[Senate Hearing 114-582]
[From the U.S. Government Publishing Office]
S. Hrg. 114-582
ASSESSING THE SECURITY OF OUR CRITICAL TRANSPORTATION INFRASTRUCTURE
=======================================================================
HEARING
before the
SUBCOMMITTEE ON SURFACE TRANSPORTATION
AND MERCHANT MARINE INFRASTRUCTURE,
SAFETY AND SECURITY
of the
COMMITTEE ON COMMERCE,
SCIENCE, AND TRANSPORTATION
UNITED STATES SENATE
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
__________
DECEMBER 7, 2016
__________
Printed for the use of the Committee on Commerce, Science, and Transportation
U.S. GOVERNMENT PUBLISHING OFFICE
24-732 PDF WASHINGTON : 2017
SENATE COMMITTEE ON COMMERCE, SCIENCE, AND TRANSPORTATION
ONE HUNDRED FOURTEENTH CONGRESS
SECOND SESSION
JOHN THUNE, South Dakota, Chairman
ROGER F. WICKER, Mississippi        BILL NELSON, Florida, Ranking
ROY BLUNT, Missouri                 MARIA CANTWELL, Washington
MARCO RUBIO, Florida                CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire         AMY KLOBUCHAR, Minnesota
TED CRUZ, Texas                     RICHARD BLUMENTHAL, Connecticut
DEB FISCHER, Nebraska               BRIAN SCHATZ, Hawaii
JERRY MORAN, Kansas                 EDWARD MARKEY, Massachusetts
DAN SULLIVAN, Alaska                CORY BOOKER, New Jersey
RON JOHNSON, Wisconsin              TOM UDALL, New Mexico
DEAN HELLER, Nevada                 JOE MANCHIN III, West Virginia
CORY GARDNER, Colorado              GARY PETERS, Michigan
STEVE DAINES, Montana
Nick Rossi, Staff Director
Adrian Arnakis, Deputy Staff Director
Jason Van Beek, General Counsel
Kim Lipsky, Democratic Staff Director
Chris Day, Democratic Deputy Staff Director
Clint Odom, Democratic General Counsel and Policy Director
------
SUBCOMMITTEE ON SURFACE TRANSPORTATION AND MERCHANT MARINE
INFRASTRUCTURE, SAFETY AND SECURITY
DEB FISCHER, Nebraska, Chairman     CORY BOOKER, New Jersey, Ranking
ROGER F. WICKER, Mississippi        MARIA CANTWELL, Washington
ROY BLUNT, Missouri                 CLAIRE McCASKILL, Missouri
KELLY AYOTTE, New Hampshire         AMY KLOBUCHAR, Minnesota
JERRY MORAN, Kansas                 RICHARD BLUMENTHAL, Connecticut
DAN SULLIVAN, Alaska                BRIAN SCHATZ, Hawaii
RON JOHNSON, Wisconsin              EDWARD MARKEY, Massachusetts
DEAN HELLER, Nevada                 TOM UDALL, New Mexico
STEVE DAINES, Montana
C O N T E N T S
----------
Hearing held on December 7, 2016
Statement of Senator Fischer
Statement of Senator Booker
Statement of Senator Nelson
    Prepared statement
Statement of Senator Blumenthal
Statement of Senator Klobuchar
Witnesses
Hon. John Roth, Inspector General, U.S. Department of Homeland Security
    Prepared statement
Neil Trugman, Interim Chief of Police, Amtrak
    Prepared statement
Chris Spear, President and CEO, American Trucking Association (ATA)
    Prepared statement
Anthony Straquadine, Jr., Manager, Commercial, Government Affairs and Managing U.S. Officer, Alliance Pipeline Inc.
    Prepared statement
Tom Belfiore, Chief Security Officer, Port Authority of New York and New Jersey
    Prepared statement
Appendix
Response to written questions submitted to Hon. John Roth by:
    Hon. John Thune
    Hon. Deb Fischer
    Hon. Cory Booker
Response to written questions submitted to Neil Trugman by:
    Hon. John Thune
    Hon. Deb Fischer
    Hon. Cory Booker
Response to written questions submitted to Chris Spear by:
    Hon. John Thune
    Hon. Deb Fischer
    Hon. Cory Booker
Response to written questions submitted to Anthony Straquadine, Jr. by:
    Hon. John Thune
    Hon. Deb Fischer
    Hon. Cory Booker
Response to written questions submitted to Tom Belfiore by:
    Hon. Deb Fischer
    Hon. Cory Booker
ASSESSING THE SECURITY OF OUR CRITICAL TRANSPORTATION INFRASTRUCTURE
----------
WEDNESDAY, DECEMBER 7, 2016
U.S. Senate,
Subcommittee on Surface Transportation and
Merchant Marine Infrastructure, Safety, and Security,
Committee on Commerce, Science, and Transportation,
Washington, DC.
The Subcommittee met, pursuant to notice, at 2:40 p.m. in
room SR-253, Senate Russell Office Building, Hon. Deb Fischer,
Chairman of the Subcommittee, presiding.
Present: Senators Fischer [presiding], Booker, Nelson,
McCaskill, Klobuchar, and Blumenthal.
OPENING STATEMENT OF HON. DEB FISCHER,
U.S. SENATOR FROM NEBRASKA
Senator Fischer. Good afternoon. I am pleased to convene
the Senate Subcommittee on Surface Transportation and Merchant
Marine Infrastructure, Safety, and Security, for our last
subcommittee hearing of 2016 titled ``Assessing the Security of
Our Critical Transportation Infrastructure.''
Securing our Nation's transportation system is critical to
keeping Americans safe. Over the past year, we've seen an
increasing threat of terrorism to vital surface transportation
networks. On September 17, a bomb exploded in New York City's
Chelsea neighborhood injuring 31 people. Two days later, police
in Elizabeth, New Jersey, removed from a public trash can a
backpack filled with pipe bombs. The devices were discovered
near the town's train station. Fortunately, no one was killed
in either bombing.
But earlier this year, in Nice, France, a member of ISIL
drove a commercial truck into a crowded promenade, killing 84
people. And in March, 16 individuals were killed in a bomb
blast at a metro station in Brussels. These tragic events
underscore a dangerous reality. Our surface transportation,
rail, ports, pipelines, and mass transit systems are at serious
risk of attack.
Unlike TSA aviation security checkpoints at our airports,
TSA does not directly manage surface transportation security.
Instead, TSA is responsible for providing guidance, oversight,
intelligence, and assistance to system operators and law
enforcement so that they can ensure security across our
Nation's surface transportation network.
However, recent reports by the Office of the Inspector
General of the Department of Homeland Security have questioned
the TSA's management of our Nation's surface transportation
security programs and resources. A September 2016 IG report
found that oversight of a critical TSA port access program,
otherwise known as TWIC, had inadequate oversight. TWIC impacts
nearly 3.5 million port and freight workers. The IG's office
found that the program's fraud detection techniques were not
monitored, and key internal controls were missing from the
terrorism vetting process.
A second, even more alarming IG report from September found
that TSA lacks an intelligence-driven, risk-based security
strategy that informs security and resource decisions across
all transportation modes, beyond aviation. The report further
noted that TSA lacks a formal process to incorporate risk in
budget formulation decisions. The TSA's annual budget is
approximately $7.3 billion.
When TSA Administrator Peter Neffenger testified earlier
this year before this committee, he pointed out that TSA spends
just 3 percent of its budget on surface transportation security
initiatives. This fact may come as a surprise to most
Americans. Congress must evaluate the adequacy of these
resources and demand that they be spent based on the threat
risk to our transportation network. It's clear that our ports,
highways, pipelines, and railways are at risk. Today's hearing
convenes a panel of multimodal stakeholders and experts to
discuss how we can enhance the security of our transportation
system and ensure that the TSA is effective.
This fall, Chairman Thune, Ranking Member Nelson, Senator
Booker, and I introduced the bipartisan Surface Transportation
and Maritime Security Act to address these concerns. This
comprehensive bill would instruct the TSA to establish risk-based
budgeting, expand the highly effective K-9 explosive
detection teams for surface transportation, and authorize
computer vetting systems for passenger networks. Among other
provisions, this important legislation would address management
inefficiencies raised by the Inspector General as it relates to
the TWIC program.
In May 2015, the Senate Commerce Committee passed the
Essential Worker Identification Credential Assessment Act,
which compels the TSA to fully assess the TWIC program and work
with the Inspector General to resolve vetting, oversight, and
other major security loopholes.
I am pleased to convene this hearing with the Inspector
General of the Department of Homeland Security and leading
experts from the pipeline, trucking, and passenger rail
sectors. I look forward to learning more about how you advance
all aspects of security in your daily operations and how we can
work together to strengthen our transportation security.
I would now like to invite my colleague and this
subcommittee's Ranking Member, Senator Cory Booker, to offer
any opening remarks.
Senator Booker?
STATEMENT OF HON. CORY BOOKER,
U.S. SENATOR FROM NEW JERSEY
Senator Booker. Thank you so much, Chairwoman Fischer, for
holding yet another very important hearing on surface
transportation, in general, surface transportation security, in
particular. I really look forward to hearing from all the
witnesses.
The focus of this hearing is clearly on transportation
security. But I just want to take a moment to speak about
transportation safety. The Senate is now considering a CR,
which, among other provisions, includes a dangerous rollback in
truck safety that will have the effect of allowing truck
drivers to work more hours and get less rest. Some colleagues
and I have fought this battle time and time again, but it
continues to remain an uphill battle.
The data is chilling. Now, there are 4,000 people who lose
their lives to large truck accidents each year, and over
100,000 people are injured. It is paramount that Congress works
together in a deliberative way, having a discussion on what is
one of the monumental areas in which people are dying in
America. The numbers we're talking about represent a plane
crash each week in America. That's how many people are dying,
and the situation is not getting better. It's actually getting
worse. There's a 4.4 percent increase in accidents from 2014 to
2015.
We have a lot of good minds on this, from industry to
activists to Senators on both sides of the aisle. We should be
discussing this issue in the regular course of business, not
flipping into a CR a rollback of these restrictions. It may be
business as usual in the U.S. Senate, but it's something I just
cannot accept or at least let go by quietly.
I spent time with the victims of these accidents, the
tragedy that is being visited upon family after family, day
after day, and it irks me that this is something that we can
prevent, working together. I'm shocked and saddened that the
data has not compelled more action on this issue.
The threat of a security challenge or a terrorist attack is
real, and while I'm pleased that we're discussing those issues
today, I hope we will double down on our commitment to explore
basic road safety issues in the upcoming year and find ways to
make our highways safer for all Americans. We can coexist. We
can make sure business is done and families are safe.
Now, when it comes to security threats as a whole, New
Jersey is often a prime target, given the density of our
location. Over the course of a weekend this past September, as
the Chairwoman noted, a series of attacks occurred in my home
state and the surrounding region. In Seaside Park, New Jersey,
an improvised device exploded in a garbage can near the course
of a charity race. It could have been devastating and,
fortunately, was not.
In Manhattan, just 12 miles from where I live, an explosion
injured 30 people on a crowded sidewalk in Chelsea. Finally, a
bag of explosives were found near a train station in Elizabeth,
New Jersey, just about a mile from where I live.
These planned attacks are a stark reminder of how quickly
our relative peace can be shattered and how we must ensure that
we are adapting to new threats. This is particularly true for
our surface transportation systems, where transit and passenger
rail move millions of people every single day.
The 9/11 Commission, chaired by former New Jersey Governor
Tom Kean, recognized this challenge and identified that
terrorists may turn their attention from air to rail and
transit stations as targets. Unfortunately, nearly a decade
after we passed the implementation of recommendations of the
9/11 Commission Act, we are still, still waiting on TSA to
complete many of the recommendations. That is unacceptable.
And it's not just rail and transit. The Commission also
highlighted the need to secure the major ports, pipelines,
bridges, and tunnels. With thousands of containers moving in
and out of the port area in which I live and many millions of
Americans do, hazardous materials moving through our pipelines,
and cargo moving on trucks and rails across the country, the
transportation network is vast and open. There is a serious
security challenge.
The transportation industry is a backbone of our economy. A
catastrophic failure of our transportation system could have
serious economic consequences, not to mention the tragic loss
of life, with terrorists focused on these soft targets.
For example, the Hudson River Tunnel, which connects
northern New Jersey to midtown Manhattan, carries approximately
200,000 passengers every day. It is a vital economic artery for
the region and a critical evacuation route for Manhattan in the
event of a terrorist attack. I remember what happened after
9/11 just trying to get people out of Manhattan and first
responders in.
Because the tunnel lacks redundancy, a terrorist attack in
the tunnel would be catastrophic and would have long-term
economic consequences for the Nation. We know the billions of
dollars of economic loss just when New Jersey transit or
Northeast Corridor rail systems are shut down. Bi-state efforts
are currently underway to advance the Gateway Program, which
would add a critical layer of redundancy across the busiest
river crossing in the United States of America. I'm hopeful
that we will take the necessary action to realize the security
and mobility benefits that a new tunnel would offer.
In addition, we must continue to find new ways to adapt and
meet the ever-challenging threats to our transportation system.
That's why I've joined with Chairman Thune, Ranking Member
Nelson, and Senator Fischer to introduce the Surface
Transportation and Maritime Security Act, another example of
our bipartisan efforts to make America safer. This bill will
take steps to close the gap in our security and provide
additional resources to enhance security across our
transportation system.
Again, I look forward to hearing from the witnesses today.
I'm grateful that Chief Belfiore is here as well, in
particular. We have a lot of work to do. We can do more, and we
must do more to meet the threats that are facing our nation's
surface transportation.
Thank you very much.
Senator Fischer. Thank you, Senator Booker.
I would just like to say it has been a pleasure to serve on
this committee with Senator Booker. In the last two years, we
have accomplished quite a bit. We've worked together in that
bipartisan manner, looking for issues that we can agree upon
that are really going to help the people of this country.
And it has been a pleasure, sir, to work with you.
I think we've had about 16 hearings over 2 years, either
here in Washington or outside of Washington around this
country, and Senator Booker has been a wonderful partner on
every single issue that we've worked on.
At this time, I would like to introduce the panel one by
one and have you give your statements before the Committee.
We'll begin with the Honorable John Roth, who is the Inspector
General of the United States Department of Homeland Security.
Welcome, sir.
STATEMENT OF HON. BILL NELSON,
U.S. SENATOR FROM FLORIDA
Senator Nelson. Madam Chairman, may I enter an opening
statement?
Senator Fischer. Oh, I apologize, Ranking Member Nelson. I
did not see you come in. Please give us your opening statement.
Senator Nelson. I'll just enter the opening statement in
the record.
[The prepared statement of Senator Nelson follows:]
Prepared Statement of Hon. Bill Nelson, U.S. Senator from Florida
I want to thank Chairman Fischer and Ranking Member Booker for
calling this hearing about protecting our Nation's surface
transportation networks from terrorist attacks.
A series of attacks over the last year or so--from attacks in
France and Belgium to those right here in the U.S.--have rung the alarm
bell that we cannot be complacent.
Transportation remains an attractive target for terrorists.
This Committee has heard that call. Last year, the Committee took
an important step to improve aviation security by moving the Airport
Security Enhancement and Oversight Act of 2015.
This bill took common sense steps to prevent an insider threat to
our aviation system by improving the background checks for aviation
workers. It also increased random physical screenings and covert,
red-team testing.
And while these steps were essential, the threat is ever changing.
I am concerned that our current strategy does not sufficiently
address the vulnerabilities exposed in Brussels and in the pipe bomb
attacks in New York and New Jersey.
Those incidents highlighted the vulnerability of our surface
transportation networks.
That is why I worked with Chairman Thune and Senators Fischer and
Booker to introduce the Surface Transportation and Maritime Security
Act.
The legislation addresses deficiencies in TSA's efforts to secure
our rail, transit, highway, port and freight transportation systems.
It also responds to recent concerns raised by the Department of
Homeland Security Inspector General.
The Inspector General found that TSA has yet to complete several
important and overdue requirements from the recommendations of the 9/11
Commission which were enacted into law in 2007.
For example, it's been 8 years, and TSA has yet to develop rules to
ensure that surface transportation workers have sufficient security
training, or that railroads have clear standards for their security
plans.
In addition, the Inspector General identified serious gaps in TSA's
program to provide credentials for workers accessing secure areas of
ports.
Fifteen years after TSA first established its Transportation Worker
Identification Credential program, the agency still struggles to
prevent fraud in the vetting of workers.
This legislation addresses deficiencies identified by the Inspector
General and requires TSA to make changes.
Importantly, the legislation also takes steps to respond to the
recent pipe bomb attacks by immediately adding 70 additional canine
teams.
It also gives TSA the ability to add up to 200 teams over time.
Canine teams provide a powerful psychological and physical deterrent
to potential threats.
They also have an unparalleled ability to identify and detect
explosives.
I believe it's time to reexamine our transportation security
strategy and refocus our efforts, and this legislation helps us get
there.
I want to thank the witnesses for coming today and I look forward
to hearing from you on these issues.
Senator Fischer. And we are pleased to welcome you to the
Committee hearing today.
Senator Nelson. Yes, ma'am.
Mr. Roth?
STATEMENT OF HON. JOHN ROTH, INSPECTOR GENERAL,
U.S. DEPARTMENT OF HOMELAND SECURITY
Mr. Roth. Chairwoman Fischer, Ranking Member Booker, and
members of the Subcommittee, thank you for inviting me here to
testify today.
TSA has a broad responsibility to oversee and regulate
surface transportation: highway, freight and passenger rail,
mass transit, and pipelines, as well as port security. However,
TSA's budget allocates most of its resources to air passenger
screening and dedicates only a small portion, roughly about 2
percent, to vulnerable areas of surface transportation.
Recently, our office has published three reports that
identify significant weaknesses in TSA's ability to secure
surface transportation in the Nation's maritime facilities and
vessels. First, we issued a report that found that TSA does not
have an intelligence-driven, risk-based security strategy to
inform security and budget needs across all types of
transportation.
In 2011, TSA began publicizing that it uses an
intelligence-driven, risk-based approach across all
transportation modes. However, in fact, TSA incorporates a
risk-based approach only in aviation and really only at the
checkpoint. Additionally, they do not have a budget process
that would incorporate risk into its budget decisions or
resource allocations.
TSA is working to create a consolidated risk-based security
strategy across all transportation modes. However,
notwithstanding the fact that they've been working on this for
a considerable amount of time, they do not intend to provide us
with a risk-based security strategy until the last quarter of
2017.
The second report that we issued found that TSA has failed
to develop and implement regulations governing passenger rail
security required more than 9 years ago. Specifically, although
required to by the Implementing Recommendations of the 9/11
Commission Act of 2007, TSA neither identified high-risk
carriers nor issued regulations requiring those carriers to
conduct vulnerability assessment and implement DHS-approved
security plans.
TSA also did not issue regulations that would require a
railroad security training program. Further, unlike aviation
and maritime port workers, TSA has not developed regulations
requiring security background checks for rail workers. TSA has
just submitted a Notice of Proposed Rulemaking on one rule to
the Federal Register. However, they won't even commit to a
timeline as to when they will move the other two regulations
forward.
The third report we issued found that TSA is missing key
internal controls in the Transportation Worker Identification
Credential Program, known by its acronym, TWIC. The background
check for TWIC includes a check for immigration, criminal, and
terrorist-related offenses that would preclude someone from
being granted unescorted access to secure facilities at
seaports. Our review found that TSA did not adequately
integrate the security measures intended to identify fraudulent
applications into the background check process. This was the
case notwithstanding the fact that a Government
Accountability report found the same problems 5 years ago.
We determined that TSA's lack of oversight was the primary
reason that the TWIC background check process had so many
control weaknesses. At the time of our review, the TWIC
background check process was divided among multiple program
offices, so no single entity had complete oversight and
authority over the program. Furthermore, the lead program
office for the program lacked key metrics to measure TSA's
success in achieving TWIC program core objectives.
Many of the issues I've discussed today are addressed in S.
3379, the Surface Transportation and Maritime Security Act. We
believe that, if enacted, this legislation will direct numerous
improvements to our Nation's security. However, I must
emphasize that the Department and TSA have demonstrated, over
time, a pattern of being dismissive and lax on implementing
requirements related to non-aviation security. Under these
circumstances, change will require significant oversight by
Congress, by my office, and the Comptroller General to ensure
that TSA and the Department take timely actions to implement
these improvements.
Madam Chairman, this concludes my testimony. I would
welcome any questions you or other members of the Committee may
have.
[The prepared statement of Mr. Roth follows:]
DHS OIG Highlights
Assessing the Security of our Critical Surface Transportation
Infrastructure
Why We Did This
The audits discussed in this testimony are part of our ongoing
oversight of the Transportation Security Administration (TSA). Our
reviews are designed to ensure efficiency and effectiveness of TSA
operations in order to fulfill both aviation and non-aviation-related
missions.
What We Recommend
We made numerous recommendations to TSA in our audit reports
discussed in this testimony.
What We Found
TSA has many responsibilities in addition to providing security for
our Nation's aviation passengers--including highway, freight and
passenger rail, mass transit, port security, and pipelines. However,
TSA has not considered these areas a priority, thus exposing the
traveling public and sensitive infrastructure to additional risk. This
testimony highlights several recent audits of TSA's non-aviation
security-related missions. Our findings include:
    TSA lacks an intelligence-driven, risk-based security
      strategy that informs security and resource decisions across
      all modes of transportation.
    TSA has not fully implemented internal controls that
      strengthen the reliability of port worker background checks.
    TSA has not implemented regulations governing passenger rail
      security, established a rail training program, nor conducted
      security background checks of frontline rail employees.
We believe that the Surface Transportation and Maritime
Security Act, if enacted, will assist in addressing a number of
the challenges facing the Department and direct TSA to correct
significant deficiencies in its programs and operations.
Agency Comments
We issued 10 recommendations that TSA concurred with and, in most
cases, has begun implementing corrective actions.
______
Prepared Statement of Hon. John Roth, Inspector General,
U.S. Department of Homeland Security
Chairman Fischer, Ranking Member Booker, and members of the
Subcommittee, thank you for inviting me to testify at today's hearing
regarding the security of our surface transportation infrastructure.
When the American public thinks of TSA, they think of the
Transportation Security Officer in a blue shirt instructing them to
remove their belts and shoes before going through security screening at
the airport. The truth is that TSA has a much broader responsibility to
also oversee and regulate our Nation's surface transportation modes--
highway, freight and passenger rail, mass transit, and pipelines--and
port security, to ensure the freedom of movement for people and
commerce. However, TSA's budget reflects the public perception of its
mission, allocating most of its resources to air passenger screening
and dedicating only a small portion to the vulnerable areas of
non-aviation.
Recently, the OIG has published three reports \1\ that identify
significant weaknesses in TSA's ability to secure surface
transportation modes and the Nation's maritime facilities and vessels.
Specifically, we identified issues with TSA's ability to identify risk
across all modes of transportation, the reliability of background
checks for port workers, and passenger rail security.
---------------------------------------------------------------------------
\1\ TSA Oversight of National Passenger Rail System Security
(OIG-16-91); TWIC Background Checks are Not as Reliable as They Could Be
(OIG-16-128); and Transportation Security Administration Needs a
Crosscutting Risk-Based Security Strategy (OIG-16-134).
---------------------------------------------------------------------------
TSA Needs a Crosscutting Risk-Based Security Strategy
TSA has many responsibilities beyond air travel, and is
responsible, generally through the use of regulation and oversight, for
surface transportation security. However, TSA focuses primarily on air
transportation security and largely ignores other modes. We found that
TSA does not have an intelligence-driven, risk-based security strategy
to inform security and budget needs across all types of transportation.
In 2011, TSA began publicizing that it uses an ``intelligence-driven,
risk-based approach'' across all transportation modes. However, we
found this not to be true. In an audit we released this past September,
we reported that TSA specifically designed this approach to replace its
one-size-fits-all approach to air passenger screening but did not apply
it to other transportation modes. Additionally, TSA's agency-wide risk
management organizations provide little oversight of TSA's surface
transportation security programs. TSA established an Executive Risk
Steering Committee which was intended to create a crosscutting,
risk-based strategy, which would drive resource allocations across all
modes. However, neither it, nor any of these entities place much
emphasis on non-air transportation modes.
We also found that TSA lacked a formal process to incorporate risk
into its budget formulation decisions. Despite the disparate
requirements on the agency, TSA dedicated 80 percent of its nearly $7.4
billion FY 2015 budget to direct aviation security expenditures, and
only about 2 percent to direct surface transportation expenditures. Its
remaining resources were spent on support and intelligence functions. A
formal process that incorporates risk into its budget formulation would
help TSA ensure it best determines and prioritizes the resources
necessary to fulfill its missions.
TSA concurred with our recommendations, and is working to create a
consolidated risk-based security strategy for aviation and surface
transportation modes. It also noted that efforts were made to improve
the budget process by conducting a series of crosscutting program
reviews and developing resource planning guidance. However,
notwithstanding that they have been working on this for a considerable
amount of time, TSA does not intend to provide us with its risk-based
security strategy until the last quarter of 2017. We also do not yet
have their formal budget planning process that uses risk to inform
resource allocations.
TSA Missing Key Controls within the TWIC Background Check Process
TSA--responsible for safeguarding our Nation's ports and maritime
facilities through the Transportation Worker Identification Credential
(TWIC) program--lacks key internal controls and this compromises the
TWIC program's reliability. These weaknesses leave our Nation's
seaports at risk for terrorist exploitation, smuggling, insider
threats, and internal conspiracies.
TSA provides background checks, or security threat assessments, for
individuals who need unescorted access to secure port facilities; and
issues a biometric identification card, also known as a TWIC. The
background check process for TWICs is the same as that of aviation
workers \2\ and drivers who need a Hazmat Materials Endorsement.\3\ It
includes a check for immigration-, criminal-, and terrorism-related
offenses that would preclude someone from being granted unescorted
access to secure facilities at seaports.
---------------------------------------------------------------------------
\2\ TSA Can Improve Aviation Worker Vetting (OIG-15-98)
\3\ Commercial drivers required to transport hazardous materials
must undergo a background check by TSA prior to receiving a hazardous
material endorsement on their Commercial Driver's License.
---------------------------------------------------------------------------
The Government Accountability Office (GAO) also reviewed the TWIC
program five years ago. In 2011, GAO identified key internal control
weaknesses in TSA's management of the TWIC background check process and
recommended the Department take significant steps to improve the
effectiveness of the program as a whole. Although TSA took some steps
to address GAO's concerns, our review--five years later--found that TSA
did not adequately integrate the security measures intended to identify
fraudulent applications into the background check process.
For example, TSA required enrollment staff to use a digital scanner
that could evaluate security features present on identification
documents and generate a score to help TSA determine if the document
was authentic. However, TSA did not collect or use these scores when
completing its background checks--nullifying the effectiveness of this
security measure. For those documents that could not be electronically
scanned, TSA required the staff at the enrollment centers to manually
review identity documents. However, TSA did not require that the staff
be trained at detecting fraudulent documents. When the enrollment staff
documented their observations of suspicious identity documents in TSA's
system, TSA did not have a standardized process for collecting,
reviewing, or using the notes when completing the background checks.
We determined TSA management's lack of oversight was the primary
reason the TWIC background check process had many control weaknesses.
At the time of our review, the TWIC background check process was
divided among multiple program offices so that no single entity had
complete oversight and authority over the program. Furthermore, the
lead program office for the program lacked key metrics to measure TSA's
success in achieving TWIC program core objectives. For example, the
measures in place focused on customer service, such as enrollment time
and help desk response time, rather than on areas like accuracy of the
background check itself. Since our review, TSA told us it realigned the
divisions responsible for the TWIC background check process in an
effort to provide better oversight and guidance and has begun making
improvements to strengthen the controls surrounding the background check
process. However, we have not validated the TSA's actions, so we do not
know whether this has improved the program's functionality.
TSA Delays Implementing Passenger Rail Security Regulations
TSA has failed to develop and implement regulations governing
passenger rail security required more than nine years ago by the
Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11
Act).\4\ Unlike the security presence that TSA provides air passengers
in airports, its responsibility for rail passengers rests in assessing
intelligence, sharing threat information with industry stakeholders,
developing industry best practices, and enforcing regulations. This is
particularly important due to the volume of passengers using this mode
of transportation and the unique challenges in the rail environment.
---------------------------------------------------------------------------
\4\ Public Law 110-53.
---------------------------------------------------------------------------
In Fiscal Year 2015 alone, Amtrak carried 31 million passengers
across the continental United States and Canada, and operated more than
300 trains daily. Additionally, Amtrak and other passenger rail
carriers operate in an open infrastructure with multiple access points
that make it impractical to subject all rail passengers to the type of
security screening that passengers undergo at airports. Notwithstanding
this, there were actions that TSA could have taken, but did not, that
would have strengthened rail security. Specifically, although required
to by the 9/11 Act, TSA neither identified high-risk carriers nor
issued regulations requiring those carriers to conduct vulnerability
assessments and implement DHS-approved security plans. TSA also did not
issue regulations that would require a railroad security training
program and security background checks for frontline employees.
Regulations to implement a training program are important to ensure
rail carriers have a mechanism in place to prepare rail employees for
potential security threats.
Furthermore, unlike aviation and maritime port workers, TSA did not
develop regulations requiring security background checks for rail
workers. TSA vets airport and maritime port workers who need unescorted
access to secure areas against the terrorist watchlist and immigration
status and criminal history information, and these processes are
consistent with the requirements in the 9/11 Act.
These very issues were identified in 2009 by GAO, which reported
that TSA had only completed one of the key passenger rail requirements
from the 9/11 Act. Seven years later, we identified that the same rail
requirements--a regulation for rail carriers to complete security
assessments, a regulation for rail security training, and a program for
conducting background checks on rail employees--remain incomplete.
Following the 2004 terrorist attack on a passenger train in Madrid,
Spain, TSA issued a security directive for Amtrak. That directive
required carriers to improve security procedures by designating a rail
security coordinator, reporting significant security concerns to TSA,
and allowing TSA to conduct inspections for any potential security
threats. TSA does conduct some limited inspections to verify carrier
compliance with these requirements. However, TSA does not enforce other
aspects of the security directive, such as the use of bomb-resistant
trash receptacles, canine teams, rail car inspections, and passenger
identification checks to enhance security and deter terrorist attacks.
Instead, TSA relies on Amtrak and other transit entities to implement
security measures if resources permit, and is even considering
rescinding these minimal requirements from the directive. Without
enforcing all security requirements, TSA diminishes the directive's
importance and carriers' ability to prevent or deter acts of terrorism.
In the absence of issuing formal regulations to implement the 9/11
Act requirements, TSA has developed and implemented a variety of
outreach programs and voluntary initiatives to strengthen rail security
for Amtrak. However, Amtrak is not required to participate or implement
TSA's recommended security measures because the initiatives are
voluntary. TSA's reliance on voluntary initiatives has created an
environment of reduced urgency to implement regulations governing
passenger rail security; to establish a rail training program; and to
conduct security background checks of frontline rail employees. If TSA
does not fulfill these requirements, it cannot ensure that passenger
rail carriers will implement security measures that may prevent or
deter acts of terrorism.
Pending Legislation
Many of the issues I've discussed today are addressed in the
Surface Transportation and Maritime Security Act. I want to thank the
Committee for introducing legislation to address a number of the
challenges facing the Department. We believe that if enacted, this
legislation will direct numerous improvements to our Nation's security.
However, I must emphasize that the Department and TSA have demonstrated
a pattern of being dismissive and lax on implementing requirements
related to non-aviation security, as illustrated in the attached
appendix. Under these circumstances, change will require significant
attention by Congress, the Inspector General, and the Comptroller
General to ensure that TSA and the Department take timely actions to
implement these improvements.
Future work
We will continue to audit and evaluate the Department's aviation
and non-aviation-related programs and report our results. Currently, we
are reviewing the effectiveness of TSA checkpoint screening, Federal
Air Marshal oversight of civil aviation, the TSA PreCheck enrollment
process, the TSA's Office of Intelligence and Analysis, and TSA's use
of the Sensitive Security Information designation. We are planning a
review of passenger security for cruise ships.
Madame Chairman, this concludes my testimony. I welcome any
questions you or any other members of the Subcommittee may have.
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]
Senator Fischer. Thank you very much.
Next, we have Chief Neil Trugman, who is the Interim Chief
of Police at Amtrak.
Welcome.
STATEMENT OF NEIL TRUGMAN, INTERIM CHIEF OF POLICE, AMTRAK
Mr. Trugman. Good afternoon, Madam Chair, Senator Booker,
and members of the Committee. Thank you very much for the
invitation to speak today. Amtrak takes its responsibility to
protect its passengers, employees, and patrons seriously. And
on behalf of Amtrak's new CEO, Mr. Charles ``WICK'' Moorman,
and the men and women of the Amtrak Police Department, I am
happy to discuss our efforts with you.
Amtrak serves more than 500 communities in 46 states,
carrying over 31 million travelers last year, which was a
record. APD was created to protect employees, passengers,
stations, and critical infrastructure. Uniform officers are the
most visible patrol presence, performing right-of-way
inspections, random passenger bag screening, and regular
patrols. They are supported by the Special Operations Division
that specializes in counterterrorism, countersurveillance, and
response tactics to include K-9 operations.
APD is a leader in the vapor wake K-9 program, which is
capable of detecting explosive particles in the air as someone
passes by. Our K-9 program of both conventional and vapor wake
detection dogs averages over 1,000 train rides a month.
Additionally, we coordinate with numerous local, state, and
Federal agencies, and Amtrak detectives are assigned to the
FBI, National Joint Terrorism Task Force at the National
Counterterrorism Center, as well as the JTTFs and key field
officers across the country.
We have also trained Amtrak employees and passengers to
spot suspicious behaviors and report the activity to the APD by
phone or text. The ability to leverage our skilled workforce
and our passengers contributes greatly to our safety and
security.
We have worked diligently in recent years to install
security improvements that align with the implementing
regulations of the 9/11 Commission Act, Section 1513(b), which
authorizes Amtrak to allocate its DHS grant funding to 22
permissible counterterrorism purposes. And Amtrak has undertaken numerous
initiatives, including adding K-9 teams; conducting DHS ISTEP
exercises, which are the Intermodal Security Training and
Exercise Program; and improving station security, surveillance,
and station hardening measures.
While some formal regulations are under development, Amtrak
has worked to comply with the spirit and affordable security
requirements of the Act, including security planning, risk
assessments, and employee training. Furthermore, we have
received the Gold Standard ranking from TSA after last year's
baseline assessment and security evaluation. This is TSA's
highest ranking.
Over the years, Federal investment to implement security
improvements aimed at protecting Amtrak's passengers,
employees, and infrastructure has varied. Amtrak receives
Intercity Passenger Rail grant funds through annual DHS
appropriations for security projects that are linked to
transportation security fundamentals as described in grant
funding guidance and are consistent with Section 1513 of the
9/11 Act. These areas generally fall into programs associated
with security best practices: planning and assessments;
infrastructure protection; security awareness, training, and
exercises; and operational packages and equipment.
In 2008 and 2009, Amtrak received over $25 million from the
Intercity Passenger Rail grant program, but since 2012,
appropriations have dropped to $10 million. At this level, the
ability of Amtrak to reduce risk and protect passengers is
reduced.
With sufficient funding, Amtrak could implement a wide
range of identified risk management solutions for
infrastructure protection, such as expanded video surveillance,
next-generation access control systems, and more high-security
fencing. The APD would be able to expand its K-9 program,
deploy additional security services, and increase the number of
screening teams nationally. These improvements would greatly
benefit the traveling public and ensure the Nation's investment
in Amtrak receives the protection it deserves.
I look forward to answering any questions you might have
about Amtrak's transportation security program.
Thank you.
[The prepared statement of Mr. Trugman follows:]
Prepared Statement of Neil Trugman, Interim Chief of Police, Amtrak
Good morning Madam Chair, Senator Booker and members of the
Committee. Thank you very much for the invitation to speak today.
Amtrak takes its responsibility to protect its passengers, employees
and patrons seriously, and on behalf of Amtrak's new CEO, Mr. Charles
``WICK'' Moorman, and the men and women of the Amtrak Police Department
(APD), I'm happy to discuss these issues with you.
Amtrak serves more than 500 communities in 46 states, carrying over
31 million travelers last year, a record, and we have carried more than
thirty million riders for the last six years. APD was created to
protect employees, passengers, stations, rolling stock and critical
infrastructure. Uniformed officers are the most visible patrol
presence, supported by a Special Operations Division that receives
special training in prevention, detection and response tactics. APD was
a leader in the ``vapor wake'' K-9 program, which is capable of detecting
explosive particles in the air after someone carrying them has passed.
APD performs counter-terrorism and counter-surveillance operations,
random passenger bag screening, and right-of-way patrols. Our K-9
program of both conventional and vapor wake detection dogs averages
1,000 train rides a month. We coordinate with numerous other local,
state, and Federal agencies, and Amtrak officers are assigned to the
FBI National Joint Terrorism Task Force at the National Counter-
Terrorism Center, as well as Joint Terrorism Task Forces in key field
offices across the country.
Passenger rail security differs fundamentally from aviation
security. Many railroad stations are a part of the urban fabric of city
centers. The largest stations are multi-modal, hosting busses, subways
and commuter rail with offices, food courts and retail establishments.
New York Penn Station hosts more rail travelers annually than the La
Guardia, JFK, and Newark Airports together. Daily commuting cycles
require a fundamentally different security solution than airports,
because urban terrain is different, and rail journeys are an organic
part of our travelers' daily schedule.
Conversely, small rural stations are frequently unstaffed and
provide access and connectivity between the Nation's heartland and its
cities through an intercity route system. Screening every passenger
prior to boarding in the passenger rail environment, as the airports
do, is not feasible without resources and technology railroads don't
currently possess. We do, however, employ a variety of tactics to
surveil key infrastructure and stations, while retaining robust
capability to surge resources and leverage partnerships in
unpredictable ways to complicate the task for an attacker. We
coordinate with other law enforcement agencies and the intelligence
community to respond to threats and adapt tactics in anticipation of
potential new threats. We have also trained Amtrak's employees and
passengers to spot and report suspicious behaviors including by phone
or text. The ability to leverage our skilled workforce and our
passengers contributes significantly to our safety and security.
We have also worked diligently in recent years to install security
improvements that align with the Implementing Regulations of the 9/11
Commission Act. Section 1513(b) authorizes Amtrak to allocate its DHS
grant funding to 22 permissible counterterrorism purposes, and Amtrak
has undertaken numerous initiatives, including adding K-9 teams,
conducting DHS-approved Intermodal Security Training and Exercise
Program (ISTEP) exercises, improving station security and surveillance
and station hardening measures. While some formal regulations are under
development, Amtrak has worked to comply with the spirit and affordable
security requirements of the Act, including security planning, risk
assessments and employee training. Furthermore, we have received a
``Gold'' standard ranking from TSA after last year's Baseline
Assessment and Security Evaluation. This is TSA's highest ranking.
Over the years, Federal investment to implement security
improvements aimed at protecting Amtrak passengers, employees, and
infrastructure has varied. Amtrak receives Intercity Passenger Rail
(IPR) grant funds through annual DHS appropriations for security
projects that are linked to transportation security fundamentals as
described in grant funding guidance, and are consistent with Section
1513 of the 9/11 Act. These areas generally fall into programs
associated with security best practices: planning and assessments;
infrastructure protection; security awareness, training and exercises;
and operational packages and equipment. In 2008 and 2009, Amtrak
received over $25 million from the Intercity Passenger Rail grant
program, but since 2012, appropriations have dropped to the $10 million
level.
At this level, the ability of Amtrak to reduce risk and protect
passengers is reduced. With sufficient funding, Amtrak could implement
a wide range of identified risk management solutions for infrastructure
protection, such as expanded video surveillance, next generation access
control systems, and more high security fencing. The APD would be able
to expand its K-9 program, deploy additional security services and
increase the number of screening teams nationally. These improvements
would greatly benefit the traveling public and ensure the Nation's
investment in Amtrak receives the protection it deserves.
I look forward to answering any questions you might have about
Amtrak's transportation security program.
Senator Fischer. Thank you very much.
Next, we have Mr. Chris Spear, who is the President and CEO
of the American Trucking Associations.
Welcome.
STATEMENT OF CHRIS SPEAR, PRESIDENT AND CEO, AMERICAN TRUCKING
ASSOCIATIONS (ATA)
Mr. Spear. Thank you, Chairman Fischer, Ranking Member
Booker, and distinguished members of the Subcommittee. Thank
you for the opportunity to testify today. My name is Chris
Spear. I am the President and CEO of the American Trucking
Associations, with a membership through our affiliated partners
of more than 30,000 companies and every type and class of motor
carrier operation.
The trucking industry is an integral component of our
nation's economy, transporting more than 80 percent of our
nation's freight and employing approximately 7 million workers
in trucking related jobs, including over 3.5 million commercial
drivers. It's also important to note that the trucking industry
is comprised primarily of small businesses, with 97.3 percent
of trucking companies operating 20 trucks or less and 90.8
percent operating six trucks or less. Most importantly, the
trucking industry now spends more than $9.5 billion each year
on safety enhancements to help ensure that drivers and
passengers of all vehicles make it safely to their destination.
ATA also places great emphasis on security, the topic of
today's hearing. Our focus is on strengthening transportation
security without undermining economic security. To do this, we
must rationalize the various credential requirements commercial
drivers use, whether it be one federally issued credential or a
credential with a Federal background check, such as a hazardous
materials endorsement, to satisfy any Federal regulation that
requires having a criminal history records check to operate in
a facility or to conduct certain operations.
Having drivers undergo multiple, duplicative screenings, in
our view, undermines our Nation's economic security by posing a
direct financial burden on drivers and motor carriers and
further depleting scarce Federal Government resources. Since
MTSA authorized TWIC in 2002, ATA has advocated a one
credential or screening, many-uses policy to balance the flow
of commerce without compromising the security of our Nation's
supply chain.
ATA strongly believes that the TWIC can serve as a
universal credentialing background check, as well as a physical
access control security mechanism at regulated port facilities.
If the role of TWIC is to prevent acts of terror from occurring
and to stop possible terrorists from obtaining access to secure
areas of MTSA regulated facilities, one could argue this
objective is being met. Yet the timeline for achieving this
goal is unsatisfactory at best.
Redundancy of security threat assessments has still not
been addressed. It has been 15 years since the tragic events of
September 11, yet commercial drivers are still required to get
a background check for TWIC, HME, and Free and Secure Trade, as
well as different airport checks. Imagine requiring two
separate cards for getting to and from the House and Senate.
That's just two locations. Now multiply that number by the
thousands, and we begin to understand what commercial drivers
and carriers face every day.
Adopting a one credential or screening, many-uses policy
would fix this problem. Absent this policy, ATA's highest
security priority will continue to be the multiplicity of
background checks and their associated costs and burdens.
Drivers must undergo these checks to perform their everyday
work responsibilities, including transporting hazardous
materials, delivering at maritime facilities, crossing
international borders, and transporting air cargo.
ATA has consistently supported a system and process that
provides for a criminal history records check through national
databases. Today's threats aren't against one or more states,
but America itself. In my previous life, I worked in the Middle
East; North Africa; Central Asia, including Iraq, Syria, and
Libya, and I've encountered elements that hold America in
disdain. They don't chant ``death to Nebraska'' or New Jersey.
They chant ``death to the United States.''
So if we're serious about protecting our homeland, then we
must eliminate reactive behavior that results in redundant
policies and practices. This is why the ATA supports the TWIC
as the potential single credential and Security Threat
Assessment that, in turn, can demonstrate and provide
compliance with multiple programs and regulations.
TSA has not yet provided for full recognition of one STA
for compliance with another regulatory STA, for instance,
permitting TWIC holders seeking an HME to follow their TWIC as
proof of already having an equivalent STA. This is a policy
that is supported statutorily by Section 1556 of the 9/11
Commission Act, whereas other Federal agencies, including DOD,
are accepting the TWIC for compliance with their credentialing
requirements.
ATA continues to voice its concern with GAO's suggestion
that Congress consider alternative credentialing approaches
which might include a more decentralized approach for achieving
TWIC program goals. A decentralized approach is inherently
flawed, will elevate security risks, inflict harm to our
economy, and further delay adoption of a one credential or
screening, multiple-use policy.
ATA supports the DHS serving as the primary authority in
coordinating and managing security programs affecting the
transportation sector. In that vein, harmonizing the
consolidation of the motor carrier requirements pertaining to
security background checks, security plans, security training,
and corporate security reviews is and remains an elevated
industry priority.
ATA also supports the Surface Transportation and Maritime
Security Act, S. 3379, recently introduced by this committee,
which would take steps to reduce costly and unnecessary
background check requirements on drivers, specifically by
allowing TWIC holders to obtain their hazmat endorsement
without the need for additional background checks.
A secondary security priority for the ATA is also
cybersecurity. This is an issue that we are very keen to
address, as it becomes more applicable to an integrated
trucking industry, and a topic that I would be more than eager
to take questions on today.
Protecting our Nation's critical infrastructure is a key
priority for the trucking industry, as it is essential to our
Nation's security and economic prosperity. Threats to our
Nation's roadways pose a danger to the motoring public and the
security of our complex supply chain. The ATA stands ready to
support Congress and DHS to be sure that enhanced national
security and the unencumbered flow of commerce remain
compatible priorities.
Thank you.
[The prepared statement of Mr. Spear follows:]
Prepared Statement of Chris Spear, President and CEO,
American Trucking Associations (ATA)
Introduction
Chairman Fischer, Ranking Member Booker and distinguished members
of the subcommittee, thank you for the opportunity to testify today on
``Assessing the Security of our Critical Surface Transportation
Infrastructure.'' My name is Chris Spear, and I am the President and
CEO of the American Trucking Associations (ATA). Founded in 1933, ATA
is the Nation's preeminent organization representing the interests of
the U.S. trucking industry. Directly and through its affiliated
organizations, ATA encompasses more than 30,000 companies and every
type and class of motor carrier operation.
The trucking industry is an integral component of our Nation's
economy, transporting more than 80 percent of our Nation's freight and
employing approximately 7 million workers in trucking-related jobs,
including over 3.5 million commercial drivers.\1\ It is also important
to note that the trucking industry is comprised primarily of small
businesses, with 97.3 percent of trucking companies operating 20 trucks
or less, and 90.8 percent operating six trucks or less.\2\
Approximately 80 percent of all U.S. communities depend solely on
trucks to deliver and supply their essential commodities.\3\ Most
importantly, the trucking industry now spends more than $9.5 billion
each year on safety enhancements to help ensure that drivers and
passengers of all vehicles make it safely to their destination.\4\
---------------------------------------------------------------------------
\1\ American Trucking Associations, American Trucking Trends 2016
(August 2016)
\2\ American Trucking Associations, American Trucking Trends 2016
(August 2016).
\3\ ATA staff developed the 80 percent figure by using the Rand
McNally Commercial & Marketing Guide (2001) numbers for rail service to
communities and calculating the inverse, ultimately deriving the number
of communities serviced by truck.
\4\ American Trucking Associations, (2016, June 26). Trucking
Industry Spends $9.5 Billion In Safety Annually. Retrieved from:
http://www.trucking.org/ATA%20Docs/News%20and%20Information/Reports%20Trends%20and%20Statistics/06%2028%2016%20%20Trucking%20Industry%20Invests%20$9%205%20Billion%20in%20Safety%20Annually.pdf
---------------------------------------------------------------------------
ATA also places great emphasis on security. Our focus is on
strengthening transportation security without undermining economic
security. To do this, we must rationalize the various credential
requirements commercial drivers use, whether it be one federally issued
credential or a credential with a Federal background check, such as a
Hazardous Materials Endorsement (HME), to satisfy any Federal
regulation that requires a criminal history records check to operate in
a facility or to conduct certain operations. Having drivers undergo
multiple duplicative screenings undermines our Nation's economic
security by posing a direct financial burden on drivers and motor
carriers and further depleting scarce Federal Government resources. In
short, this current and longstanding lack of coordination among Federal
agencies in harmonizing or coordinating screening requirements is not a
viable operating environment for motor carriers and commercial drivers.
The Problem with Alternative Credentialing Approaches
Since the Maritime Transportation Security Act (MTSA) of 2002 (Sec
102 of PL 107-295) authorized the Transportation Worker Identification
Card (TWIC), ATA has advocated a ``one credential or screening, many
uses'' policy to balance the flow of commerce without compromising the
security of our Nation's supply chain. ATA strongly believes that the
TWIC can serve as a universal credentialing/background check as well as
a physical access control security mechanism at regulated port
facilities. If the goal for TWIC is to prevent acts of terror from
occurring and to stop possible terrorists from obtaining access to
secure areas of MTSA-regulated facilities, one could argue that this
objective is being met. Yet the timeline for achieving this goal is
unsatisfactory at best. It has been 15 years since MTSA was enacted, 9
years since the TWIC final rule became effective, and still America has
to wait two more years before TWIC readers are to be fully implemented.
While one could argue that this is measurable progress, ATA believes
that we can and must do better.
Redundancy of security threat assessments has still not been
addressed. It has been 15 years since the tragic events of September
11, yet commercial drivers are still required to get a background check
for TWIC, HME and Free and Secure Trade (FAST), as well as different
checks for airports. Imagine requiring two separate cards for getting
to and from the House and Senate. That's just two locations. Now
multiply that number by the thousands and we begin to understand what
commercial drivers and carriers face every day. Currently, there are
2.1 million active TWIC cards out of more than 3.5 million issued.\5\
When dealing with over 700,000 drivers \6\ that have acquired the TWIC
since 2007, requiring access to thousands of sensitive sites throughout
the nation, the numbers tell the story.
---------------------------------------------------------------------------
\5\ Office of Inspector General; Department of Homeland Security
(2016). TWIC Background Checks are Not as Reliable as They Could Be
(OIG-16-128)
\6\ ATA staff was given this number by DHS, Office of Security
Policy and Industry Management
---------------------------------------------------------------------------
The Solution is TWIC
Adopting a ``one credential or screening, many uses'' policy would
fix this problem. Absent this policy, ATA's highest security priority
will continue to be the multiplicity of background checks and their
associated costs and burdens. Drivers must undergo these checks to
perform their everyday work responsibilities, including transporting
hazardous materials, delivering at maritime facilities, crossing
international land borders and transporting air cargo. ATA has
consistently supported a system and process that provides for a
criminal history records check through national databases. Today's
threats aren't against one or more states, but America itself. If we're
serious about protecting our homeland, then we must eliminate reactive
behavior that results in redundant policies and practices. This is why
ATA supports the TWIC as the potential single credential and Security
Threat Assessment (STA) that, in turn, can demonstrate and provide
compliance with multiple programs and regulations.
TSA has not yet provided for full recognition of one STA for
compliance with another regulatory STA, for instance permitting TWIC
holders seeking an HME to show their TWIC as proof of already having an
equivalent STA. This is a policy that is supported statutorily by
Section 1556 of the 9/11 Commission Act, whereas other Federal agencies
are accepting the TWIC for compliance with their credentialing
requirements. For example, the Department of Defense (DOD) has
established policy allowing commercial drivers transporting freight in
and out of appropriate military facilities to use a TWIC in lieu of
obtaining a DOD-issued Common Access Card (CAC). DOD acceptance of the
TWIC for such purposes is recognition of the strength of the TWIC STA
process and its compliance with Federal Personal Identity Verification
(PIV) standards used by millions of Federal employees.
The Government Accountability Office (GAO) issued a report three
years ago \7\ criticizing TSA's planning shortfalls for implementing
the TWIC reader pilot in a manner that did not yield usable information
due to data-collection challenges. While ATA recognizes that TSA faced
some technology challenges in collecting TWIC-reader functionality
data, we would also point out that certain facilities using the TWIC
readers successfully verified the credentials' status, identifying and
improving throughput for truck operations. Additional focus should be
given to facilities that have successfully implemented the TWIC
readers, utilizing the ``lessons-learned'' and applying them to other
facilities facing reader challenges.
---------------------------------------------------------------------------
\7\ Government Accounting Office (2013), Transportation Worker
Identification Credential: Card Reader Pilot Results Are Unreliable;
Security Benefits Should Be Reassessed, (GAO-13-695T)
---------------------------------------------------------------------------
ATA continues to voice its concern with GAO's suggestion that
Congress consider ``alternative credentialing approaches, which might
include a more decentralized approach for achieving TWIC program
goals.'' \8\ A decentralized approach is inherently flawed, will
elevate security risks, inflict harm to our economy and further delay
adoption of a ``one credential or screening, multiple uses'' policy.
Specifically, a decentralized approach would result in an environment
in which each state or location performs STAs and issues separate
credentials for truck drivers to access maritime facilities throughout
the country. Such a scenario would result in an increasingly
burdensome, inefficient and ineffective system for transportation
workers who work and operate at multiple MTSA-regulated facilities. In
contrast, the TWIC serves as a robust, nationwide, uniform STA that can
be utilized at multiple locations when matched with the appropriate
readers. For GAO to legitimately stand by its recommendation for
decentralization, it would first need to explain why DOD's command and
control administration of its CAC credential and the measurable
benefits it provides its holders around the world should do the same.
Such a suggestion would be baseless, just as it is for the TWIC
credential. The TSA and Coast Guard need to focus their efforts on
ensuring the successful deployment of TWIC readers nationwide rather
than creating a vast assortment of individual systems, which,
unfortunately, our Nation still has 16 years after TWIC was authorized
by Congress.
---------------------------------------------------------------------------
\8\ Federal Government Approaches to Issuing Biometric IDs: Hearing
before the Subcommittee on Government Operations of the Committee of
Oversight and Government Reform, House of Representatives, 113th
Congress (2013) (Testimony of Stephen M. Lord)
---------------------------------------------------------------------------
ATA supports the implementation of the TWIC readers to improve
security as well as throughput at maritime facilities for commercial
vehicles. ATA asks Congress to remain vigilant during the
implementation of the TWIC reader final rule, holding DHS accountable
for ensuring that personnel working throughout our country's critical
transportation infrastructure have been properly screened and continue
to be vetted through relevant databases. Moreover, when the credential
is utilized with the appropriate readers, it can ensure the validity of
the card, match the TWIC to the cardholder, and allow for improved
throughput when entering secure areas requiring these systems.
Some TWIC Progress Being Made
Setting the ATA's standing request for a ``one credential or
screening, many uses'' policy aside, there are specific instances of
progress with respect to TWIC that ATA can report to this subcommittee.
In 2014, ATA submitted written testimony to the Senate Committee on
Homeland Security and Governmental Affairs.\9\ At that time, we
provided an update on several challenges and opportunities facing the
full adoption of TWIC based on day-to-day experiences of the trucking
industry, including:
---------------------------------------------------------------------------
\9\ Evaluating Port Security: Progress Made and Challenges Ahead:
Hearing before the Committee on Homeland Security and Governmental
Affairs, Senate (2014)
---------------------------------------------------------------------------
    The excessively high cost of the TWIC;

    The extended time the application process requires of
      applicants, taking time off work twice; once to apply and
      provide the biometrics; and, a second visit to pick up the
      credential;

    The failure to expand TWIC's utilization to satisfy other
      Federal STA regulatory requirements, including identical STA
      programs within the Transportation Security Administration
      (TSA);

    The past lack of TWIC enrollment facilities nationwide to
      facilitate the enrollment of transportation workers who live
      far from either coast; and,

    The failure to implement the TWIC rule with its essential
      counterpart reader rule, annulling the credential's technology
      benefits and serving only as an expensive ``flash-pass.''
Since citing these five concerns in 2014, ATA is pleased to report
that it has witnessed moderate improvements. The cost of the TWIC just
two years ago was $129.50. It is now $125.25 for new applicants;
$105.25 for new applicants with a valid HME; and, a replacement card is
now $60.00. That said, the combined costs for TWIC and HME screenings
have well surpassed $200 million, paid for entirely by the trucking
industry as part of the overall cost to keep our Nation safe.
While the TSA website still cites an extended wait time of 4 to 6
weeks for applications to process, TWIC applications are now reportedly
being processed in as little as two weeks. Applicants also don't have
to take as much time off to acquire their actual credential. In July of
2014, TSA allowed for the ``one visit'' program to go national. The
second visit to pick up a TWIC from the enrollment center was no longer
required. Applicants could now have their TWIC or replacement TWIC
mailed to their home.
The failure to expand the utilization of TWIC has also improved
since 2014, but unfortunately not by much. Drivers with TWIC cards are
deemed to have met the requirements for the Personnel Surety Program
(PSP) under Chemical Facility Anti-Terrorism Standards of 2014 \10\ and
have the ability to use the TWIC to enter covered facilities and
installations.
---------------------------------------------------------------------------
\10\ Protecting and Securing Chemical Facilities from Terrorist
Attacks Act of 2014, Pub. L. 113-254. Sec. 2102, 128 Stat. 2909 (2014)
---------------------------------------------------------------------------
The lack of enrollment centers has been addressed by the contractor
as suggested in our 2014 testimony. Forty-one states now use the
universal enrollment for TSA and the fingerprint locations can also be
kiosks at state DMVs.
As for implementation of the reader rule, the U.S. Coast Guard put
out this rule in August of this year and it is currently expected to go
into effect August 23, 2018. The rule, however, uses a tier level
system, where only the highest level are required to use the readers.
If that occurs, many of ATA's members required to have TWIC may not
have their card scanned.
ATA members, specifically drivers and carriers, will continue to
serve on the front line where they experience the successes and
shortfalls of TWIC. That being the case, ATA will continue to update
Congress as well as provide comments to DHS and its agencies on these
and any other challenges that may arise to help improve the TWIC
program and balance the importance of transportation and economic
security.
ATA supports the DHS serving as the primary authority in
coordinating and managing security programs affecting the
transportation sector. In that vein, harmonization and consolidation of
motor carrier requirements pertaining to security background checks,
security plans, security training and corporate security reviews is and
remains an elevated industry priority. ATA also supports the Surface
Transportation and Maritime Security Act (S. 3379) recently introduced
by the committee, which would take steps to reduce costly and
unnecessary background check requirements on drivers, specifically by
allowing TWIC holders to obtain their hazmat endorsement without the
need for additional background checks. Such reforms will continue to
improve the efficiency of goods movement without hindering our national
security interests.
Cybersecurity
A secondary security priority for the ATA is the need to continue
harmonizing any security requirement on carriers to harden their
operations when transporting certain types of cargo or operating in
environments that require a higher degree of security. Trucking is not
exempt from the threats of cybersecurity. Our industry will continue to
work with service providers as well as government agencies to improve
our cybersecurity posture and make certain that our systems and
protocols are never compromised.
The number of cyberattacks throughout the country continues to
climb, compromising countless businesses and threatening consumer and
personal privacy. Moving the majority of our Nation's freight and
adopting more technology that our industry requires to remain
competitive and efficient makes trucking equally susceptible to cyber
threats. Trucking companies have already been victims of ``ransomware''
(i.e., locked out of their servers with demands for money to resume
access) and have had sensitive business information stolen.
In October, hackers initiated a denial of service attack that
caused a massive Internet outage, leading to widespread disruption of
commerce and usage among Americans who rely upon the Internet for a
wide variety of transactions. The trucking industry is ever mindful of
such threats, especially while the debate over autonomous vehicles
unfolds. While the potential of automated trucks to improve highway
safety and save lives is significant, so is the danger posed by cyber
criminals and terrorists. ATA will continue to advocate for a policy
framework on autonomous vehicles that will ensure public safety and
reduce threats to our Nation's infrastructure, while also encouraging
innovation in this rapidly changing environment where the benefits of
improving safety, reducing emissions and fuel burn, eliminating
congestion and increasing productivity may ultimately reside.
The ATA also supports voluntary supply chain security programs that
embrace stakeholder input, adopting best practices established by
industry, and offering motor carriers valuable benefits in exchange for
program participation. The sharing of information is yet another key
component of the private and public sectors working in partnership to
implement coordinated and integrated protective security measures.
Conclusion
Protecting our Nation's critical transportation infrastructure is a
key priority for the trucking industry, as it is essential to our
Nation's security and economic prosperity. Threats to our Nation's
roadways pose a danger to the motoring public and the security of our
complex supply chain. The ATA remains committed to working with DHS to
protect our highways from potential threats and mitigate the
possibility of a truck conveyance from transporting or being used as a
weapon. ATA has and will continue to actively participate as a member
of the Highway and Motor Carrier Sector Coordinating Council to work
with other industry stakeholders and our government partners to
identify and implement solutions to improve the security of our
Nation's critical surface transportation infrastructure. Regulation for
the sake of regulation, however, is not a solution. Security
regulations should continually seek to effectively balance national
security interests without hindering the efficient movement of goods
throughout our economy by placing undue burdens or costs on industry
and subsequently, consumers. In doing so, our increasingly connected
world and trucking industry require a mindset where cyber threats to
our Nation's infrastructure can be just as consequential to public
safety and our economy as physical attacks. The ATA stands ready to
support Congress and DHS to be sure that enhanced national security and
the unencumbered flow of commerce remain compatible priorities.
Senator Fischer. Thank you, Mr. Spear.
Next, we have Mr. Tony Straquadine--did I pronounce your
name right?
Mr. Straquadine. Yes, ma'am. That's correct.
Senator Fischer.--who is Manager of Commercial and
Government Affairs at Alliance Pipeline and a Representative of
the Interstate Natural Gas Association of America.
Welcome.
STATEMENT OF ANTHONY STRAQUADINE, JR., MANAGER,
COMMERCIAL, GOVERNMENT AFFAIRS AND MANAGING
U.S. OFFICER, ALLIANCE PIPELINE INC.
Mr. Straquadine. Good afternoon, Chairwoman Fischer,
Ranking Member Booker, and members of the Subcommittee. My name
is Tony Straquadine. I'm appearing before you today as a
representative of Alliance Pipeline and as a member company of
the Interstate Natural Gas Association of America, or INGAA.
Alliance Pipeline is a 2,400-mile integrated Canadian and
U.S. natural gas transmission system pipeline, delivering rich
natural gas from Western Canada and North Dakota's Bakken
formation to the Chicago market. We've been in commercial
service since December 2000 and deliver an average of 1.6
billion cubic feet of natural gas per day. Each and every day,
our staff focuses on the safe and reliable transportation of
natural gas for our shippers. The abundant and affordable
energy we transport is used for heating homes, creating
affordable electricity, and revitalizing American
manufacturing.
My testimony today will address a voluntary cybersecurity
architecture review recently completed by Alliance Pipeline
with staff from TSA and FERC's Office of Energy Infrastructure
Security. I'll also provide brief comments on Senate Bill 3379,
Surface Transportation and Maritime Security Act.
In August 2016, Alliance met for a two-day, voluntary
cybersecurity architecture review with members of FERC's Office
of Energy Infrastructure Security and TSA's Office of Security
Policy and Industry Engagement. This review was designed to be
a collaborative, non-regulatory approach that promotes secure
and resilient infrastructure through the sharing of information
and best practices.
The goal of the review was to gain a comprehensive
understanding of the entity's overall cybersecurity posture, to
identify potential areas of concern, and to articulate
actionable recommendations and observations that promote
positive change in the security posture of the reviewed
organization. This review encompassed all aspects of Alliance's
information systems and networks, including our industrial
control systems.
While this review was led by FERC's Office of Energy
Infrastructure Security, TSA staff actively participated to
better understand the risks and best practice recommendations
in the cybersecurity areas related to natural gas pipelines.
TSA acknowledged that they have much to learn, and Alliance
Pipeline supports TSA's effort to build their competencies in
this area. I would also like to acknowledge the FERC team for
their efforts in leading this review.
The outcome of this review was well received by all
parties, as Alliance Pipeline received over 60 best practice
observations and recommendations. Alliance is working to
implement many recommendations that have been prioritized to
ensure ongoing safe and efficient cybersecurity operations.
Alliance has also recommended that other pipelines in our
industry sector consider participating in a similar
cybersecurity architecture review.
Alliance Pipeline has reviewed S. 3379, and on behalf of
INGAA, we support this legislation with the following comments.
First, we support the creation of an advisory committee as
proposed in Section 8 of this bill but suggest that the broad
array of different transportation modes being represented under
one committee might limit more sector-specific expertise and
involvement in the Committee. We would suggest either formal or
informal subcommittees focused on specific sectors, such as
marine or pipelines, which would allow for greater involvement
within that sector in the advisory committee decisionmaking
process.
Second, we agree with the comments on the Transportation
Worker Identification Credential Program improvements and
oversights as contained in Section 17. We also support the
mission of TSA in their oversight role and look forward to
working with the agency as they add additional departmental
resources to interface with the pipeline sector, specifically.
With respect to both cyber and physical infrastructure
security in the pipeline sector, we'd like to note that the
energy pipeline industry is experiencing greater numbers of
threats from those who want to attack infrastructure as a way
to make a political statement about the use of fossil fuels.
These threats are potentially dangerous and disruptive, and we
note that to date, there has been a reluctance to prosecute
these perpetrators. This is creating an appearance of a risk-
free environment for future attacks on pipelines. Attacks on
pipeline infrastructure should be treated in a consistent
manner, whether those attacks are coming from a foreign state
or whether such attacks are coming from demonstrators bent on
making a dramatic impact with the media.
In conclusion, Alliance Pipeline supports improving
cybersecurity review capabilities of TSA as it relates to the
natural gas transmission pipeline industry. We also broadly
support S. 3379 with the above noted recommendations.
Madam Chair, thank you again for the opportunity to provide
insight into Alliance Pipeline's focus on maintaining safe and
reliable natural gas pipeline operations which results in the
reliable delivery of energy to heat our homes, fuel our
economy, and keep the lights on. I'd be happy to answer
questions at the appropriate time.
[The prepared statement of Mr. Straquadine follows:]
Prepared Statement of Anthony Straquadine, Jr., Manager, Commercial,
Government Affairs and Managing U.S. Officer, Alliance Pipeline Inc.
Good afternoon Chairman Fischer, Ranking Member Booker, and members
of the Subcommittee. My name is Tony Straquadine, and I am the Manager,
Commercial, Government Affairs and Managing U.S. Officer for Alliance
Pipeline Inc. I am appearing before you today as a representative of
Alliance Pipeline and as a member company representing the Interstate
Natural Gas Association of America (INGAA).
Alliance Pipeline consists of a 2,391-mile integrated Canadian and
U.S. natural gas transmission pipeline system, delivering rich natural
gas from the Western Canadian Sedimentary Basin and the Williston Basin
to the Chicago market hub. The United States portion of the system
consists of approximately 967 miles of infrastructure including the 80-
mile Tioga Lateral in North Dakota. Alliance has been in commercial
service since December 2000 and, through an innovative suite of
customer-focused services, delivers an average of 1.6 billion standard
cubic feet of natural gas per day. Each and every day, Alliance
Pipeline staff focuses on the safe and reliable transportation of
natural gas for our shippers; those who live and work near our system;
and our employees. The abundant and affordable energy we transport is
used for heating homes, creating affordable electricity, and
revitalizing American manufacturing.
As authorized under the Natural Gas Act, Alliance Pipeline is an
interstate natural gas pipeline certificated by the Federal Energy
Regulatory Commission (FERC). Alliance is also subject to pipeline
design and safety oversight by the Department of Transportation's
Pipeline and Hazardous Materials Safety Administration (DOT-PHMSA).
Natural gas pipelines also operate with the benefit of the guidance of
the Department of Homeland Security's Transportation Security
Administration (DHS-TSA). TSA's surface transportation pipeline program
is designed to enhance the security preparedness of the Nation's
natural gas pipeline systems and provide cyber risk management
information to surface transportation operations, including the U.S.
Computer Emergency Readiness Team (US-CERT).
My testimony today will address a voluntary Cybersecurity
Architecture Review recently completed by Alliance Pipeline with staff
from DHS-TSA and the FERC Office of Energy Infrastructure Security
(OEIS) staff. I will also provide brief comment on S. 3379, the draft
bill titled ``Surface Transportation and Maritime Security Act.''
Voluntary Cybersecurity Architecture Review
During August 2016, led by Alliance Pipeline's President and CEO,
Mr. Terrance Kutryk and senior Information Services staff, Alliance met
for a two-day voluntary Cyber Security Architecture Review (the Review)
with members of the FERC OEIS and DHS-TSA's Office of Security Policy
and Industry Engagement. This Review was designed to be a
collaborative, non-regulatory approach that promotes secure and
resilient infrastructure through the sharing of information and best
practices. The goal of the Review was to gain a comprehensive
understanding of an entity's overall cybersecurity posture, to identify
potential areas of concern, and to articulate actionable
recommendations and observations that promote positive change to the
security posture of the reviewed organization.
This Review encompassed the business environment, governance, risk
management, teams and programs, cybersecurity awareness and training,
supply chain security, and all company networks, including but not
limited to corporate and industrial control systems. While this review
was led by OEIS staff, DHS-TSA staff actively participated to better
understand the risks and best-practice recommendations in the
cybersecurity areas related to natural gas pipeline transmission
systems. DHS-TSA clearly acknowledged that they had much to learn in
the cybersecurity realm. Alliance Pipeline supports DHS-TSA's efforts
to build their competency in this area. I'd also like to acknowledge
FERC's OEIS team for their efforts in leading this Review.
In advance of this Review, Alliance completed an assessment against
the National Institute of Standards and Technology (NIST) Cybersecurity
framework. This NIST framework was acknowledged by OEIS as best
practice.
The outcome of this Review was well received by all parties
participating, as Alliance Pipeline received numerous best practice
recommendations offered by OEIS and DHS-TSA. Alliance is working to
implement many recommendations that have been prioritized to ensure
ongoing safe and efficient cybersecurity operations. Alliance has also
recommended that other pipelines in our industry sector consider
participating in a similar Cybersecurity Architecture Review.
Alliance Pipeline Comments on the Surface Transportation and Maritime
Security Act
Alliance Pipeline has reviewed the Surface Transportation and
Maritime Security Act (the Act) draft, dated September 21, 2016. On
behalf of INGAA, we support the legislation and offer the following
comments.
First, we support the creation of an advisory committee as proposed
in Section 8, but suggest that the broad array of different
transportation modes being represented under one committee might limit
more sector-specific expertise and involvement in the committee. We
would suggest either formal or informal subcommittees focused on
specific sectors, such as marine or pipelines, which would allow for
greater involvement within that sector in the advisory committee
decision-making.
Second, we agree with the transportation worker identification
credential improvements and oversight contained in Section 17.
We support the mission of TSA in their oversight role, but hope
that more emphasis can be placed on having adequate departmental
personnel in place to interface with the pipeline sector.
With respect to both cyber and physical infrastructure security in
the pipeline sector, we want to note that the energy pipeline industry
is experiencing greater numbers of threats from those who want to
attack infrastructure as a way to make a political statement about the
use of fossil fuels. These threats are disruptive and potentially
dangerous, and we note that to date there has been a reluctance to
prosecute the perpetrators. Our industry's concern is that this could
create the appearance of a ``risk-free'' environment for future attacks
on pipelines. Attacks on pipeline infrastructure should be treated in a
consistent manner, whether such attacks come from foreign states or
from domestic activists bent on doing something dramatic for media
attention.
Conclusion
Both Alliance Pipeline and INGAA support improving the
cybersecurity review capability of DHS-TSA as it relates to the natural
gas transmission pipeline industry. We also broadly support the Surface
Transportation and Maritime Security Act with the above noted
recommended modifications.
Madam Chair, thank you again for the opportunity to provide insight
into Alliance Pipeline's focus on maintaining safe and reliable natural
gas pipeline operations, which results in the reliable delivery of
energy to heat our homes, fuel our economy and help keep our lights on.
I would be happy to answer questions at the appropriate time.
Senator Fischer. Thank you very much.
Next, we have Mr. Tom Belfiore, the Chief Security Officer
of the Port Authority of New York and New Jersey.
Welcome, sir.
STATEMENT OF TOM BELFIORE, CHIEF SECURITY OFFICER, PORT
AUTHORITY OF NEW YORK AND NEW JERSEY
Mr. Belfiore. Thank you so much. Good afternoon, Honorable
Chair of the Subcommittee.
Senator Fischer. Good afternoon.
Mr. Belfiore. Thank you for this privilege today to speak
about the Port Authority's role in securing our critical
surface transportation assets.
The Port Authority of New York and New Jersey conceives,
builds, operates, and maintains infrastructure critical to the
New York-New Jersey region's transportation and trade network.
The assets we protect include six airports, including JFK,
Newark, and LaGuardia; two tunnels, the Holland and Lincoln
Tunnels; four bridges, including the George Washington Bridge;
the Port Authority bus terminal at 42nd Street and 8th Avenue
in Manhattan; the PATH rail system which moves 265,000
passengers each weekday; the ports of New York and New Jersey;
and, of course, the World Trade Center complex in lower
Manhattan.
Recent domestic and international events prove to us that
now, more than ever, we must be prepared to address ever-
growing, ever-evolving, and more lethal threats. The
transportation sector and critical infrastructure assets remain
as the most attractive targets of terrorist organizations and
lone actors. Particularly acute are the Port Authority's
assets, as we operate the Nation's largest airport system, the
busiest bus terminal, the most traveled bridge in the nation,
the East Coast's busiest ports, and secure the World Trade
Center.
The Port Authority employs a risk-based, intelligence-
driven, multi-layered security approach to protect these
critical infrastructure assets and all those who depend on
them. The layers in the methodology are: being intelligence-
led; measuring risk through a layered assessment process;
police prevention and interdiction methods; operational
security measures that include contract security resources; the
deployment of available and developing technologies; the use of
engineered hardening solutions; the Office of Emergency
Management to include response and recovery; strong Federal,
State, and regional partnerships and relationships; and, of
course, we measure our effectiveness, audit, and revise the
program constantly.
Our policing strategy is intelligence-led, as the Port
Authority Police Department has a presence in 28 Federal,
State, and local law enforcement task forces that include the
FBI Joint Terrorism Task Force in both the states of New York
and New Jersey. We are confident that we are connected to
receive important and actionable intelligence and information
in a timely fashion that will help us protect these critical
assets.
Our PAPD is a highly competent and professional police
agency that maintains a 24/7 command presence at our
transportation facilities and assets. Our policing methods
include routine uniform patrols, high visibility emergency
service unit patrols, the deployment of dedicated counter-
terrorism teams, as well as the assignment of explosive
detection K-9 units and radiation detection capabilities.
Our police presence is supplemented by a contract security
guard force of over 1,000 unarmed security officers who are
trained in behavioral recognition techniques and counter-
terrorism awareness. These security officers are posted at
critical locations throughout our facilities and also staff
multiple 24/7 security operation centers.
In addition to our human assets, we have made significant
investments in our capital security projects as directed by our
periodic program of risk assessments that inform our
investments to further strengthen our facilities. Since 2001,
the Port Authority has spent close to $9.9 billion on
operational and capital security measures. This includes over
$1.2 billion spent in asset hardening of critical
infrastructure.
For example, at our bridge facilities, we have protected
suspension and main cables. At our PATH rail transit
facilities, we have hardened our tunnels and have implemented
flood protection strategies. At our marine facilities, we have
installed complex access control and CCTV systems. We also
continue to partner with Federal agencies in piloting state-of-
the-art radiation detection technologies. In the coming years,
we plan to spend nearly another billion dollars to further
protect these assets.
The use of technology is of paramount importance. In
addition to our agency-wide surveillance system of more than
6,000 CCTV cameras, the Port Authority has invested in robust
card access control and alarming systems; perimeter and laser
intrusion detection systems; detection devices that help
protect against chemical, biological, and radiological threats;
a robust radio communication system that allows for
interoperability with our mutual aid partners and first
responders. The Port Authority operates a 24/7 cybersecurity
operation center that can receive alerts from our cyber defense
tools and respond to threats to our network and equipment.
The Port Authority has its own Office of Emergency
Management that is vital to this multi-layered protection
scheme. They lead our agency-wide business continuity program.
They manage and administer agency-wide security grants. They
also plan and execute agency-wide training and full scale
exercises. These remarkable training initiatives involve both
agency personnel and our regional first responders. To date,
over 27,000 Port Authority staff and regional partners have
been trained on such topics as active shooter response, PATH
rail emergencies, incident command, terrorism attacks, and
other hazards.
In order to maintain a prepared, unified, and accountable
security operation, the Port Authority regularly measures,
audits, and inspects programs and systems. These internal
auditing programs allow us to proactively identify and mitigate
issues and concerns before our adversaries can discover and
exploit them. Furthermore, in an effort to ensure independent
third party review, the Port Authority participates in the
Department of Homeland Security Safety Act Program. Since 2011,
we have received a number of Safety Act certifications and
designations.
So how can the Federal Government help? First and foremost,
we thank you so much for the help we have received. We cannot
do it without you. The Port Authority keeps security as a top
priority. A critical resource is the Federal Grant Program.
This funding source is essential to help us continue to protect
our facilities from these ever-changing and evolving threats.
A large source of funding comes from the Transit Security
Grant Program. In 2016, the maximum amount of funding through
this program was set at $87 million nationwide. Of course, an
increase in funding would allow transit operators to pursue
larger capital security projects. We are also very appreciative
of the efforts underway to extend grant duration periods from
three to five years, which can allow us to complete larger and
more complex security enhancements.
In closing, I would like to thank the members of this
subcommittee and our congressional delegation for their
dedicated, unwavering, and continuing support that allows us to
better serve our employees and customers and to better protect
our regional critical transportation infrastructure and
perhaps, most importantly, all those that depend upon it.
Thank you so much.
[The prepared statement of Mr. Belfiore follows:]
Prepared Statement of Thomas Belfiore, Chief Security Officer,
The Port Authority of New York and New Jersey
About the Port Authority
The Port Authority of New York & New Jersey conceives, builds,
operates and maintains infrastructure critical to the New York/New
Jersey region's transportation and trade network. These facilities
include America's busiest airport system, including: John F. Kennedy
International, LaGuardia, and Newark Liberty International airports,
marine terminals and ports, the PATH rail transit system, six tunnels
and bridges between New York and New Jersey, the Port Authority Bus
Terminal in Manhattan, and the World Trade Center. For more than ninety
years, the Port Authority has worked to improve the quality of life for
the more than 18 million people who live and work in New York and New
Jersey metropolitan region.
The Office of the Chief Security Officer
Created in 2012, the Office of the Chief Security Officer (OCSO) is
a department within the Port Authority and is responsible for providing
the highest quality public safety, facility security operations,
security program management, emergency management, and airport rescue
and firefighting training and services. Together, over 2,000 employees
ensure the security and safe movement of the Port Authority's
customers, partners, employees, and stakeholders every day.
I. Port Authority New York and New Jersey Transportation Assets
The Port Authority builds, operates, and maintains critical
transportation and trade assets that fall under our five (5) lines of
business:
Aviation
Rail
Tunnels, Bridges and Terminals
Ports
Commercial Real Estate
Our aviation assets include six (6) airports: John F. Kennedy
International Airport, LaGuardia Airport, Newark Liberty International
Airport, Teterboro Airport and Stewart International Airport. In 2015,
Port Authority airports moved an estimated 124 million passengers.
Our rail and surface transportation assets include the Trans-Hudson
Rail System (PATH), George Washington Bridge, Bayonne Bridge, Goethals
Bridge, Outerbridge Crossing, the Port Authority Bus Terminal, George
Washington Bridge Bus Station, Journal Square Transportation Center,
Holland Tunnel and Lincoln Tunnel. In 2015, the PATH system carried
over 76.5 million passengers; an average of 265,000 passengers per day.
Additionally, over 115 million vehicles travel over PA's bridges and
tunnels annually.
Port Authority also manages ports that transport vital cargo
throughout the New York and New Jersey region. The Port of New York and
New Jersey is the largest on the east coast and in 2015 moved over 3.6
million cargo containers.
The Port Authority also owns and manages the 16-acre World Trade
Center site, home to the iconic One World Trade Center.
The transportation sector and critical infrastructure assets remain
as the most attractive targets of terrorist organizations and lone
actors; particularly acute are the Port Authority of New York and New
Jersey assets, as we operate the Nation's largest airport system, the
busiest Bus Terminal and most traveled bridge (GWB) in the nation, and
the east coast's busiest ports. Outlined below are the tools and
strategies we deploy to ensure our assets and the people who rely on
them are safe and secure.
II. Our Multi-Layered Approach to Securing Our Assets and Protecting
the Public
The tragic events of September 11, 2001, remain the single most
important turning point in the role of security within the Port
Authority. Since that time, the Port Authority has spent close to $9.9
billion on operational and capital security measures. These
expenditures were guided by a robust risk-based, intelligence-driven,
multi-layered security approach to protect the Port Authority's
customers, the general public, employees, and critical infrastructure
by developing, implementing, and managing programs that preserve life
and property, increase safety and security, and support the Agency's
business objectives by strengthening our resilience and continuity of
operations. With these measures in place--there is no single point of
failure. Our multi-layered approach is explained in detail below.
Intelligence-Led
The Port Authority Police Department (PAPD) implements
intelligence-led policing to ensure our resources are effectively
deployed to prevent potential threats to our customers, employees, and
facilities. The PAPD has presence in 28 Federal, state, and local law
enforcement task forces, to include: the Federal Bureau of
Investigation Joint Terrorism Task Force (FBI JTTF) in New York and New
Jersey which allows for shared intelligence across many agencies; the
New York and New Jersey High-Intensity Drug Trafficking Areas (HIDTA)
taskforce and the New Jersey State Police Regional Operations
Intelligence Center (ROIC) that allows for the immediate exchange of
important, timely and actionable intelligence for both sides of the
Hudson.
Additionally, we have a stakeholder representative assigned
full-time to the New York Police Department's Lower Manhattan Security
Initiative. This unit is a key provider of day-to-day actionable
intelligence relative to routine conditions like large events and
demonstrations to current and emerging threats.
These combined resources result in the agile, flexible, effective
and efficient deployment of security and law enforcement resources that
are responsive to current and developing threats and conditions.
Risk Assessments
As the owner and operator of multi-modal transportation assets, it
is critical that the allocation of human and financial resources across
our various facilities be determined using a risk-based approach. To
that end, all-hazards risk assessments are performed on a regular basis
to better understand changes in threats and vulnerabilities related to
our facilities. Our periodic multi-hazard assessments look across all
Agency assets and prioritize our risk to inform security and resource
decisions across all of our transportation assets.
Police Interdiction Activities
The PAPD is comprised of over 1,900 uniformed police officers
operating across thirteen (13) Port Authority facilities. The
department also includes a Criminal Investigations Bureau, Special
Operations Division, which includes an Emergency Services Unit and a
Canine Unit (K-9), and an Aircraft Rescue and Firefighting component at
the Port Authority airports.
Through visible uniformed police presence and in partnership with
other law enforcement agencies, the PAPD suppresses crime and utilizes
counterterrorism measures to thwart potential adversaries seeking to
cause harm or disruption by way of an attack. PAPD also deploys high
visibility patrols and specialized services to enhance basic patrol
functions utilizing intelligence-led policing concepts.
Operational Security Measures and Security Agents
The Port Authority implements civilian security programs to
supplement our police department activities and increase the levels of
protection at our facilities. These programs safeguard Port Authority
facilities from threats to physical infrastructure, unauthorized access
to restricted areas, cybersecurity attacks, and breaches of protected
security information.
Security policies, procedures, and operating protocols are
ingrained at each of our facilities. A foundational element of
protecting our facilities is granting access to certain secure areas
only to authorized persons, after extensive criminal history checks are
conducted. At our airports, the Federal Secure Identification Display
Area (SIDA) program is utilized. For our maritime facilities, the
Federal TWIC program is in effect and we support efforts to make this
program as robust and reliable as possible.
We carry this model beyond where federally regulated to our other
surface transportation facilities including tunnels, bridges,
terminals, and rail facilities by requiring all third-party contractors
and service vendors to undergo criminal history checks as well.
Additionally, the Port Authority employs over 1,000 unarmed
Uniformed Contract Security Agents to guard our facilities and keep our
employees and customers safe.
Technology
A critical element of a robust multi-layered approach is the
development and maintenance of advanced technology systems to support
both security and resiliency. Significant investments have been made in
this area.
We employ an agency-wide video surveillance system of more than
6,000 Closed Circuit Television (CCTV) cameras with recording
capabilities. Access control systems and alarming are in use at each of
our facilities.
Perimeter intrusion detection systems are deployed at our airports
and a laser intrusion detection system is in use at PATH to detect
intrusions into our under-river tunnels from the track area.
Sensors and detection devices are in place in certain locations to
help protect against chemical, biological and radiological threats.
With regard to radio communications, the Port Authority has
invested over $110 million to deploy an agency-wide Police intra-
operable 800 MHz radio system at all its facilities, enabling PAPD
officers responding to an incident from a neighboring command (e.g.,
Holland Tunnel, Newark Airport, etc.) to talk seamlessly with other
PAPD officers assigned to a different command. Further, we have
deployed antenna networks carrying National Mutual Aid channels in both
the UHF and 800 MHz bands (``UTAC and 8TAC'') into the PATH underground
to assure radio inter-operability with our mutual aid partners, such as
NYPD, FDNY, and the City of Jersey City first responder agencies.
Lastly, we have created a new Cyber Security program to better
monitor and respond to suspicious activities occurring on our network,
therefore strengthening our capability to protect our critical
information and industrial control systems. The Port Authority operates
a 24/7 cybersecurity operations center that can receive alerts from our
cyber defense tools and respond to threats to our network and
equipment.
Engineered Hardening Solutions
Since September 11, 2001, the Port Authority has made over $1.3
billion in asset hardening investments. Although faced with the
challenge of retrofitting security features into existing facilities,
we have implemented a multitude of hardening solutions. At our aviation
facilities, we have placed bollards at all terminal frontages, enhanced
perimeter fencing, strengthened vehicular guard posts, and are
protecting terminal glass.
At our bridge facilities, we have protected suspension and main
cables, strengthened the supporting towers, and created standoff to the
bridge bases and piers from water-borne threats.
At our PATH rail transit facilities, we have installed tunnel
hardening and flood mitigation strategies, while also protecting key
rail support facilities with bollards, cameras, and access control.
At our maritime facilities, we have installed access control and
CCTV systems, systems to allow for Port-wide emergency notifications,
and enhancements to aid in evacuation of the Port. We continue to
partner with Federal agencies in the piloting of state-of-the-art
radiation detection technologies.
Office of Emergency Management
The Port Authority enhances resiliency, response, and recovery
through our Office of Emergency Management (OEM). The OEM champions
programs that provide the Port Authority with the resources, support,
and capabilities to prepare for, respond to, recover from, and mitigate
against all-hazards. The OEM is organized into three core mission
areas:
Emergency Management. Supports the Incident Command response
structure at Port Authority during events or incidents.
Additionally, responsible for all-hazard planning and training
for agency personnel and regional partners who will support our
response activities to emergencies at our facilities located in
New York and New Jersey. Through the use of tabletop and full-
scale exercise, over 27,000 Port Authority staff and regional
partners have been trained on such topics as Active Shooter
response, PATH rail emergencies, terror attacks and other
hazards.
Grant Management. Administers and manages all Federal and State
Homeland Security Grants that allow us to harden our assets,
invest in technology, initiate new programs, and provide for
enhanced police protective services.
Risk Management and Resiliency. Responsible for coordinating
and implementing the agency-wide all-hazard risk assessment and
overseeing the Port Authority Business Continuity program.
These programs are regularly adapted to meet the needs of the Port
Authority with an impact range that stretches from individual employee
preparedness to agency-wide, corporate-level resiliency.
Federal, State, and Regional Partnerships
The Port Authority understands the importance of maintaining strong
relationships with our Federal, State and local partners. These
cooperative partnerships are integral to our intelligence,
counterterrorism, cybersecurity, technology, and training efforts. The
support received through these partnerships helps us better secure our
assets and the information exchange is mutually beneficial to all
partners.
Measuring Effectiveness and Performance Assurance
In order to maintain a prepared, unified, and accountable security
operation, the Port Authority regularly measures, audits and inspects
programs and systems. This practice instills a culture of evaluating
the effectiveness and integrity of our systems and program performance.
The OCSO also maintains its own Quality Assurance Inspections program
that evaluates the physical protection strategies employed at the Port
Authority. These internal auditing programs allow us to proactively
identify and mitigate issues and concerns before our adversaries
exploit them.
Furthermore, in an effort to ensure independent third party review
of our security programs, the Port Authority actively participates in
the U.S. Department of Homeland Security (DHS) Safety Act program. To
date, Port Authority received six (6) awards for designation and one
(1) for certification at various facilities.
For 2015, TSA has awarded the PATH Security program its Gold
Standard for best practices in rail security.
III. How the Federal Government Can Help?
Grant Funding
The Port Authority keeps security as a top priority as evidenced by
the investments in resources it makes to that purpose. Currently,
agency-wide, 24 percent of personnel and 22 percent of the operating
budget are allocated to security. Since 2002, $1.3 billion has been
spent in capital security projects and another $900 million in capital
security projects have been identified for the coming years.
The Port Authority does not receive any tax dollar support from New
York or New Jersey and relies on agency generated revenues to support
our operations and capital program. So much of those resources are
claimed by maintaining our assets in a state of good repair, therefore
making Federal grant funding programs even more important to our
efforts to secure aging critical infrastructure from evolving threats.
A large source of funds for our capital security projects comes
from the Transit Security Grant Program (TSGP). In 2016, the maximum
amount of Federal funding through this program was set at $87 million
nationwide for all transit operators. This amount, when distributed,
can only fund smaller capital security projects. An increase in TSGP
funding would allow transit operators to pursue larger capital security
projects that would better reduce the risk to those who use our
facilities.
We are appreciative of the efforts underway to extend grant
durations to allow for delivery of complex security enhancements.
IV. Closing Remarks
In closing, I would like to thank the members of the Surface
Transportation and Merchant Marine Infrastructure, Safety and Security
subcommittee for inviting me to testify on behalf of the Port Authority
of New York and New Jersey.
The Port Authority operates the busiest and most important
transportation facilities in the region; as such, we take on the
tremendous responsibility of maintaining safety and security. The Port
Authority will continue to make enhancements to its policing and
security programs and systems in an effort to stay current and adapt to
the ever-changing threat landscape. I would like to thank our
congressional delegation for their continuing support that allows us to
better serve our employees and customers and better protect our
regional critical transportation infrastructure.
Senator Fischer. Thank you, sir, and my thanks to you and
all your officers for the work you do daily to protect
thousands and thousands of Americans and keep us safe. Thank
you.
Mr. Belfiore. Thank you, ma'am.
Senator Fischer. To begin with the first round of
questions, I'd like to explore cybersecurity. We heard two
gentlemen bring up cybersecurity in their comments, and I think
that's something that this committee is interested in, and a
number of other committees here in the Senate are as well. I
serve on the Armed Services Committee, and cybersecurity is a
big topic that we are looking at as well.
So, Mr. Straquadine, in your testimony, you mentioned the
growing concern with cybersecurity. Could you elaborate a
little bit upon that and how not only you work with the Federal
Government but if that partnership is open and beneficial, but
also how you work with other private entities and if you are
able to share information back and forth in order to better
combat the threats that are out there?
Mr. Straquadine. Thank you, Chairwoman. Certainly, we work
with the agencies--TSA with the responsibility for oversight--
but we were approached specifically by Federal Energy
Regulatory Commission Chairman Bay. He had stood up a team of
Office of Energy Infrastructure Security that had the
expertise. They do have regulatory oversight for the electric
utilities. They had done these reviews within the utility
world.
We were one of the first pipelines to welcome them in, with
TSA, to do this review, because we knew we could learn from
that. There are many things you know and many things you don't
know. The cyber world is ever-changing. So it was one that--
coming in with that review--that was well defined up front as a
collaborative, non-regulatory approach.
It was one that we shared--or we brought down our
information systems experts. Our CEO sat at the table for two
days to review this information, because, ultimately, he needs
to make the budget decisions to our board. And from that side
of things, it was very positive. In fact, I had my information
security team come to me and say, ``That was the best thing
we've ever done,'' because we could identify the immediate and
near-term threats and develop a plan and budget related to
that.
We also monitor the information security side that the TSA
has as far as their computer centers, or ICS-CERT centers, that
are available from a point of view of what's threatening
industry, in general, and we do share within our industry
within the INGAA association. We've done a----
Senator Fischer. When you receive a threat, when you
anticipate a threat, when you hear chatter that's out there of
possibilities of a threat to your infrastructure, you're able
to share that with other companies?
Mr. Straquadine. Yes, we are.
Senator Fischer. And do you also share that with the
Federal Government?
Mr. Straquadine. I believe we do through the ICS-CERT
process. We have not had that specific threat. We've recognized
no incremental or unique threats to our industry sector to
date. But we're aware, and we will utilize that process as
necessary.
Senator Fischer. And in your testimony, you said that the
TSA clearly acknowledged that they had much to learn in the
cybersecurity realm. What advice would you give to the TSA, and
what advice would you give to this committee about what the
priorities should be with regard to cybersecurity?
Mr. Straquadine. I believe the approach of collaboration
with companies to review their cyber approach with experts in
the field--and, clearly, that's where the FERC team has
demonstrated that expertise and has been supportive of doing
this effort, again, collaboratively reaching across to the
agency at TSA. It's unique, as I understand it, in the
government, but it's one that has worked well, at least from
what we've perceived and experienced, and what we've encouraged
our industry to participate in as well.
Senator Fischer. Thank you.
Mr. Spear, you in your comments just briefly stated that
you would like to discuss cybersecurity and would take any
questions. So I'm giving you that opportunity.
Mr. Spear. Certainly. I'd look at the trucking industry as
quite vast. It's becoming much more integrated as we adopt
electronic logging devices. The ability to manage fleets
nationwide, track them, manage them in a safe and productive
manner requires technology, and that technology is also in the
backbone of a network that could be vulnerable.
We've had instances of ransomware, servers held for
ransom, stolen customer data. We've had instances where we've
done tests on the ability to access a commercial vehicle's
brakes and accelerators. I know this committee has focused a
lot of time----
Senator Fischer. You said you did a test on that. That has
been----
Mr. Spear. There have been researchers at the University of
Michigan that have done a test to determine the ability to hack
into an industrial vehicle's accelerator and braking system. So
our industry is very focused on this issue, like the auto OEMs.
I know there has been a lot of attention on this committee
given to the autos, seeing that there have been instances where
vehicles have been hacked and control has been taken externally
from the driver. Imagine that happening to an 80,000-pound
commercial vehicle. That's something we certainly want to
avoid.
We're obviously watching very closely the autonomous
debate. It's an issue that we are coming to the table on. As an
industry working with our OEMs, our software providers, our
equipment providers, we see great promise to safety and
environment--less fuel burned, less congestion, driver
retention. There are a lot of benefits that could come out of
this technology.
But I think cybersecurity certainly is a question that we
believe needs to be answered up front. We're watching very
closely what the FCC does in terms of rewarding seven channels
of safety spectrum. We would like to see all seven channels go
to safety, not shared spectrum with Wi-Fi users. We don't feel
that that's something that we want to have compromised in the
operation of any vehicle, including commercial vehicles. So
this is a space where we believe we need to do more as an
industry and be certain that any integration of our systems are
not made vulnerable to outside interests and taken advantage
of, either for data or the control, actually, of a commercial
vehicle.
Senator Fischer. Thank you very much.
Senator Booker?
Senator Booker. With your permission, Chairman Fischer,
Senator Blumenthal has some conflicting commitments, and I
would like him to go before me.
Senator Fischer. Of course.
STATEMENT OF HON. RICHARD BLUMENTHAL,
U.S. SENATOR FROM CONNECTICUT
Senator Blumenthal. Thank you very, very much, Senator
Booker. I appreciate that courtesy, and thank you to both you
and the Subcommittee Chairwoman, Senator Fischer, for having
this hearing.
Before I begin, I really want to commend both of you for
your leadership and your efforts as Chairman and Ranking Member
of this committee in your work on the Surface Transportation
and Maritime Security Act--very, very important advance. Sorry
that it won't be passed during this session, but I think it
gives us a template for the next session, and I'm hoping that
we can bring it across the finish line next year.
I also want to join in your remarks, Senator Booker, in
effect, really lamenting the potential rollback that we see in
the CR on trucking safety and fatigue rules, which is very,
very unfortunate. I hope that we can remedy that point in the
next session as well.
And, finally, to echo your concern, Madam Chairwoman, on
the issue of cyber, as a member of the Armed Services
Committee, you'll recall that in our hearing recently with a
number of very expert witnesses on emerging threats and
national security, cyber was at the forefront, and both Senator
McCain and I attended a briefing of the Senate United States
Marine Corps Caucus, where the commandant's major concern, his
priority, was, in fact, or is now cyber and the prospect of
cyber attack and the need for cyber defense. So all of our
systems, utilities, finance, medical, and transportation very
much implicate the issue of cybersecurity.
I want to ask a question that involves the TSA,
specifically, the implementing recommendation of the 9/11
Commission Act, which dates from 2007. That law required the
Department of Homeland Security, through the TSA, to take
rigorous, robust action to stem the tide of terrorist threats
to transportation on our shores, including the surface
transportation network.
A lot of the focus has been on our skies and aviation
security, but the law required TSA to complete a number of
critical security mandates by August 2008 regarding rail and
surface transportation. And to be very blunt, the TSA is
nowhere near completing the necessary actions that will help
protect rail stations, transit facilities, bus stops, and other
critical points of transit and to prevent attacks on soft
targets throughout our surface transportation network.
There are three specific areas of concern that I have:
number one, ensuring high-risk target railroads have sufficient
security plans; number two, training, ensuring that public
transportation agencies, railroads, and bus providers have
training standards on security threats for their frontline
employees; and, number three, vetting, ensuring that public
transportation agencies and railroads conduct rigorous name-
based security background checks and immigration status checks
on all frontline employees.
TSA, unfortunately, has met none of these statutory
requirements. They are legal requirements in our statutes. And
I'm very concerned about this fact and have repeatedly demanded
answers from TSA about when it's going to comply with the law,
and the repeated answer has been, ``It's hard. It takes time.''
But in the meantime, what we see around the country and around
the world is, in fact, attacks on the soft targets, whether
they are the perimeters outside checkpoints at airports or some
of our rail and rail facilities and threats to them.
Mr. Roth, you share my many concerns, and in your
testimony, you referred to the DHS as--I'm quoting--
``dismissive and lax,'' end quote, in implementing
requirements. Is this particularly troubling after these
attacks that we've seen at train stations and rail stations
around the world, and how do we get DHS to take action?
Mr. Roth. I share your concern with this, and certainly in
my testimony--we put a chart in the back of my testimony that
shows the delays that TSA has had, notwithstanding the fact
that there have been numerous high profile rail attacks,
starting, in fact, with the 2004 Madrid attacks, that were very
concerning. The regulations that are required under the 9/11
Commission Act are all very common sense, and it would really
bring rail transportation on par with air transportation.
An airport has to have a security plan that's approved by
DHS. It seems common sense for railroads to have the same.
Airport workers have to have a background check that includes
terrorism screening. It seems very common sense that railroad
workers would have to have this. We pressed TSA on exactly what
the delay is, and we didn't get a good answer. We've got, I
think, the same answer that you have received, which is that
rulemaking is difficult. Yet they've made rules with regard to
airports, and they've made rules with regard to seaports, but
they somehow have not yet gone to surface. So I do share your
frustration.
Senator Blumenthal. And as you're aware--and Mr. Trugman is
especially aware--Penn Station actually handles half a million
passengers every day. Senator Booker and I are often among
them, or at least he is a rider of Amtrak. I know I see him
there all the time. But I go in and out of Penn Station, and I
sometimes wonder when I do, whether the security is adequate. I
see some of it there. There's no question that some of that
security is visible in the form of police and K-9s. It's the
busiest transportation hub in our country, busier than all
three airports combined.
My question to you, Mr. Trugman, is: Is Penn Station--
Amtrak owns it--really prepared?
Mr. Trugman. We are prepared, and we work really well with
our partners. It's a layered approach. All our employees are
trained. All our passengers--you see the videos that we have
when you're boarding the train. I thank you for your ridership.
Those are all part of the training that we get through the DHS
grant in our emergency corporate communications--corporate
security administration which we have, the EMCS.
You know, we work very closely with our NYPD, with the New
York State Police, and all the law enforcement community. The
intelligence that we get--because we're embedded in the JTTF in
New York and the national JTTF--is vital to protecting that.
The K-9 program is a very important part of that strategy, and
our counter measures with the counter-terrorism units that we
have is very--it's a layered approach, and we work well with
that.
Senator Blumenthal. And you would not disagree with Mr.
Roth that those TSA regulations are important?
Mr. Trugman. They're very important. But right now, we have
a great working relationship with TSA. We have the VIPR teams
that come to the stations, the FAMS that work in the stations,
not only in New York but across Amtrak. We work really well
with the Office of Intelligence for TSA. We're doing pilot
projects with the TSA Office of Requirement Capabilities
Assessment. We have an MOU with them. So we have a good working
relationship with the TSA.
Senator Blumenthal. I have a great working relationship
with the TSA, too. I admire the dedicated individuals who work
there, and I try to tell them all the time whenever I see them,
in the airports, particularly, how much I appreciate their hard
work. They are under-resourced, regulations are hard to do, and
they do take time. I just want them to do that part of their
job a little bit more expeditiously. But I share your respect
for them.
Thank you, Madam Chairwoman.
Senator Fischer. Thank you, Senator Blumenthal.
Senator Klobuchar?
STATEMENT OF HON. AMY KLOBUCHAR,
U.S. SENATOR FROM MINNESOTA
Senator Klobuchar. Thank you very much, Madam Chairman, and
thank you, Ranking Member Booker, for this hearing.
The terror threat against the commuter rail station in L.A.
yesterday reminds us that our transportation systems are still
a target. In fact, in an article in 2014 in al-Qaeda and the
Arabian Peninsula's terror recruitment magazine, Inspire, the
magazine provided instructions on how to make a bomb using
non-metallic materials, how to bypass TSA security, and all of you
know all too well, the threat that we face here. So that's why
I appreciate this hearing.
I want to take us a little away from where maybe most of
the people have been focused on, and this is to the Canadian
border, which borders my state. The Canadian National Railway
border crossing just east of International Falls in Minnesota
sees the most railroad cars of any crossing between the U.S.
and Canada, and you know $2 billion of goods go back and forth
between the two countries every single day and 350,000
passengers.
The improving economy and increased demand for imports and
Canadian crude oil has created a rail bottleneck at our
Minnesota-Ontario rail crossing. I've heard from my
constituents about significant delays. Some of the trains are
nearly two miles long and represent a challenge for people
getting to work and emergency vehicles that need to pass.
I guess I'd start with you, Inspector General. How is TSA
working with other government agencies and local partners to
address safety and efficiency, and what are some of the biggest
challenges that TSA faces?
Mr. Roth. Certainly, when it comes to ports of entry,
particularly land ports of entry on the northern border,
Customs and Border Protection has the lion's share of the role
in ensuring the efficient transport of people and material
across the border while at the same time maintaining security,
and it is an enormous challenge. Having toured the northern
border, including the Port of Detroit, which is also a very,
very busy port----
Senator Klobuchar. I've been there, yes.
Mr. Roth. They have enormous challenges, both with
manpower, with infrastructure, and the kinds of increases that
are necessary as trade increases. So I'm deeply sympathetic to
the CBP mission there and the challenges that they face. They
seem to manage, but I understand that there are challenges.
Senator Klobuchar. Right. Exactly.
My next question is, I guess, for you, Mr. Belfiore, as
well as the Inspector General. So what we passed last week, the
Cross Border Trade Facilitation Act, was a bill that Senator
Cornyn and I have led, which allows for public-private
partnerships to help improve infrastructure and increase the
number of Customs and Border Patrol inspectors at our land
ports of entry. There is significant support in the House as
well, and we believe this is going to become law. There have
been trials, and now this would permanently allow for these
partnerships.
CBP has a $5 billion budget shortfall, and that's why we
think engaging private partners to fill the gap for places
where they see this need for extra commerce security is
helpful. As I mentioned, we've got some major ports of entry in
our state.
Given budget constraints, I guess I would start with you,
Mr. Belfiore. How do you think this legislation can best be
used to improve transportation security at our ports of entry--
points of entry and ports?
Mr. Belfiore. So in speaking to those that run the ports
for the Port Authority of New York and New Jersey and
particularly those who are interested in security--of course,
we have a strong partnership with CBP and the U.S. Coast Guard
in what we do in trying to secure the ports. We think that
additional CBP presence is very important for the success of
that security program that we have.
In addition to that, there's also a business impact to the
presence of CBP in addition to, first and foremost, security.
It would allow for greater throughput and allow for probably
more hours of operation that would accommodate the growth that
the ports of New Jersey are currently experiencing.
Senator Klobuchar. Very good. Just turning to my last
question here on rail safety--and, by the way, I want to
welcome Mr. Straquadine--thank you so much--with the Natural
Gas Association of America, and Minnesota has a company. Thank
you very much. We appreciate that.
Mr. Straquadine. Thank you, Senator.
Senator Klobuchar. We move more than a million barrels of
oil by rail every day in Minnesota, and transporting hazardous
materials can pose a significant risk to surrounding
communities. And, of course, I hear concerns all the time from
communities, Inspector General, about delays, but also about
risks, and, of course, we've had some spills of not just oil,
but biofuels and other things over the years in Minnesota,
Wisconsin. I think people don't realize because of where we are
how much traffic we get from North Dakota and Canada and other
places.
We pushed in the FAST Act to have provisions to help local
governments to plan and respond to rail incidents. But I just
wondered if you could give an update on what training or
collaboration TSA is using with state and local security
partners for derailments or hazardous spills.
Mr. Roth. The authority for this is actually split between
TSA as well as the Federal Emergency Management Administration,
FEMA. FEMA focuses much on what would occur in a response sort
of environment, and we have not looked at that specific issue.
I know that the General Accountability Office is currently
looking at how FEMA is doing through that kind of collaboration
to determine whether or not they are prepared in the event of
oil spills.
I will have to say on the other part of it, the TSA part of
it, the surface transportation part of what TSA does has been
largely ignored by TSA. The focus has been almost exclusively
on aviation security and, candidly, almost exclusively on
checkpoint security, not even sort of insider threat kinds of
security as well. So the kinds of things that they could do,
they've missed the opportunities to do, including sharing
intelligence, sharing best practices, the kinds of things that
would prevent a spill from occurring in the first place.
Senator Klobuchar. Right. So you're talking about best
practices and more people at these locations, the facilities,
which is what Senator Cornyn and I are trying to get at with
our bill, when it comes to rail, is what you want to see.
Mr. Roth. That's correct.
Senator Klobuchar. Very good.
Do you want to add anything--our local guy?
Mr. Straquadine. I would just add that the challenge around
transportation of energy by rail is overcome by long-term
commitments to pipeline installations. While I represent the
natural gas industry, specifically Alliance Pipeline, the fact
is that oil by pipe is the safest, most efficient, and cost
effective way to move energy from a producing region to a
consuming or refining area.
Senator Klobuchar. And we have, as you know, some major
refineries in our state.
Mr. Straquadine. Yes, we do.
Senator Klobuchar. So some upgrades to the pipelines.
Mr. Straquadine. We do have wonderful oversight by the
Department of Transportation Pipelines Hazardous Material
Safety Administration that we work collaboratively with, from
our company's perspective, but much like we did in our
cybersecurity review with TSA and FERC. We reach out to PHMSA
to find best ways to learn how we can do things better and how
we can encourage them to look at best practices as well.
Senator Klobuchar. Thank you very much.
Thank you, everyone.
Thank you, Chief, as well.
Senator Fischer. Thank you, Senator Klobuchar.
Senator Booker?
Senator Booker. Just really quickly, a small issue but very
irksome, Mr. Belfiore. The Port Authority of New York and New
Jersey--shouldn't it be called the Port Authority of New Jersey
and New York?
[Laughter.]
Mr. Belfiore. I'll take that back, Senator.
Senator Klobuchar. This is like Fargo-Moorhead should be
called Moorhead-Fargo.
Senator Booker. I just want to make sure to get that on the
record, sir.
Mr. Belfiore. Yes, sir.
Senator Fischer. We need to make a lot of changes.
Senator Klobuchar. Yes, we need to make some changes right
here.
Senator Booker. Yes, right now, on the record. Let the
record reflect that he said he will go back and change that
immediately.
[Laughter.]
Senator Booker. Look, I have, like the good Senator from
Connecticut, a lot of respect for TSA and their workers. I
interact with them on a regular basis as my course of travel.
But, obviously, I'm very frustrated with some of the larger
issues in regards to the TSA. The agency has stated for years
that they use an intelligence-driven, risk-based strategy for
transportation security. But a recent DHS Inspector General
report found that the agency does not have a risk-based
strategy across transportation modes. This is very concerning
to me.
So, in your opinion, Mr. Belfiore, what are the
consequences for security for surface transportation, of the
TSA not using a risk-based strategy?
Mr. Belfiore. So, in being familiar with the IG's report
and Mr. Roth's report, I think it includes many important
recommendations. But, perhaps to me, the most important
recommendation is the adoption of an intelligence-led,
risk-based strategy across all of the areas of responsibility for
TSA.
I think that it's something that our office and the Port
Authority can wrestle with every day, as we are multimodal, and
there are only so many dollars, and we compete with the
importance of maintaining those critical assets and keeping
them in a state of good repair and taking those same dollars
and creating new development of very important transportation
assets, and at the same time, we need to secure what we have.
The best way to spend those precious dollars, we think, is with
the intelligence-led, risk-based methodology that we have.
So what it does for us is it looks for risks and threat and
vulnerability. It looks at what's in place to defend those
assets.
Senator Booker. I'm sorry to cut you off. This is what
frustrates me--and you are so gracious in being grateful to the
Congress for the grants that you all get for security. But my
opinion is that we are trying to do a lot with very little,
because we're not allocating our resources based upon the
threats to our country.
More people travel the Northeast corridor by rail than they
do by air. In addition to that, if you look at the targets in
the greater New York area, which is the number one target,
arguably, for terrorists--at least it's ranked that way by the
Department of Homeland Security as a high-risk region--you
understand--if you look at it in analysis of all the attacks
being carried out globally right now, since 2001, more than
1,900 attacks have been carried out against public
transportation systems globally, resulting in 4,000 deaths,
14,000 injuries. The attacks on metro stations, on rails--this
year, the attack on the Brussels metro station killed more than
a dozen people and injured more.
If we look at the pattern of attacks, globally, right now,
you're seeing them disproportionately focused on the
transportation modes that you're charged with protecting. Yet
the resources and the allocation of those resources are being
put in a way that seems to be contrary to any evidence-based
analysis of where we need to shore up these soft targets.
So the persistent threat to rail, to public transportation,
is not reflected in grant funding. In your opinion--and I know
how grateful you are for the Federal grant funding you get--
does the current amount of grant funding reflect the need that
your agency has for protecting vulnerable targets?
Mr. Belfiore. Well, the short answer to that, Senator, is
no.
Senator Booker. OK. And I'm mindful of my time, but, to me,
that really does turn us to your written testimony, which is,
to me, just shocking. It's actually shocking, your testimony,
to be able to say that we have a real problem, that we have
resources being poured into protecting from the last terrorist
attack, focusing on what has happened and not looking at the
pattern of what the enemy is actually doing. To me, that is
highly frustrating and alarming, that even when the 9/11
Commission clearly states the problem, we have done nothing
almost a decade later. Missing deadline after deadline, we've
done nothing to effectuate it.
Being that I savor my bipartisan relationship with Chairman
Fischer, my time has expired. I'm going to stop and keep going.
The graciousness of--let the record show that----
Senator Fischer. He's on a roll.
Senator Booker. So Congress actually passed legislation. I
feel like we're being responsible. And you said this, again, in
your testimony. We passed legislation about implementing the
9/11 recommendations. So there were several requirements in law
for TSA to issue regulations. This is astounding to me, that by
law, they've been required to issue regulations that would
provide direction to public transportation agencies, railroads,
bus companies on security training for frontline transportation
workers.
Your review, Mr. Roth, is so alarming, and I just want to
understand. I mean, I know what would happen, God forbid, if
what we see happening in European nation after European nation
were to happen here in the United States. But that's not what I
want. I don't want to be able to have people say, ``I told you
so.'' We need to get the job done and protect surface
transportation. Eight years after a law was passed, 8 years,
and the TSA has yet to issue proposed rules to implement the
9/11 Commission's recommendations.
So my first question to you is: What are the consequences,
in your opinion, or potential consequences, of their lack of
action? And your job as an IG is--is the TSA in any way back on
track to implementing those regulations?
Mr. Roth. To answer your last question first, they are not.
They can't give us a date as to when even they will submit the
regulations to OMB, which is, as you know, the first step in a
process of a long rulemaking process. So it's not even out of
the building yet for two of the most important of those
regulations. So I share your frustration with that. And,
really, what it is--it's illustrative of TSA, when they talk
about being risk-based, what they're talking about is they risk
base the passengers who come through screening. But they don't
do any risk-based approach to anything else that they do as
part of their job.
To give an example, they have the Federal Air Marshal
Service, which is a program that--the actual budget is
classified, but it's in the hundreds of millions of dollars,
multiple hundreds of millions of dollars for this program, for
Federal Air Marshals to sit there to ensure that nobody enters
a cockpit whose doors are locked. So the question is what risk,
exactly, are they trying to counter here? And the cost of that
program is astronomical.
So why aren't they, as sort of an entity, taking a look at
what are your threats, what is it we can do to counter those
threats, and then let's build a budget that will actually make
sense to counter those threats with programs that they put in
place. They have not done that. So it is particularly sort of
disingenuous for them to call themselves an
intelligence-driven, risk-based organization when, in fact, they are not,
not only across modes of transportation, but even within air
transportation.
Senator Booker. So, I mean, this is--I don't understand why
this sense of alarm is not greater in our country when, again,
we're watching the attacks our enemy is doing in other nations.
It's astonishing to me that we would--even the monies we are
allocating are so misallocated in proportion to what the actual
threats are.
This is not being done in an intelligent manner. This is
not being done in a systematic manner. It's not following
Federal regulations. It's not following Federal law. I mean,
I'm not sure if I'm seeing what seems to appear to me to be
willful disregard for the security and the safety of our Nation
by an agency so out of line, eight years out of line, with the
Congressional mandates.
You've been in this business for a long time. Give me some
recommendation about what Congress could be doing to get this
agency on track to protect the American people.
Mr. Roth. I wish I had some sort of silver bullet for you.
I think it's continued oversight, as I said in my testimony, by
the Congress, by my office, by the Government Accountability
Office. I don't have any good answers for you.
Senator Booker. You know, the people to your left, sir,
from the private industry to the sworn officers--they go out
there every single day, trying to protect Americans. You know,
I don't always agree with industry, as you heard from the
beginning. But, dear God, they're trying to keep their product
safe and people safe. And I see this from what happened in
Elizabeth, from what happened in Manhattan, that the threat
isn't gone. People are plotting right now, right now, against
this country, and we can't even make an intelligent allocation
of the assets we have and, arguably, from the documents that
you produced, are wasting millions of dollars, as you said,
with the security at doors, for a problem that could be solved
on a fraction of the cost and that money reinvested into
principal targets.
So I don't need another round. The last question I have, to
shift a little bit--Chief, I worry about--obviously, I'm a New
Jersey Senator, and I've seen what happened on 9/11, literally
watching it with my own eyes from where I stood in Newark, and
I worry about critical infrastructure not having redundancy.
So it has been billed as an infrastructure project, the
rail lines across the Hudson, the ones that are now crumbling,
in one of the most critical economic arteries of our country--
20 percent of our GDP in this region. Just for--quickly,
because I'm definitely treading on the grace of my colleague--
can you just--and this will be my final question. Why are those
tunnels not just important for infrastructure and the flow of
commerce and goods, but why are they important for the security
of the region?
Mr. Trugman. Well, they're very important. And, as you, I
was a young kid growing up in Brooklyn, New York, and watched
the building of those two towers. I never thought I'd watch
them crumble as a D.C. police officer. So I changed my whole
aspect in law enforcement that day.
The Gateway project and the tunnels they have now--we do--
again, I'll reference my layered approach. We have a layered
approach where we do right-of-way patrol to protect those
tunnels and the infrastructure that goes into Manhattan from
New Jersey. We have worked with our partners in Amtrak, with
the Emergency Management And Corporate Security office for
video systems, intrusion systems. We work very closely with our
partners. I can't stress that enough, from everything--I have a
detective assigned to the New Jersey Fusion Center. I have
detectives assigned to the JTTFs, as I testified. We work with
our partners at the New Jersey-New York Port Authority Police
Department, the New Jersey Transit Police, the New Jersey State
Police--just about every jurisdiction you can imagine.
Together, that's what keeps us safe, because we all work
together. We host meetings--the Northeast Corridor Coalition
with the intelligence groups from every jurisdiction,
basically, now, from Washington to Boston, to discuss what
we're seeing and what we need to prepare for. So I am confident
what we're doing is everything we possibly can do right now,
because the infrastructure, not just the tunnels, but the
bridges, are very concerning.
We work with the marine units from the New Jersey State
Police, from the D.C. Police Department to check some of the
bridges here in the city, and the aviation units. We've talked
to our aviation partners in the military and the police
departments to look out for our tracks. It's a simple--I get a
call from an aviation pilot who says, ``What do I look for?'' I
say, ``Anybody who's not wearing a hard hat or an orange jacket
or an orange shirt doesn't belong there.'' So it's that simple,
and that's what we do.
Senator Booker. Thank you, sir.
Thank you, Madam Chairwoman.
Senator Fischer. Thank you, Senator Booker. I'm going to do
a little cleanup if that's OK with you.
Mr. Roth, to follow up with my colleague's line of
questioning and his expressed frustration, do you think that
the TSA is even structured correctly? Do you have any comments
on that?
Mr. Roth. We haven't looked at that as a specific issue. I
know that, historically, before the current administrator of
TSA was there, it was a fairly stove-piped organization.
Certainly, when we looked at ground transportation security, it
seemed that that was stove-piped. In other words, there's a
Chief Risk Officer who is supposed to be looking at risk
enterprise-wide. We were able to show him documents, TSA
documents, that he had never seen before with regard to ground
transportation risk.
So there are certain stove pipes certainly within TSA. We
don't have any recommendations as to how to fix that, at least
in these reports.
Senator Fischer. Thank you.
Mr. Spear, some questions for you. In your written
testimony--and to follow up what Mr. Roth was talking about
right now with security at airports--you mentioned that the DOD
allows workers to transit in and out of military facilities
with their TWIC in lieu of additional credentials. Do you think
that's secure, first of all? And, second, how does it affect
efficiency?
Mr. Spear. Well, I do think it's secure. I actually had a
common access card with the DOD for a number of years. I've
used it all over the world, used it in the green zone in Iraq.
It's a phenomenal ID. It's great protocol, great command
control over the system. It's an outstanding example of how to
get it right.
Now, why we can't do the same thing with TWIC is beyond me.
I can tell you that after we left Iraq, the Iraqi government
adopted the same ID system that common access card utilizes.
This is my ID for the green zone, Iraqi ID, same chip, same
biometrics, same credentialing, and same protocol. Now, I would
argue that the Iraqi government is not a bastion for
efficiency, but why they are doing it better than TWIC is
beyond me.
So I think it's a living example of why--you know, to have
to wait 15 years since MTSA was enacted, 9 years since the TWIC
rule became final and effective, and we still have to wait two
more years for the reader rule to become final--I mean, how
long does it take to do an ID card?
Senator Fischer. You have a lot of different credentials
that drivers have to go through. I've got a list here. You've
got the TWIC. You've got the HME, which is hazardous material
endorsement. You have the free and secure trade.
Mr. Spear. That's correct.
Senator Fischer. Do drivers need all those? What is it like
for a driver to have to go through that process in time and
energy and cost? And let's get back to what we're worried about
here with security. Does it take all of these cards to make a
driver more secure?
Mr. Spear. In our opinion, no. As I said earlier, I think
protecting the homeland, to have a system that's seamless yet
secure--we've proven it. The common access card proves it. We
have living examples. We have other agencies like DOD that
allow TWIC to be used on base. Now, if we're allowing drivers
to access military installations with a TWIC card, I can't
understand why TSA can't get past this impediment and use it
seamlessly across the board for all MTSA facilities. It just
doesn't make any sense to me.
Our drivers, for instance, are frustrated by it. Right now,
they do need all these IDs. We would argue that they should
have one, and that it should be seamless, and it's proven that
it can be done securely. Our drivers--you know, to go through
the process to obtain an HME or a TWIC card--it takes time, and
if you put yourself in the role of a driver, they're out
driving. That's their job. So to take time to go to an
enrollment center and to go through this process is taking them
out of a situation where they're earning money and going
through this process to obtain the credential.
It has gotten more efficient, I will say. Since we last
testified before the Senate in 2014, the cost has come down,
the enrollment centers are much more widespread, and the time
that it takes, from 6 to 8 weeks, has actually been reported in
the field as a little more than two weeks in many instances. So
there are some pockets of improvement, but it's not across the
board.
I would also say that when they go to the enrollment
centers, there's a lack of parking. For a truck driver, that's
also a problem. So we have a truck driving parking problem
nationwide already, especially in the Northeast Corridor. These
enrollment centers don't accommodate that, either. So there are
a lot of impediments that they have to go through to get that.
But I think the real underlining thing that I would say is
that we have a chronic driver shortage. So for carriers that
are trying to get drivers to move hazardous cargo and go to
these particular sites that require multiple credentialing,
it's very problematic, very disruptive to their business, very
disruptive to the customers and to commerce, in general. So
these are impediments that I believe could easily be solved if
we'd just adopt TWIC universally.
Senator Fischer. Thank you, Mr. Spear.
Senator Booker, did you have other questions?
Senator Booker. Besides reminding Chief Trugman that when
he talks about New York-New Jersey transportation, it's not the
tunnels that go into Manhattan. It's actually the tunnels that
go into New Jersey, sir. So you should prioritize that
understanding.
[Laughter.]
Mr. Trugman. I stand corrected.
Senator Booker. Thank you very much, sir.
Senator Fischer. I see a common thread here today going
through.
Senator Booker. It's true. These New Yorkers don't
understand. But even their football teams don't play, actually,
in New York. They play in New Jersey, which is God's country,
sir.
[Laughter.]
Mr. Trugman. There's only one team that actually plays in
New York right now, and that's the Buffalo Bills.
Senator Booker. Yes, yes. I'm glad you understand that.
Thank you, sir.
Senator Fischer. Thank you, Senator Booker.
I would like to note that the hearing record will remain
open for two weeks, and during that time Senators are asked to
submit any questions for the record. Upon receipt, the
witnesses are requested to submit their written answers to the
Committee as soon as possible.
With that, I would like to thank all of you for being here
today. I appreciate you taking the time to offer us some
valuable information.
The hearing is adjourned.
[Whereupon, at 4:10 p.m., the hearing was adjourned.]
A P P E N D I X
Response to Written Question Submitted by Hon. John Thune to
Hon. John Roth
Question. How is TSA progressing towards a risk-based strategy for
non-aviation transportation systems? Your September 9 report identified
TSA's deficiencies in this area and made several recommendations. I
concurred with your concerns and in September introduced the Surface
Transportation and Maritime Security Act which would require TSA to
develop a risk-based strategy. Have you seen progress from TSA in
developing a strategy that first identifies the risks and then
determines the proper funding levels?
Answer. On November 21, 2016, TSA provided us with an update on the
actions it has taken to address the recommendations in our report, TSA
Needs a Crosscutting Risk-Based Security Strategy (OIG-16-134). TSA
indicated that it expects to complete a risk-based security strategy
that encompasses all transportation modes in the fourth quarter of FY
2017. TSA is also taking steps to integrate enterprise risk management
with resource planning and expects to complete this process by December
31, 2020. We will continue to monitor TSA's progress on addressing our
recommendations.
______
Response to Written Questions Submitted by Hon. Deb Fischer to
Hon. John Roth
Question 1. Mr. Roth, you referenced the 9/11 Act and that TSA has
not fulfilled several rail security directives, including identifying
high risk carriers. Has the TSA indicated its intention to carry out
these directives and strengthen rail security?
Answer. On November 29, 2016, TSA provided us with an update to the
recommendations we made in our report, TSA Oversight of National
Passenger Rail System Security (OIG-16-91). TSA has designated the
rulemakings as high priority and indicated it is making progress. On
December 16, 2016, TSA published two rulemakings in the Federal
Register:
    Notice of Proposed Rulemaking for Security Training for Surface Transportation Employees and
    Advance Notice of Proposed Rulemaking for Surface Transportation Vulnerability Assessments and Security Plans.
TSA anticipates a Notice of Proposed Rulemaking for surface
security vetting by the end of 2017.
Question 2. There are concerns about the GAO's recommendations for
``alternative'' credentialing methods, including the potential for a
decentralized system (whereby each entity has its own port security
systems). Can you elaborate further on these concerns?
Answer. We did not review ``alternative'' credentialing methods in
our audit, TWIC Background Checks are Not as Reliable as They Could Be
(OIG-16-128). However, during site visits at two ports, we observed
that port workers were required to have a valid TWIC as well as airport
issued credential to access certain port areas. We believe there could
be increased security risks if TSA adopts ``alternative'' credentialing
methods because the Department would have to provide oversight to
ensure the decentralized credentialing methods meet minimum security
requirements.
Question 3. What are your thoughts on the United States Coast
Guard's (USCG) August 2016 final rule that will require high-risk
category facilities and a vessel to incorporate an electronic TWIC
validation process, which includes a biometric check for high-risk
category facilities and a vessel, prior to entry into a secured area?
Answer. The final rule was published after we completed our audit
field work. Additionally, TWIC implementation at facilities and vessels
was outside the scope of our review, which focused on the TSA
background check process. GAO identified in its 2011 audit that unless
TSA strengthens its background check process, there is a risk that
someone can access a secured area with a fraudulently obtained TWIC
card whether or not the facility uses a card reader. We agree with
GAO's assessment.
Question 4. The August 2016 TWIC reader rule also states that,
while not required, a maritime operator can utilize electronic TWIC
inspection on a voluntary basis if they feel that this provides an
additional level of security protection--and many have chosen to
incorporate TWIC electronic readers into their USCG facility security
plans. Are you seeing the biometric check being utilized beyond the
category facilities that will be subject to USCG Final Rule?
Answer. Voluntary use of electronic card readers was outside the
scope of our audit. We attempted to obtain a listing of all facilities
that use electronic card readers for background informational purposes
only; however, USCG officials told us they were unable to provide that
information. We may pursue this topic during a future audit.
______
Response to Written Question Submitted by Hon. Cory Booker to
Hon. John Roth
Question. The Federal Government has a vital role in ensuring that
freight flow is not inhibited by a lack of security resources.
In order for our ports to perform efficiently, U.S. Customs and
Border Protection (CBP) must be adequately funded and staffed. In 2015,
when CBP was last funded to hire additional staff, only 20 of 2,000
staff were assigned to seaports. In addition to the obvious
implications for homeland security, this is also a supply chain
problem. When vessels cannot efficiently move through the customs
process, the delays can ripple throughout our Nation's supply chain.
Although there is no single solution to port congestion, the gap in
Federal investment is an issue that we have the ability to address.
What can Congress do to better match resources with the need to
secure our supply chain?
Answer. To determine CBP resources is a complex process. CBP uses a
three-pronged resource optimization strategy for improving port
operations. The workload staffing model is used to identify CBP's
staffing needs at ports of entry. The model takes into account
operational data from CBP information technology (IT) systems, as well
as information that program offices provide. CBP uses workload staffing
model results in its budget requests to increase user fees and request
additional staff. In 2014, we issued a report on CBP's workload
staffing model, U.S. Customs and Border Protection's Workload Staffing
Model (OIG-14-117), where we reported that the workload staffing model
methodology is sound, but the data from more than 25 IT systems used in
calculations may not be reliable. This calls into question predicted
staffing needs and shortages. We recommended CBP catalog, track, and
validate all data sources; and independently verify and validate
version 2 of the workload staffing model after its completion, to
ensure that it satisfies CBP's requirements and functions as CBP
intended. We are monitoring CBP's implementation of the recommendations
and expect completion by January 31, 2017.
To help mitigate staffing and other resource shortages, CBP relies
on technology for screening cargo shipments. Specifically, it uses the
Automated Targeting System to review, identify, and select cargo
shipments that pose a possible threat to national security.
Additionally, CBP relies on cross-agency coordination efforts to make
the supply chain more efficient. Our report, CBP's Houston Seaport
Generally Complied with Cargo Examination Requirements but Could
Improve Its Documentation of Waivers and Exceptions (OIG-15-64),
included recommendations that have strengthened controls in identifying
high-risk cargo shipments. CBP has also implemented recommendations in
OIG report, Inspection of U.S. Customs and Border Protection Miami
Field Office Ports of Entry (OIG-15-13) to improve Miami Field Office
Port of Entry operations for passenger screening, agriculture
safeguarding operations, and cargo targeting.
______
Response to Written Question Submitted by Hon. John Thune to
Neil Trugman
Question. Chief Trugman, will you discuss the security challenges
of the open environments we see in train stations and what TSA is doing
to help you ensure the safety of the traveling public?
Answer. Surface transportation as a whole remains an ``open''
environment because it provides a functional service for millions of
rail passengers and mass transit commuters. Because of the volume and
daily use of these systems, the maintenance of accessible and efficient
surface transportation is an essential requirement for the travel needs
of the public for the present and the future. Multi-modal, major Amtrak
stations like New York, Washington D.C., Philadelphia and Chicago alone
are utilized by hundreds of thousands of passengers, patrons and
members of the public each day. Surface transportation and its ``open''
environment is, therefore, a key part of this Nation's infrastructure.
Protecting Amtrak's passengers, employees, patrons and
infrastructure is challenging. The Amtrak Police Department relies upon
a three-pronged security philosophy--Prevention, Partnership and
Participation. Through these prongs, the Amtrak security platform is
established and developed through corporate security plans, Amtrak
Police deployments, collaborations with federal, state and local law
enforcement stakeholders, training and public outreach programs. The
Partnership prong, by necessity, is extremely important to Amtrak
because of its Federal mandate to operate an intercity rail system that
covers 500 communities in 46 states.
With TSA, Amtrak has found one of its most reliable partners to
help keep ``America's Railroad'' safe. Amtrak continues to consider our
relationship with TSA as good and supportive of the security strategy
that Amtrak employs. The following are examples of the types of regular
and ongoing support that TSA provides to Amtrak:
    Provision of TSA National Screening force personnel on a
        regular basis to major Amtrak stations to supplement Amtrak's
        random and unpredictable baggage screening program
    Use of FAM personnel to support undercover and surge
        operations
    Seminal Partner in RAILSAFE program
    APD participates in the TSA Mass Transit Peer Advisory Group
        (PAG) as part of one of the Sector-Specific Government
        Coordinating Councils created under the NIPP
    Daily exchange of intelligence and information sharing with
        TSA-OI and the APD AIT
    Identification of potential security risks and improvements
        through TSA BASE program
    Participation and support of TSA through HSEEP Exercise
        programs and training
    Strong programmatic relationship for coordination and
        support of IPR Grant/CA and NECDT programs
    Relationship with TSA as a Mass Transit Test Bed agency
    Cooperative approach on 49 CFR 1580 compliance regulations
______
Response to Written Questions Submitted by Hon. Deb Fischer to
Neil Trugman
Question 1. What are your thoughts on the United States Coast
Guard's (USCG) August 2016 final rule that will require high-risk
category facilities and a vessel to incorporate an electronic TWIC
validation process, which includes a biometric check for high-risk
category facilities and a vessel, prior to entry into a secured area?
Answer. Amtrak must qualify this response with the fact that it is
not typically under USCG regulation and for the most part is not
covered by TWIC regulations. As a result, Amtrak's experience is very
limited. Since the USCG final rule on mandatory use of electronic TWIC
validation process is defined to specific areas--facilities or vessels
with certain dangerous cargo (CDC) or with 1,000 or more passengers--it
would not seem to apply to Amtrak on most occasions even if such
regulations were applicable.
Amtrak would agree generally, however, that use of a biometric
check would increase the security levels of a facility or vessel.
Question 2. The August 2016 TWIC reader rule also states that,
while not required, a maritime operator can utilize electronic TWIC
inspection on a voluntary basis if they feel that this provides an
additional level of security protection--and many have chosen to
incorporate TWIC electronic readers into their USCG facility security
plans. Are you seeing the biometric check being utilized beyond the
category facilities that will be subject to USCG Final Rule?
Answer. Again, this does not apply to Amtrak at the current time.
Amtrak has not had any experiences in this area to share with the
Committee.
______
Response to Written Question Submitted by Hon. Cory Booker to
Neil Trugman
Question. The Federal Government has a vital role in ensuring that
freight flow is not inhibited by a lack of security resources. In order
for our ports to perform efficiently, U.S. Customs and Border
Protection (CBP) must be adequately funded and staffed. In 2015, when
CBP was last funded to hire additional staff, only 20 of 2,000 staff
were assigned to seaports. In addition to the obvious implications for
homeland security, this is also a supply chain problem. When vessels
cannot efficiently move through the customs process, the delays can
ripple throughout our Nation's supply chain. Although there is no
single solution to port congestion, the gap in Federal investment is an
issue that we have the ability to address. What can Congress do to
better match resources with the need to secure our supply chain?
Answer. Seaport and port supply chain security are not areas where
the Amtrak Police Department has typical duties and responsibilities.
The Amtrak Intercity Passenger Rail system does not intersect with
vessel and shipping related security issues as it does with other modes
of surface transportation like commuter rail and busses. However, the
Amtrak Police Department does collaborate and address security issues
with the USCG, state and local agencies with regard to Amtrak's
critical infrastructure in or over waterways like railroad bridges and
buttresses. Solid working relationships are maintained with these law
enforcement agencies and security matters are coordinated.
Generally, Amtrak agrees with the premise that more funding of
maritime security programs, like more funding of surface transportation
programs, is essential to improving America's homeland defense and must
be a key ingredient to maintaining and creating programs to prevent all
hazards events, including criminal and terrorist acts.
______
Response to Written Question Submitted by Hon. John Thune to
Chris Spear
Question. Mr. Spear, there has been a lot of discussion of the
TWIC program. I hear the program has progressed, but I am interested in
your thoughts. Is the TWIC program providing the verifications you need
and how would you like to see the program changed?
Answer. ATA continues to support the concept of a single,
federally-issued credential for transportation workers to satisfy
multiple security threat assessment (STA) requirements. The TWIC is a
robust, standardized credential that, when paired with appropriate card
readers, has the potential to serve as a valuable and effective tool to
enhance the security of our ports and other critical infrastructure.
Unfortunately, drivers with TWIC cards are still subjected to multiple,
identical STAs to obtain separate credentials in order to access other
highly secure facilities and haul hazardous materials. This has
resulted in the costly and inefficient environment that motor carriers
and drivers operate in today. So long as there is no one single,
universally-accepted credential, the full potential of the TWIC cannot
be realized.
Under the law, TSA may only perform STAs for a TWIC card on workers
``engaged in the field of transportation''. Recently, TSA amended its
legal interpretation of ``field of transportation'' to cover ``any
individual, activity, entity, facility, owner, or operator that is
subject to regulation by TSA, Department of Transportation, or the U.S.
Coast Guard, and individuals applying for trusted traveler programs.''
\1\ ATA supports this new interpretation which will greatly expand the
number of individuals in the coming years who apply and pay for a STA
and TWIC card. As more TWIC cards are issued, the establishment of the
TWIC as the single, national, uniform credential becomes more critical
in order to reduce inefficiencies and lift the burden of undergoing
duplicative background checks and obtaining multiple credentials.
---------------------------------------------------------------------------
\1\ 81 Federal Register No. 188; 66671-66672;
https://www.gpo.gov/fdsys/pkg/FR-2016-09-28/pdf/2016-23370.pdf
---------------------------------------------------------------------------
______
Response to Written Questions Submitted by Hon. Deb Fischer to
Chris Spear
Question 1. Mr. Spear, what type of policies would a Security
Threat Assessment include, in your opinion? In addition to a single
credentialing system, what other policies would streamline the security
process without degrading our security?
Answer. Currently, the Security Threat Assessment associated with
the TWIC and HME requires an FBI criminal history records check, a check
against the Terrorist Screening Database, proof of citizenship or
immigration status, and proof of identity. As far as the industry is
concerned, these checks are sufficient in determining whether an
individual poses a threat to national security.
Although a single credentialing process would maximize efficiency
while maintaining security, there are other ways to streamline the
process. The first would be better communication. The Department of
Homeland Security was created by the Homeland Security Act of 2002.
This Act brought 22 Federal agencies underneath this new cabinet level
department. We believe the department has worked through a number of
early concerns, but the industry still faces the situation of being
faced with a number of agencies regulating security.
If a driver is screened for a TWIC card, that screening should work
for an HME. The background check information used for that screening
should not be different, if that driver wanted to apply for TSA
precheck, for personal travel. Should there be a reason that a TSA
officer does not recognize that the TWIC can be used to board an
airplane? The agencies should coordinate their efforts, to minimize
overlap and reduce customer frustration. The ability to immediately
verify an applicant has been cleared and does not pose a security risk
to the Pipelines and Hazardous Materials Administration, should allow
for an expedited clearance with the Federal Aviation Administration.
Those databases should be able to communicate with one another.
Record keeping is another concern when it comes to streamlining the
process. Every five years a new set of fingerprints must be taken to
receive a TWIC. According to the Department of Homeland Security
Privacy Impact Assessment for the Transportation Worker's
Identification Credential,\2\ biometric records are retained on an
individual while they remain an active TWIC card holder. Upon
expiration of the TWIC, those records are destroyed. ATA believes that
if that individual would like to continue to transport commodities to
port facilities and renew their TWIC, the records should not be
destroyed but be retained for the length of the renewal.
---------------------------------------------------------------------------
\2\ U.S. Department of Homeland Security. Privacy Impact Assessment
for the Transportation Workers Identification Credential Program, Oct.
5, 2007. Available at:
https://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_twic09.pdf
---------------------------------------------------------------------------
Question 2. You mentioned in your written testimony concerns about
the GAO's recommendations for ``alternative'' credentialing methods,
including the potential for a decentralized system (whereby each entity
has its own port security systems). Can you elaborate further on these
concerns?
Answer. A decentralized approach would be disastrous from both an
operational and a cost standpoint. Allowing states and localities or
individual facilities throughout the country to establish their own STA
requirements and issue separate credentials could create confusion
regarding site-specific access requirements, especially for those
transportation workers who operate at multiple Maritime Transportation
Security Act (MTSA) regulated facilities. Furthermore, a decentralized
approach would only add to the costs already imposed on motor carriers
and drivers today. While establishing additional requirements and
credentials for access may be a boon for cash-strapped states and
localities, requiring a driver who holds a valid TWIC card to undergo
duplicative STAs would waste government resources and create an
increasingly burdensome and inefficient operating environment without
enhancing security. For these reasons, ATA continues to support the
``one credential or screening, many uses'' policy that Congress
envisioned when creating the TWIC nearly fifteen years ago.
Question 3. What are your thoughts on the United States Coast
Guard's (USCG) August 2016 final rule that will require high-risk
category facilities and a vessel to incorporate an electronic TWIC
validation process, which includes a biometric check for high-risk
category facilities and a vessel, prior to entry into a secured area?
Answer. In the final rule, the Coast Guard only requires ports
designated as ``Risk A'' facilities to install TWIC readers at access
points to secure areas. Facilities not designated as ``Risk A''
facilities are not required to install readers, but are required to
continue visually inspecting TWICs. Although ATA and its members
support the use of such risk-based approaches in developing security
regulations, in this particular situation, we are concerned about the
lack of uniformity in implementing TWIC readers throughout all
MTSA-regulated facilities.
For one, the lack of a uniform access process across MTSA-regulated
facilities could create delays resulting from uncertainty or
unfamiliarity with site-specific entry verification and inspection
processes, especially among commercial drivers who service multiple
ports during their operations. Secondly, installing TWIC readers at
additional MTSA-regulated facilities would eliminate the potential for
subjectivity by personnel visually inspecting TWICs at entry points.
Since readers to authenticate the card's validity, as well as the
driver's identity and status, will not be available at over 95 percent
of MTSA-regulated facilities, the overall security goal of the TWIC
card is undermined. Finally, motor carriers and commercial drivers have
invested heavily in applying and paying for what was promised to be a
high-tech, secure credential designed to be operated in conjunction
with electronic readers. In reality, however, what they have
functionally paid for is an expensive ``flash pass,'' since most
facilities will not have readers installed to make use of the card's
full potential.
ATA believes expanding the scope of the requirement to additional
MTSA-regulated facilities will further our shared goal of protecting
our Nation's critical transportation infrastructure, reduce confusion
at port secure entry points, and fulfill the promise of the TWIC card
program.
Question 4. The August 2016 TWIC reader rule also states that,
while not required, a maritime operator can utilize electronic TWIC
inspection on a voluntary basis if they feel that this provides an
additional level of security protection--and many have chosen to
incorporate TWIC electronic readers into their USCG facility security
plans. Are you seeing the biometric check being utilized beyond the
category facilities that will be subject to USCG Final Rule?
Answer. It is encouraging to hear that some operators recognize the
security and economic benefits that will come from installing TWIC
readers and have chosen to do so voluntarily. However, without a
requirement to install the TWIC readers, the vast majority of
facilities will continue to rely on subjective visual inspections that
will leave them vulnerable to security threats, undermining the goal of
the TWIC program and endangering critical infrastructure.
______
Response to Written Questions Submitted by Hon. Cory Booker to
Chris Spear
Question 1. The Federal Government has a vital role in ensuring
that freight flow is not inhibited by a lack of security resources.
In order for our ports to perform efficiently, U.S. Customs and
Border Protection (CBP) must be adequately funded and staffed. In 2015,
when CBP was last funded to hire additional staff, only 20 of 2,000
staff were assigned to seaports. In addition to the obvious
implications for homeland security, this is also a supply chain
problem. When vessels cannot efficiently move through the customs
process, the delays can ripple throughout our Nation's supply chain.
Although there is no single solution to port congestion, the gap in
Federal investment is an issue that we have the ability to address.
What can Congress do to better match resources with the need to
secure our supply chain?
Answer. First, there is no replacement for adequate investment in
our Nation's freight infrastructure, including our highways and ports.
Without it, the issues we face in terms of congestion and security
concerns will only grow, exacerbating already unacceptable challenges
for the trucking industry. You are correct that the Federal Government
has a vital role in ensuring that freight flows are not inhibited by
lack of resources and we urge the Congress to continue pushing for ways
to increase investment in our Nation's transportation infrastructure.
In the current environment of scarce Federal resources and
heightened security we must utilize the programs we have in place to
maintain the efficient movement of goods and secure the supply chain.
The SAFE Port Act of 2006 mandated that all agencies which require
documentation for clearing or licensing the importation and
exportation of cargo participate in ITDS (International Trade Data
System).\1\ ATA has long supported the development of ITDS to provide a
single window for all government agencies to gather data to clear cargo
entering the U.S. Presidential Executive Order 13659, issued in
February 2014, established specific guidelines and timelines for all
impacted government agencies to be ready to launch ITDS by December
2016. The automated commercial environment (ACE) is the platform
utilized by ITDS and will eventually become a one-stop shop for
international trade.
---------------------------------------------------------------------------
\1\ U.S. Customs and Border Protection. International Trade Data
System: Fact Sheet. Available at:
https://www.cbp.gov/sites/default/files/documents/itds_capab_2.pdf
---------------------------------------------------------------------------
Like many large undertakings, there are unforeseen mishaps and
delays on implementation. However, no progress has ever been gained
without setbacks. When ACE/ITDS is fully functional, it will allow for
enhanced safety and security, by providing visibility to additional
data and automated communications between government agencies, as well
as an increase in throughput by harmonization of information of
international shippers that are utilized by CBP and other PGAs.
Congress can assist the supply chain community by remaining
vigilant, holding the agencies accountable for maintaining deadlines,
and working with industry stakeholders to discover any inefficiencies
or achievements during the implementation process.
Question 2. The Transportation Worker Identification Credential--
known as TWIC--is issued by TSA to prevent unauthorized access to ports
and other maritime facilities. The TWIC program has faced many
criticisms, including several Government Accountability Office reviews
that found serious problems with the program that prevented the agency
from detecting fraud.
A recent DHS Inspector General report found that similar issues
still exist with the TWIC program at TSA. For example, the report found
that fraud detection continues to be an issue and that TWICs may be
issued even when questionable circumstances exist.
While the program has faced many criticisms, there have been
significant security improvements at the ports. Beyond the TWIC
program, what other actions are critical to securing ports?
Answer. Operational gridlock caused by systemic port congestion is
now an all too common occurrence at America's largest port complexes.
The resulting inefficient, time consuming and costly freight transport
process also serves to undermine efforts to better secure critical port
facilities. Until operational data is routinely collected and analyzed
regarding cargo loading and unloading, terminal gate and truck turn
times, container processing times, equipment availability etc., port
and stakeholder management will be unable to modify and improve port
operational performance. As a result, many key port complexes will
continue to operate at less than optimum levels and in the resulting
congestion, confusion and operational delays will continue to operate
in an environment that undercuts security programs centered on
maintaining a high degree of situational awareness and watchfulness.
The 2016 FAST Act included provisions that were intended to
identify and improve port operational data collection and use under the
jurisdictional leadership of DOT and the Bureau of Transportation
Statistics (BTS). Unfortunately, the mandated collaborative efforts of
the FAST Act's Port Performance Freight Statistics Working Group have
so far been unable to collect the types of and sufficient data for the
port operational database which can be used to better analyze and
modify-manage port activities that creates better value for the public
and all port stakeholders, including and especially the trucking
industry. While the Working Group continues to meet, failure to come
together and develop this database negatively impacts all stakeholders,
including government officials seeking to address port challenges in a
government and industry stakeholders work together to create this
database, congestion and delays will continue in the port freight sector
and implementation of security programs will never fully be reached.
Question 3. What role does technology play in improving port
security?
Answer. Technology is a critical and essential component to the
safety and security of all port facilities. With respect to technology,
port facilities and the trucking industry, TWIC readers are a key
example of how technology and the trucking industry interact on a daily
basis in support of security and efficiency at the entrances to many
port facilities.
Although, as previously noted in my testimony, TWIC readers are not
required at every port, many port facilities use hand held and
stationary TWIC readers as an added layer of security. The TWIC card on
its own amounts to a tamper-resistant, biometric and very expensive
flash pass. Upon entry to a facility, there is only a visual
verification of the person presenting the credential. In facilities
that use TWIC readers, there is confirmation that:
(A) The person presenting the card is verified by fingerprint
analysis;
(B) The card is authentic and issued by TSA; and
(C) The card has not been revoked or suspended.
ATA has long supported the use of the TWIC with the enhanced
technology of the TWIC readers at port facilities to better ensure the
safety and security of these critical locations to national security.
______
Response to Written Question Submitted by Hon. John Thune to
Anthony Straquadine, Jr.
Question. Mr. Straquadine, I understand the pipelines have worked
with TSA to educate their inspectors and that the pipeline industry is
satisfied with the overall relationship with TSA. Can you speak to what
is making this relationship successful?
Answer. The relationship between the pipeline industry and TSA
began very well. Much of the staff at TSA's Pipeline branch had
familiarity with the pipeline industry by either having experience at
NTSB, PHMSA or the pipeline industry itself. Many of the original
visits by TSA to over 100 facilities were very informative to both the
industry and TSA personnel. They shared a common goal of increased
security and resiliency. Performance based goals with real world
implementations are key to keep the focus on continuous improvement.
Many of the lessons learned in these assessments were shared in
combined TSA annual workshops that had significant participation from
industry security professionals. This allowed not only the visited
facilities to benefit from the common TSA assessments, but these
lessons learned to be communicated more widely to the industry.
While there have been reorganizations within the TSA, we have kept
that cooperative attitude and have welcomed new staff that have a more
diverse responsibility under the TSA management structure. The pipeline
industry understands that TSA is working to add additional staff
specific to this sector and we look forward to continued collaborative
efforts with the agency.
Alliance Pipeline has specifically adopted proactive outreach
efforts to build and maintain our relationship with the TSA. This works
because it is not an adversarial or regulatory one, but rather, a
collaborative approach with the agency. This relationship works well as
we discuss sharing threat information and industry response efforts
(such as the voluntary Cybersecurity Architecture Review discussed in
my Subcommittee testimony).
Alliance Pipeline has also obtained the appropriate level of
security clearances for key staff to ensure certain classified threat
information can be shared by TSA on a timely basis. This has resulted
in ongoing threat related briefings and updates related to our
industry/region specific threats.
______
Response to Written Questions Submitted by Hon. Deb Fischer to
Anthony Straquadine, Jr.
Question 1. Mr. Straquadine, in your written testimony you
described another type of security threat to our Nation's pipeline
system, ``political'' security threats. Can you elaborate on this risk
and how pipeline operators are working to address this challenge?
Answer. Congress anticipated that there may be security concerns
due to threats by outside parties and it directed the Department of
Transportation--Pipelines and Hazardous Material Safety Administration
(PHMSA) to develop regulations. This resulted in the establishment of a
PHMSA regulation addressing injuries or destruction of a pipeline
facility. In general, PHMSA has regulatory authority over pipeline
companies, but there are two exceptions in their regulations, which
include: excavators who damage a pipeline and the aforementioned
``political'' security threat activity. The following are
PHMSA-specific penalties:
Sec. 190.291 Criminal penalties generally.
(a) Any person who willfully and knowingly violates a provision
of 49 U.S.C. 60101 et seq. or any regulation or order issued
thereunder will upon conviction be subject to a fine under
title 18, United States Code, and imprisonment for not more
than five years, or both, for each offense.
(b) Any person who willfully and knowingly injures or destroys,
or attempts to injure or destroy, any interstate transmission
facility, any interstate pipeline facility, or any intrastate
pipeline facility used in interstate or foreign commerce or in
any activity affecting interstate or foreign commerce (as those
terms are defined in 49 U.S.C. 60101 et seq.) will, upon
conviction, be subject to a fine under title 18, United States
Code, imprisonment for a term not to exceed 20 years, or both,
for each offense.
(c) Any person who willfully and knowingly defaces, damages,
removes, or destroys any pipeline sign, right-of-way marker, or
marine buoy required by 49 U.S.C. 60101 et seq. or any
regulation or order issued thereunder will, upon conviction, be
subject to a fine under title 18, United States Code,
imprisonment for a term not to exceed 1 year, or both, for each
offense.
PHMSA has struggled with these particular enforcement requirements
for excavators. The TSA, which is no longer part of the Department of
Transportation, has no regulatory or enforcement authority. The other
branches of the Department of Homeland Security (DHS) do not typically
deal in enforcement matters. This leads then to the Federal Bureau
of Investigation (FBI) which has investigative authority, and the
prosecutorial responsibilities of the Department of Justice (DOJ).
In recently reported pipeline incidents, clear evidence was
available about the intended actions (typically documented on social
media), but it was difficult for the FBI to respond quickly to gather
the threat related information. While some of this evidence was
gathered, there was reluctance by the DOJ to move forward on
indictments based on the PHMSA authority. Rather, the specific pipeline
companies and local authorities are resorting to local statutes
concerning criminal trespass.
The security posture of many critical facilities is founded on a
deterrence strategy based on enforcement of penalties. Operators, local
officials and the FBI gather evidence about the potential crimes but
the enforcement is under the purview of the DOJ.
What are we doing to help? We are:
    Trying to educate disparate parts of the Federal Government
      as to the problem and assist in cross communication on the
      issue.
    Mobilizing our staff, neighbors, security equipment and
      consultants to correctly and quickly capture information for
      these cases.
    Trying to understand why there is a reluctance to prosecute
      these individuals and assist in removing these impediments for
      Federal agencies.
    Coordinating with regulatory agencies to improve warning
      signs at physical locations to emphasize the severe penalties
      for uninformed trespassers. (However, this effort does not
      inhibit informed perpetrators).
Question 2. The TSA administrator previously testified that the
agency spends just 3 percent of its budget on surface transportation
programs. Several of you mentioned the lack of interaction with TSA
staff in your statements. Can you tell us about your interactions on a
regular basis with TSA officials and staff? How could Congress improve
TSA interactions and guidance to surface transportation operators?
Answer. The pipeline industry supports TSA's efforts to fill open
management positions related to our industry sector. We have invited
the TSA to participate in industry tabletop exercises and reviews. Our
sector has been helping to review potential improvements to the TSA
Security Guidelines.
Alliance Pipeline staff with security clearance stay in routine
contact on the State and Federal level with TSA pipeline security
personnel and have access to the approved security databases,
appropriate to our industry. Alliance also supports TSA participation
in industry related exercises and reviews with TSA pipeline personnel
in our operating region.
Question 3. The August 2016 TWIC reader rule also states that,
while not required, a maritime operator can utilize electronic TWIC
inspection on a voluntary basis if they feel that this provides an
additional level of security protection--and many have chosen to
incorporate TWIC electronic readers into their USCG facility security
plans. Are you seeing the biometric check being utilized beyond the
category facilities that will be subject to USCG Final Rule?
Answer. The U.S. Coast Guard (USCG) initiated this TWIC card
effort, and while there may be some applicability to overall security
efforts, the inflexibility and cost of implementing this program seems
to be inhibiting wider use other than what is specifically mandated by
the Coast Guard. Applying the TWIC identification system outside of
USCG facilities seems to be faltering and other solutions that are more
flexible for more industries (e.g., electric utility industry) seem to
be gaining traction in a one-stop personnel identification process.
Alliance Pipeline specifically comments that the TWIC reader
program is an available security tool for USCG facilities and suggests
that broad adoption of this program for non-USCG facilities would NOT
enhance the security for land-based pipeline facilities. The security
infrastructure, training and company-level enforcement tools needed to
deploy this program for the pipeline industry as a whole would impose
an undue resource and financial burden on our industry with little to no
benefit to our security profile.
______
Response to Written Questions Submitted by Hon. Cory Booker to
Anthony Straquadine, Jr.
Question 1. The Federal Government has a vital role in ensuring
that freight flow is not inhibited by a lack of security resources.
In order for our ports to perform efficiently, U.S. Customs and
Border Protection (CBP) must be adequately funded and staffed. In 2015,
when CBP was last funded to hire additional staff, only 20 of 2,000
staff were assigned to seaports. In addition to the obvious
implications for homeland security, this is also a supply chain
problem. When vessels cannot efficiently move through the customs
process, the delays can ripple throughout our Nation's supply chain.
Although there is no single solution to port congestion, the gap in
Federal investment is an issue that we have the ability to address.
What can Congress do to better match resources with the need to
secure our supply chain?
Answer. Department of Homeland Security (DHS)--Transportation
Security Administration (TSA) needs to better match its resource
allocation to the actual transportation security threats in each
transportation mode. S. 3379 proposed such threat-analysis budgeting
for DHS-TSA, and the natural gas pipeline industry would support that
approach.
Question 2. As surface transportation assets become increasingly
automated and reliant on advanced technologies for their safe
operation, they also become more vulnerable to cyber-based attacks.
What steps are you taking to ensure that critical infrastructure is
protected against a cyberattack?
Answer. Natural gas pipeline systems are operated by using a
distributed control network topology with oversight from a centralized
Supervisory Control and Data Acquisition (SCADA) system. The
independent nodes can operate without the central system operating.
Within each node there are backup control systems that will maintain
set points. Safety systems and emergency shutdowns are independent of
the control systems and are not computer based.
The physical transportation of natural gas occurs at relatively
slow speed allowing significant time to respond to changes. Individual
pipeline operators may also include multiple system redundancies to
limit or minimize potential impacts associated with cyber threats.
As discussed during the December 7, 2016 Subcommittee hearing,
Alliance Pipeline participated in a two-day voluntary Cyber Security
Architecture Review with members of the Federal Energy Regulatory
Commission (FERC)--Office of Energy Infrastructure Security (OEIS) and
DHS-TSA's Office of Security Policy and Industry Engagement. This
Review was designed to be a collaborative, non-regulatory approach that
promotes secure and resilient infrastructure through the sharing of
information and best practices. The goal of the Review was to gain a
comprehensive understanding of an entity's overall cybersecurity
posture, to identify potential areas of concern, and to articulate
actionable recommendations and observations that promote positive
change to the security posture of the reviewed organization.
The outcome of this Cybersecurity Architecture Review was well
received by all parties participating, as Alliance Pipeline received
numerous best practice recommendations offered by OEIS and DHS-TSA.
Alliance is working to implement recommendations that have been
prioritized to ensure ongoing safe and efficient cybersecurity
operations. Alliance dedicates attention, expertise and resources to
reinforcing and maintaining its cybersecurity measures on a continuing
basis.
Question 3. What communication or coordination, if any, have you
had with Federal agencies to assist in the prevention of a cyberattack?
Answer. The primary information interface for the natural gas
pipeline industry is with the DHS--Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT). ICS-CERT's mission is to guide a
cohesive effort between government and industry to improve the
cybersecurity posture of control systems within the Nation's critical
infrastructure. ICS-CERT assists control systems vendors and asset
owners/operators to identify security vulnerabilities and develop sound
mitigation strategies that strengthen their cybersecurity posture and
reduce risk. They work to reduce risks within and across all critical
infrastructure sectors by partnering with law enforcement agencies and
the intelligence community and coordinating efforts among federal,
state, local, and tribal governments and control systems owners,
operators, and vendors. Additionally, ICS-CERT collaborates with
international and private sector Computer Emergency Response Teams
(CERTs) to share control systems-related security incidents and
mitigation measures.
https://ics-cert.us-cert.gov/About-Industrial-Control-Systems-Cyber-Emergency-Response-Team
ICS-CERT partners with members of the control systems community to
help develop and vet recommended practices, provide guidance in support
of ICS-CERT incident response capability, and participate in leadership
working groups to ensure the community's cybersecurity concerns are
considered in our products and deliverables.
ICS-CERT facilitates discussions between the Federal Government and
the control systems vendor community, establishing relationships that
foster a collaborative environment in which to address common control
systems cybersecurity issues. ICS-CERT is also developing a suite of
tools, which will provide asset owners and operators with the ability
to measure the security posture of their control systems environments
and to identify the appropriate cybersecurity mitigation measures they
should implement.
The natural gas pipeline industry has multiple communication
interfaces with both the ICS-CERT and the TSA. Specific incident
reporting interface for our industry is via TSA Transportation Security
Operations Center (TSOC) and FBI. The TSOC serves as TSA's coordination
center for transportation security incidents and operations.
Coordination within industry is also handled via Information
Sharing and Analysis Centers (ISACs). In December 2016, the Interstate
Natural Gas Association of America announced that its industry sector
had joined the Downstream Natural Gas Information Sharing and Analysis
Center as part of a continuing effort to enhance the security of its
members' physical assets and cyber networks. The Federal Government
promotes ISACs and Information Sharing and Analysis Organizations
(ISAOs) as a best security practice. They serve as a platform for
sharing cyber and physical threat intelligence, incident information,
analytics and tools. Critical infrastructure sectors use ISACs to share
comprehensive analysis within the sector, with other sectors and with
Federal and state governments. More than a dozen ISACs exist in the
United States, covering a wide range of industry sectors, including
electric, nuclear, financial, telecommunications, information
technology and water. The American Gas Association formed the DNG-ISAC
in 2014. The DNG-ISAC helps local natural gas utilities and natural gas
pipelines throughout the Nation share and access timely, accurate and
relevant threat information as part of their commitment to the safe and
reliable delivery of natural gas to the more than 177 million Americans
who rely on it to meet their daily needs. The DNG-ISAC works closely
with other energy-related ISACs.
http://www.ingaa.org/News/PressReleases/31333.aspx
In addition to the industry actions referenced above, Alliance
Pipeline is committed to maintaining its proactive and collaborative
approach with both FERC OEIS and TSA staff related to the recently
completed Cybersecurity Architecture Review. Alliance continues to
maintain an open dialogue with both FERC OEIS and TSA on this topic to
reinforce the actions taken as an outcome of this review and to share
best practices.
______
Response to Written Questions Submitted by Hon. Deb Fischer to
Tom Belfiore
Question 1. Mr. Belfiore, I appreciate the multi-layered approach
for port security that you outlined in your testimony.
As it relates to technology, how has that strengthened your ability
to ensure security in the recent past? What are some of the challenges
or risks associated with expanding security technology at ports? Does
that increase, for example, the risk of cyberattacks?
Answer. We consider security technology at all of our facilities as
a force multiplier, supplementing and at times replacing the need for
deployment of human assets. Technology allows for the effective,
efficient, and secure movement of cargo through our ports.
In recent years at our port facilities, we have greatly expanded
our network of CCTV cameras. The Port Authority also created a
``trusted trucker'' program known as SEALINK, where we capture data and
enroll trucking companies and their drivers to ensure only those having
actual business at our ports may enter.
Additionally, to assist with large-scale evacuations of the port,
we have deployed a port-wide siren and public address system, variable
message signage for evacuation notification, and highway advisory radio
to notify truckers.
The challenge to technology we find most is the cost of ownership.
Beyond the initial capital outlay, it is important that funds be
allocated for continued maintenance and recurrent operator training
over the long term. Cyber-attacks of course are a risk to any
technology system, but one that we believe can be largely mitigated
through an effective cyber defense program. The heavy reliance of the
maritime industry on electronic data transmission systems dictates the
need for strong and effective cybersecurity.
Question 2. Many have advocated for TWIC to serve as a one stop
shop for security credentialing. What do you think of this proposal for
other types of infrastructure, such as airports where the Port
Authority uses the Secure Identification Display Area program?
Answer. While a singular security credential across multiple modes
of transportation is seemingly attractive, we believe the TWIC program
would first need to be strengthened (as noted in the DHS IG's report)
and reconciled with the SIDA program before it serves as a replacement
to SIDA. There are several significant differences between the TWIC
program and the SIDA program that would need to be addressed. For
example, CFR 1542 governing airport credentials has a more extensive
list of disqualifying crimes. Further, the airport credential lookback
period for offenses is 10 years while TWIC appears to be 7 years.
Most importantly, the granting of a SIDA credential takes place on-
airport by Port Authority security staff with the analysis of
identification documents and criminal history records checks performed
by the same staff. The level of scrutiny afforded each applicant we
believe is superior to that which would be provided at a Federal TWIC
office.
Question 3. What are your thoughts on the United States Coast
Guard's (USCG) August 2016 final rule that will require high-risk
category facilities and a vessel to incorporate an electronic TWIC
validation process, which includes a biometric check for high-risk
category facilities and a vessel, prior to entry into a secured area?
Answer. We support the USCG effort to require an electronic TWIC
validation process and biometric check for entry into the Nation's
high-risk category facilities. We are pleased that the USCG followed a
risk-based model in assessing the need for these enhancements rather
than a ``one size fits all'' approach.
Question 4. The August 2016 TWIC reader rule also states that,
while not required, a maritime operator can utilize electronic TWIC
inspection on a voluntary basis if they feel that this provides an
additional level of security protection--and many have chosen to
incorporate TWIC electronic readers into their USCG facility security
plans. Are you seeing the biometric check being utilized beyond the
category facilities that will be subject to USCG Final Rule?
Answer. The areas of our port facilities for which the Port
Authority has direct security responsibility do not fall into the high-
risk category. Nevertheless, we are evaluating the prospect of
procuring handheld TWIC biometric readers (similar to those already in
use at our airports) for randomized use in our areas and at times where
we may assume an elevated security posture.
______
Response to Written Questions Submitted by Hon. Cory Booker to
Tom Belfiore
Question 1. The Federal Government has a vital role in ensuring
that freight flow is not inhibited by a lack of security resources.
In order for our ports to perform efficiently, U.S. Customs and
Border Protection (CBP) must be adequately funded and staffed. In 2015,
when CBP was last funded to hire additional staff, only 20 of 2,000
staff were assigned to seaports. In addition to the obvious
implications for homeland security, this is also a supply chain
problem. When vessels cannot efficiently move through the customs
process, the delays can ripple throughout our Nation's supply chain.
Although there is no single solution to port congestion, the gap in
Federal investment is an issue that we have the ability to address.
What can Congress do to better match resources with the need to
secure our supply chain?
Answer. U.S. Customs and Border Protection (CBP) has been very
creative in trying to manage their expansive mission with limited
resources. Most recently, CBP launched a program wherein certain
trusted vessels can begin cargo operations before the vessel is
officially cleared by CBP. This simple measure ensures that the
efficiency of the supply chain is unimpeded by insufficient resources
and we applaud CBP for taking those steps. In a similar fashion, CBP's
innovative Reimbursable Services Program authorized under Section 481
under the Homeland Security Act of 2002 and amended by the Cross-Border
Trade Enhancement Act of 2016 allows for private sector partners to pay
for the cost of CBP resources on overtime to ensure that the supply
chains can continue to flow uninterrupted. While this is an excellent
stop gap measure that can be used in extraordinary situations, it is
not sustainable for either the private sector or CBP.
In the Port of New York and New Jersey, the expectation is that
when the Bayonne Bridge Navigation Clearance Project is completed later
this year, the container terminal operators will need to expand their
hours of operation on a regular basis in order to efficiently handle
the surges of cargo that are anticipated. While the CBP Port Director
and her staff have been extraordinary partners in working with the port
community to address anomalies, they simply do not have sufficient
resources assigned to the Port to handle longer hours on a sustainable
basis to operate the Non-Intrusive Inspection equipment and scan 100
percent of the containers. A few options that Congress may consider are
as follows:
    Better allocate the existing and any additional resources
      based on risk--not just security risk but also economic risk.
      The container terminals in the Ports of Los Angeles and Long
      Beach for example are open up to 20 hours a day, 6 days a week,
      with full CBP staffing, while our terminals are currently open
      between 8-12 hours a day five days a week. This will put the
      PONYNJ at a competitive disadvantage in the future.
    Considering the volume of containers that move through the
      Radiation Portal Monitors (RPMs) each day and the manpower
      required to operate them as compared to the relatively low
      number of alarms that occur, investigate ways to remotely
      monitor the RPMs and respond to any alarms with a roving
      ``strike team.''
    Evaluate alternative locations for where the radiation
      scanning could take place. While some studies have been done to
      evaluate spreader bar mounted radiation detection so that the
      containers are scanned during the normal handling process, it
      is not clear what the status of those studies is or why they
      have not been further developed. CBP should also consider other
      choke points for where the RPMs could be placed so that each
      terminal doesn't have to have its own dedicated equipment and
      manpower.
Question 2. The Transportation Worker Identification Credential--
known as TWIC--is issued by TSA to prevent unauthorized access to ports
and other maritime facilities. The TWIC program has faced many
criticisms; including several Government Accountability Office reviews
that found serious problems with the program that prevented the agency
from detecting fraud.
A recent DHS Inspector General report found that similar issues
still exist with the TWIC program at TSA. For example, the report found
that fraud detection continues to be an issue and that TWICs may be
issued even when questionable circumstances exist.
While the program has faced many criticisms, there have been
significant security improvements at the ports. Beyond the TWIC
program, what other actions are critical to securing ports?
Answer. Significant security improvements have been made over the
last 15 years at our Nation's ports, and specifically within the Port
of New York and New Jersey. The successful ability to achieve effective
port security has been based on the development and deployment of a
layered system of measures that has integrated capabilities of
governments and commercial interests in port areas across the various
elements:
    national maritime security (securing and monitoring
      international sea/shipping lanes, and port entry areas)
    vessels/shipping (vessel security plans, safety and security
      boardings and inspections)
    maritime facilities/port terminals (facility security plans,
      outfitting and securing, safety & security inspections, drills
      and exercise)
    cargo (screening, scanning, inspections and securing)
    personnel/terminal workers/truckers (background checks,
      credentialing, training)
    intermodal mobility within and to and from port facilities
      (securing, training, inspections, drills and exercises)
Continued funding of the Port Security Grant program at proper
levels allows for the diverse and complementary physical security
measures to securing our ports and the over-arching maritime
transportation system.
Question 3. What role does technology play in improving port
security?
Answer. We consider security technology at all of our facilities as
a force multiplier, supplementing and at times replacing the need for
deployment of human assets. Technology allows for the effective,
efficient, and secure movement of cargo through our ports.
In recent years at our port facilities, we have greatly expanded
our network of CCTV cameras. The Port Authority also created a
``trusted trucker'' program known as SEALINK, where we capture data and
enroll trucking companies and their drivers to ensure only those having
actual business at our ports may enter. Additionally, to assist with
large-scale evacuations of the port, we have deployed a port-wide siren
and public address system, variable message signage for evacuation
notification, and highway advisory radio to notify truckers.
The challenge to technology we find most is the cost of ownership.
Beyond the initial capital outlay, it is important that funds be
allocated for continued maintenance and recurrent operator training
over the long term.
Question 4. As surface transportation assets become increasingly
automated and reliant on advanced technologies for their safe
operation, they also become more vulnerable to cyber-based attacks.
What steps are you taking to ensure that critical infrastructure is
protected against a cyberattack?
Answer. Cyberattacks, of course, are a risk to any technology
system, but one that we believe can be largely mitigated through an
effective cyber defense program. The heavy reliance of the maritime
industry on electronic data transmission systems dictates the need for
strong and effective cybersecurity. A few years ago, the Port Authority
launched a comprehensive cybersecurity program based on the Federal
NIST 800-53 standards and deployed additional cyber defense tools,
increased employee awareness and training, and has set out to implement
proper computing controls on all of its critical systems.
Question 5. What communication or coordination, if any, have you
had with Federal agencies to assist in the prevention of a cyberattack?
Answer. The Port Authority receives cybersecurity alerts from the
DHS Industrial Control Systems Cyber Emergency Response Team (ICS-
CERT), DHS United States Computer Emergency Readiness Team (US-CERT),
U.S. Secret Service, and DHS National Cybersecurity and Communications
Integration, and the FBI. We also frequently meet with the FBI, U.S.
Secret Service (quarterly), and DHS National Cybersecurity and
Communications Integration Center (monthly) to discuss Cybersecurity
related concerns. These entities also communicate to the agency via the
Port Authority Police Department members who are assigned to the JTTF.