of each of those sectors. This again, sir, is a long-term 
effort that involves a comprehensive government and private 
sector engagement inside and outside of regulatory space at 
various levels across our national risk landscape.
    The private sector has made significant investments to 
strengthen both physical and cyber security to boost 
resiliency, increase redundancy, and develop contingency plans 
since the September 11 attacks. Of equal importance, State and 
local agencies have stepped up to this mission plate and have 
strengthened infrastructure preparedness within their 
jurisdictions. Supporting these efforts, in one example, DHS 
has provided nearly $2 billion in infrastructure-targeted risk-
based grant funding over the past several years, to include 
$445 million this year.
    Our partnerships across various levels of government and 
with the private sector form the operational core of our 
National Infrastructure Protection Plan--sir, we do 
affectionately refer to that as the NIPP, and thank you for 
highlighting that--and, as well, the supporting 17 Sector-
Specific Plans (SSPs), in each of the sectors. Through the NIPP 
and these supporting plans, we now have a unified national game 
plan and an ever-expanding arsenal of tools to implement our 
mission.
    The NIPP base plan establishes the overall risk-based 
approach that defines the unified way we are going to protect 
the enhanced resiliency of our critical infrastructure sectors 
across the board. Organizationally, the heart of the NIPP is 
bringing people together in some kind of construct. It is akin 
to bringing good Super Bowl teams to the playing field at the 
end of football season. Establishing Sector Coordinating 
Councils on both the government side of the house and on the 
private sector side of the house, bringing the right people to 
the table in a legally protected framework to get the job done, 
whether it is policy recommendations, planning, looking at risk 
assessment methodologies, planning for incidents and actually 
conducting incident management operations.
    Within the NIPP, the NIPP partnership model encourages 
private sector owners and operators to establish Sector 
Coordinating Councils as a principal entity for coordinating 
with the government across a wide variety of issues. These 
entities are self-run and self-governed and their specific 
membership varies from sector to sector, including owners and 
operators, associations, and other entities, corporations, or 
individual companies, both large and small. The finalization 
and release of the NIPP Sector-Specific Plans used this 
framework in terms of its development and will be an essential 
piece of implementing and integrating those plans across the 17 
sectors.
    Developed under the umbrella of the NIPP partnership model, 
the Sector-Specific Plans represent adaptations of the NIPP 
baseline risk analysis and risk management framework, its 
governance structure and information sharing protocols, as 
tailored, once again, to the specific needs and requirements of 
each of the 17 sectors, which are very different in and amongst 
themselves.
    This undertaking represents the very first time that 
government and private sector entities have come together on 
such a large scale across every sector of the economy to 
develop joint plans to better protect and ensure the resiliency 
of our critical infrastructures against both terrorist 
incidents and natural disasters. Each plan contains concrete 
deliverable milestones and timelines that define the road ahead 
for each of these sectors.
    In a series of parallel undertakings, we are leveraging the 
NIPP sector partnership model and coordinating council 
structure to finalize a comprehensive annex to the National 
Response Plan that deals with infrastructure protection and 
restoration; to develop sector-specific guidelines for pandemic 
influenza preparedness; establish infrastructure protection 
research, development, modeling, simulation, and analysis 
requirements; and building a National Infrastructure Protection 
Awareness and Training Program, to include exercises such as 
the upcoming TOPOFF Officials 4 exercise, which will be 
conducted in October of this year.
    Our partnership framework enables more progress in another 
important area, information sharing, where we use the NIPP 
partnership framework to share information of a risk-based 
nature on a day-to-day basis that includes operational 
information, situational awareness of incidents that are 
occurring across our infrastructure sets around the country 
every day, and we use that same incident management information 
sharing network to collaborate and integrate with one another 
during crisis, incidents, or emerging threat scenarios.
    Another important advancement in our relationship with the 
private sector is the establishment of our Homeland 
Infrastructure Threat and Risk Analysis Center, or HITRAC. This 
is an infrastructure and intelligence fusion center that we 
operate in a joint partnership with Charlie Allen, the 
Assistant Secretary for Intelligence and Analysis at DHS. 
Through this center, we provide access to classified 
information. We enable members of the private sector leadership 
to obtain security clearances to the tune of about 900 so far 
across the sectors and using the tear-line concept are able to 
share very broadly important emerging threat products with the 
private sector at a tactical and strategic level.
    Through the HITRAC and our National Infrastructure 
Coordinating Center, which maintains an operational status or 
pulse of the Nation's infrastructure on a day-to-day basis, our 
private sector partners receive real-time threat situation and 
status information and analyses, which is in turn used to 
inform security and operational planning, resource investments, 
and key risk mitigation activities.
    Coordinating with other key stakeholders through our 
partnership model is fundamental to the success and it has also 
been a key enabler to allow us to push out the door very 
important boots-on-the-ground activities that are having a very 
noticeable impact in terms of improving our security posture 
across the private sector infrastructure landscape. Through our 
comprehensive review program, we provide a structured joint 
analysis, Federal, State, and local capabilities, private 
sector capabilities needed to enhance the security of our 
highest-risk national infrastructures. Today, we are virtually 
through, and we will be through in September, walking across 
the chemical sector and the nuclear energy sector in terms of a 
comprehensive review process, bringing lots of inside and 
outside defense equities to the table.
    Through our Buffer Zone Program, we have a DHS-administered 
grant approach that is designed to assist local law enforcement 
and private sector critical infrastructure owners and operators 
increase security within the buffer zone, or the area outside a 
facility that can be used by an adversary to conduct 
surveillance or launch an attack. Through this process, we have 
completed more than 2,200 individual site visits in locations 
across the United States, pushing approximately $190 million 
out the door to State and local law enforcement to provide 
connectivity to specifically identified critical infrastructure 
facilities and boost their reinforcing capability for 
prevention through protection to response and recovery.
    Our Protective Security Advisors represent a cadre of 78 
folks right now in place across the country in key urban areas, 
rural areas of the country, places where we have a nexus of 
population and critical infrastructures. These Protective 
Security Advisors (PSAs) foster partnerships, facilitate 
collaboration, conduct vulnerability assessments, facilitate 
training and exercise programs, provide general situational 
awareness back to me on a day-to-day basis. They have conducted 
about 15,000 liaison visits with private sector owners and 
operators over the past 2 years and they are my first boots on 
the ground in terms of the infrastructure protection Federal 
mission subset during any incident, and they have a very 
comprehensive and solid list of Rolodex contacts across the 
Federal, State, and local community and the private sector 
community in their geographic areas of responsibility.
    Through them and others, we have conducted soft target 
awareness courses and surveillance detection training programs 
across the country. The soft target piece is a week-long course 
that provides private sector owners and operators and security 
personnel with a venue to receive and share baseline terrorism 
awareness, prevention, and protection information and is 
intended to enhance individual and organizational security 
awareness. Our surveillance detection course provides a 
guideline for mitigating risk to infrastructures by developing, 
applying, and deploying protective measures in the creation of 
a surveillance detection plan within facilities such as 
shopping malls, arenas, stadiums, public access, and gathering 
sites. We have conducted 284 surveillance training awareness 
courses across the country as well as an additional increment 
of the same number of our soft target awareness training 
packages.
    Our TRIPwire program, bombing prevention, is highlighted by 
the recent events in London and Glasgow, a very important part 
of our day-to-day business. This is an online web-based tool 
that provides the latest and greatest information to bomb 
squad, private sector security folks, law enforcement officials 
across the country in terms of terrorist tactics, techniques, 
and procedures relative to IEDs, VBIEDs, and maritime-based 
improvised explosive devices. To this date, we have got about 
40 Federal departments and agencies, 28 military units, 365 
State and local law enforcement agencies, and 35 private sector 
companies hooked into this website, and in the last year since 
it has been operational, we have had nearly four million site 
hits.
    Finally, with respect to the demands of incidents caused by 
Mother Nature, we have put into place through our Protective 
Security Advisor Network out in the field and through 
infrastructure specialists here at the Department headquarters 
and in cooperation with our national ops center and FEMA 
headquarters a very robust set of experts that are manning 
watch 24/7 and are prepared to respond and organize a team of 
specialists around any type of incident that involves the 
downing of our infrastructures, that would involve follow-on 
security assessments, restoration and recovery operations, or 
any type of assistance or information sharing requirements that 
we need to bring to the table.
    In terms of my remaining time with you today, looking 
toward the future, we are finalizing our office's long-term 
strategy for continued program growth and evolution. We are 
finalizing our 2008 to 2013 strategic plan--I hope to have that 
done within the next couple of weeks--that identifies a very 
significant number of primary goals essential to implementing 
our national mission and continuing to build out this very 
important public-private sector partnership framework. This 
effort is being conducted in tandem with our sector annual 
reporting process under the National Infrastructure Protection 
Plan. Our goal is to continue our risk-based approach to 
infrastructure protection, tailored again to the needs and 
requirements of the individual 17 sectors. As we move into the 
future, the NIPP partnership framework and the tens of 
thousands of security partners across the public and private 
sector that it brings to the table will continue to drive our 
national approach.
    Certainly, no one can predict the future with 100 percent 
accuracy, but certain things are a given. Technology, the way 
in which owners and operators do business, and their supply 
chain dependencies and interdependencies will certainly evolve, 
and vulnerabilities and consequences will change accordingly. 
We can also count on our risk calculation changing over time.
    Another fact is very clear. We face a very clever, 
flexible, patient, determined terrorist adversary. The path 
forward provided by the NIPP, the Sector-Specific Plans, and 
the partnership framework allows us to act collaboratively as 
together we adapt to a very dynamic risk environment, a very 
dedicated and very ingenious enemy through a national unity of 
effort that we have begun to build and will continue to build 
out over time.
    Success over time means making commitments and following 
through on them. We will approach our collaborative 
implementation of the NIPP and the SSPs with this in mind and 
continue to refine and enhance our solid partnership with the 
private sector, State and local governments.
    I will leave you with one more important observation. The 
more we utilize the sector partnership model, the stronger and 
more effective it gets. We will continue to incorporate lessons 
learned, strive to constantly improve and adapt our 
partnership, communications, and coordination with the changing 
times and risk landscapes at the national level. Continued 
support of our focused activities in concert with all of our 
partners will help ensure our Nation's preparedness in my 
mission area.
    Sir, thank you for this important opportunity to discuss 
the infrastructure protection mission area, and the public-
private sector partnership framework that truly lies at its 
core. I would also like to thank you for your continued support 
and the support of this Subcommittee and the larger Committee 
of which you are a part for your dedication to the success of 
this vital component of our overarching homeland security 
mission, and I would be happy to answer questions following my 
colleagues. And sir, thank you for your time today.
    Senator Pryor. Thank you.
    Our second witness, whom I introduced a few moments ago, is 
Eileen Larence. I suspect that I have mispronounced your name.
    Ms. Larence. That is right.
    Senator Pryor. Is that right?
    Ms. Larence. No ``W''.
    Senator Pryor. OK, thank you. Go ahead.

   TESTIMONY OF EILEEN REGAN LARENCE,\1\ DIRECTOR, HOMELAND 
  SECURITY AND JUSTICE ISSUES, U.S. GOVERNMENT ACCOUNTABILITY 
                             OFFICE

    Ms. Larence. Mr. Chairman, I appreciate the opportunity to 
discuss the results of GAO reviews of the Department of 
Homeland Security's efforts to ensure the Nation's most 
critical infrastructure, from power plants and health care 
workers to the Internet, is protected from terrorist attacks 
and disasters, a daunting and complex challenge as Hurricane 
Katrina demonstrated and you pointed out in your opening 
statement. It is also an important mission, as DHS estimates 
infrastructure influences about 50 percent of our GDP, and as 
my colleague mentioned, about 85 percent is owned by the 
private sector, meaning DHS must depend on partnerships with 
this sector to voluntarily pay for added protection. DHS also 
recognizes the Nation cannot afford to protect everything, so 
it has devised a risk management model for infrastructure 
investments, an approach GAO generally endorses.
---------------------------------------------------------------------------
    \1\ The prepared statement of Ms. Larence appears in the Appendix 
on page 115.
---------------------------------------------------------------------------
    As you pointed out, sectors were to create Sector-Specific 
Protection Plans. These plans were due to DHS by the end of 
December and released on May 21 of this year, and sectors 
recently submitted status reports on where they are against 
these plans to DHS. In terms of these plans, it is important to 
realize that they are separate from emergency response plans. 
We also found that they tend to be what we would call plans to 
plan, meaning that they describe how or what processes the 
sectors are going to use to identify their critical assets and 
resources, assess their vulnerabilities and risks, prioritize 
their resources, and select protective measures for them. And 
while owners and operators may to date have implemented 
protective measures for some of their individual assets to 
maintain business continuity or to comply with existing 
regulations, sector plans are to go beyond individual assets 
and take a more comprehensive national look at vulnerabilities 
and gaps across the sectors.
    GAO has reviewed the stand-up of the Coordinating Councils, 
the NIPP, and nine of the sector plans, as well as interviewed 
the chairs of each council, and has drawn several findings from 
this work.
    First, while sector plans are very useful to DHS in 
providing a consistent baseline, sectors had mixed opinions 
about the value of the plans and some were not as detailed and 
complete as others, which could limit their usefulness.
    Second, sectors have faced several challenges moving 
forward as plans and implementation evolve.
    Third, it appears that relatively few sectors are close to 
completing all of the systemic steps called for in the NIPP and 
will continue to evolve, as well.
    To further elaborate on each of these points, the sector 
plans are useful to DHS by providing it a baseline and 
consistent approach to protection, and a number of private 
sector representatives said that developing the plans was 
helpful for providing collaboration, information sharing, and 
common strategies. But for several other sectors, ones that 
were more mature, more homogeneous, or regulated, the plans are 
not as useful because these sectors had prior plans they were 
already implementing, such as in response to the Y2K scare, or 
because they did not think the private sector had been 
sufficiently involved in the process.
    While all the plans met DHS guidance and NIPP requirements, 
the comprehensiveness and potential usefulness of the plans 
that we reviewed were also mixed. They all included protection 
goals and objectives and sector intentions for assessing, 
prioritizing, and protecting assets. But the plans varied in 
the extent to which they: First, discussed protective measures 
in detail, since some sectors were not ready to do so or chose 
not to; second, recognized how sectors depended on each other, 
such as for electricity, telecommunications, or water to 
continue operations, and laid out these dependencies in their 
plans and in implementation; third, comprehensively assessed 
not only their physical assets, such as buildings, but also 
their cyber and human assets, a gap that could deter sectors' 
readiness; and fourth, discussed possible incentives they could 
use to encourage private sector protection efforts, even though 
sectors depended on such efforts.
    And while plans acknowledged the need for metrics to 
determine how much protection we are achieving, some are going 
to rely on qualitative measures of progress, such as tests 
accomplished, instead of outcome measures of protection 
achieved. We recognize that assessing outcomes will be very 
difficult, but as you know, measures drive performance, so 
addressing this and other gaps in the plans will be important 
moving forward.
    As to our second finding, most private sector 
representatives spoke positively of their lead Federal 
agencies, including DHS, and the support provided, especially 
contractor support, but to varying degrees identified some 
challenges that they face: First, dealing with DHS 
reorganizations, staff turnover, and lack of expertise about 
some sectors; second, getting full council representation for 
some sectors that have a widely diverse membership, such as the 
health and agricultural sectors; third, having infrastructure 
that was primarily systems, networks, or people rather than 
buildings, and this complicated their planning, and according 
to the IT sector representatives, also complicated qualifying 
for some of the grant programs, as well.
    Another challenge was getting State and local players 
involved, in part because of the costs and time commitments, 
even though they are critical to protection efforts, and also, 
getting buy-in to the plans from all individual owners, 
operators, and private sector members. So marketing these plans 
will be important. This will also help to ensure that the plans 
don't simply sit on the shelf. And a final challenge was 
private sector reluctance to provide DHS with information on 
assets and vulnerabilities for fear that their proprietary 
information would not be protected, including from possible 
terrorists, or they would lose competitive advantage or face 
litigation.
    As a result, most sectors still rely on their own voluntary 
information sharing advisory councils to share information and 
we are optimistic about the Critical Infrastructure Protection 
Advisory Council DHS initiated because it provides for closed 
meetings with the private sector. But others were still 
cautious about using DHS's program to protect critical 
infrastructure information and we had identified such 
reluctance in a report last year and proposed recommendations 
for improvements, and also using DHS's Homeland Security 
Information System because it lacks certain security features 
that were important to the private sector.
    As for our last finding, according to the sector plans we 
reviewed and representatives we contacted, it appears that only 
a few sectors, especially more mature ones, are relatively far 
along in completing all steps in the sector-wide NIPP process, 
and several newer sectors, such as health care, were still in 
the early stages. The recent status reports that the sectors 
submitted to DHS may give us a more accurate picture of this 
progress.
    DHS has made a lot of progress and has opportunities to 
promote this progress going forward. For example, it could 
target its support to the sectors that have made less progress. 
It can ensure that the critical gaps in the plans and the 
challenges we discussed are addressed. It can help sectors 
market these plans to get buy-in and implementation. It can 
streamline its review process in the future and provide the 
private sector more time for input, a problem a number of the 
private sector representatives identified in speaking with us.
    Maintaining momentum and timelines for implementation will 
also be important. Continued Congressional oversight, such as 
assessing sector status reports to determine progress, 
assessing the threat information and risk assessments that 
sectors use, since they drive the investment decisions, and 
what sectors have achieved with grant funding can also provide 
momentum and GAO stands ready to support this oversight.
    Finally, longer-term policy questions can include, does DHS 
have enough leverage to ensure the private sector will meet 
protection goals? Can we rely on market incentives or do we 
need other incentives, such as more targeted funding, tax 
incentives, or innovative R&D investments? Who will pay for any 
gaps between protection the private sector is willing to fund 
and any added protection needed to meet national security 
goals? And are we focused on the right goal, protection versus 
resiliency? Some in the private sector argue the end game 
should be resiliency, which means how quickly can operations be 
restored after an incident, rather than protection, which they 
characterize as adding more guns, guards, and gates, because 
resiliency is measurable and perhaps more affordable. What is 
the right balance between these two goals?
    This concludes my statement and I would be happy to answer 
any questions. Thank you.
    Senator Pryor. Thank you. Ken Watson.

      TESTIMONY OF LIEUTENANT COLONEL KENNETH C. WATSON, 
     (RETIRED),\1\ VICE CHAIRMAN, PARTNERSHIP FOR CRITICAL 
     INFRASTRUCTURE SECURITY, AND SENIOR MANAGER, CRITICAL 
       INFRASTRUCTURE ASSURANCE GROUP, CISCO SYSTEMS, INC.

    Mr. Watson. Mr. Chairman, thank you for inviting the 
Partnership for Critical Infrastructure Security (PCIS) to 
participate in today's hearing on America's private sector 
preparedness to protect our critical infrastructure.
---------------------------------------------------------------------------
    \1\ The prepared statement of Mr. Watson appears in the Appendix on 
page 140.
---------------------------------------------------------------------------
    The NIPP designated PCIS as the private sector cross sector 
coordinating council for protecting critical infrastructure, 
but in fact, we have been fulfilling that role for the last 8 
years, since we formed in 1999. Our council consists of the 
Sector Coordinating Councils (SCCs), the private sector 
components of the designated critical infrastructure sectors. 
Most of the sectors have also established Information Sharing 
and Analysis Centers (ISACs) to manage the daily information 
sharing needs of the sectors.
    In October 1997, the President's Commission on Critical 
Infrastructure Protection published its seminal Critical 
Foundations report, which identified two irreversible trends: 
Increasing privatization of critical services; and increasing 
migration of core business and government operations to 
networks, including the Internet. The Federal Government called 
for a public-private partnership and we responded by founding 
the PCIS in 1999 in response to that call.
    We have made tremendous progress. I believe we are on a 
very solid path and the Nation's critical infrastructure is far 
more resilient to potential attacks or natural disasters than 
we were 8 years ago.
    The PCIS Business Plan identifies four broad goals, each 
with its own objectives and metrics: First, partnership 
leadership on critical infrastructure issues and policy that 
reflect the consolidated all-sector perspective; second, cross-
sector leadership in cross-sector interdependency issues; 
third, sector assistance to increase the value to the sectors 
and the SCCs; and fourth, PCIS effectiveness, improving the 
organizational effectiveness and value of the PCIS itself.
    Our members see value in understanding issues common to 
multiple sectors, unique challenges or solutions from a single 
sector, and the ability to jointly approach DHS and other 
government organizations. In addition, because of our sector-
specific subject matter expertise, the National Infrastructure 
Advisory Council, or NIAC, calls on us from time to time to 
help develop policy advice for the President. Two notable 
recent efforts studied pandemic vaccine prioritization for 
critical infrastructure protection workers and issues 
surrounding public-private sector intelligence coordination.
    Chief among our recent successes is the development of the 
NIPP and its 17 Sector-Specific Plans. This level of 
collaboration would have been impossible without the Critical 
Infrastructure Partnership Advisory Council framework provided 
by the Congress in the Homeland Security Act of 2002 and 
implemented by Secretary Chertoff more than a year ago. This 
CIPAC framework allowed us to work side-by-side with our 
government counterparts to write these plans. This 
collaboration improved the NIPP's approach to risk management. 
The initial DHS draft proposed a bottom-up approach for all the 
sectors which focused on physical assets. After considerable 
engagement between DHS and functionally-based sectors, such as 
electricity, IT, and communications, the NIPP Risk Management 
Section evolved to accommodate top-down risk management models, 
permitting multiple approaches.
    Developing the Sector-Specific Plans (SSPs) was not a 
perfect process. Most sectors were pleased with the 
collaboration of their sector-specific agencies, but for 
others, a learning curve still remains. I see these as growing 
pains as all partners embrace the new framework.
    The list of sector successes is long and growing. My 
written testimony highlights six sample success stories and I 
encourage you to review them at your earliest opportunity. For 
example, in the financial services sector, several Regional 
Partnership Councils have formed, allowing members to 
collaborate on disaster management matters with Federal, State, 
and local partners. Meanwhile, the rail and water sectors have 
begun meeting quarterly with key intelligence personnel to 
build trust, increase knowledge, and raise awareness. Using a 
competitive DHS grant, the commercial facilities sector created 
a training course to help managers of stadiums, arenas, 
performing arts centers, and convention centers to implement a 
DHS web-based security awareness and vulnerability assessment 
tool.
    Removing barriers to private sector participation is a key 
initiative of DHS and the PCIS. The Subcommittee asked me to 
comment today on three specific areas of concern: First, issues 
of competitive advantage; second, fear of sharing sensitive 
information; and third, worries the partnership might exclude 
smaller operators.
    I understand competition is cited frequently as a barrier 
to partnership, but I believe Greg Jones, the Chief 
Administrative Officer for Greenberg Traurig, LLP, summed it up 
best when he wrote recently, ``We are competitors, not 
enemies.'' The same holds true for the collaborative approach 
embraced by the SCCs and the ISACs.
    Regarding sharing sensitive information, we work closely 
with the Protected Critical Infrastructure Information Program 
Office (PCII) and the Information Sharing Environment (ISE) 
under the CIPAC framework to develop a simplified, rational 
approach to protecting information. As long as statutory 
protections for this information remain, the PCII Program 
should function within the newly-proposed Controlled 
Unclassified Information (CUI) environment.
    Despite these efforts, some sectors still have serious and 
legitimate concerns. First, sectors are unclear about what 
sensitive information DHS needs. Second, sectors worry this 
information might be disclosed publicly, making it available to 
competitors or used in litigation.
    SCCs include all relevant trade associations, a provision 
we insisted upon and DHS incorporated into the CIPAC framework 
to ensure inclusion of smaller operators. The food and 
agriculture SCC, for example, has 119 separate entities 
representing the entire sector, from farm to table. The 
financial services SCC has 34 associations and companies 
representing banks, brokerages, and insurers. In addition, 
Homeland Security Assistant Secretary Bob Stephan and others 
regularly travel around the country encouraging companies and 
associations to join their SCCs and ISACs, and we appreciate 
that.
    Finally, please allow the PCIS to make a few suggestions 
that we, its members, feel would enhance the partnership and 
improve the ability of the United States to manage exceptional 
events. First, let the partnership mature. We have accomplished 
a great deal with DHS since its inception and even more since 
Secretary Chertoff exercised the Section 871 exemption to 
create CIPAC a year ago. While we welcome Congressional 
involvement, we must continue building a trusted environment 
that allows us to work freely with our government partners on 
sensitive safety and security issues. Moving forward, we would 
be happy to work with you as you consider standards and risk 
assessments.
    Second, the PCIS asks you to help us educate all Federal 
partners about the nature and value of this partnership because 
it has not been executed uniformly across all sectors. Some in 
the Federal Government still fail to understand the model's 
merits. Many we work with in the DHS IT and Communications 
Operations Group and the Partnership and Outreach Division 
embrace the structure, but the farther you travel from those 
offices, the less understanding and appreciation of the sector 
partnership framework you will find.
    Third, it is time to review the National Response Plan to 
include more proactive private sector participation in response 
actions. This is crucial in the cyber dimension, as PCIS 
considers all cyber incidents international by default. The 
private sector has multiple collaborative mechanisms to deal 
with significant cyber incidents. Many Internet service 
providers, for example, collaborate through the informal ``nsp-
sec'' community. Multiple public and private sector incident 
response teams also belong to the more formal Forum of Incident 
Response and Security Teams (FIRST). These two organizations 
are really the global cyber first responders. In turn, the NRP 
should direct proper authorities to these and other like-minded 
organizations during a cyber incident of national significance.
    Finally, the government must do a better job of sharing 
timely and useful information with the private sector. It is 
often difficult to determine exactly who needs to know 
sensitive information, but this partnership framework includes 
enough trust to err on the need-to-share side of the equation. 
Complex interdependencies, a lack of sector familiarity, and 
complex collocation of assets argue for a proactive sharing of 
alerts and warnings with the PCIS and the relevant ISACs. Many 
ISACs can transmit and store classified material and many 
sectors have cleared individuals who can be trusted with 
sensitive information.
    That concludes my remarks. Thank you again for the 
opportunity to be with you today on behalf of PCIS. I would be 
happy to answer any questions you have.
    Senator Pryor. Thank you. Mr. Watson, let me start with 
you, if I may. Just by way of background, tell me a little bit 
about your organization, the Partnership for Critical 
Infrastructure Security. I think you said it started in 1999. 
Why did it start? How does it work?
    Mr. Watson. The way it started, as you remember, the 
President's Commission on Critical Infrastructure Protection 
(PCCIP), or the Marsh Commission, reported its Critical 
Foundations report on the vulnerability of critical 
infrastructures and a plan forward in October 1997. The 
government responded with PDD-63, Presidential Decision 
Directive 63, in May 1998, which created a lot of government 
organizations including the CIAO, the NIPC, and a few others 
that were scattered around the Federal departments.
    At the time, the Critical Infrastructure Assurance Office 
(CIAO) was in the Department of Commerce. The Department of 
Commerce put out a call for public-private partnership because 
that was the view of the Marsh Commission, that the only path 
forward because of these irreversible trends that I mentioned 
was public-private partnership. We responded by calling, I 
think over 200 companies to come to the table to form the PCIS, 
and our first meeting was actually in the Windows on the World 
restaurant at the top of the World Trade Center in December 
1999. Since then, we created committees to look at research and 
development, information sharing, public policy, and any other 
areas that might be important to all the sectors or multiple 
sectors and began to coordinate with the Federal Government.
    When DHS was formed, all of the offices that were dealing 
with critical infrastructure assurance moved into the 
Department, so we had a single face now to work with--to 
coordinate most efforts across the sectors. Now, we understand 
that many of the sector-specific agencies are not in DHS. DHS 
has the overall coordination role and we are comfortable with 
that. For example, the financial services sector had a long 
relationship with the Treasury Department and they want that to 
continue and we support that, and similar relationships exist 
for the other sectors.
    Senator Pryor. OK. And you have been asked to help 
coordinate the various sectors. What is your role there?
    Mr. Watson. Currently, I am the Vice Chairman of the PCIS. 
I am also on the Executive Committee for the IT Sector 
Coordinating Council.
    Senator Pryor. You obviously work very closely with DHS. Is 
there an arms-length relationship with DHS? Are you independent 
of them?
    Mr. Watson. We are very independent. At first, the funding 
model was donations from founding member companies. We got away 
from that because we believed that the business model that 
included payment of dues was exclusive and eliminated some of 
the smaller players, and so we eliminated the dues requirement. 
DHS stepped up to the plate after they were formed to help 
provide administrative support as long as--and we made sure 
that they couldn't have access to private sector-only 
information, but if they wanted to provide information, that is 
what we are still doing admirably now. They support us in terms 
of coordinating conference calls, printing, organization 
support, meeting support, those kinds of things, and that 
relieves us of the burden of a lot of expenses.
    We do have a Board of Directors and we pay for our own 
Directors and Officers insurance and our own budgeting, but it 
is so minimal that it is not a burden to anybody that would 
like to participate.
    Senator Pryor. Great. Now, let me ask, you mentioned in 
your testimony about the trust level with the private sector 
and the government, and I understand that sometimes the 
government is very reluctant to share classified information. 
Sometimes the private sector is very reluctant to share some of 
their proprietary information. I understand that. But what is 
the best way to balance national security and the need for the 
interested parties to be fully informed and have all the 
information they need? Do we have that balance yet? What do we 
need to do to improve that?
    Mr. Watson. We are making a lot of progress. We are not 
completely there yet. I think that the effort of the 
information sharing environment is a good one. It is not mature 
yet. We haven't really defined whether PCII will work within 
the framework. We think it will, but it hasn't been tested yet. 
Now, this is the ability to share sensitive information with 
the government. The private sector would like to share 
information with the government because the government has a 
role in helping us protect ourselves and the country from 
attacks and natural disasters.
    On the sharing of sensitive government information, 
including classified information, HITRAC is a step in the right 
direction. It is the Homeland Infrastructure Threat and Risk 
Analysis Center--the DHS fusion center that brings in all of 
the threat and law enforcement information, and they have 
opened up HITRAC to private sector participants, which we think 
is a very positive step.
    Now there is an opportunity to get private sector expertise 
in the door to help train government analysts on what is 
important and what is not important, so we are making progress, 
but there is more to do.
    Senator Pryor. Let me ask, I want to get to you in just a 
moment, but let me ask while I have you, Mr. Watson, there are 
15 national planning scenarios that cover a wide range of 
disasters--earthquakes, floods, cyber attack----
    Mr. Watson. Right.
    Senator Pryor [continuing]. Pandemic flu, etc. To the 
layperson, it seems that we are covering the waterfront there, 
but is there anything that you think we are missing? Are there 
any scenarios that we really haven't thought of or something 
that might fall in the gaps that we are really not preparing 
ourselves for?
    Mr. Watson. That list of scenarios is pretty thorough. They 
are also plugged into the National Exercise Program, either one 
at a time or in combination, and I think that is the right 
thing to do. It is going to take an awful long time to get 
through all 15 if you do them one at a time. I think the 
nightmare scenario would be a large physical attack in 
combination with a cyber attack that disables the emergency 
response. That is the one that keeps us up at night. So if we 
could exercise that and make sure that the first responders--
firefighters, police, emergency medical, and local government 
decision makers--work through the degraded communication that 
would happen in those kinds of things and had alternate means 
of communications planned in advance, we would be much more 
resilient to that kind of a combined attack.
    Senator Pryor. Let me ask about the cyber attack, because 
that is a relatively new phenomenon that a lot of people don't 
know a lot about. They may get a virus on their computer or 
something like that, but they really don't understand. In your 
estimation, how bad could a cyber attack be? I have heard some 
people talk about a digital Pearl Harbor. What is kind of the 
worst case scenario for a cyber attack, in your estimation?
    Mr. Watson. Well, first of all, it is not as good or as bad 
as you see in a lot of the press. You can see comments all over 
the spectrum. The Internet is probably the most resilient and 
redundant communications means that we have ever developed. It 
would be very unlikely that it would be disabled because--for 
many reasons. It is resilient. It is redundant, as I have said. 
But the bad guys use the Internet like we do, to share 
information or to spread information or to gather information. 
So they don't want to take down the infrastructure on which 
they depend any more than we would want it to come down.
    That said, if terrorists had the wherewithal to delay or 
confuse a 911 response system while they were conducting a 
physical attack, they could theoretically increase the number 
of casualties and delay the response to protect those citizens, 
and that is the one that would worry me.
    Senator Pryor. OK. Do you feel like we are taking steps to 
avoid that scenario?
    Mr. Watson. We are taking a lot of steps. The sectors are 
very engaged and we are improving the security responses in 
everything from control systems, all the way through 
communications and interdependencies.
    One area I think we could work better on is regional 
interdependency exercises so that every region and every city 
knew who the stakeholders were in all the sectors and they had 
exercised through all these options and knew the backup plans 
they need to put in place.
    Senator Pryor. In your view, is that something that could 
be coordinated by the Department of Homeland Security?
    Mr. Watson. I believe it is and I think it is in their plan 
to do that.
    Senator Pryor. OK. Thank you.
    Mr. Stephan, let me turn to you. I know it looked like a 
couple of times you wanted to chime in there and maybe add a 
little something. Did you want to add anything before I ask you 
questions?
    Colonel Stephan. No, sir. I am pretty much in agreement 
with Mr. Watson's response. He has been a great partner and his 
leadership has been personally very effective in building a lot 
of bridges and certainly they are not shy in bringing problems 
and issues to us through the PCIS and at the individual sector 
level. That is what the partnership is all about and we 
continue to solicit that feedback. Every suggestion that these 
folks pass up or issue they pass up, I take action on or 
explain to them why I am not able to do it so at least we have 
that very positive and direct feedback loop going back and 
forth.
    Senator Pryor. Good. Let me ask about these sectors that we 
have talked about here, these 17 sectors. One of the first 
questions I have is when you try to get information from them, 
who do you get information from? For example, the food sector 
is such a broad, wide-ranging sector. Who do you get 
information from and how do you manage that information?
    Colonel Stephan. Sir, there are two different levels of 
information and collection, if you will. One is sector-level 
information in terms of strategic risk concerns for the sector, 
general concerns, how each sector does incident management. We 
work through the Sector Coordinating Council framework, 
sometimes through the PCIS if it is an issue that crosses 
multiple sectors. Using that approach, again, that is more for 
strategic-type information needs.
    Then we have another level that is a little bit more 
challenging because we need individual vulnerability and 
consequence information that we need to draw in many cases from 
individual companies or corporations across the 17 sector 
landscapes. I get information from them, sometimes again using 
the Sector Coordinating Council framework, but more importantly 
and probably most importantly, my direct information venue now 
is my Protective Security Advisor cadre, those 17 folks 
representing my boots on the ground, my eyes and ears forward 
in very critical locations across the country that have 
developed trusted relationships with State and local partners 
as well as private sector partners down to the individual 
facility level.
    Cracking this nut is tough in terms of risk. We are using a 
tiered approach and we have identified through our partnership 
model approximately 2,500 things out of the tens and tens of 
thousands of things that represent infrastructure nodes across 
the country, things that we would classify as a tier one or 
tier two by sector, meaning certain consequence and threat and 
vulnerability criteria. We work through the Sector Partnership 
model, through the Coordinating Councils, and with individual 
facilities to gather information relative to their 
vulnerabilities and consequences and how a threat vector of a 
particular nature might affect them. That process was kick-
started a couple of years ago to drill down so we could focus 
on those things that we all considered to be mutually 
important.
    Senator Pryor. OK. Let me ask a similar question to what I 
asked Mr. Watson a few moments ago about information going back 
and forth between the government and the private sector. Again, 
I know sometimes the government is very reluctant to share 
classified information. That is understandable and I understand 
why the private sector is reluctant to share proprietary 
information or just very sensitive information, whatever it may 
be. But do you feel like that the government is doing an 
adequate job in sharing classified information under the right 
circumstances and do you feel like you are getting enough 
information from the private sector?
    Colonel Stephan. Sir, on the classified piece first, we 
have enabled about 900 private sector leaders across the 17 
sectors to get a secret-level security clearance, so they come 
into our classified world and actually give us advice and 
recommendations as we are building the intel products that 
affect their world and help us translate from intel speak into 
private sector speak, if you will. That is one important piece.
    But I think the most important piece is working with the 
intelligence and law enforcement community, the CIA, the FBI, 
and others, kind of ingraining within those organizations the 
need to declassify using the tear-line construct, tearing off 
sources and methods, normally the facts and figures associated 
with threat information or maybe at the ``for official use 
only'' or at the completely unclassified level.
    I have been with the Department since day one. It was a 
very difficult process 4 years ago to declassify information in 
real time to get it to the private sector. We can do that now, 
for example, in this emerging threat scenario with respect to 
the London and Glasgow events, the JFK events, the events 
associated with the group that was going to be focused on Fort 
Dix in New Jersey, very quickly, I mean, within a matter of 
hours, declassifying information, forming tear-line pieces of 
it, using our information network to blast it out through the 
PCIS and the individual Sector Coordinating Councils across the 
United States to our various private sector partners. That is 
dealing with government to private sector information exchange.
    On the flip side, information that we require of the 
private sector, the key is trust, trust that we will be able to 
protect the information that the private sector provides to us 
that is of a proprietary nature or that is of a very specific 
vulnerability or consequence nature so that they, in fact, 
don't actually focus terrorists on them through this process.
    Before we published the final Protective Critical 
Infrastructure Information Rule, I think we had a whopping 
total of 48 vulnerability submissions from the private sector, 
about a year and a half ago. Since the publication of the final 
rule, since now everybody knows what the real deal is and they 
can study it, they can have their lawyers focus on it, we now 
are over 5,400 individual vulnerability assessment submissions 
in the span of the last 18 months. So we continue to climb the 
chart now in a geometric fashion instead of trickling them in a 
few dozen or so maybe in a year's time frame. That is very 
important.
    Getting education and awareness through the Sector 
Coordinating Councils, through the PCIS, down to the companies 
that this is how your information will be protected is very 
important, but the true test of time of all of this will be 
when PCII hits the judicial process for the first time and we 
have a successful court case that will show the private sector 
that this will withstand judicial scrutiny and we will get a 
favorable ruling. Until that happens, there will be a shadow of 
doubt in the private sector's mind that the court system will 
allow this information regime that we have put in place to 
stand.
    So again, doing everything we can to work with the folks, 
help them understand why we need the information, how it will 
be protected, final rule out the door, building up that trust 
through my PSAs and others at the individual jurisdiction or 
company level, and finally, this will have to go through the 
court process to make a 100 percent determination.
    Senator Pryor. In the last few days, Secretary Chertoff has 
been in the news about perhaps increased threat level in the 
summer months, and the Department of Homeland Security, a 
couple years ago established this color-coded threat level. Do 
you incorporate that in what you are doing? In other words, do 
you look at various infrastructure and say, well, this may be a 
red, this may be a yellow, this may be a green? Do you make 
that independent assessment?
    Colonel Stephan. Sir, we make that assessment, but not 
independently, in concert with State and local government 
officials, principally the State Homeland Security Advisory 
Network, and again, through the Sector Coordinating Councils 
for each of the sectors. I have a general level of protective 
measures in place that people will go to depending on where we 
are in the color scale. That has been coordinated over time 
over the past 3 years.
    We used that set of protocols specifically with the 
transportation sector, the aviation subsector last August when 
we went from yellow to orange in the aviation subsector, 
putting in place mutually agreed-to protocols. Some of those 
responsibilities lie with the Federal Government through TSA. 
Lots of them, and most of them, in fact, lie with the airports 
and the airlines through that network.
    Senator Pryor. So in other words, you feel like you have 
the flexibility--just say, for example, Secretary Chertoff says 
we generally are in an orange----
    Colonel Stephan. Yes, sir.
    Senator Pryor [continuing]. But you look at your sectors 
and you say, well, these couple of sectors are probably more to 
red and these others may be more to yellow, but nonetheless, 
you have the flexibility to----
    Colonel Stephan. We have the flexibility to go up by color 
by individual sector or subsector, or if we want to not do 
that, we can, by virtue of our Executive Notification System, 
our Information Sharing Network, our Sector Partnership Council 
framework, bringing the folks together and say, based on intel, 
we feel it is prudent that this sector, without raising 
necessarily to orange or red, take additional steps such as the 
following, and we push those recommendations out the door. But 
again, we do that in a collaborative fashion via phone 
conference or face-to-face meetings sector by sector.
    Senator Pryor. All right. Let me ask one last question for 
you, Mr. Stephan, if I can, and that is, I think it was both 
you and Ms. Larence testified that the private sector controls 
about 85 percent of the critical infrastructure in this 
country. Who controls the other 15 percent, and are we doing 
something similar with that 15 percent?
    Colonel Stephan. I would say probably the lion's share of 
the remaining 15 percent is under State and local government 
control. For example, a lot of the water sector, municipal 
governments own water systems throughout the United States. And 
then probably less than 1 percent is an asset that is owned and 
operated and protected by the Federal Government. So our 
Federal departments and agencies have the least amount of 
responsibility by ownership across the board, State and local 
governments next in line, and finally the big lion's share of 
all this is through the private sector.
    We have a similar arrangement. We have a State, Local, 
Tribal, Territorial Government Coordinating Council, about 30 
individuals that represent Homeland Security advisors, 
emergency managers, law enforcement, public health officials, 
food and agriculture officials, regulatory officials at the 
State and local government level. We use them as a sounding 
board and as an information sharing network much as we do the 
Private Sector Coordinating Councils.
    And, of course, all the grant programs directed at 
infrastructure essentially provide money that go to State and 
local communities in concert with infrastructures that happen 
to reside within their jurisdictions. For example, my buffer 
zone program that IP owns, $191 million over the past 4 years, 
2,200 to 2,400 individual plans that tie inside defense and 
outside defense considerations together that unite State and 
local government, law enforcement with private sector security 
people to have a web of security that extends beyond the fence 
line or perimeter of a facility. That is how we need to 
collaborate together.
    Senator Pryor. OK. Let me ask one other follow-up. When the 
Department of Homeland Security was founded, the Critical 
Infrastructure Assurance Office (CIAO), is that what you call 
it?
    Colonel Stephan. Yes, sir.
    Senator Pryor. It migrated from Commerce to DHS.
    Colonel Stephan. Yes, sir.
    Senator Pryor. CIAO has started to try to get an assurance 
program for each U.S. department, is that right?
    Colonel Stephan. Sir, the CIAO in its form 4 years ago no 
longer exists. Those individual entities, five or six of them 
that came forward into the Department of Homeland Security no 
longer exist as individual entities. They are now interspersed 
among the divisions of the Infrastructure Protection Office or 
the Cyber Security and Communications Office. That early work 
by the CIAO has been superseded by the 17 Sector-Specific 
Plans, and a principal component for the Federal departments 
and agencies is the Government Facilities Sector-Specific Plan, 
where a lot of that pioneer work by the CIAO has been embedded 
or integrated.
    Senator Pryor. OK, great. That sort of ties up a loose end 
for me, because I didn't know how that worked. Thank you.
    Ms. Larence, let me ask you a few questions here. I believe 
in either your testimony or report, you talk about the turnover 
rate at Homeland Security and its effect on trust, just human 
nature being what it is, when you have a lot of new people and 
you haven't had a chance to build those relationships. What do 
you think we can do or should do, or how can we help alleviate 
that problem and build that trust? What do we need to do there?
    Ms. Larence. I don't know if I can address the turnover 
rate, but in terms of trust, this is an issue that we continue 
to identify in our reports over probably about the last 4 
years. Some of the sectors did report to us that it has been 
improving, that they have been building effective relationships 
with their counterparts within DHS and that has helped the 
sectors progress. I think not only the turnover, but the lack 
of expertise about the sectors and how their businesses operate 
is also another gap that might be something that DHS could 
address, perhaps through additional arrangements with 
contractors or intergovernmental personnel arrangements where 
you could bring folks in to learn about the industries' 
business.
    Senator Pryor. Let me ask, in your testimony a little bit 
earlier, you talked about plans to plan, and as I understand, 
what you were saying is that sometimes these efforts really 
result in plans to make a plan, but they never really get to 
the plan. Is that what you mean by that?
    Ms. Larence. The NIPP process is really about describing 
the process that sectors will use to get to the end point of 
identifying their critical assets and making sure they are 
protected, and so the NIPP was really just requiring the 
sectors to identify how they would go through that process.
    Senator Pryor. And, by the way, do you think that has been 
successful so far?
    Ms. Larence. All of the sectors have met those baseline 
criteria.
    Senator Pryor. OK.
    Ms. Larence. But if you look at the plans, some of the 
sectors that are more mature, for example, banking and finance, 
if you read their plans, they will indicate that they have 
identified a lot of their critical assets. They have risk and 
vulnerability assessments in place. They have been regulated. 
Their examiners have been doing risk assessments on a wide part 
of the industry.
    And so you can tell some sectors have gone through more of 
those steps, whereas if you look at, for example, public health 
or food and agriculture, they are really just getting their 
sectors organized and they are still at the very front end of 
that process where they are trying to make sure they have the 
right people at the table, quite frankly, and then begin to 
determine what criteria they would use to figure out what their 
most critical assets are across a widely diverse base. I think 
food and agriculture points out that they have millions of 
farmers, two million farmers, and 150 meat packing processing 
plants that they have to bring to the table. Health care has 13 
million health care professionals, 6,000 hospitals and a number 
of other facilities and labs. So just trying to get their arms 
around what their sector looks like and how to manage that 
diversity is a real challenge for them.
    Senator Pryor. You apparently testified before the House 
Homeland Security Committee, 3 weeks ago, something like that?
    Ms. Larence. We did a member briefing yesterday, sir, and 
before Appropriations several months ago.
    Senator Pryor. OK. Let me ask about the plan-to-plan idea 
and how some sectors are further ahead than others. Overall, 
what is your overall assessment of how we are doing in this 
effort? I mean, are we halfway there? Are we a quarter of the 
way there? Are we almost there? What is your general assessment 
of how we are doing?
    Ms. Larence. Well, in terms of actually designing and 
implementing the plans, we asked the chairs of each of the 
Private Sector Councils for their opinions, their own opinions 
of where they were, and I would say that most of them 
characterize themselves pretty much at, on a scale of one to 
five, at about a three. I think they feel that their large, 
most critical facilities or assets, were at least doing risk 
assessments or had them under control. They still have a lot of 
work to do to really get that sector-wide perspective.
    A couple of sectors felt that they were at a one or a two, 
that they had pretty much moved through the process and really 
had identified their assets and had conducted risk assessments 
and had protection measures in place, and a couple of the other 
sectors, as I mentioned, the public health and food and 
agriculture, some of those that are newer, recognized that they 
were probably more at stages three, four, or five, where they 
had a ways to go.
    That doesn't mean that those sectors' assets, however, are 
not protected, because as we mentioned, individual owners and 
operators, because of simply business operations or continuity 
of operations, or maybe the regulatory requirements for 
security, have taken some steps to make sure their assets are 
protected. So we don't want to mislead that the assets in those 
sectors are, in fact, unprotected. It is just trying to figure 
out as a whole, across the sector, where are we.
    Senator Pryor. Given your analysis and your review of the 
situation as it currently stands, if most of the sectors right 
now would give themselves maybe a three on a scale of five, if 
we were to have this same hearing a year from now, would they 
come in at fours and fives or would they still be at about a 
three?
    Ms. Larence. I think we are trying to get them to ones or 
twos, but I think a lot of them, if you look at their sector 
plans and the milestones that they had set out for them, have a 
pretty ambitious plan, I think, over the next year or two to 
move through that model. So I think we would see a lot more 
progress.
    Senator Pryor. OK. Good. Did anybody want to follow up on 
anything the other witnesses have said?
    Colonel Stephan. Sir, just one. I hardly ever am in 
disagreement with my colleagues from GAO, because they do a 
wonderful job. They have a significant amount of challenges. I 
would just question the phrase, ``plan to plan.'' I think that 
where we are is that every sector now has a baseline plan, and 
as you see from that list, these sectors--the only thing they 
share in common is that they are all different, all very 
unique. Most of them are huge, with the exception probably of 
the nuclear energy sector. There is a fairly tight, very tight, 
closely knit circle of friends there with a very small number 
of facilities that is under a security-regulated environment.
    I would say that all of these plans represent plans that 
have deliverables, milestones, and timelines that are concrete 
that set a baseline. These plans will be reviewed and updated 
on an annual basis, as required. But all of them have tangible 
things that they have signed up to with metrics to measure 
their performance embedded inside the plans that they have 
agreed to as a public-private sector partnership, and I would 
characterize them in that context as opposed to plans to plan, 
because I feel pretty strongly, I am not in this business to 
plan anymore. I am in this business to implement. We have a 
year and a half left in this Administration, and for my mission 
responsibility, no more planning except for, for example, in 
the case of avian flu, where we do have a few more steps to 
make at the sector level to put the final loops into that and 
close them.
    These things are a baseline. Some sectors are higher than 
others in terms of where they are in progress. That is by 
virtue of the fact of who they are, what their risk landscape 
looks like, how many actors are in there, how dispersed are 
they, so on and so forth. So I would just add that to my 
testimony.
    Senator Pryor. Ms. Larence, did you have any comment on 
that?
    Ms. Larence. Two, if I may, sir. Just one following up on 
cyber. I promised my colleague in our IT team to plug, as a 
separate effort, that they went through all the sector plans 
specifically looking to what extent they identified cyber 
issues, as Mr. Watson was referring to, and they will be 
releasing that report probably later next week.
    Similarly to our findings, they determined that to some 
extent it varied, the extent to which sectors considered their 
cyber assets in their sector plans. For example, as he 
mentioned, control systems. It is important that sectors think 
about where their critical cyber assets are and integrate those 
into their plans. So I think we still have some work to do with 
some of the sectors on that.
    The other thing I would just mention under information 
sharing, something to watch that is developing at the State 
level are State information or intelligence fusion centers, and 
each State has been creating those now to fulfill, I think, a 
gap that they found within their State jurisdictions to have 
information that their governors and that their State and local 
folks could use. We have been doing some work looking at those 
fusion centers and they are now beginning to look, some of 
them, at how they can bring the private sector into those 
fusion centers, as well, which would give them some more direct 
access to intelligence and information.
    Senator Pryor. Right. We have been talking about that on 
the Subcommittee, as well, so that is good.
    Does anybody else want to comment?
    Mr. Watson. I might have one more point, just to 
reemphasize the need to look at the regional interdependency 
issue. Terrorists and Mother Nature don't attack sectors, they 
attack individual areas, and this has been a very valuable 
exercise to develop sector-wide principles and guidelines for 
security measures. It has been valuable for us. In the IT 
sector, the first thing we had to do was define the sector. Who 
are the members and what are the key functions? How do we look 
at the dependencies of those functions, and what are the cross-
sector interdependencies? So that has been very valuable for 
us.
    But we need to always keep in the forefront of our minds 
that it is a regional emphasis. We need to build from there and 
look at the multiple sectors that are uniquely connected in 
each region of the country.
    Senator Pryor. Good. Well, listen, I want to thank the 
witnesses again. We will keep the record open for 15 days. All 
of our colleagues on the Ad Hoc Subcommittee may submit 
questions in writing. If they do submit any questions, I would 
like you all to respond to those as quickly as you could.
    I want to thank you all and let you know that your written 
statement will be made part of the record, and if you have 
other documents or studies that you want to be part of the 
record, we will be glad to include those, as well.
    So thank you again for being here and thank you for your 
testimony.
    [Whereupon, at 3:17 p.m., the Subcommittee was adjourned.]

                            A P P E N D I X

                              ----------                              

[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]