[Senate Hearing 112-586]
[From the U.S. Government Publishing Office]

                                                        S. Hrg. 112-586




                               before the

                       COMMITTEE ON THE JUDICIARY
                          UNITED STATES SENATE

                      ONE HUNDRED TWELFTH CONGRESS

                             SECOND SESSION


                             MARCH 13, 2012


                          Serial No. J-112-63


         Printed for the use of the Committee on the Judiciary

76-357                    WASHINGTON : 2012
For sale by the Superintendent of Documents, U.S. Government Printing Office, 
http://bookstore.gpo.gov. For more information, contact the GPO Customer Contact Center, U.S. Government Printing Office. Phone 202�09512�091800, or 866�09512�091800 (toll-free). E-mail, [email protected]  

                       COMMITTEE ON THE JUDICIARY

                  PATRICK J. LEAHY, Vermont, Chairman
HERB KOHL, Wisconsin                 CHUCK GRASSLEY, Iowa
DIANNE FEINSTEIN, California         ORRIN G. HATCH, Utah
CHUCK SCHUMER, New York              JON KYL, Arizona
DICK DURBIN, Illinois                JEFF SESSIONS, Alabama
AMY KLOBUCHAR, Minnesota             JOHN CORNYN, Texas
AL FRANKEN, Minnesota                MICHAEL S. LEE, Utah
CHRISTOPHER A. COONS, Delaware       TOM COBURN, Oklahoma
            Bruce A. Cohen, Chief Counsel and Staff Director
        Kolan Davis, Republican Chief Counsel and Staff Director

                            C O N T E N T S




Grassley, Hon. Chuck, a U.S. Senator from the State of Iowa......     2
    prepared statement...........................................    98
Leahy, Hon. Patrick J., a U.S. Senator from the State of Vermont.     1
    prepared statement...........................................   102


Bunting, Kenneth F., Executive Director, National Freedom of 
  Information Coalition, Columbia, Missouri......................    17
Ensminger, J.M. (Jerry), Retired marine Master Sergeant, Camp 
  Lejeune Marine Base, Elizabethtown, North Carolina.............    15
Nisbet, Miriam, Director, Office of Government Information 
  Services, National Archives and Records Administration, 
  Washington, DC.................................................     5
Pustay, Melanie Ann, Director, Office of Information Policy, U.S. 
  Department of Justice, Washington, DC..........................     7
Rosenzweig, Paul, Red Branch Consulting, PLLC, Professorial 
  Lecturer in Law, George Washington University, and Visiting 
  Fellow, The Heritage Foundation, Washington, DC................    19

                         QUESTIONS AND ANSWERS

Responses of Miriam Nisbet to questions submitted by Senators 
  Grassley and Klobuchar.........................................    26
Responses of Paul Roaenzweig to questions submitted by Senators 
  Grassley, Sheldon, Whitehouse and Klobuchar....................    29
Responses of Melanie Pustay to questions submitted by Senators 
  Leahy, Cornyn, Grassley and Klobuchar..........................    33

                       SUBMISSIONS FOR THE RECORD

Bunting, Kenneth F., Executive Director, National Freedom of 
  Information Coalition, Columbia, Missouri, statement...........    60
Epic.org, Electronic Privacy Information Center, Washington, DC, 
  statement......................................................    66
Ensminger, J.M. (Jerry), Retired Marine Master Sergeant, Camp 
  Lejeune Marine Base, Elizabethtown, North Carolina, statement..    77
New York Times, March 10, 2012, article..........................   104
Nisbet, Miriam, Director, Office of Government Information 
  Services, National Archives and Records Administration, 
  Washington, DC:
    statement....................................................   107
    April 13, 2012, letter.......................................   112
    April 24, 2012, letter and attachment........................   114
Pustay, Melanie Ann, Director, Office of Information Policy, U.S. 
  Department of Justice, Washington, DC, statement...............   119
Rosenzweig, Paul, Red Branch Consulting, PLLC, Professorial 
  Lecturer in Law, George Washington University, and Visiting 
  Fellow, The Heritage Foundation, Washington, DC, statement.....   134
Sunshine in Government Initiative, Rick Blum Coordinator; 
  National Freedom of Information Coalition, Kenneth Bunting, 
  Executive Director; Project on Government Oversight (POGO), 
  Angela Canterbury, Director of Public Policy; American Society 
  of News Editors, Kevin Goldberg, Counsel; 
  OpenTheGovernment.org, Patrice McDermott, Executive Director; 
  and Citizens for Responsibility and Ethics in Washington, Anne 
  Weismann, Chief Counsel, February 16, 2012, letter.............   146



                        TUESDAY, MARCH 13, 2012

                                       U.S. Senate,
                                Committee on the Judiciary,
                                                   Washington, D.C.
    The Committee met, pursuant to notice, at 10:55 a.m., in 
room SD-226, Dirksen Senate Office Building, Hon. Patrick J. 
Leahy, Chairman of the Committee, presiding.
    Present: Senators Leahy, Whitehouse, Grassley, and Cornyn.

                      THE STATE OF VERMONT

    Chairman Leahy. I apologize for the late start. We had the 
beginning of debate on judicial nominations on the floor, the 
Majority and Minority Leaders and myself. I may be No. 2 in 
seniority for the Senate, but when I have the Majority and 
Minority Leaders who are there engaging in the colloquy, you 
tend to stay around and finish it. So I do apologize.
    We are holding an important hearing on one of our most 
cherished open-government laws, the Freedom of Information Act.
    Incidentally, I spoke to the Judicial Conference this 
morning at the Supreme Court and made a pitch again to open up 
our courts to cameras and full, instantaneous coverage. When I 
finished saying that, we had the chief judges of all the 
circuit courts there and the Chief Justice, and I said I was 
going to pause for the thundering applause. But, instead, I 
paused for the thundering silence.
    In the decade since September 11th, we have had to wrestle 
with how best to maintain the careful balance between what is 
legitimate Government secrecy and the public's right to know 
even as new national security threats emerge. Does government 
secrecy have its place? Of course. We were not about to 
announce, for example, to the press a week before the raid on 
Osama bin Laden. But I worry that since September 11th there 
has been overuse of the secrecy stamp. It is too easy to say, 
well, this is secret. And it may be secret because, boy, did we 
screw up. And when that happens, excessive government secrecy 
can come at an unacceptable price: harm to the American 
public's interests in safety, healthy living, a clean 
environment, and so on.
    Sunshine Week is a timely reminder that as the Congress 
considers how best to safeguard critical infrastructure 
information in cyberspace, we have to safeguard the American 
public's right to know about threats to their health and 
safety. Last year, the Supreme Court held in Milner v. Navy 
that the Government could not rely upon Exemption 2 under FOIA 
to withhold explosives maps from the public. That was an 
important victory. But now in its wake, Congress is considering 
several new legislative exemptions to FOIA. We should do that 
pretty carefully.
    In January, President Obama signed into law a carefully 
balanced, narrow exemption to FOIA for Department of Defense 
critical infrastructure information, and I helped craft that. 
It requires Government officials to affirmatively determine 
that withholding critical infrastructure information from the 
public outweighs other interests, such as ensuring that we have 
information that may concern our health and safety. Truly 
sensitive things can be withheld, but not as a knee-jerk 
reaction. So I intend to continue to work with other members on 
both sides of the aisle as we try to fulfill this goal.
    I am going to put my full statement in the record, but I 
commend the Obama administration for taking a number of 
important steps to improve transparency, such as the 
`ethics.gov' portal.
    Senator Cornyn and I, and before him, other Republican 
Senators, have done a lot of the legislation on FOIA. It should 
not be a partisan issue because I do not care whether you have 
a Democratic or Republican administration, there is always 
going to be some who are going to want to say, ``Why do we have 
to release this information? '' Well, my response would be, 
``Because you represent all Americans, and we have a right to 
    [The prepared statement of Chairman Leahy appears as a 
submission for the record.]
    Chairman Leahy. Senator Grassley.

                            OF IOWA

    Senator Grassley. Mr. President--or, Mr. Chairman, before--
    Senator Grassley. That was a slip. I was not trying to be--
    Chairman Leahy. I must admit that I am one of the very few 
Senators who has never had the desire to be President. Go 
    Senator Grassley. Before I read, I agree with what you have 
said except one little part, and I think I will preface my 
remarks with this: You know, I do not care whether we have a 
Republican or Democrat President, it is very, very difficult 
not only under FOIA but under our constitutional responsibility 
of oversight to get information. It is just a culture in the 
executive branch that is difficult to overcome. And the only 
reason I would separate out President Obama a little bit 
different from others is, as you said, he has put in place some 
statements and policies that are for more transparency and more 
openness. But I find it difficult, if I measure what he said he 
wanted to do, with what has actually materialized as either he 
did not mean it or--and I think he did mean it--and, No. 2, the 
people below him are not carrying out his policies.
    So I thank you for holding this hearing. Open government 
and transparency are essential for our democratic form of 
government. And I think James Madison had something very good 
to say about this: ``a people who mean to be their own 
Governors must arm themselves with the power which knowledge 
gives.'' And, of course, that knowledge comes from knowing what 
is going on in our Government, among other things.
    The Freedom of Information Act codifies this fundamental 
principle which our Founders found so valuable. So it is 
important to talk about the Act and the need for American 
citizens to be able to obtain information about how their 
Government is operating.
    Although it is Sunshine Week, I am sorry to report that, 
contrary to the President's proclamations when he took office, 
after 3 years I do not believe the sun is shining commensurate 
with his statements that he wanted to be the most transparent 
of any administration in history.
    Based upon my experience in trying to pry information from 
the executive branch, I am disappointed to report that agencies 
under the control of President Obama's political appointees 
have been more aggressive than ever in withholding information 
from the public and Congress.
    There is a complete disconnect between the President's 
grand pronouncements about transparency and the actions of his 
political appointees.
    On his first full day in office, the President issued a 
memorandum on FOIA. In it, he wrote that Executive agencies 
should ``adopt a presumption in favor of disclosure, in order 
to renew their commitment to the principles embodied in FOIA, 
and to usher in a new era of open government.'' All you can say 
to that is, ``Amen.''
    But, unfortunately, it appears that in the eyes of the 
President's political appointees--and maybe for this the 
President has a big, big job, maybe he cannot keep track of 
what everybody does or the trends in his administration--but 
his proclamations about open government and transparency are 
being ignored.
    Indeed, FOIA requesters appear to have reached the same 
conclusion. I will give you an example. When recently asked 
about President Obama and FOIA, Katherine Meyer, an attorney 
who has been filing FOIA cases since 1978, said, that the Obama 
administration ``is the worst on FOIA issues. The worst. There 
is just no question about it. This administration is raising 
one barrier after another. It has gotten to the point where I 
am stunned. I am really stunned.''
    The problem is more than just a matter of backlogs with 
answering FOIA requests. Based on investigative reports, we 
have learned of inappropriate actions by the President's 
political appointees.
    In March of last year, 2 weeks after this Committee held a 
hearing on FOIA, the House Committee on Oversight and 
Government Reform released a 153-page report on its 
investigation of the political vetting of FOIA requests by the 
Department of Homeland Security. The Committee reviewed 
thousands of pages of internal e-mails and memoranda and 
conducted six transcribed interviews.
    The Committee, under Chairman Issa, learned that political 
staff under the Secretary of Homeland Security corrupted the 
agency's FOIA compliance procedures, exerted pressure on FOIA 
compliance officers, and undermined the Federal Government's 
accountability to the American people. The report's findings 
are disturbing, and I will just summarize four of them.
    First, the report finds that by the end of September 2009, 
copies of all significant FOIA requests had to be forwarded to 
Secretary Napolitano's political staff for review. The career 
staff in the FOIA office were not permitted to release 
responses to these requests without approval from political 
    Second, career FOIA professionals were burdened by the 
intrusive political staff and blamed for delays, mistakes, and 
inefficiencies for which the Secretary's political staff was 
responsible. The Chief Privacy Officer, herself a political 
appointee, did not adequately support and defend career staff. 
To the contrary, in one of her e-mails, she referred to her 
career staff as ``idiots.''
    Third, political appointees displayed hostility toward 
career staff. In one e-mail, political staff referred to a 
senior career FOIA employee as a ``lunatic'' and wrote of 
attending a FOIA training session organized by the career 
staffer for the ``comic relief.'' Moreover, three of the four 
career staff interviewed by the Committee have been 
transferred, demoted, or relieved of certain responsibilities.
    Last, the report finds that the Secretary's office and the 
General Counsel's office can still withhold and delay 
significant responses. Although the FOIA office no longer needs 
an affirmative statement of approval, the Secretary's political 
staff retains the ability to halt the release of FOIA 
    The conduct of the political appointees at Homeland 
Security involved the politically motivated withholding of 
information about the very conduct of our Government from our 
citizens. In particular, it was the withholding of information 
about the administration's controversial policies and about its 
mistakes. That was a direct violation of the President's 
    I am disappointed that there was not more coverage of 
Chairman Issa's report and the inappropriate conduct by 
political appointees at Homeland Security. I am also 
disappointed that the Justice Department has not conducted an 
investigation of this scandal.
    I have to say that I am a bit surprised that some open-
government and privacy groups appear to be accepting the 
dramatic regulatory power that Homeland Security and Secretary 
Napolitano will have under the Lieberman-Collins cybersecurity 
bill and under President Obama's proposal. Given the FOIA 
scandal at Homeland Security, I would have thought that they 
would have more reservations.
    I am also sorry to say that the Department of Homeland 
Security is not alone when it comes to questionable actions. 
Recently, the National Security Archive gave its annual 
Rosemary Award to the Department of Justice for the worst open-
government performance in 2011.
    The charges the Archive makes against the Justice 
Department include:
    One, proposing regulations that would allow the Government 
to lie about the existence of records sought by FOIA 
requesters, and that would further limit requesters' ability to 
obtain information;
    Two, using recycled legal arguments for greater secrecy, 
including questionable arguments before the Supreme Court in 
2011 in direct contradiction to President Obama's presumption 
of openness;
    And, three, backsliding on the key indicator of the most 
discretionary FOIA exemption, Exemption 5 for deliberative 
process. In 2011, the Justice Department cited Exemption 5 to 
withhold information 1,500 times, and that is up from 1,231 
times in 2010.
    According to the Archive, the Justice Department edged out 
a crowded field of contending agencies that seem to be in 
``practical rebellion'' against President Obama's open-
government orders.
    So there is a disturbing contradiction between President 
Obama's grand pronouncements and the actions of his political 
appointees. The Obama administration does not understand that 
open government and transparency must be about more than just 
pleasant sounding words in memos. Ultimately, the President is 
responsible for the conduct of his political appointees, 
especially after 3 years in office. And both he and Attorney 
General Holder certainly know what is going on.
    Throughout my career I have been actively conducting 
oversight of the executive branch regardless of who controls 
the Congress or the White House. Open government is not a 
Republican or a Democrat issue. It has to be a bipartisan 
issue. It is about basic good government and accountability--
not party politics or ideology.
    I started out my remarks by quoting James Madison. Madison 
understood the danger posed by the type of conduct we see in a 
lot of administrations, but this one has not lived up to what 
they said that they intended to do. He explained that ``[a] 
popular government without popular information or the means of 
acquiring it, is but a prologue to a farce, or a tragedy, or 
perhaps both.''
    So I am looking forward to hearing the testimony. I want to 
thank all the witnesses for coming in today, and taking time.
    I also want to thank Sergeant Ensminger for his service to 
our country. I am very sorry about the loss of his daughter. I 
am also cosponsoring the Caring for Camp Lejeune Veterans Act, 
and this was brought to my attention about 4 years ago. People 
in my constituency that I did not even know existed came to my 
town meetings and came to Iowa. They were very much injured by 
what happened at Camp Lejeune, and I thank them for bringing 
that to my attention. And they were not leading a very high 
quality of life.
    Thank you, Mr. Chairman.
    Chairman Leahy. Thank you.
    Our first witness is Melanie Pustay, who is the Director of 
the Office of Information Policy at the Department of Justice.
    I am sorry. Actually, our first witness is Miriam Nisbet, 
the Director of the Office of Government Information Services 
at the National Archives. She served as the Director of the 
Information Society Division for UNESCO in Paris. She earned 
her bachelor's degree and law degree from the University of 
North Carolina.
    I appreciate having you here. I apologize for my voice. It 
worked fine in Vermont yesterday. I got off the airplane 
yesterday and found that we have a few more pollens in the air 
than snow-covered Vermont. Go ahead, Dr. Nisbet.


    Ms. Nisbet. Thank you, Mr. Chairman, Senator Grassley. 
Thank you for having me this morning. And, yes, I can feel that 
pollen a little bit, too, so bear with me, please.
    As both of you have mentioned this morning, the Freedom of 
Information Act is a cornerstone of our democracy, and we at 
the National Archives are proud to display the original Freedom 
of Information Act in the Rotunda of the Archives this week 
during Sunshine Week. For the first time, it is being 
displayed, and we would like to invite you to come and visit 
    An important part of the Freedom of Information Act is 
protecting sensitive information even as the Government strives 
to give the public the greatest access to records under the 
    I am here to provide you with a sense of what we are 
hearing from requesters and agencies about safeguarding 
critical infrastructure information and other records 
previously protected under Exemption 2 of the FOIA. In our work 
at the Office of Government Information Services, or OGIS, as 
the FOIA ombudsman, we talk every day with agency FOIA 
professionals and FOIA requesters. In fact, we have worked with 
requesters and agencies on more than 1,500 specific matters 
since we opened in September 2009. When Congress created OGIS 
as part of FOIA, the statutory mandate for our office included 
working to improve the FOIA process. We do that as we fulfill 
our two-pronged mission: reviewing agency FOIA policies, 
procedures, and compliance, which allows us to see how agencies 
carry out the law; and working to resolve FOIA disputes between 
agencies and requesters, which shows us where there are trouble 
spots. We regularly meet with and hear from requesters and 
agency professionals to discuss trends, problems, complaints, 
and improvements to FOIA's implementation.
    Chairman Leahy. Dr. Nisbet, we have all this and your whole 
statement is part of the record, but if you could direct us to 
which agencies are actually complying with FOIA as they should, 
which ones are not, and why.
    Ms. Nisbet. I would be happy to do that, and if I could, 
let me supplement the record with information about that. In 
fact, we are releasing a report on our activities for fiscal 
year 2011 this week, Mr. Chairman, and there will be a great 
deal of information about precisely what we have seen.
    Chairman Leahy. Which agency does the best job and which 
does the worst?
    Ms. Nisbet. I do feel like I am in the hot seat. I would 
say that there are a number of agencies that we have seen that 
are working very hard. We see that every day. The Department of 
the Interior, for example, is one that we have worked with. Not 
only has it been working on improving its FOIA process overall, 
but it has begun working with us to train its FOIA 
professionals in dispute resolution skills in order to help 
them do their job better and to carry out the FOIA in a very 
collaborative way that would avoid litigation. So I think that 
is really a good example.
    Chairman Leahy. Which ones are the worst? You are the 
    Ms. Nisbet. I think there are a number of agencies that are 
still working very hard with overcoming their backlog problems, 
and that is in some part due to resources. That is a perennial 
problem, as you know. And I really would prefer not to get too 
much into detail about the ones that are not doing a good job.
    Senator Grassley. Just remember, you are not elected. We 
are elected. We can get in trouble for answering that question. 
You cannot get in trouble.
    Ms. Nisbet. I do not know about that, Senator Grassley.
    Chairman Leahy. Thank you.
    [The prepared statement of Ms. Nisbet appears as a 
submission for the record.]
    Chairman Leahy. Ms. Pustay is Director of the Office of 
Information Policy, OIP, at the Department of Justice. Before 
becoming the office's Director, she served for 8 years as 
Deputy Director. She earned her law degree from American 
University's Washington College of Law where she served on law 
review, and disregard her B.A. from George Mason.
    Again, I apologize for the voice. Please go ahead.


    Ms. Pustay. No problem. Thank you. Good afternoon, Chairman 
Leahy and Ranking Member Grassley and members of the Committee. 
I am pleased to be here during Sunshine Week to address the 
effect of the Supreme Court's decision in Milner v. Department 
of the Navy and also to discuss the Department of Justice's 
continuing efforts to ensure that President Obama's Memorandum 
on the FOIA, as well as Attorney General Holder's FOIA 
Guidelines, are fully implemented.
    As you know, the Attorney General issued his new FOIA 
Guidelines during Sunshine Week 3 years ago, and based on our 
review of the Chief FOIA Officer reports and agency annual FOIA 
reports, it is clear to us that agencies are continuing to make 
significant, tangible progress in implementing the guidelines.
    In fiscal year 2011, despite being faced with a noticeable 
increase in the number of incoming requests, agencies overall 
were able to process over 30,000 more requests than last fiscal 
year. And, most significantly, when agencies processed those 
requests, they increased the amount of material they provided. 
The Government released records in response to 93 percent of 
requests where records were located and processed for 
disclosure. This marks the third straight year we have had such 
a significantly high release rate.
    Agencies are also continuing to meet the demand for 
information by proactively posting information of interest to 
the public on their websites. Many agencies have taken steps to 
make the information on their websites more useful to the 
public by redesigning the websites, adding enhanced search 
capabilities, utilizing online portals and dashboards.
    I am also pleased to report in particular on the successes 
achieved by the Department of Justice. This past fiscal year, 
the Department increased the number of responses to requests 
where records were released, and for the second straight year, 
we maintained a record high release rate of 94 percent for all 
requests involving responsive records that were processed for 
    And perhaps even more significantly, of those requests we 
released records in full 79 percent, which means that the 
requester got everything they asked for with no excisions.
    Despite 3 straight years of receiving over 60,000 requests, 
the Department reduced its backlog of pending requests by 26 
percent. We also improved the average processing time for 
simple and complex requests.
    Now, my office also carries out the Department's statutory 
responsibility to encourage compliance with the FOIA. And, of 
course, this guidance was particularly needed in the wake of 
the dramatic narrowing of Exemption 2 that occurred when the 
Supreme Court issued its opinion in Milner.
    As you know, in Milner, the Supreme Court overturned 30 
years of established FOIA precedent by restricting the scope of 
Exemption 2 to matters that relate solely to personnel rules 
and practices. Prior to Milner, agencies had long followed the 
interpretation of Exemption 2 provided by the D.C. Circuit, 
which applied a two-part test that was announced in the Crooker 
case. Under Crooker, information first had to qualify as 
``predominantly internal'' and, second, it had to be either of 
no public interest, which was referred to as ``Low 2,'' or be 
more substantial in nature where disclosure would risk 
circumvention of the law, and that was referred to as ``High 
2.'' We had a substantial body of case law developed over the 
years concerning High 2, with courts upholding protection for 
many different types of sensitive information when disclosure 
would risk circumvention of the law. But as a result of the 
Supreme Court's rejection of High 2 as inconsistent with the 
plain language of the exemption, there is a wide range of 
sensitive material whose disclosure could cause harm and which 
had previously been protected and which is now at risk.
    The Supreme Court was sympathetic in its decision to the 
policy concerns raised by the Government regarding the need to 
protect information when its disclosure risked harm. And the 
Court even acknowledged that it might be necessary for the 
Government to seek relief from Congress.
    Now, in the months since the Milner decision, some agencies 
have sought statutory relief under the FOIA for discrete 
categories of information. However, this piecemeal approach 
does not sufficiently ensure protection for all agencies and 
for all categories of information that were long protected 
under High 2. And we believe that the preferred course of 
action would be to amend Exemption 2 so that its plain language 
addresses the need to protect against disclosure where that 
disclosure would risk circumvention of the law.
    Open-government groups, reporters, and other interested 
members of the FOIA requester community are understandably 
interested in this issue as well, and the precise contours of a 
legislative amendment to Exemption 2 will need to take into 
account both the interests of the agencies in making sure that 
there is no circumvention of the law and the interests of the 
requesters and open-government groups in ensuring that 
exemptions are precisely crafted so as not to unnecessarily 
sweep too broadly.
    In closing, the Department of Justice looks forward to 
working together with the Committee on all matters pertaining 
to the governmentwide administration of the FOIA, including 
efforts to address the effect of the Milner decision.
    [The prepared statement of Ms. Pustay appears as a 
submission for the record.]
    Chairman Leahy. Well, thank you. You have mentioned the 
Milner case; what guidance is DOJ giving to agencies about how 
they should respond, and how they should treat FOIA requests 
seeking critical infrastructure information?
    Ms. Pustay. In the wake of the Supreme Court's decision, we 
issued extensive guidance to agencies to help walk them through 
the changed landscape that occurred as a result of the Supreme 
Court's decision. First of all, of course, we had to explain 
what Exemption 2--what was left of the exemption--covered and 
what would fit within it. But pragmatically, because High 2 is 
now no longer a part of the protection afforded by Exemption 2, 
agencies really have two alternatives: to try to see if other 
exemptions will safeguard the information, and that is 
certainly an option that was discussed and contemplated in the 
Milner case itself, the information that----
    Chairman Leahy. Of course, in the National Defense Act, we 
tried to put in a very, very narrow exemption.
    Ms. Pustay. Exactly. And the other alternative, if existing 
exemptions do not cover the information--let me actually first 
say, as part of our guidance, we instructed agencies to first 
consider whether or not the information needed to be protected. 
We made a point of highlighting the Attorney General's FOIA 
guidelines and the presumption of openness, and we always make 
sure that we use that as our starting point before we even get 
to the point of protecting. But assuming there is risk of 
circumvention, if existing FOIA exemptions----
    Chairman Leahy. It was too easily used before.
    Ms. Pustay. Right now the alternatives would be using other 
FOIA exemptions or seeking relief through specific statutory 
provisions that are covered under Exemption 3.
    Chairman Leahy. Dr. Nisbet, how do you see agencies 
handling these requests for critical infrastructure 
information? Are they following the Milner decision?
    Ms. Nisbet. Well, of course, they are following the Milner 
decision, and they are using language that the Supreme Court 
used to suggest to them that they do look for other exemptions. 
And in some cases, that certainly does work. But it does not 
work in all cases.
    For example, Exemption 7, which applies to records or 
information compiled for law enforcement information, certainly 
could apply to certain sensitive information, particularly as 
it relates to security measures or preventing crime. But 
Exemption 7 is not available to all agencies.
    Similarly, Exemption 1 would not be a good choice. 
Certainly, some agencies do not have classification authority 
nor, as this Committee has recognized, is expanding the 
universe of classified information something that we want to 
    Chairman Leahy. Also, back in 2007, Senator Cornyn and I 
authored the Open Government Act to strengthen FOIA, and in it 
we have the Office of Government Information Services regularly 
reporting to Congress on recommendations to improve FOIA 
compliance within the Government. We have not seen those 
reports. What is the current status of the reports that the law 
    Ms. Nisbet. Let me distinguish between reporting on our 
activity, which we have done and we have made public----
    Chairman Leahy. I am talking about the report that is 
required to be made to Congress on recommendations to improve 
FOIA compliance within the Government.
    Ms. Nisbet. Yes, Mr. Chairman, as to recommendations which 
we have put through the process for review with OMB, we have--
    Chairman Leahy. When did you put it through the process to 
be reviewed?
    Ms. Nisbet. Well, the first set of recommendations were 
given just a little over a year ago. Those did get held up. I 
am not sure that I can explain why. But I can tell you that we 
are working with OMB now to get that process going on.
    Chairman Leahy. Recommendations were made over a year ago, 
and we have not received them yet. The law requires us to 
receive them. When will we receive them?
    Ms. Nisbet. I hope you will receive something very shortly. 
However, I will tell you that we are working with OMB actively 
to see whether or not some of the suggestions that we had might 
be able to be addressed administratively without asking 
Congress to make any legislative changes.
    Chairman Leahy. Well----
    Senator Grassley. Mr. Chairman, what I would like to know 
is: Is it her fault or OMB's fault that they are not----
    Chairman Leahy. The law is pretty clear about us getting 
the reports. We have not gotten the reports. Who is at fault?
    Senator Grassley. We run into this. Just recently, with an 
agricultural rule, they studied it for 2 years, and it was 
sitting in OMB. Finally, after we wrote a letter, OMB released 
    Chairman Leahy. So my question is: Who is not following the 
    Ms. Nisbet. Well, one question I might ask you, Mr. 
Chairman, is the law does not state how often these 
recommendations need to be made.
    Chairman Leahy. I think if the recommendations were made a 
year ago, even if mail has been kind of slow--I mean, I am 
happy to drive down there and pick it up if that would speed 
things up.
    Chairman Leahy. You know, I would be happy to, if they 
would let me in the building.
    Ms. Nisbet. Thank you, Mr. Chairman.
    Chairman Leahy. When will we get it?
    Ms. Nisbet. I will have something to you--how about within 
a month we will have something? I will work actively with OMB 
to make that happen.
    Chairman Leahy. Tell them at OMB that this is not a 
partisan thing. Both Senator Grassley and I would kind of like 
to hear from them. I know they are very busy, but----
    Senator Grassley. Would it help you if we would write a 
letter to OMB and tell them to get off the pot?
    Ms. Nisbet. I think your statements here today will really 
say what you mean.
    Chairman Leahy. You know, I just would like to have people 
be happy to respond to us rather than having to subpoena 
    Ms. Nisbet. Thank you.
    Chairman Leahy. We do have that alternative.
    OK. Earlier this year, the National Archives and Records 
Administration, the Environmental Protection Agency, and the 
Department of Commerce announced the creation of a multi-agency 
FOIA portal that automates FOIA processing, stores FOIA 
requests, and responds in electronic format. If it works as it 
should, it would make it easier for FOIA requesters. Does the 
Department of Justice support this kind of a FOIA portal 
    Ms. Pustay. Yes, we absolutely do. The EPA is launching a 
pilot to build on those capabilities. What I think is important 
and what you will be happy to hear is that we have over 100 
different offices across the Government that already have 
online request capability. We do think it is an important 
improvement to FOIA. And just this week, my office--actually, 
the Attorney General announced this yesterday at our Sunshine 
Week event--that we have an online portal for the senior 
management offices of the Justice Department. So requesters can 
go online at the website in my office, set up a personal 
account, make their request online, be able to track the status 
of their request online any time day or night, and to get their 
responsive documents back through the portal.
    Chairman Leahy. Of course, that is an easier way. I have a 
6-year-old grandson who showed me how he goes online, although 
I am telling him not to go on Google because they now have a 
new plan to spy on Americans. That is just a personal concept.
    Senator Grassley.
    Senator Grassley. Thank you, Mr. Chairman. And if I can 
help you in any way, make sure that you call on me on that 
    Ms. Pustay. We still accept requests the old-fashioned way 
as well, Senator Leahy.
    Senator Grassley. My first question is going to be asked 
for Senator Cornyn because he was here for a while but had to 
go to a meeting at 11. It is to Ms. Pustay. A March 9th article 
in Atlanticwire.com raises questions about the way the Justice 
Department is actually calculating reporting ``backlogs'' and 
``pending requests.'' How do you explain the almost 50-percent 
discrepancy between claimed backlogs, 3,816, and the pending 
requests, 6,897? Now, Senator Cornyn says, ``I can understand 
not counting a few pending requests at the end of the year as 
backlog, especially if the statutory deadlines have not run. 
But I cannot imagine that you received 3,000 new requests at 
the end of fiscal year 2011 that fit that criteria. Could you 
explain the standards and definitions that are applied? And 
then, more importantly, isn't it appropriate to treat all 
requests alike for backlog purposes once the agency's response 
is overdue? ''
    Ms. Pustay. I am happy to address that question. There is a 
difference between pending and backlogged. Pending just means a 
request is open at the moment that the fiscal year closes on 
September 30th. Backlogged means it has been pending beyond the 
statutory time period.
    The FOIA itself actually requires agencies to report the 
number of requests that are pending. The Department of Justice 
added the requirement that agencies report the number of 
requests that are backlogged because we think it is a more 
accurate measurement to know not just how many requests came in 
literally on September 30th, but how many of those requests 
were backlogged. So that is why we track both statistics, 
backlog and pending.
    But we get at the Department of Justice 5,000 requests 
every single month, so having numbers of 3,000 and 5,000 as our 
pending and backlog is totally logical. We get 5,000 requests 
every single month.
    Senator Grassley. I would ask you for myself, Ms. Pustay, 
the National Security Archives recently gave the Rosemary Award 
to Justice for the worst open-government performance last year. 
As part of the award, the Archive stated that you presided over 
the development of a series of proposed regulations that would 
have changed the FOIA process in more than a dozen regressive 
ways. A two-part question, and I will ask both of them.
    First, what is your response to the Archive's citing of the 
Justice Department as having this performance record?
    And, second, what is your response to the Archive's 
statement about the proposed FOIA regressive regulations?
    Ms. Pustay. I will take it in reverse order. The regulation 
comment is very straightforward. Our regulations were--the 
changes that we made were simply designed to streamline, 
simplify, and update the regulations. The comments that we 
received showed that people misinterpreted what we were trying 
to do, misconstrued some of the provisions, and also did not 
necessarily understand the fee guidelines that govern the fee 
categories that are put out by--that are governed by OMB's fee 
guidelines. So all of those issues regarding the regulations, 
we are happy to have the comments because we can now explain, 
walk requesters through, walk the public through, what we were 
intending to do with our regulations. So the comment period 
itself I think will clear that up very easily.
    As to my overall reaction, of course, I am happy to be able 
to stand by our record at the Department of Justice. I am very 
proud of our record. We passed out before the hearing a list of 
our accomplishments to all the members, and I think it is a 
really stellar example of the work that has been done by the 
Justice Department. We have reduced our backlogs. We released--
79 percent of requests got a full release of information. Our 
release rate for 2 years in a row is 94.5 percent, which means 
that requesters who come to the Department of Justice and ask 
for information are getting information 94.5 percent of the 
time. We have also done a lot of work with proactive 
disclosures, making more information available on our website. 
We have worked with agencies to try to help spread the word of 
transparency, to help further implement the Attorney General's 
guidelines. We have built FOIA.gov, a brand-new website that 
breathes life into all the dry FOIA statistics and lets them be 
interactable and much more accessible to the public.
    So I can go on and on. I feel like we have a really strong 
record, and I stand by it.
    Senator Grassley. After Senator Whitehouse gets done, I 
would like to ask for another 5 minutes, if I could.
    Chairman Leahy. Yes, but the vote is coming up. We are 
going to have to keep it short because otherwise, we are not 
going to get the other panel in.
    Dr. Nisbet, I should note that my concern--and I hope you 
realize both my concern and Senator Grassley's are directed at 
OMB, not at you. We are trying to give you a little [clicking 
sound, swings hand].
    Chairman Leahy. It is going to be great to see how that is 
reported in the record.
    Chairman Leahy. Senator Whitehouse.
    Senator Whitehouse. T-L-O-C-K, perhaps? Who knows?
    I am interested in the manner in which the FOIA requests 
can be aggregated across the system and the FOIA data can be 
centralized across the system. For a long time, FOIA requests 
have been agency by agency, and for a long time, FOIA answers 
are sent out and then they kind of disappear, and if somebody 
asks the same question later, particularly if it is to another 
agency, it goes back and it gets re-created.
    I think it is important that there be a central FOIA 
request, you know, portal that people can go to. I think it is 
important that there be a central FOIA data base so that once 
something has been disclosed under FOIA, you can go and find it 
again and it is searchable and it is a resource. You have got 
the FOIA module coming along. It is kind of a pilot in that 
direction. Could you let me know a little bit the status of 
that and what you expect--give me a couple of benchmarks that 
you are looking for in the near future to show the success of 
that and the commitment to that.
    Ms. Pustay. What I can tell you first on FOIA.gov--and then 
you could talk about the portal.
    Ms. Nisbet. Yes.
    Ms. Pustay. FOIA.gov, which is our governmentwide website, 
which is designed to be a one-stop shop for FOIA, we added 
several things just this past year to help meet the concerns or 
the interests that you are expressing. For one thing, we have a 
find function, a search function that we put on FOIA.gov, the 
website, which allows an interested member of the public to 
enter a search term. If they are interested in Al Capone or the 
BP oil spill, they can put that search term into FOIA.gov. It 
launches a search across all agency websites. So everything 
that an agency has posted to date, not just their responses to 
FOIA requests but everything they have posted, would be 
captured by this search. That is particularly important because 
we are encouraging agencies to make proactive disclosures of 
information, to put things on their website separate and apart 
from FOIA requests. And we want the public to have access to 
all that information. So the find button is what is designed to 
help you locate information and maybe not even have to make a 
FOIA request.
    In terms of the online capability to make requests, as I 
said, we have got over 100 offices that have that capability so 
far. Many others are working on developing them. What we did, 
again on FOIA.gov to facilitate access to those portals was we 
now have hyperlinks to all those portals so that when you are 
on FOIA.gov and you decide you want to make a request to the 
National--well, let us pick an agency that has it, our office, 
or Treasury has an online request portal, or NASA, you can go 
right from FOIA.gov and get right in, onto their online request 
    So we have taken steps right now to make that happen, and 
then we are going to continue to add those functionalities to 
FOIA.gov as we go forward.
    Senator Whitehouse. And how is the module coming, Dr. 
    Ms. Nisbet. The FOIA module is a project that is being run 
jointly by--under the lead of the Environmental Protection 
Agency, but with the Department of Commerce and with the 
National Archives as partners. It is being built right now with 
input from FOIA professionals throughout the Government and 
from requesters and is due to launch October 1st. And it will 
be indeed a one-stop shop. In the beginning, of course, we do 
not have all agencies participating, but it is going to be 
something Version 1 can easily be moved into Version 2 as other 
agencies want to join, and it would be both a place where a 
requester can come to one place, make a request to one agency 
or many agencies or all agencies, and that will at the end also 
provide access to any records that have been disclosed under 
FOIA. So we think it has a lot of promise and cost savings for 
the Government as well as a collaborative effort and good for 
requesters as well.
    Senator Whitehouse. Good. Well, we look forward to October 
1st, and I thank the Chairman and the Ranking Member who have 
both over many years shown intense interest in making sure that 
the American people have access to these public records, and 
today's hearing is another example of their commitment.
    Chairman Leahy. Thank you very much.
    Senator Grassley. One question?
    Chairman Leahy. You have one question? Go ahead.
    Senator Grassley. Ms. Pustay, I want to refer to the Milner 
case. It was released more than a year ago. Some believe that 
the impact of the decision will be to endanger public safety. 
The Justice Department has not approached me or my staff about 
legislation to address the impact of the decision, so maybe you 
could tell me why the Justice Department has not submitted a 
legislative proposal. If, in fact, there is a threat to public 
safety, as people indicate, isn't it irresponsible to ignore 
the problem?
    Ms. Pustay. We are actively working and look forward to 
continuing to work to with this Committee on the issue. As I 
said, the impact of Milner is quite significant. The Supreme 
Court really dramatically limited the scope of protection that 
had previously been afforded. And since the time of the 
decision, we have certainly had legislative assistance from you 
all in terms of protecting discrete categories of information.
    As I said in my testimony, though, I think the next step is 
to go beyond a piecemeal approach and to work on a more 
comprehensive approach to the problem.
    Senator Grassley. I will have written questions for the 
    Chairman Leahy. Thank you. We will have further questions. 
I thank you both for being here.
    [The questions appears under questions and answers.]
    Chairman Leahy. Good morning. The first witness will be 
Jerry Ensminger. He is the public face of what may be one of 
the worst drinking water contamination cases in U.S. history. 
This retired Marine gunnery sergeant lost his 9-year-old 
daughter, Janey, to leukemia in 1985, taken by what Gunnery 
Sergeant Ensminger and many others believe was tainted water at 
Camp Lejeune, the base where she was conceived.
    I might say parenthetically, my son, Lance Corporal Mark 
Patrick Leahy, also went through Camp Lejeune, and it raises 
even more the personal stakes. Then I read the terrible things 
that you went through. Mr. Ensminger retired from the military 
13 years ago. He has traveled the country raising public 
awareness about this issue. I say retired Marine. There are no 
ex-Marines, as you know. Gunnery Sergeant, I am glad you are 
here, so please go ahead, sir.


    Sergeant Ensminger. Thank you, Mr. Chairman.
    Just to set the record straight, somebody demoted me. I am 
a retired master sergeant.
    Chairman Leahy. I apologize for that. Please do not tell 
that former lance corporal, or I would be in really deep 
trouble. I had heard it both ways, and I do apologize. Either 
way, I am darn glad you are here.
    Sergeant Ensminger. Yes, sir, thank you.
    Good morning. I would like to take the opportunity to thank 
the Chairman and Ranking Member for offering me this 
opportunity to appear here today. I am here to testify on why 
access to information through the Freedom of Information Act 
matters to me and others from Camp Lejeune and about the 
extreme secrecy we have encountered in trying to expose the 
    My name is Jerry Ensminger, and I served my country 
faithfully for 24 years in the United States Marine Corps. My 
daughter Janey, the only one of my four children to either be 
conceived, carried or born while living aboard Camp Lejeune, 
was diagnosed with leukemia in 1983 at the age of 6. Janey went 
through hell, and all of us who loved her went through hell 
with her. I watched my daughter die a little bit at a time for 
nearly 2\1/2\ years before she finally lost her fight. The 
leukemia won. Janey died on 24 September 1985.
    Shortly after Janey's diagnosis, I began to wonder why. Why 
was she stricken with this disease? I researched mine and her 
mother's family histories, and I could find no other child that 
had been diagnosed with leukemia or any other type of cancer. 
It was not until August 1997, 3 years after I had retired from 
the Marine Corps, that I heard of a report indicating that the 
drinking water at Camp Lejeune had been contaminated during the 
time that we had lived there with chemicals suspected of 
causing childhood cancers and birth defects. That was the 
beginning of my journey on a search for answers and the truth. 
Little did I realize how difficult it would be getting the 
truth out of an organization which supposedly prides itself on 
honor and integrity.
    None of what I am about to say is speculation. It is all 
facts which are borne out by the Department of the Navy and 
United States Marine Corps' own documents. Throughout the 
history of this situation and to this very day, representatives 
of the Department of the Navy and Marine Corps have knowingly 
provided investigating or studying agencies with incorrect 
data, they have omitted data, they have obfuscated facts and 
told many half-truths and total lies.
    The Department of the Navy and the Marine Corps' last 
attempt to block the truth and foil justice is being done by 
redefining key information being utilized by the Agency for 
Toxic Substances and Disease Registry in their study reports 
concerning the base's contaminated tap water as critical 
infrastructure information, or CII. They just recently slapped 
a label of ``For Official Use Only,'' or FOUO, on all documents 
relating to the contamination. Most of these documents and 
information they are labeling CII have been in the public 
domain for more than a decade and some for nearly 50 years. Mr. 
Chairman, the ATSDR estimates that as many as 1 million people 
were exposed to horrendous levels of carcinogenic chemicals 
through their drinking water at Camp Lejeune. These people need 
the uncensored truth concerning their exposures so they can be 
more vigilant about their and their family's health.
    The most recent attempt by the Department of the Navy and 
Marine Corps to suppress the public's knowledge regarding 
ATSDR's Camp Lejeune studies came on 5 January of this year in 
the form of a letter from the Marine Corps to ATSDR. Without 
any public interest balancing test having been executed, key 
information was redacted from a critical report which experts 
are now saying will greatly diminish its scientific value or 
credibility. This was labeled CII by the Department of the Navy 
and Marine Corps, but the legal justifications that they cited 
for requesting these redactions were dubious at best. They 
notably did not mention the new law now governing what 
ultimately can be withheld from the public under the Freedom of 
Information Act by DOD to protect CII.
    It has also been reported that the ATSDR, at the behest of 
the Marine Corps, is currently scrubbing their Camp Lejeune 
website of key data and information published in previously 
released reports. This is all being done without any 
consideration of the public's need, interest, or right to know. 
For many of the exposed Camp Lejeune population, this 
information could literally mean life or death.
    Mr. Chairman, the last thing we need is more secrecy 
disguised as a concern for security of critical infrastructure. 
Any exemption must be very narrowly defined as it is in the new 
CII FOIA exemption for DOD. There must be an enforced public 
interest balancing test to ensure that any security interests 
outweigh other public interests, like health and safety--and 
there must be adequate reporting and oversight on how the 
exemption is used.
    I want to thank Chairman Leahy and Representative Maloney 
for narrowing the blanket exemption to FOIA for critical 
infrastructure information that DOD was seeking in the NDAA for 
fiscal year 2012. Now all we need is oversight to ensure the 
law is implemented and followed. The hearing today is a good 
    Thank you.
    [The prepared statement of Sergeant Ensminger appears as a 
submission for the record.]
    Chairman Leahy. Well, thank you, Sergeant. And let me tell 
you, I will carry my interest in this matter beyond this 
hearing. We Vermonters are sometimes known as being pretty 
tenacious, and I will be. And I will not demote you next time, 
I apologize.
    Sergeant Ensminger. That is all right, sir.
    Chairman Leahy. Thank you very much.
    Our next witness is Kenneth Bunting, the first full-time 
executive director of the National Freedom of Information 
Coalition created in 2010. Before joining that, he spent parts 
of four decades as a journalist and newspaper industry leader, 
and ranking editor of the Seattle Post Intelligencer, which 
during that time won more national and regional awards for 
journalistic excellence than at any other time in its 146-year 
history, including the Pulitzer in 1999 and 2003. 
Congratulations. He has his B.S. from Texas Christian 
    Mr. Bunting, we are delighted to have you here, and I am 
stepping out for a moment while you testify, and that is not 
from a lack of interest, I can assure you. Senator Grassley 
will be here. I have read your testimony, and I will be back.


    Mr. Bunting. I am Ken Bunting, executive director of the 
National Freedom of Information Coalition. We are a nonpartisan 
network of State and regional groups that work to promote open 
government and accountability. I am here today, early in the 
annual recognition of Sunshine Week, to ask that the principles 
of transparent, accountable government not become collateral 
damage as you wrestle with policy issues about critical 
infrastructure information and matters related to 
    We recognize that there are circumstances under which 
information and details about the Nation's critical 
infrastructure need to be shielded from public dissemination. 
We also recognize that one of the legitimate goals of the 
various cybersecurity bills before you is creating a private 
industry comfort level with important information sharing.
    But wherever exceptions to public access related to these 
matters reside in statute, we feel that they should include 
narrow definitions, a balancing test of the public interest in 
disclosure, and a sunset review process. I commend the Chairman 
for inserting narrowing language into the National Defense 
Authorization Act last December. Unfortunately, none of the 
cybersecurity measures before us now have similar provisions.
    Nine years ago, a retired electrician named Glen Milner 
tried to find out something about the potential dangers he and 
his neighbors faced living near naval installations in the 
Puget Sound region of Washington State. Mr. Milner wanted to 
know which parts of the coastal peninsulas and islands might 
see the greatest devastation in the event of an accidental 
explosion at the Navy's Indian Island facility. As you know, 
the Navy refused to provide that information, but the Supreme 
Court, in a ruling handed down last March, discredited the 
Navy's expansive interpretation of FOIA's Exemption 2. That 
case has now been remanded, and Mr. Milner and his lawyers are 
still doing battle in the legal arena for records he first 
requested in 2003 and over which he filed suit in 2006.
    Now, I saw inescapable parallels as I watched the excellent 
MSNBC documentary about Master Sergeant Ensminger and the 
effects of three decades of toxic contamination at the Camp 
Lejeune Marine base in North Carolina. As the documentary crew 
portrayed it, Master Sergeant Ensminger and those who worked 
with him eventually came to recognize the shameful coverup, 
although they had begun with the expectation that the Marine 
Corps would do the right thing of its own volition.
    The moral of this powerful story and so many others is that 
informed citizens with information to hold Government 
accountable provide the best incentive for things being done 
    We certainly do not belittle the concerns the legislative 
proposals before you seek to address. But please be leery of a 
broad, ill-defined sweep in closing off information. We believe 
any new cybersecurity or critical infrastructure exemptions 
should contain, at a minimum, a tight definition of the 
information to be exempted; a sunset for the law and for the 
protection attached to the information; and a public interest 
balancing test that allows legitimately protected information 
to remain protected, but not information being withheld 
primarily to protect the Government from embarrassment.
    Under several proposals that have been put forth in the 
past 8 months, a 1995 ``Dateline NBC'' report that showed 
thousands of the Nation's dams close to collapse might not have 
been possible. Nor likely would a local TV report by University 
of Missouri students that showed only 33 of that State's 1,200 
dams had the Emergency Action Plans required by law. And after-
the-fact reporting by my old newspaper and others in Washington 
State--following a massive pipeline explosion that killed three 
innocent youths--would have been severely limited, reporting, 
by the way, that culminated, perhaps with a causal connection, 
in new pipeline safety legislation and a seven-count criminal 
indictment against two pipeline companies.
    Without balancing tests and sunset provisions, health and 
safety information imprudently hidden from public view might 
remain shrouded in secrecy forever.
    Just last week, nearing the 1-year anniversary of the 
Fukushima nuclear accident in Japan, the NRC released a heavily 
redacted report that used the ridiculously non-descriptive term 
``Generic Issue'' to describe seismic and flooding hazards 
surrounding 35 domestic nuclear facilities. Given new criteria 
for withholding, their refusal to provide intelligible 
information will only get worse.
    Please do not accept that cybersecurity and appropriate 
protections for critical infrastructure information pose a 
Hobson's choice with the people's right to know.
    Senators, thank you for your invitation and for your 
attention. I look forward to your questions.
    [The prepared statement of Mr. Bunting appears as a 
submission for the record.]
    Senator Grassley. [Presiding.] Thank you, Mr. Bunting.
    For the Chairman, I will introduce Paul Rosenzweig, a 
visiting fellow at the Heritage Foundation's Center for Legal 
and Judicial Studies and Douglas and Sarah Allison Center for 
Foreign Policy Studies. Mr. Rosenzweig is also former Deputy 
Assistant Secretary for Policy at the Department of Homeland 
Security and Acting Assistant Secretary for International 
Affairs. He is a senior editor of the ``Journal of National 
Security Law & Policy'' and adjunct professor, Homeland 
Security at the National Defense University. He is a cum laude 
graduate of the University of Chicago Law School. He also has a 
M.S. in chemical oceanography from Scripps Institution of 
Oceanography, University of California at San Diego, and his 
B.A. is from Haverford College.
    Thank you, Paul, for coming. Proceed.


    Mr. Rosenzweig. Thank you very much, Senator Grassley. I 
was checking my records, and this is the sixth time in the last 
10 years that I have been in front of this Committee. It is 
always a pleasure to return to testify here.
    Perhaps equally germane to my testimony today, I both teach 
cybersecurity law and policy at George Washington University 
and as a private consultant often speak of these issues with 
private sector clients who are vitally interested in pending 
cyber legislation.
    My testimony today is restricted to the cybersecurity 
issues in front of us. I have no general issue at all with the 
premise that FOIA is an important aspect of transparency and 
should be broadly construed to promote the transparency of 
Government activity. I think, however, that the cyber threat is 
demonstrably different and that the pending proposals to 
provide for FOIA exemptions in the context of enhanced 
information sharing are right on point and, in my judgment, 
actually essential.
    The cyber threat is real and likely quite enduring, and 
virtually everyone who has examined the issue in the private 
sector has concluded that the cheapest, most cost-effective way 
to get a running start at addressing that threat is through 
enhanced information sharing of cyber threat and vulnerability 
information, both between and amongst the private sector 
themselves and from the private sector to the Government, with 
the Government then being enabled to further share that 
information with others, both in Government and beyond.
    Information sharing about cyber threat and vulnerability 
information is a bit like vaccination in the public health 
context. When one community knows of a virus threat and learns 
of how to cure it, it is essential for that information to be 
widely communicated throughout our community and throughout the 
world. Cyber threat information is fundamentally a public good.
    In this context, it seems to me that the application of 
FOIA to cyber threat and vulnerability information voluntarily 
shared by the private sector with the Government turns FOIA on 
its head. The purpose behind FOIA, as demonstrated quite 
clearly both in the Milner case and in Sergeant Ensminger's 
case, is the transparency of Government functions. Thus, the 
main ground of a FOIA request is to seek information from the 
Government about Government and its operations.
    Here, in the cyber context, the FOIA exemption contemplated 
is in relation to a private sector information sharing that 
would not otherwise--sharing of information that would not 
otherwise come into the Government's possession in the first 
instance. If we are serious about the cyber threat and if we 
seek the voluntary sharing of information in order to foster 
the creation of a clear and manifest public good, then the 
voluntary agreement of private sector actors to provide that 
information will, in the first instance, be contingent upon the 
Government's agreement not to subject them to adverse 
    Private sector actors, rightly, would see the absence of a 
FOIA exemption as a form of Government hypocrisy. We need the 
information, you will say, badly enough that we are asking you 
to provide it for the common good, but not so badly that we are 
willing to prevent that information from being shared with 
other private sector actors who, as your competitors or 
opponents in litigation, might wish you ill.
    In my judgment, in the absence of a FOIA exemption, you 
will not get the private sector information sharing that is 
deemed essential, and it is not really just my judgment. The 
information-sharing provisions with accompanying FOIA 
exemptions are part of the Lieberman-Collins bill that has been 
introduced in this body, the McCain bill that has been 
introduced in this body, the bipartisan Rogers-Ruppersberger 
bill on the other side of the Hill, the bipartisan Lungren bill 
on the other side of the Hill, and I think most significantly 
is an integral part of the Obama administration's own 
legislative submission that they made to you in May of this 
past year.
    Finally, I would close by saying that there is a real 
danger in subjecting cybersecurity threat and vulnerability 
information to the FOIA. Allowing public disclosure of such 
information would be identifying publicly which cyber threats 
are known risks, in effect drawing a road map of what threats 
are not known. That would have the substantive effect of 
drawing a target around the higher vulnerabilities, something 
that I think nobody would want to foster. Complete 
transparency, in my judgment in this instance, would defeat the 
very purpose of the disclosures that we are seeking voluntarily 
from the private sector and might even make us less secure.
    Thank you very much.
    [The prepared statement of Mr. Rosenzweig appears as a 
submission for the record.]
    Chairman Leahy. [Presiding.] Thank you very much.
    Let me start with Sergeant Ensminger. First off, I, like 
all of us, thank you for your service to the country, but also 
as a parent and as a grandparent, I offer you my sympathy for 
what you went through with Janey. I think what you tell us is 
that the transparency that we are supposed to have in FOIA is a 
promise to everybody in this country because it impacts the 
lives of Americans all across the Nation.
    The public interest balancing test that Congress recently 
enacted in the National Defense Authorization Act, will that 
help you and others learn more about the well water 
contamination at Camp Lejeune?
    Sergeant Ensminger. Yes, sir, but only if it is applied. In 
this instance, the National Defense Authorization Act was 
signed by the President at the end of December, and the United 
States Marine Corps sent a letter off on the 5th of January to 
another Government agency, which is part of the CDC, and that 
other Government agency did not question it. They just, for 
lack of a better term, rolled over into a fetal position and 
said, ``Kick me again,'' and redacted--did everything in their 
    Chairman Leahy. It is important that you make that point 
because, as I said, I intend to continue to follow up on this. 
Whether it is Senator Grassley or myself, Senator Cornyn or 
anybody else, we can pass all the legislation in the world with 
the right intentions. If it is not followed, then you are hurt, 
but so is everybody else. Is that correct?
    Sergeant Ensminger. Yes, sir. And the information that they 
are trying to hold back from is the location of water supply 
wells, water towers, the water treatment plants aboard the 
base. I mean, for lack--I asked one of the Senate Committees--
not a Committee but staffs the other day, they held a meeting 
with the Office of the Secretary of Defense and some of the 
representatives from the Marine Corps and the Department of the 
Navy concerning these redactions, and I jokingly asked them, 
before they went into the meeting, to please ask them if they 
perfected their Klingon-type cloaking device to cloak these 
100-and-some-foot tall towers.
    Chairman Leahy. You see them when you drive by on the road.
    Sergeant Ensminger. Yes, sir, and they are painted red and 
white checkered. I mean, what are they----
    Chairman Leahy. It is not a new form of camouflage.
    Sergeant Ensminger. No, sir. And the water supply wells, 
many of them are out--not even within the gates of the base. 
They are along public highways, and the only physical security 
they have around them is a chain-link fence and a locked door 
to the pumphouse. Now, any terrorist that wanted access to 
those without physical security, they do not need to protect 
the information, the infrastructure information. They need more 
physical security, if they really, truly want to protect their 
    Chairman Leahy. Well, when I am here in Washington, because 
of the house I have got in this area, I drive by a place with a 
big sign, ``CIA.'' Well, that is fine. Everybody knows where it 
is. But it is protected.
    Professor Bunting, you have experienced the FOIA process 
from the perspective of an academic, but also as a journalist. 
Do you have an idea how we could protect on the one hand the 
public's right to know while also protecting the Nation's 
cybersecurity? Mr. Rosenzweig talked about that before. Go 
ahead, sir.
    Mr. Bunting. Mr. Chairman, first of all, Professor 
Rosenzweig is the only cybersecurity expert at this panel. I do 
not pretend to be one. But with regard to FOIA, I think the 
worst thing would be a sweeping definition that was too broad, 
too loosely defined, where the words could be made to be 
whatever they wanted it to be, that gave too much unchecked 
power to the Government.
    The reason we also ask that there be a review process, a 
sunset review process, in any new exemptions is exactly what 
Master Sergeant Ensminger just told you. It was only a couple 
of months ago that you put language in the NDAA to try and 
write a narrow definition and also a public interest balancing 
test. But, you know, is it going to be enforced? Time will 
    Given any leeway, agencies will find a way to make it say 
what they want it to say, and so the key thing in protecting 
the public interest to know and not just tossing it out the 
window as you address these very real issues is to write a 
definition that is narrow enough, to make sure that the public 
interest is considered, and that you review it periodically 
going forward.
    Chairman Leahy. Thank you.
    A vote has started. I will yield first to Senator Grassley 
and then Senator Whitehouse.
    Senator Grassley. Has it started? The light is not on up 
there yet.
    Chairman Leahy. Somebody will check.
    Senator Grassley. I will hurry along here then so that 
Senator Whitehouse can ask questions.
    Chairman Leahy. It started.
    Senator Grassley. OK.
    Mr. Rosenzweig, I have a two-part question. First, when a 
business shares cyber threat information with the Government, 
what type of information are we talking about, a general 
description on your part? And, second, describe for us the type 
of damage that you believe would be done to the business 
sharing information and to our country if that cyber threat 
information was made public?
    Mr. Rosenzweig. Well, thank you for the question. I will be 
brief in the interest of time, though obviously the answer to 
your first question is quite complex. But you can, broadly 
speaking, divide cyber threat information that would be shared 
into two bundles. One piece would be the actual malicious code 
and information, the IP protocols and ports that are being 
used, the websites, something that is quite specific to the 
threat itself. I can see no reason why we would ever want that 
information to be subject to FOIA because we would never want 
to broadcast more widely than is already shared that kind of 
threat information.
    The other bundle of information is the data stream in which 
the threat resides, and that can be anything. It can be an e-
mail attachment that is masquerading as an Excel spreadsheet. 
It can be the header information. It can be virtually any sort 
of content data. But that content data is really generally 
independent of the malicious code itself. It helps us identify 
the target that it is coming in Excel spreadsheets, but the 
content of that Excel spreadsheet, which could be a human 
resources spreadsheet or the company's salary data--it could be 
anything. In other words, malicious code can hide literally 
anywhere. So those are the two bundles.
    The damage in the disclosure to the business obviously 
comes in the content information on the second side, which is, 
if they think that that content information is going to be 
subject to onward disclosure through FOIA, they are not going 
to provide it because that is usually CBI, confidential 
business information, proprietary information of some form. So 
what they are looking for is some assurance that the 
information they provide, which cannot be disassociated from a 
malicious code, will, in fact, be protected.
    Senator Grassley. In regard to that first part, you said if 
you could have a longer explanation. Maybe you could submit 
something in writing that would be more thorough than what you 
had time to give.
    Mr. Rosenzweig. Sure.
    [The information appears as a submission for the record.]
    Senator Grassley. My second question, and probably the last 
    Senator Whitehouse. Senator Grassley, would you mind if I 
climbed onto that request so I get an answer as well? I am very 
interested in that same response.
    Senator Grassley. Of course, yes. So that will come from 
the two of us.
    Mr. Rosenzweig. My pleasure.
    Senator Grassley. A two-part question. First, do you 
believe that the actually cyber threat information shared by a 
private company with the Federal Government provides no 
insights into how the Government operates as a Government? And, 
second, why should an open-government group ever need to have a 
copy of actual malicious code or virus given to the Federal 
Government by a private company?
    Mr. Rosenzweig. As to the first of those, I can see no 
interest in an insight-into-government operation in having 
access to the underlying information from the private sector. I 
can see interest in learning how the Government treats what it 
does and whether or not we are responding well. But on the 
information itself, no. And as for the malicious code, I would 
say assuredly not. There is, in fact, a market--a black market, 
of course--in the sale of malicious code exploits because they 
are not generally widely known or used. When one is discovered, 
it is precious to the bad actor. It would be, to my mind, 
contrary to all sense of good public policy to make that more 
generally widely available so that it could be more readily 
exploited by a larger number of people.
    Senator Grassley. For you I have got two more questions, 
but I will yield back my time so Senator Whitehouse can ask 
questions and still get over to vote.
    Chairman Leahy. Senator Whitehouse.
    Senator Whitehouse. Thank you. I just wanted to follow up 
on Senator Grassley's line of questioning. The sort of 
information that would be provided from the private company in 
an information-sharing regime, would that ordinarily--if it had 
not been provided to the Government, would it ordinarily be 
amenable to any kind of FOIA access?
    Mr. Rosenzweig. Not to my knowledge. FOIA does not run to 
the private sector, so if the wastewater treatment facility in 
Providence, Rhode Island, is under some sort of threat--unless 
it is a publicly operated one. I do not actually know about 
Providence. But if it is a private sector one, it is not 
generally subject to FOIA, unless there is some State law that 
might apply that, again, I am not familiar with all 50 State 
laws, but generally no.
    Senator Whitehouse. So nothing that would otherwise be 
available to the public is taken from the public if information 
sharing is protected from FOIA.
    Mr. Rosenzweig. That would be my understanding. We use the 
same model of protecting that type of critical infrastructure 
information that would not otherwise be available because it is 
voluntarily shared. In the PCII, the Protected Critical 
Infrastructure Information, that is shared under the Homeland 
Security Act, under the Chemical Facilities Antiterrorism 
Standards, sensitive security information about aviation, we 
use that model for private sector voluntary information quite 
frequently, and in general, the rule is it would not otherwise 
be available so we are not taking away something.
    Senator Whitehouse. Master Sergeant Ensminger raises the 
very good point that bureaucracies have not been unknown to use 
a variety of techniques to try to dodge disclosure--
overclassification or unnecessary classification being one. Do 
you see a way in which legitimately available information could 
be shielded from public disclosure by some strategic use of the 
information-sharing regime? Somebody decides--I mean, I suppose 
the scenario would be an entity or organization that would 
otherwise have to make a disclosure of some kind, just sends 
the stuff in as information sharing even if it is not really 
legitimate to a cybersecurity complaint, and then says, Aha, 
you see, now I do not have to disclose it because I submitted 
it as the information sharing. Because of the nature of the 
beast, that strikes me as a phenomenon that we could probably 
guard against pretty successfully because it is not the natural 
purpose of the information-sharing effort. But what are your 
thoughts on that point of strategic abuse of the information 
sharing to quell public disclosure?
    Mr. Rosenzweig. Your point is well taken, that is, that one 
could imagine a systematic effort by somebody to hide their own 
private sector malfeasance. That is going to be very unlikely 
and rare in the cybersecurity realm. There is not a lot of 
incentive that I see for trying to maintain vulnerabilities. 
The natural incentive is going to be for people who are aware 
of their own vulnerabilities to fix them because they suffer--
the private sector suffers their own consequences for failing 
to fix that.
    It strikes me that at this juncture, given the imminence of 
the cyber threat as we understand it, the value judgment that 
you need to make is whether or not that small likelihood means 
that you want to develop an exemption that would otherwise 
probably retard a lot of the sharing that is the plus value, or 
if you can come up with--my main answer to you, I think there 
is probably a mechanism for some sort of substituted 
transparency, which is not the full transparency of FOIA to the 
press and the public in this context, but institutions like the 
President's Civil Liberties and Oversight Board that you have 
already created or IGs or----
    Senator Whitehouse. Certainly you would want some form of 
ombudsman or IG to report on whether this was being abused in 
any way, wouldn't you?
    Mr. Rosenzweig. I would certainly see room for something 
like that as a constructive proposal. I have not really thought 
it through that much.
    Senator Whitehouse. All right. I am about to be late to 
vote, so I am going to disappear.
    Thank you, Chairman.
    Chairman Leahy. Thank you all very much. I will keep the 
record open for a couple days for follow-up questions. I did 
not mean to hurry you. You were asking perfect questions, and I 
    Thank you all very much.
    Mr. Bunting. Thank you, Mr. Chairman.
    Mr. Rosenzweig. Thank you, Mr. Chairman.
    [Whereupon, at 12:19 p.m., the Committee was adjourned.]
    [Questions and answers and submissions for the record