[From the U.S. Government Printing Office via GPO Access]

S. Hrg. 107-550

SECURING OUR INFRASTRUCTURE: PRIVATE/PUBLIC INFORMATION SHARING

=======================================================================

HEARING
before the
COMMITTEE ON GOVERNMENTAL AFFAIRS
UNITED STATES SENATE
ONE HUNDRED SEVENTH CONGRESS
SECOND SESSION

MAY 8, 2002

Printed for the use of the Committee on Governmental Affairs

U.S. GOVERNMENT PRINTING OFFICE
80-597
WASHINGTON : 2003

For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov
Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250
Mail: Stop SSOP, Washington, DC 20402-0001

COMMITTEE ON GOVERNMENTAL AFFAIRS

JOSEPH I. LIEBERMAN, Connecticut, Chairman

CARL LEVIN, Michigan                    FRED THOMPSON, Tennessee
DANIEL K. AKAKA, Hawaii                 TED STEVENS, Alaska
RICHARD J. DURBIN, Illinois             SUSAN M. COLLINS, Maine
ROBERT G. TORRICELLI, New Jersey        GEORGE V. VOINOVICH, Ohio
MAX CLELAND, Georgia                    THAD COCHRAN, Mississippi
THOMAS R. CARPER, Delaware              ROBERT F. BENNETT, Utah
JEAN CARNAHAN, Missouri                 JIM BUNNING, Kentucky
MARK DAYTON, Minnesota                  PETER G. FITZGERALD, Illinois

Joyce A. Rechtschaffen, Staff Director and Counsel
Larry B. Novey, Counsel
Kiersten Todt Coon, Professional Staff Member
Richard A. Hertling, Minority Staff Director
Ellen B. Brown, Minority Senior Counsel
Elizabeth A. VanDersarl, Minority Counsel
Morgan P. Muchnick, Minority Professional Staff Member
Darla D. Cassell, Chief Clerk

C O N T E N T S

Opening statements:                                                   Page
    Senator Lieberman .................................................. 1
    Senator Thompson ................................................... 2
    Senator Bennett .................................................... 4
    Senator Akaka ...................................................... 7
    Senator Carper .................................................... 19
Prepared statement:
    Senator Bunning ................................................... 53

WITNESSES

Wednesday, May 8, 2002

Ronald L. Dick, Director, National Infrastructure Protection Center, Federal Bureau of Investigation ........ 8
John G. Malcolm, Deputy Assistant Attorney General, Criminal Division, U.S. Department of Justice ........... 10
John S. Tritak, Director, Critical Infrastructure Assurance Office, U.S. Department of Commerce ............. 12
Michehl R. Gent, President and Chief Executive Officer, North American Electric Reliability Council ......... 28
Harris N. Miller, President, Information Technology Association of America .................................. 30
Alan Paller, Director of Research, The SANS Institute ...................................................... 32
Ty R. Sagalow, Board Member, Financial Services Information Sharing and Analysis Center (FS ISAC) and Chief Operating Officer, AIG eBusiness Risk Solutions ........ 34
David L. Sobel, General Counsel, Electronic Privacy Information Center ...................................... 36
Rena I. Steinzor, Academic Fellow, Natural Resources Defense Council and Professor, University of Maryland School of Law ........ 38

Alphabetical List of Witnesses

Dick, Ronald L.:
    Testimony .......................................................... 8
    Prepared statement ................................................ 54
Gent, Michehl R.:
    Testimony ......................................................... 28
    Prepared statement ................................................ 81
Malcolm, John G.:
    Testimony ......................................................... 10
    Prepared statement ................................................ 64
Miller, Harris N.:
    Testimony ......................................................... 30
    Prepared statement with attachments ............................... 94
Paller, Alan:
    Testimony ......................................................... 32
    Prepared statement ............................................... 112
Sagalow, Ty R.:
    Testimony ......................................................... 34
    Prepared statement with attachments .............................. 123
Sobel, David L.:
    Testimony ......................................................... 36
    Prepared statement ............................................... 166
Steinzor, Rena I.:
    Testimony ......................................................... 38
    Prepared statement with an attachment ............................ 172
Tritak, John S.:
    Testimony ......................................................... 12
    Prepared statement ................................................ 77

Appendix

Chart with quote from Osama Bin Laden, December 27, 2001, submitted by Senator Bennett ........ 190
Chart entitled ``Reporting and Dissemination of Information.'' Source: The Report of the President's Commission on Critical Infrastructure Protection, October 1997, submitted by Senator Bennett ........ 191
Chart entitled ``Coincidence or Attack?'' Source: The Report of the President's Commission on Critical Infrastructure Protection, October 1997, submitted by Senator Bennett ........ 192
Chart entitled ``Critical Infrastructure Information Security Act'' submitted by Senator Bennett ........ 193
Copy of S. 1456 ........ 194
Laura W. Murphy, Director, ACLU Washington National Office, and Timothy H. Edgar, ACLU Legislative Counsel, American Civil Liberties Union, prepared statement ........ 214
John P. Connelly, Vice President, Security Team Leader, American Chemistry Council, prepared statement ........ 222
Catherine A. Allen, CEO, BITS, The Technology Group for the Financial Services Roundtable, prepared statement ........ 228


SECURING OUR INFRASTRUCTURE: PRIVATE/PUBLIC INFORMATION SHARING

----------

WEDNESDAY, MAY 8, 2002

U.S.
Senate, Committee on Governmental Affairs,
Washington, DC.

The Committee met, pursuant to notice, at 9:33 a.m., in room SD-342, Dirksen Senate Office Building, Hon. Joseph I. Lieberman, Chairman of the Committee, presiding.

Present: Senators Lieberman, Thompson, Bennett, Akaka, and Carper.

OPENING STATEMENT OF CHAIRMAN LIEBERMAN

Chairman Lieberman. The hearing will come to order. Good morning. Today the Governmental Affairs Committee takes up the issue of protecting our critical infrastructure from terrorist attack and the extent to which private industry should share sensitive information both within its own community and with the Federal Government. This is a matter of longstanding interest to Senator Bennett, who has introduced legislation with Senator Kyl regarding information sharing and our critical infrastructure. I would like to take this opportunity to thank him for his dedication to this matter of critical importance to our national security.

Senator Bennett's legislation, which is called the Critical Infrastructure Information Security Act, would encourage companies to voluntarily share information about critical infrastructure threats and vulnerabilities with the government and among themselves by granting exemptions from the Freedom of Information Act and the antitrust laws. Senator Thompson and I are working with Senators Bennett and Kyl to evaluate the principles and questions embodied in this bill, which raises important questions about how to better secure our critical infrastructure against what we now must conclude are very real terrorist threats and continuing criminal threats.

Critical infrastructure is a term that I take to cover our financial, transportation, communications networks, our utilities, public health systems, law enforcement, and emergency services. Critical infrastructure has been described as our Nation's skeleton, but it seems to me that it might more aptly be described as our Nation's vital organs.
The critical infrastructure is what keeps the country humming. It enables us to interact with one another. It enables us to continue the life of our economy which sustains all of us, and also makes it possible for us to have the highest quality of life on the planet. The critical infrastructure in that sense is what makes America work.

Many of our critical infrastructures are privately owned, and in this information age are increasingly computer-dependent and interdependent with each other. For several years, the Federal Government has been working to develop a public/private partnership to secure critical infrastructure. Companies are encouraged to share information among themselves about vulnerabilities, threats, intrusions, solutions, and to share information also with the government, which can then, as appropriate, issue warnings and respond accordingly.

Because of our oversight role, the Governmental Affairs Committee has closely participated in these efforts, although Senator Bennett's foresight is such that he was working on this proposal, this bill, before September 11. Our task took on renewed urgency after the events of September 11. We have held a series of hearings in our governmentwide evaluation about how best to protect Americans here at home as well as our infrastructure, and today's hearing builds on that record that this Committee has compiled.

Let me say that if necessary information is not being adequately shared between private entities and the Federal Government, we must address that problem for the safety of all Americans, but we have also got to be concerned, obviously, about unintended consequences, and that would be unduly undermining, for instance, the public's right to know. So there is a balance here to be struck. It is, in that sense, the balance that this Nation has struck since the beginning of its existence between, if I may state it too simplistically, security and liberty.
There is a natural tendency now to move along that spectrum towards security after September 11, and it is realistic and responsible to do so, but obviously we do not want to do it in a way that unduly compromises the blessings of liberty which define what it means to be an American and for which we are all grateful, and in that sense which we are fighting to protect in the war against terrorism itself. So those are the very important and difficult questions that the legislation before us deals with and we will be dealing with this morning.

I look forward to hearing from today's witnesses to learn exactly what kind of private sector information they believe the government needs, to effectively protect the critical infrastructure and the American people; what the experience of industry and government has been regarding information sharing thus far; and, to the extent that there are those who believe that the proposed legislation would be harmful, or reaches too far, why they feel that is so.

Senator Bennett and I certainly agree that the protection of our critical infrastructure is a priority, a national concern now, and I look forward to working with him as we go forward to achieve a good and reasonable solution.

Senator Thompson.

OPENING STATEMENT OF SENATOR THOMPSON

Senator Thompson. Thank you, Mr. Chairman. We certainly are all redoubling our efforts to shore up our defenses after September 11. You point out most of the issues that we are confronted with. However, there are other issues. The role of the Federal Government, with regard to critical infrastructure, has never been fully defined. We are in need of proposals to define the Federal Government's role, as well as assigning specific responsibilities to the State, local and private sector entities.
And while we want to encourage industry to share information with the Federal Government, we are still in need of a framework for dealing with that information, and assurances about what will be done with that information once it is received.

Senators Bennett and Kyl have introduced legislation which is before this Committee, intended to reduce the threat of terrorism by encouraging private industry to share information with each other and with the Federal Government in order to help prevent, detect, warn of and respond to threats. Originally cast as a cyber terrorism bill, this bill is just as relevant to physical terrorist threats as well. It seems to me that instead of mandating requirements or issuing regulations for the private sector, we should be incentivizing private industry to protect themselves and share information with each other and the Federal Government. At this time I think the Bennett-Kyl bill is on the right track. There are issues and concerns the bill raises, but those are the things we will begin to try to work through today.

One thing is certain, information is vital to this Nation. On September 11, despite great physical damage sustained, information continued to flow across the country. We learned that, for example, Verizon's switching office at 140 West Street in Manhattan, which supported 3.5 million circuits, sustained heavy damage. Verizon Wireless lost 10 cellular transmitter sites. WorldCom lost service on 200 high-speed circuits in the World Trade Center basement. Sprint PCS Wireless Network in New York City lost four cells. Notwithstanding these losses, the telecom infrastructure continued to bring the Nation sound and images of the events, summoned emergency vehicles and alerted the military. But the wireless disruptions we experienced here in DC, which were also experienced in New York, were localized and due to overload. Within 1 week after September 11, Verizon restored 1.4 million of the 3.5 million circuits it lost.
The New York Stock Exchange had phone and data service to over 93 percent of its 15,000 lines when it reopened. Information is vital.

The LA Times recently reported that a new CIA report makes clear that U.S. intelligence analysts have become increasingly concerned that authorities in Beijing are actively planning to damage and disrupt U.S. computer systems through the use of Internet hacking and computer viruses. This was in the L.A. Times April 25. I do not know why this is a surprise to anyone. In 1998 the Director of Central Intelligence testified in open session before the Committee that several countries, including Russia and China, have government-sponsored information warfare programs with both offensive and defensive applications. So the stakes are very high.

I look forward to hearing from our witnesses today about how we can better protect our Nation's critical infrastructure and its citizens. Thank you, Mr. Chairman.

Chairman Lieberman. Thank you, Senator Thompson. Senator Bennett.

OPENING STATEMENT OF SENATOR BENNETT

Senator Bennett. Thank you very much, Mr. Chairman. I appreciate your courtesy and leadership in holding the hearing. We have been talking about this for some time, and I appreciate your willingness to raise it to this level. I would ask that the record be kept open for a week to allow interested parties to submit statements and comments.

Chairman Lieberman. Without objection, it will be done.

Senator Bennett. If I may, Mr. Chairman, I would like to take a little time to just set the scene, as I see it. And I will start out with a chart that shows an interesting quote that came on December 27, 2001.\1\ And the quote is being put up there, but you and Senator Thompson and Senator Akaka have a copy of it. Osama bin Laden says, ``It is very important to concentrate on hitting the U.S. economy through all possible means . . . look for the key pillars of the U.S. economy. The key pillars of the enemy should be struck. . . .'' Making it very clear that he is not just talking about bombing buildings or symbols. He wants to go after the economy. And, obviously, critical infrastructure represents by definition those parts of the economy that he would attack.
---------------------------------------------------------------------------
\1\ Chart with quote from Osama Bin Laden appears in the Appendix on page 190.
---------------------------------------------------------------------------

I am not quite sure of the number. I have used 85 percent. Some witnesses say 90 percent of the critical infrastructure in this country is owned by the private sector, so that this represents a vulnerability different than any we have ever faced in warfare before. Always before an enemy would concentrate on military targets or production targets that were tied to the military. In this case, as Osama bin Laden's quote indicates, they are going to go after any aspect of the economy that would shut us down. So let us use the more conservative number and say 85 percent of the future battlefield is in private, not public hands. So if the private sector and the government are both targets, they should be talking to each other, and they should be talking to each other in ways that make the most sense.

Now, this is not a new issue. If I can go back to a pair of charts that were prepared 5 years ago during the Clinton Administration by the report of the President's Commission on Critical Infrastructure Protection. The first one \2\ has to do with this whole question of reporting and disseminating information, and the President's Commission, under President Clinton, produced this pyramid. And it is a little hard to read, so let me walk you through it, Mr. Chairman.
---------------------------------------------------------------------------
\2\ Chart entitled ``Reporting and Dissemination of Information'' appears in the Appendix on page 191.
---------------------------------------------------------------------------

At the very top of the pyramid are the publicized system failures or successful attacks. We would think of this in terms of the Nimda attack or the ``I Love You'' virus or other things that have caused economic damage, and the reporting and dissemination of information about things at the top of the pyramid, if you can follow the arrow on the side, is moderate. That is, there is a fairly sufficient amount of information. I cannot resist commenting on something I was taught many years ago when it came to chart making, which is ``black on blue you never do.''

[Laughter.]

And someone did not notice that when they drew that black arrow. Anyway, below that top point of the pyramid, there are threats to critical infrastructure that are less well known and less well reported, and beneath those there are system degradations, information about vulnerabilities that are even less well known and less discussed. And then below that where you talk about the vulnerabilities of particular systems, comes the question of interdependencies where one system may be in very good shape but threatened because it is tied to another that is not in good shape, and then finally, the area that is in the very lowest area of reporting and dissemination are those other sources of useful information that would apply to this.

As I was saying, this chart was drawn up during the Clinton Administration and is now 5 years old. Neither we in the Congress nor the administration have done anything formally about this. There has been a great deal of effort put forward during the Clinton Administration being carried on almost frantically in the Bush Administration. But we in the Congress have not responded in any way to try to make the reporting and dissemination of information more widespread. We are still somewhat contented to concentrate entirely on the tip of the pyramid and not look at the things below that.
Now, one of the reasons for the legislation that I have introduced along with Senator Kyl, and we have now picked up some other co-sponsors, is to encourage sharing of information voluntarily across the entire spectrum, that is the 85 percent that is in private hands as well as the 15 percent that is in government hands. And, yes, we do want to protect that information from a FOIA request, Freedom of Information Act. The Freedom of Information Act itself allows this to be done. That is, there are provisions in the act that say that information need not be shared. But the real focus of the legislation we have introduced is simply to sharpen the definitions of the areas that are already in the act. We are not trying to repeal the act or in any way damage or change its major thrust. We simply want to make the definitions that it already contains a little clearer with respect to this threat.

Now, why would we want to protect information from a FOIA request? Because if we do not, we will not get it. There are private companies who simply will not give us the information if they think it is subject to a FOIA request, perhaps because they want to protect it from competitors. It is voluntarily given. Why should they voluntarily tell their competitors that they are under threat? Second, they do not want it to be a road map for terrorists. Many people do not realize that you do not have to be a U.S. citizen to submit a FOIA request. Osama bin Laden could find some third party willing to front for him who would submit a FOIA request, find out how successful he was being in one of his attacks, and the FOIA request therefore could become a road map for the terrorists as they seek to be effective in their attacks. Also, we want consistency from agency to agency and we believe that this legislation will allow that to happen.
There is another reason why this information should come to the government, because the government needs to analyze it to determine whether or not the attacks that are coming are real attacks or simply coincidence. Once again, a chart \1\ that comes out of the Clinton Administration that is 5 years old, simply raises the question of whether or not a variety of attacks are a pattern coming from a common source or simply coincidence. Here on this map are a series of things that could happen in the Northwest--9-1-1 suddenly becomes unavailable. In my area of the country there is a threat to the water supply. In the Midwest there are bomb threats at two buildings. Some bridges go down. And FBI phones get jammed. An oil refinery has a fire. These things happen simultaneously. Is there a pattern that would indicate that they are being caused by some enemy, or is it simply coincidence that they are all happening on the same day? Without information sharing the government analysts who are looking for the possibility of attack simply will not know. They will have to guess. And guessing is never a very productive kind of thing when you are vulnerable.
---------------------------------------------------------------------------
\1\ Chart entitled ``Coincidence or Attack?'' appears in the Appendix on page 192.
---------------------------------------------------------------------------

So again this is a chart that is 5 years old, drawn up during the Clinton Administration to say we need information sharing so that we can determine whether or not this is a coincidence or an attack.

Now, finally if I could put up a chart that I have produced that summarizes the position that we are taking with respect to this bill.\2\ We believe that there needs to be information sharing on the circle on the left of the chart. Within private industry people ought to be able to talk to each other. The telephone company that is under some kind of cyber attack ought to be able to check with somebody in the banking industry to see if they are experiencing similar sorts of problems.
---------------------------------------------------------------------------
\2\ Chart entitled ``Critical Infrastructure Information Security Act'' appears in the Appendix on page 193.
---------------------------------------------------------------------------

Senator Dodd and I introduced legislation with respect to the Y2K on exactly this point. And it was passed, and if I may say so, the world did not come to an end. There was not a shutdown of civil liberties or freedom of information. It was simply an opportunity for two industries that are seemingly different, but that have the same kinds of computer problems, to talk to each other. So we have that circle on the left side where people in private industry can talk to each other to say, ``Gee, my facility is under this kind of cyber pressure. Is anything happening in yours that I might know about?''

Then comes the arrow at the bottom of the chart where that information is shared voluntarily with the U.S. Government. Perhaps the most important arrow is the one at the top of the chart where the U.S. Government shares back with industry their analysis. Harking back to the earlier chart, they can say, ``No, we see no pattern here. If you have a problem, it is probably caused by a disgruntled employee or a private hacker that decided you are a target. There is no indication here of a major attack.'' Or the information comes back, ``Hey, we have analyzed this. What is happening to you in the banking industry is similar enough to what is happening in power or other utilities, that we think this is a concerted effort being mounted by somebody who wishes the entire economy ill.'' It is that kind of information sharing and analysis sharing that we think will make the entire Nation safer.

So, Mr. Chairman, I appreciate your willingness to hold the hearing. I appreciate your indulgence in allowing me to go on a little longer than is normal for an opening statement to outline where we are. What I hope we can accomplish in this hearing is to determine the degree to which information sharing is needed, how the government can get the information that it needs from the private sector, how the private sector can get analysis and information that it needs from the government, and if there are additional barriers to the sharing of information that we have not addressed in this legislation that could cause us to make changes in it. With that, Mr. Chairman, I will participate, obviously, in the questioning of the panel, and again, thank you for the leadership you have shown in pursuing this issue.

Chairman Lieberman. Thank you, Senator Bennett. Thanks for a thoughtful statement, and incidentally, by Senate standards, it was very brief.

[Laughter.]

Senator Akaka, do you have an opening statement?

OPENING STATEMENT BY SENATOR AKAKA

Senator Akaka. Thank you very much, Mr. Chairman, for holding this hearing today on information sharing between the private sector and the Federal Government as a part of our national strategy to protect our critical infrastructure. Such cooperation should be encouraged in order to safeguard America's computer systems from devastating cyber attacks, and I have listened with interest through the Senator's presentation with the charts that show it so well. The interdependency and inter-connectivity of government and industry computer networks increase the risks associated with cyber terrorism and cyber crimes. Any security weakness has the potential of being exploited through the Internet to gain unauthorized access to one or more of the connected systems. Information sharing can help protect our national security and critical infrastructure.
The necessary exchange of information is furthered through President Clinton's presidential decision, Directive 683, which established ISACs, Information Sharing and Analysis Centers, to facilitate information sharing among private entities. The Directive fosters voluntary information sharing by various entities with the Federal Government to submit sensitive information that is normally not shared to enhance the prevention and detection of attacks on critical infrastructures.

I believe the confidential sharing of information on vulnerabilities to the Nation's critical infrastructures is necessary. However, we must carefully examine legislation like S. 1456, which would make voluntary shared information about critical infrastructure security exempt from release under the Freedom of Information Act. Exempting this information from disclosure might mean that State and local governments would not have adequate access to information relating to environmental and public health laws like the Clean Air Act. We must not provide inadvertent safe harbors for those who violate Federal health and safety statutes.

I have heard from a number of my constituents who believe that measures to ease information sharing through a FOIA exemption would bar the Federal Government from disclosing information regarding toxic spills, fires, explosions, and other accidents without obtaining written consent from the company that had the accident. States and localities are concerned that other proposals would provide companies with immunity from the civil consequences of violating, among other things, the Nation's environmental, consumer protection and health safety laws. We must be careful not to harm the environment inadvertently or bar communities from acquiring vital public health information by enacting overly broad legislation.

I look forward, Mr. Chairman, to hearing from our witnesses on how to promote information sharing between the Federal Government and private sector in a manner that does not turn back existing laws and regulations that protect the environment or public health. Thank you very much, Mr. Chairman, for holding this hearing.

Chairman Lieberman. Thank you, Senator Akaka. We will now go to the first panel which consists of representatives of the Executive Branch, the administration. Ronald Dick, who is Director of the National Infrastructure Protection Center at the FBI; John Malcolm, Deputy Assistant Attorney General in the Criminal Division of the Department of Justice; and John Tritak, Director of the Critical Infrastructure Assurance Office at the Department of Commerce.

We welcome the three of you. There is a light system here. We ask you to try to keep your opening statements to 5 minutes. With 1 minute left it will go yellow. When it hits red, we are not going to physically remove you, but try to bring it to a conclusion. I would like to say for the record that the written statements that you have submitted to the Committee will be printed in full in our record. So we thank you for being here, for this very important discussion. And, Mr. Dick, why do you not begin?

TESTIMONY OF RONALD L. DICK,\1\ DIRECTOR, NATIONAL INFRASTRUCTURE PROTECTION CENTER, FEDERAL BUREAU OF INVESTIGATION

Mr. Dick. Good morning Senator Lieberman, Senator Thompson, and other Members of the Committee. Thank you for the opportunity to discuss our government's important and continuing challenges with respect to critical infrastructure protection.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Dick appears in the Appendix on page 54.
---------------------------------------------------------------------------

In your invitation to appear before this Committee, you asked me to address issues related to information sharing and critical infrastructure protection. Because the NIPC is located within the FBI, we have access to a great deal of information from intelligence sources as well as from criminal investigations. Only a week ago, our 24 by 7 NIPC watch began receiving calls from several of our private sector partners about the Klez.h worm. The worm had spread quickly and had the potential to affect a number of vulnerable systems by destroying critical operating system files. After consulting with our private sector partners and within a few hours of the official notification, we released an alert which was immediately disseminated via E-mail and teletype to a host of government, civilian and international agencies. The alert was also posted to the NIPC website. This is only the most recent example of two-way information sharing and how the private sector works with the NIPC.

The NIPC's InfraGard is an initiative to promote trust and information sharing. We have developed InfraGard into the largest government-private sector joint partnership for infrastructure protection probably in the world. More than half of our 4,100 members have joined since I testified before this Committee 7 months ago. InfraGard expands direct contacts with the private sector infrastructure owners and operators and shares information about cyber intrusions and other critical infrastructure vulnerabilities through the formation of local InfraGard chapters within the jurisdiction of the FBI field offices. I have created a new unit within the center, whose mission includes building trusting relationships with the ISACs that had been mentioned earlier that represent critical infrastructures.
We now have information sharing agreements with seven ISACs, including those representing energy, telecommunications, information technology, air transportation, water supply, food, and chemical sectors. Several more agreements are in the final stages. To better share information, NIPC officials have met with business, government and community leaders across the United States and around the world to build the trust required for information sharing. Most have been receptive to information sharing and the value of the information received from NIPC. However, many have expressed reservations due to lack of understanding or perhaps confidence in the strength of the exceptions found in the Freedom of Information Act. In addition, concerns about whether the Justice Department would pursue prosecutions at the expense of private sector business interests, and finally, simply reluctance to disclose proprietary information to any entity beyond their own control or beyond the direct control of NIPC. The annual Computer Security Institute/FBI Computer Crime and Security survey, which was released in April of this year, indicated that 90 percent of the respondents detected computer security breaches in the last 12 months. Only 34 percent reported the intrusions to law enforcement. On the positive side, that 34 percent is more than double the 16 percent that reported intrusions in 1996. The two primary reasons for not making a report were negative publicity and the recognition that competitors would or could use the information against them if it were released. At the NIPC we continue to seek partnerships which promote two-way information sharing. As Director Mueller stated in a speech on April 19, ``Our top priority is still prevention.'' We can only prevent acts on our critical infrastructures by building an intelligence base, analyzing that information and providing timely, actionable, threat-related products to our private and public sector partners. 
As for the Freedom of Information Act, many legal authorities have agreed that the Federal Government has the ability to protect information from mandatory disclosure under the current statutory framework. Indeed, in 1974 Federal courts began to hold that FOIA itself anticipates that Federal agencies do not have to release private sector commercial or financial information if doing so would, ``impair the government's ability to obtain necessary information in the future.'' And the FBI also has the ability to protect certain information provided by the private sector that is compiled for law enforcement purposes. Nonetheless, the government's ability to protect information is of little value if the private sector is unwilling to provide that information in the first place. Clearly there is room for increasing the private sector's confidence level in how we will protect their information from public disclosure. Stated more simply, if the private sector does not think the law is clear, then by definition it is not clear. Therefore, we welcome the efforts of your Committee in improving information sharing, and I look forward to addressing any questions that you may have. Thank you. Chairman Lieberman. Thank you, Mr. Dick. Now Mr. Malcolm. TESTIMONY OF JOHN G. MALCOLM,\1\ DEPUTY ASSISTANT ATTORNEY GENERAL, CRIMINAL DIVISION, U.S. DEPARTMENT OF JUSTICE Mr. Malcolm. Thank you, Senator. Mr. Chairman, Members of the Committee, I would like to thank you for this opportunity to testify about the Department of Justice's efforts to protect our Nation's critical infrastructure and about information sharing that is needed and related to its protection. It is indeed a privilege for me to appear before you today on this extremely important topic and I would commend the Committee for holding this hearing. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Malcolm appears in the Appendix on page 64. 
--------------------------------------------------------------------------- Since the Committee already has my slightly more lengthy written testimony, I will use the brief time that I have in my oral statement to outline the nature of the critical infrastructure protection, the information sharing problems, and the Department's current efforts to combat that problem. It is clear to the Department of Justice, as it is to this Committee, that information sharing is a serious issue and that its complexity presents significant challenges to law enforcement. The safety of our Nation's critical infrastructure is of paramount concern to the Justice Department. As you know, the term ``critical infrastructure'' refers to both the physical and cyber-based resources that make up the backbone of our Nation's telecommunications, energy, transportation, water, emergency services, banking and finance, and information systems. The problem of ensuring delivery of critical infrastructure services is not new. Indeed owners and operators of critical infrastructure facilities have been managing risks associated with service disruptions for as long as they have had those facilities. However, the operational challenges of ensuring the delivery of the broad array of services that now depend upon the Internet and other information systems is a challenge that has grown exponentially in the last several years. The burgeoning dependence of the United States infrastructure on the Internet has exposed vulnerabilities that have required the U.S. Government to mount new initiatives, to create new Federal entities, to help manage critical infrastructure protection efforts, and to seek prevention, response, and reconstitution solutions. The safety of our Nation is of course our first and foremost overriding objective. The Justice Department has been working across government to address infrastructure issues for several years. 
However, the attacks of September 11 have heightened our awareness of these issues and created a new sense of urgency. U.S. infrastructure protection efforts are the shared responsibility of many entities, both public and private. Much of this joint effort is based upon the principle that a robust exchange of information about threats to and actual attacks on critical infrastructures is a critical element for successful infrastructure protection. The following, of course, are just a few of the entities that are dedicated to this principle: The National Infrastructure Protection Center, headed up by Mr. Dick; the Department of Justice's Computer Crime and Intellectual Property Section, which I oversee; the Information and Analysis Centers that have been referred to; the Critical Infrastructure Assurance Office, Mr. Tritak's shop; Office of Homeland Security; and the Federal Computer Incident Response Center. To better protect critical infrastructures government and private sector must work together to communicate risks and possible solutions. Acquiring information about potential vulnerabilities from the private sector is essential. Doing so better equips us to fix deficiencies before attackers can exploit them. For example, a vulnerability in an air traffic control communication system could allow a cyber attacker to crash airplanes. That example is not entirely hypothetical. A hacker did indeed bring down the communication system at the Worcester, Massachusetts airport in 1997. After he was caught and prosecuted, and thankfully no lives were lost, nonetheless this is a sobering example. If we concentrate our time and energy on remediation of terrorist attacks after they have occurred, we have already lost. Information is the best friend that we have for both prevention and response. And we recognize that we can protect the Nation only if the private sector feels free to share information with the government. 
However, industry often is reluctant to share information with the Federal Government. One reason that they give for not sharing this information is that the government may ultimately have to disclose that information under the Freedom of Information Act or FOIA. Industry is also concerned that sharing information among companies will lead to antitrust liability, or that sharing among companies or with the government will lead to other civil liabilities such as a product liability suit or shareholder suit. Without legal protections regarding information needed by the government and which they possess in order to safeguard our infrastructure, even the most responsible civil-minded companies and individuals may hesitate before sharing such critical information, fearing that competitors may share that information and use it to their advantage. With this in mind, both the Senate and the House of Representatives have actively considered addressing this issue through legislation, and the Department appreciates the efforts of, among others, Senator Bennett, a Member of this Committee, for sponsoring such legislation. Such a corporate good samaritan law would provide the necessary legal assurance to those parties willing to voluntarily provide sensitive information to the government that they would otherwise not provide. The Justice Department believes that the sharing of the private sector security information on critical infrastructure between the private sector entities and the Federal Government will help to avert acts that harm or threaten to harm our national security, and that this is of the utmost importance. We are prepared to work very closely with Congress to pass legislation that provides this important legal protection. Mr. Chairman, I would again like to thank you for this opportunity to testify about our efforts. 
Citizens are deeply concerned about their safety and security of our country, and by addressing information sharing Congress will enhance the ability of law enforcement to fight cyber crime, terrorism and protect our infrastructure. And again, the Department stands ready to work with this Committee and with Congress to achieve those goals. Thank you. That concludes my remarks and I look forward to answering your questions. Chairman Lieberman. Thanks, Mr. Malcolm. Mr. Tritak. TESTIMONY OF JOHN S. TRITAK,\1\ DIRECTOR, CRITICAL INFRASTRUCTURE ASSURANCE OFFICE, U.S. DEPARTMENT OF COMMERCE Mr. Tritak. Thank you, Mr. Chairman, Senator Thompson, and Senator Bennett. It is an honor to be here today. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Tritak appears in the Appendix on page 77. --------------------------------------------------------------------------- It was not too long ago that national security was something that the government did virtually on its own. The term ``national economic security'' used to mean largely free trade and access to markets and critical materials overseas. Now we are confronted with a unique challenge in which we have a national security problem the Federal Government cannot solve alone. National economic security now literally means defending our economy and critical infrastructures from direct attack. As Senator Bennett had indicated in his opening remarks, terrorists had indicated the economy is a target, and that followers have been urged to attack wherever vulnerabilities may exist with all means available, both conventional, nonconventional, and cyber means. Let us be clear what their goal is, too. Their goal is to force us to turn inward and to rethink our global commitments overseas, especially in the Persian Gulf and the Middle East. Securing our homeland today is really a shared responsibility. It is protecting our way of life and the core values that we cherish. 
It also is going to require a clarification and maybe, in some cases, a redefinition of the respective roles of responsibility of government and industry in light of that shared responsibility. This is going to require an unprecedented level of collaboration, whereby industry must be considered and treated as a real partner. Now, I will tell you as a government person, that is going to require a cultural adjustment on both sides. But we have made it very clear that information sharing is an essential element of fostering that kind of collaboration, not just for the self interest of the companies, but for the public interest. This actually constitutes a public good, which is why both the last administration and this one have encouraged information sharing within the respective infrastructure sectors, because availing themselves of that shared information helps them better manage the risk that they confront, and sharing between industry and government, because there are things that government can bring to this equation that industry alone cannot, and together they can help address common problems. Moreover, information sharing is in fact occurring. There have been ISACs, as Ron Dick has mentioned and Senator Bennett has mentioned, and information sharing is taking place with the Federal Government, but it is clear from everything we have heard so far that there is a reluctance on how far that information sharing is going to go. So I would submit to you that if I had to think through this issue in its clearest form, the question is whether the current statutory and regulatory environment is conducive to supporting a voluntary activity information sharing, which we all accept is in the public interest. And I acknowledge, and we all acknowledge, that this is not going to be easy because we may have public goods that come in conflict from time to time, i.e., FOIA exemption versus open government. 
I do not think we are going to solve this problem finally with a passage of legislation. Let us be clear, this is not a silver bullet. You cannot regulate or legislate trust, which is an essential ingredient to information sharing taking place, and you are going to hear in the second panel instances where that trust has evolved over time and the level of information sharing and the quality of that sharing has gone up. Some of the newer industries are taking baby steps into information sharing, and they may take a little bit of time before information sharing in those industries fully matures. But what is clear is that if we want to encourage this voluntary activity, we need to examine the public policy and statutory environment to determine whether or not we are doing everything necessary to incentivize and encourage that activity. In the absence of a certain level of predictability and certainty, there may be an impediment to that kind of sharing. I want to acknowledge Senator Bennett for the very good work that you have been doing, not just since September 11, but before September 11, and I think that the attempts at addressing the concerns expressed by industry are very seriously put forward and in fact are very seriously being considered by the administration. I look forward to working with you and the Committee, and I would welcome any questions you may have. Thank you. Chairman Lieberman. Thanks, Mr. Tritak. We will begin the questioning. We will have 7-minute rounds since we only have three of us here. Last September 26, President Bush wrote to Daniel Burnham, who is the CEO of Raytheon, but wrote to him in his capacity as a leader of the National Security Communications Advisory Committee. 
And in the letter, which was following up on a meeting, the President says, ``My administration is committed to working in partnership with the private sector to secure America's critical infrastructure, including protecting information the private sector provides voluntarily to the Federal Government in support of critical infrastructure protection. ``Accordingly, I support a narrowly-drafted exception to the Freedom of Information Act to protect information about corporations' and other organizations' vulnerabilities to information warfare and malicious hacking.'' So I guess I will begin by directing it to you, Mr. Malcolm. What, if anything, has the administration done to develop the policy that the President stated in this letter, and more particularly, since the President said he supported a narrowly-drafted exception, what are the parameters, if you are at a point where you can say so, of what that narrowly-drafted exception might be? Mr. Malcolm. Sure. Senator, this is, of course, an evolving process, and there are several bills--Davis-Moran, Bennett-Kyl--that are pending and that are being evaluated by the administration. The administration likes a number of ideas that are in both pieces of legislation, probably prefers some of the elements of Bennett-Kyl for reasons that I will be happy to discuss with you. Nonetheless, I think it is safe to say that the administration has some concerns with all of the bills that are pending and is working to try and massage those into what the Executive Branch would consider a best practices bill. A number of the elements that had been discussed in terms of crafting a definition of critical infrastructure information that is both large enough to get the information that the government needs to protect our critical infrastructure, while at the same token not being so large that it protects from public disclosure in the open government aspects of FOIA, protects being an over broad definition that just covers everything. 
The principle though of coming up with a FOIA exemption the administration believes to be a good one because, as Senator Bennett has pointed out, 85 to 90 percent of the critical infrastructure that is out there is owned and operated by the private sector. The government needs to have that information so that it can assess vulnerabilities and share appropriate information back, and they are not currently providing it. They are to InfraGard to some degree, but we need more, so there has to be a way to bridge that gap. And if a FOIA exemption, narrowly crafted, is the way to go, that is fine, whatever it takes to bridge that gap. Chairman Lieberman. Would you discuss, if you are prepared to, what some of the pluses and minuses are that you see in the various bills, which I suppose would help us understand, at this point, what ``narrow'' means here. Mr. Malcolm. I think that is fine. Again, without getting into the specifics of each legislation, I know that both pieces of legislation, for instance, have an antitrust exemption. The Executive Branch of the administration has traditionally taken the approach that an antitrust exemption is unnecessary, that a business review letter suffices. However, that having been said, we are still studying that aspect of these bills. There are provisions in both bills about the use to which the government can put voluntarily-obtained information. Davis-Moran, for instance, I believe, prohibits the use by the government, both direct use and indirect use, of that information. Bennett-Kyl, I believe, talks about a prohibition in terms of direct use without getting consent. The administration has some concerns about those provisions in terms of what it might do to hamper government criminal and civil enforcement efforts, some of the concerns that Senator Akaka addressed. 
For instance, the administration would want to make sure that any information provided to the United States could be used by the government for a criminal enforcement act. There are incentives that are in departmental policies of long standing that we believe provide adequate incentives to turn over that information, and we are afraid that anything that is broad could allow for a document dump. It could allow for industry to just turn over information and the government would not be able to enforce its criminal laws or its civil laws. It has a similar concern in terms of prohibitions on direct or indirect use in terms of civil enforcement actions. We would probably prefer something a little more narrowly crafted in the sense that it would not tie the government's hands in either civil or criminal enforcement actions with respect to the information that it obtains. That is an idea of the direction where we are going, so we have the same concerns that Senator Akaka has about not wanting to protect too much information while at the same time giving the government the ability to engage in criminal and civil enforcement actions where appropriate. Chairman Lieberman. OK. That is a helpful response. Obviously, there is a lot of detail to it, Mr. Tritak, as we go along. Do you have any sense of timing as to when the administration would be in a position to either propose specific legislation or comment in detail on the proposals that are before us? Mr. Tritak. I do not, Senator. I know that is a very pressing issue. We are aware that you want to act now on this matter. We want you to act on this issue, and we want to strike while the iron is hot, so I will certainly relay your concerns about the timing and get back to you. Chairman Lieberman. I appreciate that. Mr. 
Tritak, you talked about trust, which I agree with you, it is a very important element here in that the kind of exemption we are talking about could create a foundation of trust that sensitive information shared with the government will be secured. I want to ask you to talk for a moment about two aspects of that. The first is, just for the record, on what basis you conclude that a new FOIA exemption could actually make a significant contribution to information sharing. And as part of that, if you would consider what one of the witnesses, by submitted testimony, will say on the second panel, which is some skepticism that all information that the government would want to have will in fact be shared by the private sector, even with a FOIA exemption, because of concern about the proprietary, private, etc. nature of it. Mr. Tritak. I would be happy to. Senator, first I will talk to the first question--about what would it actually do. We have to take into account that, for example, with the FOIA laws, they predate this problem. They were on the books long before this issue of information sharing to advance critical infrastructure protection came up. Chairman Lieberman. Right. Mr. Tritak. We have been trying to encourage industry to take proactive voluntary steps to do things they are not required to do right now. The clarifying of FOIA, and I think what Senator Bennett said is exactly the right way, you could approach in one of two ways. You can say that the current environment, if you are very careful and you watch out, the existing exemptions will cover any concerns that may arise regarding FOIA, not to worry. The response we have usually heard in those instances was, ``Well, but that makes us have to second guess our actions. That makes us have to second guess what we are trying to do here.'' And also to be clear, the kind of legislation we are looking at and the kind of trust we are trying to create must take place in a dynamic environment. 
It is not a set piece exchange where you take a piece of information, you hand it over, it gets considered, and it comes back. Information must flow all the time and at different levels. You cannot stop the process for every little bit of information to determine whether it is covered under FOIA. It is very interesting that you should mention the NSCAC as the letter for the President because in fact they have had 20 years of information sharing. And the idea here is, is that companies believe more can be done if this environment is more clear and predictable in terms of the complication of FOIA. Now, I think Ron would attest that when it comes to an actual event, an incident in real time, there is a lot of sharing that goes on. What we are trying to do here is encourage proactive sharing before incidents occur and in a dynamic setting so that companies will actually take preventive and proactive measures. And so I think that is what the trust, along with the right legislative framework, will foster. In terms of the skepticism, I want to make very clear, as I said before, that FOIA alone is not going to be the silver bullet to information sharing. You are not going to get an avalanche of information being shared with the government just because you have this bill piece. What it does, in my judgment, is create an environment that is conducive to that kind of sharing and send a signal to industry that, if you engage in this kind of activity, you will be protected against certain types of disclosures. Chairman Lieberman. Thanks, Mr. Tritak, I appreciate your answer. Senator Thompson and I are smiling because, I do not know whether it is the quality of your answer or staff deference to the Chairman, but the time available to me seems to be growing instead of shrinking. [Laughter.] Senator Thompson. It is the power of the Chair. Chairman Lieberman. Must be. But I am going to have to declare that my time is over, and yield to Senator Thompson. Senator Thompson. 
Thank you very much, Mr. Chairman. I think that a valid distinction to make here is that under FOIA as it exists, although the government may be able to withhold certain information that we are talking about here, it is discretionary with the government, and the distinction between that and this bill would be that it would be mandatory. Is that a valid distinction to make, it would be incumbent upon the government to withhold it and would have no discretion? Mr. Malcolm. My understanding, Senator, is that there is some discretion in FOIA as it currently exists except as it pertains to trade secrets. Senator Thompson. OK. I think that, Mr. Malcolm, it seems to me like you are on the right track and asking the right questions about this. Many of us are not as steeped in this subject as Senator Bennett and some others are. But in looking at it I would think that the first thing that you--although clearly we need to do something in this direction if it is going to help. One of the first things that you would want to look at is whether or not it would allow a company that perhaps is in a little trouble and sees some vulnerability, to protect itself just strictly for the purpose of protecting itself to do the document dump. Mr. Malcolm. Right. Senator Thompson. And the definitions, as they are currently drafted, provide protection of sharing of information concerning critical infrastructure which it defines as physical and cyber-based systems and services essential to the national defense, government or economy of the United States, including systems essential for telecommunications, electric, oil, gas, etc. It seems to me like this is very broad language and could cover anything from farming to automobile production. 
And the question would be whether or not if a company was doing a very poor job, deliberately doing a very poor job to save money and protecting its critical infrastructure, and it saw there were some rumblings out there concerning civil lawsuits or the government beginning to take a look at it, it could get a bunch of stuff to you in a hurry and totally protect itself, and keep you, for example, from conducting a civil action against them. I would think that would be something that nobody would want, and I am not sure how you address that, but I think you are asking the right questions, and that is something that should be addressed. In addition, we are operating under the assumption here-- and I assume we will get more of this from the next panel--that information is really being withheld. I think it is important to create a public record for a need for this bill. It stands to reason logically that if there is some vulnerability out there and sharing information, that it is less likely to be shared, but do you really hear instances from industry or others where they are saying that they are really restrained somewhat or afraid to share information for the reasons that we have discussed, any of you? Mr. Tritak. Well, I will just speak for myself. I have been told that precisely, particularly when you are talking about potential systemic problems and vulnerabilities--that there is a real reluctance to share information about those things without better understanding about whether or not you will be protected under FOIA. We are hearing this across a number of sectors. Mr. Dick. Where this comes into play, as was mentioned, when we get into a crisis like with Code Red or Nimda or any of those, the private sector comes forward very, very willingly. 
Where I think the enhancements need to occur is from the predictive and strategic components, wherein information is shared on a routine basis so that we can be out in front, if you will, of the vulnerabilities so as to share with the private sector what actionable things they can do to prevent them from becoming victims, and that is the kind of thing that needs to occur on a daily basis. For example, during the events of September 11, one of the things that we did very routinely with the Information Sharing and Analysis Center is share physical threat information. We did that for two reasons. One, obviously, is prevention and protection, but two, as we got threats, let us say to the oil and gas industry, only the oil and gas industry experts know that industry from an expert level so as to assess, well, is the threat as described even viable to the oil and gas industry, so as to determine is it a valid threat? So we have to have the ability to share at times even classified information to the private sector to assess that threat and then determine what are the right actions to be taken. Senator Thompson. Right. Mr. Malcolm. Senator, if I may, I just think it is fair to say that to some degree we do not know what we do not know. We need to know it and we need to know it now. Obviously, 85 to 90 percent of the critical infrastructure is owned and operated by private sector. When threats happen or when incidents happen, all of a sudden information which the government did not know about comes forth. We need to have that information now so that we can deal with it prophylactically and have that information at hand if, God forbid, does happen, track down these perpetrators quickly before they repeat their act. Senator Thompson. One of the critical parts of all of this is private industry cooperation with each other. The bill addresses the antitrust aspect of it. 
And I am wondering whether or not, even if that is taken care of, that there will still be a concern from a competitive standpoint with regard to industry sharing information with each other, they would be allowed to do that. The government may not come down on them for that, but does that in any way--of course this bill, I do not think, addresses that and perhaps cannot. I am just thinking from a practical standpoint that we still have a problem. I think that was a part of the Presidential Directive 63, trying to get industry to work with each other and the government working with industry, etc. It looks to me like this would still be a concern there in the private industry with sharing information one company with another strictly from a competitive standpoint. Do you have any thoughts on that at all? Mr. Dick. Senator, it is a valid concern. It is one we hear fairly routinely, particularly in the information technology arena. However, I think what is--as I talked about in my statement, you see with the number of Information Sharing and Analysis Centers that are being created, with the amount of information that is being shared internally within those organizations. There is a building of trust, as Mr. Malcolm talked about and I talked about too, amongst them. That does not happen overnight, and as was indicated earlier, you are not going to legislate that. Only with time and experience, and that there is value added to the bottom line of these companies through sharing information and reducing the threat is that going to come to fruition. But I think there are very positive first steps that we have made and this Committee can make, by providing the assurances to the private sector that we will minimize the harm that could occur. Mr. Malcolm. Senator, if I may answer your question briefly, I think that even if you had an antitrust exemption, that is not going to do away with antitrust lawsuits. 
I mean it is going to then be a question of did the competitors who sat down in the room together extend beyond the bounds of the information that they were supposed to discuss? Senator Thompson. If they only did the things that the exemption provides them with in this bill, they would not have had any antitrust problem anyway. Mr. Malcolm. That is right, and that is, again, when we talked about ways in which we are looking at this possibly narrowing it, again, these issues have been dealt with in the past. There is a business review letter once the government has issued a business review letter, which it can in particular circumstances actually do fairly quickly. There has never been an enforcement or antitrust action brought following the issuance of a business review letter, and I think that it might provide some protection on the margins in terms of people feeling comfortable walking into a room together, but in terms of whether they extend beyond the bounds of just talking about critical infrastructure information and getting to pricing and whatnot, that is still going to lead to allegations and possible lawsuits. Senator Thompson. Thank you very much. Chairman Lieberman. Thanks, Senator Thompson. Senator Carper. OPENING STATEMENT OF SENATOR CARPER Senator Carper. Thanks, Mr. Chairman. Good morning. Chairman Lieberman. Good morning. Senator Carper. To our witnesses and guests, thanks for coming this morning. It is my third Committee hearing I have been to, so I apologize for missing most of what you said. I just arrived when Senator Lieberman was questioning you during his first hour of questioning. [Laughter.] I think you have some comments on legislation that maybe Senator Bennett has introduced, and I am not aware of what you had to say about it. Do you have anything positive that you might share with us about the legislation that he has introduced, just each of you? Mr. Malcolm. 
Specifically about Senator Bennett's legislation, that fact that he has not charged across the desk and at me I think is indicative of the fact that we have said some very positive things about the legislation. Senator Carper. Just share a couple of thoughts you had with me. Mr. Malcolm. Certainly. It provides, for instance, with the government to be able to use independently obtained information without restriction, certainly in terms of not prohibiting the government's use of indirectly or derivatively obtained information in a criminal or civil enforcement action. That is a very good thing. I did take some issuance with Senator Bennett in terms of saying that perhaps even a direct preclusion by the government in terms of the use of information might not be in order, but nonetheless, in terms of a thrust of bridging the gap between private industry and the government in terms of getting that information, we are well down the road and in the right direction with Bennett-Kyl. Senator Carper. Anyone else? Mr. Dick, do you have any thoughts? Mr. Dick. We have had a number of discussions, my staff with Senator Bennett's staff, and are well aware of the legislation, and frankly, are supportive of many aspects of it. As I talked about in my opening statement, we believe that there are sufficient provisions in the FOIA now to protect information that is provided to us. But it really does not matter. If the private sector does not believe it, and does not feel comfortable with it, then we need to provide them those assurances that make them feel that a partnership with the government is worthwhile and is value added to them, and Senator Bennett's bill as a whole does that. Senator Carper. Any changes you would recommend that we might consider in his legislation? We are usually reluctant to try to amend his legislation, but maybe one or two. Mr. Dick. I would defer back to my esteemed colleague, Mr. Malcolm, with the Department of Justice in that regard. Mr. Malcolm. 
Well, one of them I have discussed already, Senator Carper, which has to do with direct use by the government in a civil enforcement action. I think that that ties the government's hands inappropriately, but I am pleased to see that it is a direct use prohibition and not an indirect use prohibition. Certainly if we are going to tie the government's hands at all, I would prefer seeing, say, a provision in there that allows an agency head to designate which section of an agency is to receive this voluntary information so that other branches of the government can pursue whatever leads it wants to, and use any information that it obtains in a full and unfettered measure. Again, independently obtained information is in there. I forget whether Bennett-Kyl has a requirement that the company said that it is voluntarily providing this information and intends for it to be confidential, but I think that is a good thing. As I recall, Bennett-Kyl, although I may be getting my bills confused, allows for oral submissions to get FOIA protection from the administration's perspective. Again, while we are still mulling this over, I think, to use a non-legal term, it is a little bit loosey-goosey in terms of it does not make clear what information we are talking about, how it is to be provided, and certainly the administration would prefer to see something in which any oral submission were reduced to writing. Those are just a few things. Senator Carper. All right, thanks. Mr. Tritak, tell us a little bit about your wife. Mr. Tritak. I am not sure she is here. Senator Carper. She is not. I do not see her. I do not know if my colleagues know this, but whenever---- Chairman Lieberman. You have a right of privacy, Mr. Tritak. [Laughter.] Senator Carper. No, I think he surrendered that. When the roll is called, not up yonder but in the Senate, there are a couple of roll clerks who call the roll, and among the people who do that are Mr. Tritak's wife. Katie, right? Mr. Tritak. Katie. 
Senator Carper. And then while I was presiding yesterday, she mentioned to me, she says, ``My husband is going to''--I said, ``Is this your first husband, Katie?'' [Laughter.] She said, ``He is going to be testifying tomorrow before your Committee.'' And I said I would be sure to remember to thank you for sharing your wife with us. She does a great job. She keeps us all straight and on a very short leash. It is very nice to meet you. Let me just ask you a question, and I do not care who really jumps into this one, but take a minute and tell us how you work together, how do your agencies work together in the information sharing program? Mr. Tritak. I would like to actually restate that. We have very clear roles and responsibilities and I would say that our working relationship has actually been quite excellent over the last few years. Mr. Dick and I probably talk at least once a week. My own role generally, although not in particular detail, is to try to focus on the front end of getting industry to see this as a business case. We have been talking about this as a national security issue. I actually think there is a business case. I think it is a matter of corporate governance. I think this is something that is important for them in terms of their own self interest as well as the interest of the Nation. And the extent to which we can translate the homeland security proposition into a business case, I think we begin to advance greater corporate action. There is a lot of corporate citizenship that you are seeing now. There is a lot of ``wanting to do the right thing,'' but it is also helpful to understand that this can actually affect the bottom line. This is actually something that advances and is in the interest of their shareholders, as well in their industry, in general.
Having achieved that, my goal is frankly to find ``clients'' for Ron Dick, who then picks up that case and develops the operational relationships in terms of the specifics of information sharing, working with the lead agencies, working with the ISACs who you will hear from in a few minutes. So I think that is how I certainly see the matter. Mr. Dick. Continuing on with that theme, with the recent Executive Order by President Bush and the creation of the President's Critical Infrastructure Protection Board under Dick Clark has even further solidified that spirit of cooperation within the government. The intent of the board creation, in my estimation, is to raise the level of security and insofar as the government systems are concerned from the CIO level actually to the heads of the agencies themselves. And the intent of the board is to make the government, if you will, if possible, a model to the private sector as to how information security should occur as well as information should be shared amongst agencies. We have created a number of committees. I am on the board and chair of a couple of them, insofar as working within the government and with the private sector to develop contingency plans as to how we will respond to an incident. Frankly, having been in this town for a number of years myself, the environment and the people that are heading up this effort are truly unique insofar as our willingness to move the ball forward, if you will. And the private sector, in my estimation, through Harris Miller and some of the others, Alan Paller, are frankly coming out front, too, to try and figure this out. Mr. Malcolm. 
I have nothing really to add, Senator, other than, for instance, the attorneys that I oversee in the Computer Crime and Intellectual Property Section have daily, sometimes hourly contact with the National Infrastructure Protection Center, and then also through dealing on various subcommittees with the President's Critical Infrastructure Protection Board we also have dealings with Mr. Tritak's shop among others. So it works well within government. Senator Carper. Well, that is encouraging. Thank you for sharing that with us. Mr. Chairman, if my time had not expired, I would ask Mr. Dick and Mr. Malcolm to report on their wives as well. [Laughter.] Chairman Lieberman. They and I are happy that your time has expired. [Laughter.] Senator Carper. I would say to Mr. Tritak, it is a privilege serving with your wife, and we are grateful for that opportunity and for the testimony of each of you today. Thank you. Chairman Lieberman. I think we can all agree on that. Thanks, Senator Carper. Senator Bennett. Senator Bennett. Thank you, Mr. Chairman. If I can just put a slight historical note here. Mr. Malcolm, considering the initial reaction of the Justice Department to my bill and your comments here, I can say to my colleagues that we have moved a long way. [Laughter.] Because the initial reaction was not only no, but no, on just about everything, and I am grateful to you and your colleagues at the Department, that you have been willing to enter into a dialog and we have been able to move to the point where you are able to make the statements that you have been making here. I think it demonstrates great progress. And I come back to a comment that Mr. Tritak made, which I think summarizes very clearly the problem we have here, when he says this is going to require a significant cultural adjustment on both sides. We have had grow up in this country the adversarial, if you will, relationship between government and industry. 
Maybe it comes from the legal world where everything is decided by advocates on two sides who fight it out and then presumably the truth comes as a result of this clash. This is not something that lends itself to the adversarial attitude. This is something that requires a complete cultural adjustment. Industry automatically assumes that anything they share with the government will be used against them. There is an unspoken Miranda attitude that anything I tell the Feds, they are going to turn around, even if it is totally benign, they are going to look for some way for some regulator to find me or damage me in some other way. And some regulators have the attitude, unfortunately, that anybody who goes into business in the first place is automatically morally suspect, that if they had real morals they would teach. [Laughter.] Or come to work for the government. And we have got to break down those cultural attitudes on both sides and recognize, as this hearing has, that our country is under threat here, and people who wish us ill will take advantage of the seams that are created by these cultural attitudes, and we have got to see to it that our protection of our critical infrastructure becomes truly seamless between government and industry, and there is an attitude of trust for sharing of information. Now, let me get directly to the issue that Senator Thompson raised with you, Mr. Malcolm. Do you see anything in my bill that would allow someone to deliberately break the law and then try to cover that by some kind of document dump? Mr. Malcolm. Well, I will answer your question this way, Senator--and I am not meaning to be evasive--I believe the intent of your bill, for instance, is not to preclude the government from using the information in terms of a criminal prosecution, although I believe that intent, assuming that is your intent, should be spelled out perhaps a little tighter.
But assuming that is your intent, that any information provided voluntarily or otherwise to the government they can direct use of it, derivative use of it in terms of a criminal prosecution, then the answer to your question will be no. In terms of a civil enforcement action--and of course there are many elements that go into a criminal prosecution which may or may not be appropriate. Sometimes you want to take, say, environmental cleanup efforts or any civil enforcement action that is not a criminal prosecution, there is nothing in your bill that I see that prevents that action from going forward. There are things in the bill that make such an action more difficult in terms of precluding direct use of the information that is voluntarily submitted, and of course, that does leave it to a court to determine when you cross the line between direct use and indirect or derivative use. So there is some gray area on the margins of what the term ``direct use'' means, so it is possible that a company say could be negligent in its maintenance of manufacture of some component that deals with critical infrastructure could get some noise out there that something bad is about to happen that might subject the company to civil liability, could do a document dump on the government, and the government would be circumscribed to some degree in terms of its ability to use that information in a civil enforcement action. Senator Bennett. Not being a prosecutor and not being burdened with a legal education---- [Laughter.] My common sense reaction would be if we were getting--I put myself now in the position of the government. 
If we were getting a pattern of information from an industry, say a dozen different companies were saying, ``This is what is happening, this is what is happening, and so on,'' and one company does a document dump in which there is an indication that something is wrong with their maintenance, it would seem to me, if I were sitting in that situation, here is a red flag that these people are not giving us legitimate information for legitimate purposes. These people have something serious in mind that they are trying to protect and would make me examine their submission far more than I otherwise would. If I were the CEO of a company, and I have been, and somebody in my legal department were to come and say, ``Hey, we can cover this. This is what we would do.'' In the first place, I would not tolerate that in any company that I was running, but if someone were to come to me with that idea that this is how we are going to cover this, I would say, ``You are up in the night here, this is crazy. Fix the problem. Disclose what we need to disclose to help deal with the critical infrastructure thing, but do not think that the Feds are stupid enough to overlook what you are trying to cover here.'' But that having been said, obviously we have the intention you are imputing to us. We do not want, under any circumstances to say that the sharing of information with the government will provide cover for illegal activity or that it will provide cover that somebody in a civil suit could not file a legitimate subpoena for that information. Mr. Malcolm. The only thing that I am saying, Senator, and we are not really disagreeing with each other, we are certainly four-square together with respect to a criminal prosecution. 
With respect to a civil enforcement action, if you assume you are in the perspective of the government and the evidence has been dumped upon you, if you have say a bad faith exclusion for dumping documents, that puts you into the difficult position of having an evidentiary hearing of sorts to determine what was in the minds of the people who dumped the documents. Were they doing this in bad faith because they realized that their vulnerabilities that were of their own making were about to come to light? Or were they dumping it because they realized that they had these vulnerabilities, whether they should have fixed them or not fixed them. That could harm the government and harm the citizenry. Those are evidentiary issues. All I am saying, in terms of impeding an effort, is if you are in the position of the government and you receive this information, and it is now not FOIA-able, because this now fits within an exemption, so you are largely relying on the government to take an appropriate civil remedial action, there are constraints within the bill that you drafted as to what you can do with that information and how far the direct use extends into information we get. I am not saying it is not doable, because for example, in the hypothetical that you used, you said, well, there are other companies out there that are making rumblings about what bad company is doing. Well, if you get the information from those other companies, it is independently derived, you are in the clear. But if the crux of the information that you have received is from a company that has done the document dump, you then are in the area of trying to figure out or have a judge figure out what motivated the company in terms of making that submission, and you are also in the area in terms of saying to what use can you put the information that has been provided, and again, it is our belief that there are already benefits that a company can get by providing the information. 
There is a policy that gives favorable consideration for voluntary disclosures in terms of criminal prosecution and civil enforcement actions. That should be enough, and that the government's hands should not be tied in terms of taking appropriate civil enforcement actions, particularly since that information is not going to be FOIA- able and will probably be protected from other civil lawsuits by private organizations. Senator Bennett. If I can just very quickly, Mr. Chairman, on this whole question of a cultural attitude change, it may very well be that the very thing that the head of Homeland Security of the Department of Defense needs to know in the face of an attack is the particular vulnerability that this one company might otherwise not disclose. So I am very sympathetic to what you are saying about the need to see to it that people do not get off the hook, but let us not lose sight in our effort to hang onto that, of the possibility that a terrorist has discovered that this company is the most vulnerable because of bad maintenance or whatever, and is moving in that direction. And if the government does not get that information, we could all be sitting here looking at each other after an attack, saying, ``Gee, we wish we had paid equal attention.'' Thank you very much. Chairman Lieberman. Thank you, Senator Bennett. This is an important line of questioning, and before we move on to the next panel, I want to just take it one step further, and in fairness give my colleagues an opportunity to ask another question also. And this is about the effect on the regulatory process--we have talked about civil and criminal actions--both the authority of the government and the responsibility of private entities under the regulatory process. 
So I would guess we will hear on the second panel a concern that has been expressed by the environmental community about what an exemption under FOIA as proposed by Senator Bennett's legislation would do to a company's obligations under the right-to-know laws, where they are providing information about environmental health or safety risks and problems, and then that information is made available by the government to the public. There are concerns that the exemptions granted here might give the companies a ground for withholding some of the information that otherwise would be public. Similarly, there is a concern that if a company voluntarily submits the information, receives a FOIA exemption, and then the government decides--perhaps the Justice Department--that the information should be considered for instance in deciding whether to grant a permit, an environmental permit or some other permit for the facility, whether the information has to continue to be kept secret. So my question would be whether you think that those fears are justified, and if so, is there a way to handle them in this legislation? Mr. Malcolm. That is an excellent question, Senator, and in part you are going beyond my ken of expertise, but I will answer it as best I can. And this goes back actually to the point that Senator Bennett just made at the end, which is that we are trying to come up with a fine balancing act that incentivizes companies to give over this information which is desperately and vitally needed by the United States, while at the same time not giving them an ability to, if you will, hide their misdeeds and to get away. And this is a balancing act. In terms of the first part of your question, which I took to mean that, gee, if we were to create such an exemption, that would give a company an excuse to withhold information that it otherwise---- Chairman Lieberman. That they would otherwise have to make public under right-to-know laws. Mr. Malcolm. 
While I would like to give that matter more thought and perhaps my answer might change, I will say at the risk of shooting from the hip, that I think that concern is probably somewhat exaggerated for two reasons, which is, one any exemption that would be created here I do not believe would take precedence or in any way overrule any other requirements that the company might have. So if it is required under some other regulation to put forth information, I do not think that the company could all of a sudden come back and say, well, I do not have to comply with that regulation because of this FOIA exemption. As well, with respect to private parties' abilities to obtain information, I think we need to be clear, one, this is information nobody would have had but for the voluntary disclosure, and two, it only prevents private parties from one avenue of getting this information, and that is through a FOIA request. It is not taking precedence in any way of any other avenue that civil litigants or interested parties have at their disposal and use frequently to great effect to get information from private industry. It is just saying that among your arsenal of ways of obtaining information, this quiver is being taken out of your arsenal. Now, you had a second part to your question which dealt with any possible effects on, if a voluntary disclosure is made in terms of the government's ability to share that information in a regulatory environment, and I am afraid, Senator, that really is sort of beyond my expertise. Chairman Lieberman. I understand. I would ask you to think about that, and I appreciate your answer to the first part, and as the administration formulates its exact or detailed position on this question, I hope you will keep it in mind that it may be that we can handle this with a simple explicit reassurance in the legislation that there is no intention here to override any other responsibilities that anyone otherwise would have had under other laws. 
Do any of my colleagues wish to ask another question of this panel? Senator Thompson. Mr. Chairman, along that line, it would seem--I am looking at a summary of the bill here that says the voluntarily shared information can only be used for the purposes of this act. And so I would assume that the purposes of this act would not include environmental enforcement or anything like that. And without written consent, cannot be used by any Federal, State or local authority, or any third party in any civil action. So I think, as you indicated, there is nothing in here that would prohibit using the very information the company gives you to carry out a criminal action against the company. So you can use the information in a criminal proceeding, I would assume, although you have got to have some company lawyer assuring the boss that there is no criminal exposure when they turn that information over, a little practical matter there. But assuming they do, you can use it directly. And in a civil action you can use information derived from other sources. You just cannot use the information that the particular company sent you. But then you would have to carry the burden of proving that you are basing your enforcement action on that other material and not this particular information this company sent you. Somewhat like when a Federal prosecutor gets into sometimes when we have hearings, and he has to prove that he is building his case based on things other than what was on national television every night for a week, and he did not get any information there that he used. There is no fruit of the poisonous tree and all that. So there are some practical impediments there. But getting back to what Senator Bennett said we should not forget that what we are doing here is pretty important and there are some tradeoffs, it seems to me. There is no way that we can avoid some potentially, not the best kind of result. 
If you have got a company that is supposed to be running a nuclear reactor and they are doing a shoddy job of it, is it not best maybe that we know they are doing a shoddy job of it, even if nobody can sue them? [Laughter.] On the other hand, what if they persist in doing a shoddy job and refuse to do anything about it; what does that leave you? I think you are on the right track. You are asking the right questions, and I think that hopefully we will wisely make those tradeoffs. Thank you. Chairman Lieberman. Thanks, Senator Thompson. Senator Carper, do you have another question? Senator Carper. I think I have done enough damage with this panel. Thank you. [Laughter.] Chairman Lieberman. Senator Bennett. Senator Bennett. Well, I think this has been a very useful discussion, and certainly we stand ready to make the kinds of clarifications Mr. Malcolm is talking about, because it was never the intent and never should be, that this desire to get information should be used in any way to cover any illegal or improper activity. But the one thing that I want to stress one more time that has already been mentioned, but just to make sure we do not lose sight of it, without the passage of some legislation along the lines that I have proposed, in all probability the information that we are talking about will not be available to anybody anyway. We are not talking about something that is a new protection because the ultimate protection, absent our legislation, is the lawyer and the CEO sitting down and saying, ``We are not going to tell anybody about any of this, so that nobody knows. The government does not know. Competitors do not know. 
A potential litigant in the environmental community or anyplace else does not know because we are just not going to let anybody know about this.'' And if the legislation passes and then the CEO says, ``You know, this is potentially a serious problem, and we can let this out knowing that the effect on our business will be exactly the same as if we do not let it out.'' That strikes me as a positive good for the government to have. So let us keep understanding in all of this discussion that we are talking about information that would otherwise not be available to anybody. Chairman Lieberman. Thanks very much, Senator Bennett. Gentlemen, thank you. I agree with Senator Bennett, it has been a very helpful discussion, and we look forward, as soon as possible to the administration's recommendations to us. Thank you. We will call the second panel now. Michehl Gent, who is the President and Chief Executive Officer of North American Electric Reliability Council; Harris Miller, President of the Information Technology Association of America; Alan Paller, Director of Research at the SANS Institute; Ty R. Sagalow, a Board Member, Financial Services ISAC, and Executive Vice President of eBusiness Risk Solutions, American International Group; David L. Sobel, General Counsel, Electronic Privacy Information Center; and Rena I. Steinzor, Academic Fellow, Natural Resources Defense Council and also more particularly a Professor at the University of Maryland School of Law. We thank you all for being here. I know you have been here to hear the first panel, and we look forward to your help for us as we try to grapple with this serious matter and balance the national values that are involved. Again I will say to this panel, that your prepared written statements submitted to the Committee will be printed in full in the record, and we would ask you to now proceed for an opening 5-minute statement. Mr. Gent. TESTIMONY OF MICHEHL R. 
GENT,\1\ PRESIDENT AND CHIEF EXECUTIVE OFFICER, NORTH AMERICAN ELECTRIC RELIABILITY COUNCIL Mr. Gent. Thank you Chairman Lieberman, Senator Thompson, and Committee Members for this opportunity to testify on information sharing in the electric utility industry, and information sharing between industry and government as it relates to critical infrastructure protection. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Gent appears in the Appendix on page 81. --------------------------------------------------------------------------- Because of electricity's unique physical properties and its uniquely important role in our lives, the electric utility industry operates in a constant state of readiness. The bulk electric system is comprised of three huge integrated synchronous networks that depend instantly and always on coordination, cooperation, and communication among electric system operators. We treat preparation for acts of terrorism the same way we deal with the potential loss of a power plant or transmission line. We have trained people, facilities and procedures in place to handle these contingencies. What we lack are security clearances for key electric industry personnel to be able to receive and evaluate classified threat information. We also lack the equipment that would allow us to communicate by voice over secure channels with people that have these clearances. In my written statement I have outlined our very good working relationship with the U.S. Government, the FBI, the National Infrastructure Protection Center, the Department of Energy, the Critical Infrastructure Assurance Office and others. We have successfully managed a number of very difficult challenges including Y2K and the terrible events of this past September. I commend the NIPC and the DOE specifically for the way they have conducted themselves and their programs.
At the heart of our success is our commitment to working with the FBI. We made this commitment nearly 15 years ago, and the trust in each other that we have built over the years has carried over into the NIPC. The word ``trust'', as you have heard here earlier today is a very important word to us. Without trust none of these programs will work. We are proud of our relationship with the NIPC and the DOE. However, this strong relationship could be much better, could be stronger. Trust alone is not enough to allow us to do the additional things that are needed to prepare for future possible terrorist attacks. To be able to share specific information with the government we need to have some assurances that this critical information will be protected. To be able to share specific vulnerability information within our industry and with other industries to do joint assessments of inter-sector vulnerabilities, we need to have targeted protection from antitrust laws. We therefore support S. 1456 introduced by Senator Bennett. The electric utility industry is building on the trust of one another that we developed in its Y2K effort. We are approaching critical infrastructure protection similar to the way we dealt with Y2K. We have an all-industry organization called the Critical Infrastructure Protection Advisory Group. In my testimony I have outlined the scope and activities of that group. It is very active and we are very proud of the progress they are making. Our Information Sharing and Analysis Center, or ISAC, gets lots of acclaim. We have had a lot of practice and we have been doing this information gathering, analysis, and dissemination for decades. We did not get much attention before because most people have not given too much thought about what it really takes to keep the lights on. Adding cyber threat awareness to our physical threat analysis programs was a natural. Physical and cyber activities are becoming increasingly entwined. 
We believe that our electric industry's experience is a great formula for success and an example of how an industry organization can best serve the industry that supports it. To take the next steps and to deal in greater detail with the combined threats of physical and cyber terrorism, our industry needs an even greater ability to share information within the private sector and with the government.

In summary here are my recommendations. We need to provide a way for sponsoring agencies, such as the FBI and DOE, to increase the number of industry personnel with security clearances. Private industry input is needed for any credible vulnerability assessment. We need to provide inexpensive, effective, and secure communication tools for industry participants that participate in these infrastructure ISACs. We need to provide limited specific exemptions from Freedom of Information Act restrictions for certain sensitive information shared by the private sector with the Federal Government. We need to provide narrow antitrust exemptions for certain related information sharing activities within the industry. We believe that S. 1456 does achieve this result. And finally, we need to adopt the reliability legislation that has been passed by the Senate as part of the comprehensive energy bill.

Again I thank you for this opportunity. I look forward to your questions at the end of the panel.

Chairman Lieberman. Thanks, Mr. Gent. Mr. Miller, please proceed.

TESTIMONY OF HARRIS N. MILLER,\1\ PRESIDENT, INFORMATION TECHNOLOGY ASSOCIATION OF AMERICA

Mr. Miller. Thank you very much, Mr. Chairman. On behalf of the more than 500 members of the Information Technology Association of America, I am very pleased to be here in front of you. I know my 5 minutes is going to go quickly, but I just want to say a couple of personal things.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr.
Miller with attachments appears in the Appendix on page 94. --------------------------------------------------------------------------- First of all, Senator Thompson will be sorely missed when he retires at the end of this Congress. I am not sure I am going to have another opportunity to testify before this Committee, but his leadership on information technology issues and bringing information technology to the government has been quite remarkable and we really appreciate his leadership and that of the staff. Chairman Lieberman. I agree, and I will be sure to tell him. This is one of those rare cases in Washington where you say something nice about a person when he is not in the room. [Laughter.] So that is even more sincere. Mr. Miller. Thank you, Mr. Chairman. Second, it is once again a pleasure to work very closely with Senator Bennett, whose leadership on the Y2K has been continued on this issue and we appreciate it. And third, Mr. Chairman, one of my senior staff recently found a bestseller called ``The Power Broker'' authored by you---- Chairman Lieberman. Your testimony is becoming more and more impressive as you go forward. [Laughter.] Mr. Miller. And my staffer asked if you would agree to sign this. We promise not to go out on the eBay auction site. So thank you, Mr. Chairman. Last, but not least, I did bring my general counsel, Joe Tasker with me. While you were studying at the law school at Yale, I was up the street at the political science department, so if this gets too technical I may turn to my general counsel to help. Basically, I want to make just a couple of important points today. First of all, we strongly endorse the Bennett-Kyl bill, and certainly none of the suggested changes made by Mr. Malcolm on behalf of the Justice Department would give us any heartburn if the primary sponsor feels that those are acceptable. 
So the kind of narrowing that the Justice Department is suggesting sounds quite reasonable if Senator Bennett, Senator Kyl, and the House sponsors also agree, so we can certainly go along with that.

Basically three simple messages I want to leave you with. The cyber security threats are substantial and growing. Second, information sharing requires tremendous trust, and that was also discussed in the first panel. And third, we think that passage of this legislation is essential if we are going to move along that trust quotient that is necessary.

In terms of the growing threat, I have a lot of data in my written submission, but let me just make one simple point. We now believe that a new virus or worm is being written and unleashed out there every 5 minutes, so just while I am testifying before your panel, we are going to have a new virus or worm out there. In the 2 hours of this hearing you are going to have a couple of dozen new viruses and worms out there. So the threat is enormous. It is growing, and the attention that this Congress can put on this issue is very important.

We know that most citizens are much more scared of physical threats and biological threats than they are of cyber threats, but as Senator Bennett has so eloquently stated on many occasions, the worst-case scenario is really the combination of a physical threat or a bio threat with a cyber threat, and because our society, our government and our economy are so dependent on our cyber network, the attention this Committee and this Congress is paying to cyber threats and that the administration is paying is absolutely essential.

Well, if the threat is so real, what is the problem about information sharing? Well, we all remember the old adage ``Macy's doesn't tell Gimbel's.'' Well, it is particularly true, as Mr. Dick suggested in the previous panel, in the information technology industry.
We are a very competitive industry, and as the head of a trade association, I can tell you how difficult it is to get them to share information, and in particular, Macy's and Gimbel's do not go tell the cops. That just is not the way it is done. But yet as the first panel pointed out and you pointed out in your opening statement, Mr. Chairman, that is essential if we are going to deal with this threat. We need to get a situation where we are sharing the information.

So how do we do it? How do we get beyond the business as usual mentality that these organizations have? Well, Senator Akaka mentioned that ``terrible'' acronym, ISAC, the Information Sharing and Analysis Centers, but those are critical. Let me be clear what this is. These are closed communities. Now you may say, ``Why do you need a closed community?'' Because we are dealing with, by definition, sensitive and confidential information; just as the government has classified internal information that they do not want to share with the public or with potential terrorists or criminals, similarly the industry has those issues. And so we are creating these Information Sharing and Analysis Centers, which are closed community environments.

So the first challenge is to get the ISAC members themselves to share information. As one who was instrumental in setting up the IT ISAC, for example, I can tell you that is still difficult. We are still taking baby steps even though the organization was formally announced almost 14 months ago and has been in full operation for over 8 months. It is very tough to get people to share this kind of sensitive proprietary confidential information even though they know in some sense it is the right thing to do, because not only, as was pointed out in the previous panel, do you have to see the return on investment, you also have to be sure there is no enormous downside, and that downside of public disclosure is perhaps one of the biggest threats to that.
And then we have to move on, as Mr. Gent just said in his comments, to sharing across the ISACs, so we have that kind of sharing. There are institutions being created to do that. There are institutions that already exist such as the Partnership for Critical Infrastructure Security that encourage that, but we really need to advance that.

And then of course the sharing with the government, which is really what Senator Kyl and Senator Bennett's bill is all about; how do we move beyond simply sharing within industry, again, sensitive information before events occur? And we believe that this information sharing will be accelerated if key executives, and particularly the lawyers who are the gatekeepers here, are willing to allow their companies to share information without the threat of FOIA. We certainly believe that the good faith provisions that Mr. Malcolm and you just discussed, Mr. Chairman, and Senator Bennett discussed, are exactly right. We are not trying to allow companies to hide bad faith actions, but to get companies to the appropriate level of care and trust, we believe passage of this legislation is essential.

Today, Mr. Chairman, criminals and terrorists are in the driver's seat. The bad actors have great advantages. There are hacker communities out there. They have conventions. They communicate on the Internet. They are not worried about FOIA provisions, but we have to get the good guys together in the same way. We have to get them to cooperate.

One final point. Mr. Dick said quite correctly that the industry and government are trying to work together on a lot of good advances such as the InfraGard program. But we still believe, Mr. Chairman, the government perhaps can do a little bit more to share sensitive information in the other direction. Now, we understand again that is very difficult, and in some industries it is being done, but again, that is trust going the other way. That is the cultural change on both sides that Mr.
Tritak referred to, but we would encourage this Committee to continue to dialog with industry and with government to make sure the information sharing is going in both directions. Thank you very much. Chairman Lieberman. Thanks, Mr. Miller. Mr. Paller. TESTIMONY OF ALAN PALLER,\1\ DIRECTOR OF RESEARCH, THE SANS INSTITUTE Mr. Paller. Thank you, Mr. Chairman. --------------------------------------------------------------------------- \1\ The prepared statement of Mr. Paller appears in the Appendix on page 112. --------------------------------------------------------------------------- Every day millions of attacks are launched across the Internet in an ongoing battle between---- Chairman Lieberman. Mr. Paller, excuse me. Tell us what the SANS Institute is. Mr. Paller. SANS is the principal education organization in information security. We train about 16,000 people a year, the intrusion detection analysts, the firewall people, the guys on the front lines, and that is who I am representing in this discussion today. I will start by answering directly the four questions that were outlined in the letter that you sent. The government is not getting the data it needs from the private sector, either to provide adequate early warning or to give a good report to you or to the public about the real costs of cyber crime. On the other hand, specific elements of government are doing a wonderful job of responding very quickly to information the private sector provides. For example, the Office of Cyber Security in the White House and the FBI created a wonderful public/private technical partnership to fight specific worms. GSA inside the government is doing a great job of sharing data within the government, getting data reported to it and sharing it within the government. Private sector organizations are not doing very well in sharing attack data. I will give you specific information on that. 
Although they are making good use of data on unsuccessful attacks, and I will differentiate that in a minute.

The fourth question is whether legislation is needed. I am not a lawyer. I do not have that training, but I believe a clarification of the FOIA exemption is not going to cause companies to share cyber attack data with the government. I fully agree that secrecy of that data is essential when that data is presented, to protect the victim from further damage. You have to keep it secret because if you do not, the bad guys will pile on. If anybody is known to be attacked, everyone else comes in and goes and gets them, plus you have got all the problems with the business issues.

But even if you provide a perfect FOIA exemption, the companies under attack are unlikely to share the data. There is ample evidence to prove this. Even when the technical trust relationship is established--I think of FOIA as a technical trust. Trust is a personal issue. FOIA is a technical way of trying to build it. Even when the technical trust relationship is perfect, the evidence comes from the members of one of the ISACs, not the oldest ISAC, but the most active old ISAC in this information sharing of cyber data, the Financial Services ISAC. They have a reporting system that is absolutely perfect. They cannot figure out who reported. And so you would think that would solve the problem. But if you go in and check the data, you will find that substantially none of them reported data on current attacks or reported data on other attacks with one single exception, and the exception is actually the reason you think there is data, and that is when they have actually hired the company that runs the ISAC to be their incident response team. So the company that is hired goes in as part of the victim's team, and because they know the data as the victims know it, they feed it into the database.
But the idea that if you establish a perfect technical trust relationship, you are going to get the data--we have no proof of that.

Chairman Lieberman. What do you mean by data here?

Mr. Paller. I mean, ``I am being attacked right now. It is coming in through a new vulnerability in IIS. It has gone two steps. It has also taken over my database. They are extorting money from me.'' And it is happening right now. Two people get it. One is the consultant that was called in, and if they call the law enforcement in, they will get it, too. But there is no sharing with other people.

Chairman Lieberman. You mean the fact that it is happening?

Mr. Paller. The fact that it is happening because it is a private event. They are being extorted.

Chairman Lieberman. Understood. So that is what you mean by data here----

Mr. Paller. Yes, exactly.

Chairman Lieberman. Because they do not want to reveal it. They do not want it to be known----

Mr. Paller. They do not want to reveal it, and they see no benefit in revealing it.

Chairman Lieberman. And they see danger or vulnerability or loss.

Mr. Paller. It is a bet-your-company loss. It is that big to them. So all the other stuff tends to pale. If the government--this is the line they do not like to say, but if the government wants substantially more people to report attack data, I think you are going to need to make reporting mandatory through changes in contract and grant regulations or through other action in legislation like the legislation you have that requires federally insured banks to report suspicious activities. I have a couple of charts. Is it all right if I show them to you?

Chairman Lieberman. Sure, if you can stay within your time.

Mr. Paller. Well, since we have 1 minute left, let us not do that. There are five areas that the data sharing comes in. One is vulnerability data.
If a utility finds out it has a vulnerability in a SCADA system running its systems, it could do a lot of good if it shared that with the government and it could do a lot of good if it shared that with the other utilities right away, and getting that data is absolutely essential to the early warning.

Two, unsuccessful attack data is being shared very well. This is the data that hits your system but you do not want. That data has found two worms and it has helped block one of them and helped capture the criminal that did the other one. So that is working.

What is not working are the two sets of data that you want when the attack is taking place, when it is taking place and you are not getting it after the fact, and as I said before, you are not going to get it unless you require it.

The last set of data is the one that actually can do the most good. There is a synthesis of data that companies will share. The synthesis is ``we have been attacked, so we know what we have to do to protect our systems,'' and those are called benchmarks. And when the Federal Government and commercial organizations share the benchmarks, you can actually have a radical impact on the effect of new worms. The NSA, the National Institute of Standards and Technology, SANS and the Center for Internet Security have just finished, with Microsoft's help, a standard for securing Windows 2000. There will be more coming shortly. If you want to do a lot of good, make sure the Federal Government uses some kinds of standards when they buy new equipment so that they are as safe as they can be when they are installed. Thank you.

Chairman Lieberman. Thank you. Mr. Sagalow.

TESTIMONY OF TY R. SAGALOW,\1\ BOARD MEMBER, FINANCIAL SERVICES ISAC AND CHIEF OPERATING OFFICER, AIG eBUSINESS RISK SOLUTIONS

Mr. Sagalow. Mr. Chairman, thank you for this opportunity to testify about the importance of information sharing and the protection of this Nation's critical infrastructure.
--------------------------------------------------------------------------- \1\ The prepared statement of Mr. Sagalow with attachments appears in the Appendix on page 123. --------------------------------------------------------------------------- My name is Ty R. Sagalow, and I come to you in two capacities today. First as a Member of the Board of the Financial Services Information Sharing and Analysis Center, the FS ISAC. And second, as COO of American International Group's eBusiness Risk Solutions Division, the largest provider of network security insurance in the world. My full remarks have been entered into the record, but I'd like to summarize them for you if I can. Governor Tom Ridge recently remarked, ``Information technology pervades all aspects of our daily lives, of our national lives. Disrupt it, destroy it or shut down the information networks and you shut down America as we know it.'' The sad fact is that our information technology systems are already under attack, and there is every reason to believe it will get worse before it gets better. U.S. companies spent $12.3 billion to clean up damages from computer viruses in 2001. And Carnegie Mellon reported that in 2001 they received over 50,000 incident reports. Today it is easier for a cyber terrorist to shut down a dam by hacking into its control and command computer network than to obtain and deliver the tons of explosives needed to blow it up. More frightening, the destruction can be launched from the safety of the terrorist's living room couch, or cave as the case may be. Fortunately, we are not powerless. Ironically, as it is the information systems which are the subject of the attack, it is our ability to share information which provides our best foundation for defense. Today the financial institutions that are members of the FS ISAC represent more than 50 percent of all credit assets. 
The mission of the FS ISAC is straightforward: Through information sharing and analysis provide its members with early notification of computer vulnerabilities, computer attack subject matter expertise and relevant other information such as trending analysis. Unfortunately, I am here today to tell you that we have not been wholly successful in that effort, and we can not succeed without your help.

We believe there are chiefly three obstacles that must be removed for effective information sharing to take place. The reason, as Senator Bennett has already said, companies will not disclose voluntarily if their general counsels tell them that there is a potential that disclosure will bring financial harm to their company. It is really that simple. With respect to sharing information with the public sector, the fear exists that competitors or terrorists or others will be able to obtain that information through the Freedom of Information Act. With respect to sharing of information within the private sector, there are two fears. First that the sharing will be deemed to be a violation of antitrust laws, as has been previously discussed; and second, that the act of sharing the information will lead to civil liability against a company or its directors and officers.

Now, much has already been said of the first two points. Permit me to speak on the third for a moment. The chilling effect of the potential liability lawsuits on voluntary speech cannot be underestimated. Private lawsuits, or rather the fear of them, have always played an important role in fostering proper conduct. However, when applied inappropriately, they can have the opposite effect. Such is the situation here. Why disclose the potential inadequacy of a security technology of your vendors when that disclosure could lead to a defamation lawsuit? Why recommend the use of specific technology safeguards when such disclosures could lead to lawsuits alleging interference with the contractual rights of others?
Why freely disclose the result of research and analysis and best practices, when that disclosure could lead to shareholder lawsuits alleging disclosing of company trade secrets? The risk is too great. Better safe than sorry. Better to keep your mouth shut. These statements represent the danger that we face today as they will be the advice given by general counsels throughout the Nation. Fortunately, this danger can be avoided through thoughtful and balanced legislation like the Senator Bennett-Kyl bill and similar to the great work done by Senator Bennett in Y2K. Putting on my other hat for a moment, I can tell you that information sharing is essential to the creation of a stable insurance market for network security. Insurance plays a critical role in protecting our national infrastructure, both through the spreading of risk as well as the influencing of standards of good security behavior through the incentives inherent in making insurance available and affordable. Today my company leads the way in this effort, and we have already provided billions of dollars of insurance protection for thousands of companies. However, there are very few insurance companies willing to provide network security insurance. The reason, insurance companies cannot underwrite if they do not have access to data on frequency and severity of loss or at least the hope of future access to that data. Effective and robust information sharing becomes the foundation of building the actuarial tables needed to create a stable insurance market. 
Therefore and in conclusion, we believe that for voluntary information sharing to be both robust and effective, the following needs to happen: An exemption for FOIA as stated in the Bennett-Kyl bill; an exemption of the Federal-State antitrust laws for information that is voluntarily shared in good faith, and finally, the creation of a reasonable safe harbor provision similar to that which was provided under Y2K, to protect disclosure of information within the private sector as long as that disclosure was made in good faith.

Mr. Chairman, I would very much like to thank the Committee for permitting me to testify on this important subject. I will be pleased to answer any questions you might have.

Chairman Lieberman. Thanks, Mr. Sagalow. Mr. Sobel.

TESTIMONY OF DAVID L. SOBEL,\1\ GENERAL COUNSEL, ELECTRONIC PRIVACY INFORMATION CENTER

Mr. Sobel. Mr. Chairman, thank you for providing me with the opportunity to appear before the Committee.
---------------------------------------------------------------------------
\1\ The prepared statement of Mr. Sobel appears in the Appendix on page 166.
---------------------------------------------------------------------------

The Electronic Privacy Information Center, EPIC, has a longstanding interest in computer security policy, emphasizing informed public debate on matters that are of critical importance in today's interconnected world. While my comments will focus primarily on proposals to create a new Freedom of Information Act exemption for information concerning infrastructure protection, I would like to share with the Committee some general observations that I have made as this debate has unfolded over the last few years.

First, there appears to be a consensus that the government is not obtaining enough information from the private sector on cyber security risks. I would add that citizens, the ones who will suffer the direct consequences of infrastructure failures, are also receiving inadequate information on these risks.
There has not yet been a clear vision articulated defining the government's proper role in securing the infrastructure. While there has been a lot of emphasis on finding ways to facilitate the government's receipt of information, it remains unclear just what the government will do with the information it receives. In fact, many in the private sector advocate an approach that would render the government powerless to correct even the most egregious security flaws.

The private sector's lack of progress on security issues appears to be due to a lack of effective incentives. Congress should consider appropriate incentives to spur action, but secrecy and immunity, which some advocate, remove two of the most powerful incentives--openness and liability. Indeed, many security experts believe that disclosure and potential liability are essential components of any effort to encourage remedial action. Rather than seeking ways to hide information, Congress should consider approaches that would make as much information as possible available to the public consistent with the legitimate interests of the private sector.

As indicated, I would like to focus my comments on proposals to limit public access to information concerning critical infrastructure protection. EPIC and other members of the FOIA requestor community have, for the past several years, voiced concerns about proposals to create a broad new FOIA exemption such as the one contained in S. 1456 for information relating to security flaws and other vulnerabilities in our critical infrastructure. Government activity in this area will be conducted in cooperation with industry, and accordingly, will involve extensive sharing of information between the private sector and government. To facilitate the exchange of information, some have advocated an automatic, wholesale exemption from the FOIA for any cyber security information provided to the government.
Given the broad definitions of exempt information that have been proposed, I believe such an exemption would likely hide from the public essential information about critically important and potentially controversial government activities taken in partnership with the private sector. Critical infrastructure protection is an issue of concern not just for the government and industry, but also for the public, particularly the local communities in which affected facilities are located. I believe the proposed exemption is not needed. Established case law makes it clear that existing exemptions contained in the FOIA provide adequate protection against harmful disclosures of the type of information we are discussing. Exemption 4, which covers confidential private sector information, provides extensive protection. As my written statement explains in detail, I believe that exemption 4 extends to virtually all of the critical infrastructure material that properly could be withheld from disclosure. In light of the substantial protections provided by FOIA Exemption 4 and the case law interpreting it, I believe that any claimed private sector reticence to share important data with the government grows out of, at best, a misperception of current law. The existing protections for confidential private sector information have been cited repeatedly over the past 2 years by those of us who believe that a new exemption is unwarranted. Exemption proponents have not come forward with any response other than the claim that the FOIA provides a ``perceived'' barrier to information sharing. They have not made any showing that Exemption 4 provides inadequate protection. Frankly, many in the FOIA requestor community believe that Exemption 4, as judicially construed, shields far too much important data from public disclosure. 
As such, it is troubling to hear some in the private sector argue for an even greater degree of secrecy for information concerning vulnerabilities in the critical infrastructure. Shrouding this information in absolute secrecy will remove a powerful incentive for remedial action and might actually exacerbate security problems. A blanket exemption for information revealing the existence of potentially dangerous vulnerabilities will protect the negligent as well as the diligent. It is difficult to see how such an approach advances our common goal of ensuring a robust and secure infrastructure. In summary, overly broad new exemptions could adversely impact the public's right to oversee important and far-reaching government functions and remove incentives for remedial private sector action. I thank the Committee for considering my views. Chairman Lieberman. Thanks, Mr. Sobel. And finally, Professor Steinzor. TESTIMONY OF RENA I. STEINZOR,\1\ ACADEMIC FELLOW, NATURAL RESOURCES DEFENSE COUNCIL AND PROFESSOR, UNIVERSITY OF MARYLAND SCHOOL OF LAW Ms. Steinzor. Mr. Chairman, thank you for the opportunity to appear before you today on behalf of the Natural Resources Defense Council. --------------------------------------------------------------------------- \1\ The prepared statement of Ms. Steinzor with an attachment appears in the Appendix on page 172. --------------------------------------------------------------------------- The issues before you are both significant and troubling, especially in the wake of the tragedies that began on September 11. Obviously, all Americans recognize the importance of doing whatever we can to improve homeland security. At the same time, as Senator Lieberman said, this country was attacked because we are the most successful democracy the world has ever known. 
If we overreact to those who attacked us so viciously, and in the process undermine the principles and rule of law that have made us such a hopeful example for the world, terrorists will win the victory that has thus far eluded them. NRDC strongly opposes both the text and the underlying principles embodied in S. 1456, the Critical Infrastructure Information Act, and urges you to consider more effective alternatives to make Americans secure. We oppose the legislation for four reasons. The legislation has an impossibly broad scope. To the extent that the legislation focuses on cyber systems, and by these I mean systems that are connected to the Internet and therefore are vulnerable to outside disruption, NRDC as an institution has little to add to the debate. Computers are not our area of expertise. In fact some of us are still using the Windows 95 operating system. Of course, as Senator Thompson has articulated, S. 1456 extends much further than cyber systems, covering not just computers that are connected to the Internet, but also the physical infrastructure used to house these systems. The legislation covers not just physical infrastructure that has or is controlled by computers, but also any physical infrastructure that is essential to the economy and might be damaged by a physical attack. The legislation is not limited to the Freedom of Information Act, but extends to any use by anyone of the information in civil actions. Mr. Malcolm spoke about the government's use of disinformation. I would stress, however, that this applies not just to the government but to the use of the information in a civil action by any party. And the legislation covers information, not just copies of specific documents. It is a slender reed to rest on the adjective direct use when it covers information so broadly, and information in a different format could still be precluded from use in a civil action. 
NRDC is sensitive to the fears all Americans have about our vulnerability to terrorist attacks. We are active participants in the debate about whether information about the operation of facilities using acutely toxic chemicals should be accessible on the Internet. The Environmental Protection Agency is encountering many challenges as it works diligently to sort through these issues. But these difficult issues are not within the areas of expertise of the government agencies assigned a role in implementing S. 1456. Using legislation of this kind as a vehicle for stressing how information enhances or combats the terrorist threat to physical infrastructure is unwise and duplicative. As Senator Akaka stated so well, the legislation will have a series of disastrous unintended consequences, damaging existing statutory frameworks crafted with care over several decades. Let me draw in another thread of history. A few years ago major industry trade associations, which had members subject to environmental regulations, began to push the idea of giving companies immunity from liability if they performed self-audits, uncovered violations of the law, took steps to solve those problems and turned the self-audit over to the government voluntarily. The Department of Justice vigorously opposed such proposals and they never made it through Congress. Several States enacted versions of self-audit laws. In the most extreme cases, EPA responded by threatening to withdraw their authority to implement environmental programs and the laws were repealed. Self-audit bills defeat deterrence-based enforcement, creating a situation where amnesty is available even where a company has continued in violation for many years and then decided to come into compliance at the 11th hour. As drafted, S. 
1456 is a comprehensive self-audit bill that extends not just to environmental violations but to violations of the Nation's tax, civil rights, health and safety, truth-in-lending, fraud, environmental, and virtually every other civil statute with the exception of the Securities Act. The legislation does not even require that companies cure their violations in order to receive amnesty. Redrafting may help, but it will be very hard to solve the problems as long as the legislation covers physical infrastructure. Secrecy is not the best way to protect critical infrastructure, and this Committee should abandon that approach. Rather, actually requiring changes on the ground is a far preferable solution to the threats we face. One way to reduce the vulnerability of physical infrastructure is to ensure that employees have undergone background checks and that site security at the fence line of the facility and the area adjacent to vulnerable infrastructure is enhanced. Another way to protect the public and workers is to eliminate the need for the hazardous infrastructure, for example, a tank holding acutely toxic chemicals. This approach, called Inherently Safer Technologies, is the cornerstone of legislation, S. 1602, now under consideration by the Senate Environment and Public Works Committee. NRDC has also consulted with EPA officials responsible for coordinating their agency's contribution to strengthen homeland security. EPA has extensive legal authority to take actions against companies that fail to exercise due diligence in protecting against such attacks. The combination of the Corzine bill and administrative action will make great strides toward addressing these problems. As the Committee continues its consideration of these issues, we hope that you will continue to consult with a broad range of experts and stakeholders and allow us to participate in your deliberations. 
We appreciate the efforts of the Committee staff to undertake these discussions in order for all of us to better understand the policies, goals and implications of the legislation. Thank you. Chairman Lieberman. Thanks, Professor. Let me see if I can ask a few of you to give a little more detail, without disclosing exactly what you do not want to disclose, which is what are we talking about here with sensitive information? Mr. Paller, in your testimony you gave us a series of examples. I wonder if any of the rest of you, Mr. Sagalow or Mr. Gent, could give us a little more general information about what we are talking about that people you represent or you yourselves would not want to disclose without this kind of exemption from FOIA? Mr. Gent. Senator, you might remember back, I believe it was your freshman year this Committee held hearings, and not much has changed about the electric system vulnerability since then. And one of the problems back then was that they wanted us to build a list of critical facilities, ``they'' being the government, so that the government could analyze that and be prepared to help us defend at those facilities at that time from physical attack of nations or nation states or terrorists. Not much has changed. We now have the cyber element that goes into this. So government agencies are asking us to come forth with lists of critical facilities along with their degree of vulnerability and what would happen if this facility were taken out. And we have, for the last 20 years, said that we are not going to build such a list. As others have testified, we have no confidence that the government can keep that a secret. Chairman Lieberman. Got it. Mr. Miller, do you have an example that comes to mind, generally speaking? Mr. Miller. 
In the information technology industry there might be a product that is developed, a software product, which in most formats works fine, but in conjunction with a certain hardware, which a lot of these things are integrated with, different types of hardware, in fact there is a vulnerability. The software vendor may become aware of that, may decide that it wants to communicate with, however, a very limited audience, for example--just its immediate customers and clients because of that relationship, but would be totally unwilling to share that with the government because it does not want to face the possibility of broad public disclosure of that. Again, we are talking about limited cases, not a massive virus attack, where as was discussed in the previous panel, everyone wants to work together to get the word out about a Code Red or a Nimda. We are talking about a particular--the technical term is ``configuration'' of a particular software product, where the impetus is to keep it in a closed community unless otherwise they are incented to do so, and particularly to share it with the government would bring a lot of risk because of this possibility, or Senator Bennett, maybe it is just the paranoia business, the likelihood that if you share it with government it will end up being disclosed. Chairman Lieberman. Mr. Sagalow. Mr. Sagalow. Mr. Chairman, I will give you two examples of information, falling into the areas of best practices that might be shared if there was a FOIA exemption. When it comes to the Nimda virus, Code Red, those massive attacks, that information is being shared. What is not being shared is information on risk management techniques, best practices, corporate governance, and I will give you two examples. 
If a corporation becomes dissatisfied with their particular vendor, one anti-virus software works very poorly and they end up deciding to terminate that contract and instead incorporate another anti-virus software, you would want that information to be shared. A general counsel would be extremely reluctant to give their CEO or CTO permission to share that type of information, fearing potential defamation lawsuits from the vendor that you ended up dropping, as well as from other people for other causes of action like tortious interference with a contractual relationship. The second example I would give you is potential shareholder actions arising out of disclosure of company practices and technology use. There is a business issue of whether you want to disclose these things since some may regard them as trade secrets. However, if all the CEOs of the world were similar to Mr. Bennett, they would disclose a certain amount of what is arguably a trade secret if it is consistent with protecting our national infrastructure and the good of society, as long as it did not do undue harm to the company. A general counsel is not going to take that attitude. A general counsel is going to say even though it is the right thing to do, there are professional plaintiff attorneys out there that will start shareholder derivative actions alleging that the act of disclosure itself was a breach of fiduciary duty. Chairman Lieberman. Thank you. Mr. Paller made a statement which was very frank and sounded pretty realistic, that even with the exemption proposed, that there will be companies who will not share because they are still concerned in a voluntary system that it will not really be kept confidential, and therefore--not that he was recommending this, maybe he was--but that we may need a mandatory system. 
Now, I wonder whether, real quickly because I want to get on to another question, whether the three of you agree or disagree, if we had appropriate exemption from FOIA do you think companies would still withhold information? Mr. Gent. I think if you made it mandatory, they would not withhold. Chairman Lieberman. Right. [Laughter.] Mr. Miller. I would strongly disagree with Mr. Paller. First of all, I do not know what it would mean to be mandatory and I do not know how you would possibly enforce that, but I think the information sharing is growing. Again, I agree that the FOIA is not the silver bullet, Senator, but for the interest of the industry, yes, there is growing in the communities, electrical, financial services IT, that there is a broader community interest because these people who are American citizens. They want to support the good of the Nation. But they have to be protected on the down side. That is clearly the establishment of the ISACs, the establishment of the partnerships, that sharing of information through InfraGard is a commitment the industry is making. Chairman Lieberman. Mr. Sagalow. Mr. Sagalow. Our members have told us that if these obstacles are removed, there will be a substantial increase in disclosure. Of course some people will never disclose no matter what, but there will be a substantial increase. Chairman Lieberman. Professor Steinzor, let me ask you your reaction to the conversation on the last panel, which was: Why would not your concerns about the effect of the passage of Senator Bennett's legislation on various environmental laws be eliminated by inserting language that said that nothing in this proposal should diminish any obligation that anyone has under any other system of law? Ms. Steinzor. That would go a long way to help, but we would still be required to fight over such issues as whether there was an obligation, there was no obligation, and whether the information was submitted before the government asked for it. 
The way this bill is drafted it says that information is voluntarily submitted in the absence of such agency's exercise of legal authority. So the agency would have to actually ask for the information in order for it to be submitted non-voluntarily. At the moment, there is a lot of information kept in companies that the government may not have asked for yet, and if it was submitted voluntarily, the protection could be asserted. That is just one of the kinds of problems that we are concerned about. Another way to deal with what you are talking about is a savings clause. Such a clause should be something that is dynamic, not just for laws that are on the books today but laws that are added to the books in the future. And one last thing I would like to add, which is that to the extent that the information we are concerned about here is information that is time-sensitive, one way to approach it would be to say the protection only lasts for a certain limited period of time. We have heard a lot about an attack is ongoing and you need to share the information. Arguably, once you have shared it, once the problem is addressed, as we all assume it will be, you no longer need to make that information secret. Keeping it secret is only important to liability down the line. Again, there would be no liability if the problem was solved. So that is another way to approach this. Chairman Lieberman. Mr. Sobel, do you have a reaction to that discussion on the first panel? I know it is not directly responsive to your concerns. Mr. Sobel. Frankly, Senator, my concern is with this taken in combination, the fact that there would be no possibility of disclosure apparently at any time running into the future, as well as no real governmental ability to address any of the vulnerabilities that are made known to the government, and then there is this provision that I read as a very broad immunity that would also preclude any private actors from seeking corrective action. 
So what I see, taken as a whole, is this structure that provides information to the government, but then really ties the hands of the government or anyone else to direct and compel corrective action. As I said, I think this approach protects the negligent as well as the diligent, and that is really, I think, the main flaw. Yes, we can certainly assume that many, if not most, of the actors in the private sector are going to be good actors, but it seems to me that this just creates an incredibly large loophole for those companies that frankly are more inclined to be negligent than diligent. Chairman Lieberman. Thanks. Senator Bennett. Senator Bennett. Thank you, Mr. Chairman, and thanks to everyone on the panel including those who were not quite as supportive of my legislation as some of the others, because these are obviously the issues that have to be resolved, that have to be talked about. I sponsored a bill for a long time on the privacy of medical records, and ran into much the same kind of very firm opinions on all sides of the issue, and I kept saying year after year, this is not an ideological issue, this is not conservatives versus liberals or Republicans versus Democrats. This is a management issue. How do we solve the problem? And my staff got sick and tired of me saying it. I would say, if there is a management problem raised by this objection, let us solve the problem rather than put ourselves into ideological camps and then scream at each other? We do a great deal of that in the U.S. Senate, usually on the floor, less so in committee, but we have a serious challenge here. It is one for which there is, frankly, no historic predicate because the coming of the information age has changed the world as thoroughly and fundamentally as the coming of the Industrial Age did. And if you are going to talk about agricultural age warfare after the invention of the repeating rifle, you are going to be left behind. 
And the statement by Osama bin Laden is a chilling reminder of the fact that we live in an entirely different world, and we all, on all sides of this issue, need to view that world differently. Now, if I were someone who wished this country ill, and I have said this before so I am not giving out any secrets, if I were someone who wished this country ill, I would be concentrating on breaking into the telecommunications infrastructure over which the Fedwire functions. If I could shut down the Fedwire, I could bring all activity in the country to a complete stop. No checks would clear. No financial transactions would take place. There could be no clearing at the end of every day for the Federal Reserve system. The Fedwire is the absolute backbone of everything that goes on in the economy. And I have had conversations with Chairman Greenspan about protecting the Fedwire from cyber attack. That specter before us, how do we deal with the challenge of telephone companies, of power companies, of brokerage houses, banks, and the Federal Government itself, that are tied together in this absolutely intricate network of transactions and facilities, and protect the Fedwire from someone sitting in a cave somewhere coming after it? Now, Mr. Miller could share some information with us, which I have seen, that shows the graphs of the level of attacks that have come against the United States, cyber attacks, and it is a logarithmic scale. It is not just a quiet little incremental increase every year. It is almost Malthusian in terms of the predictions, and it is a hockey stick. And I have stood in the rooms where these attacks are being monitored in real time, second by second, in the Defense Department within the Pentagon. 
The interesting thing is that just as the number of attacks is going up logarithmically, the sophistication of the attacks is going up logarithmically, so that our ability to defend ourselves, which is also going up logarithmically, is just barely keeping up with the sophistication and volume of the challenge that we have. I first became aware of this with Y2K when I was talking with Dr. Hamre, the Deputy Secretary of Defense, as we were trying to find out in a hearing on S. 407, Mr. Chairman, over in the Capitol, where we can have classified briefings, about the degree of this country's vulnerability, and Dr. Hamre said to me, ``We are under attack every day.'' And this was 3 or 4 years ago. And I said, ``Under attack, what are you talking about?'' Well, the attack on the government facilities goes on. My fear, the thing that keeps me awake at night is that if those who are mounting those sophisticated attacks on government facilities--and they are primarily aimed at the Defense Department and the intelligence community, CIA, NSA and others--were to shift their focus onto the private sector and do so in a timing and a circumstance where no one in the government knew that that shift had taken place, how vulnerable are we, and how will we feel if we say, ``Well, we did not facilitate the opportunity for people who are the recipients of those attacks to share with the government what was happening.'' This is not questioning. I am just responding to the panel and sharing with you my deep, and I hope not paranoid, desire to see to it that we are prepared for this. So in the one minute left before we go back to the second round, do any of you, recognizing this is a management issue rather than an ideological issue, have any comments across the gap that has occurred within the panel, that are not just, oh, you are wrong, you do not understand. It is easy for you to say that back and forth to each other. 
Do any of you have any solutions that you could suggest across the divide that has been created here within this panel in the circumstance that I have framed? Mr. Miller. Just a brief comment. I thought that Mr. Sobel and Professor Steinzor said that with some of the limitations that Chairman Lieberman suggested, and Mr. Malcolm discussed it in the earlier panel with you as the primary sponsor, that they might see some possibility of bridging the gap. Again, these are technical legal issues beyond my exact area of expertise, but I was pleased to hear that both Mr. Sobel and Professor Steinzor indicated that they might--if the language of the bill was even more clear as not to allow the worst bad actors to use the Freedom of Information Act language to hide behind--that they might be open to some kind of compromise. And I thought that was a very positive statement by both of them from my perspective. Ms. Steinzor. Senator, I could not agree with you more that this is an enormous challenge and a grave threat, and I am not by any stretch of the imagination questioning your motives or your sense of urgency about all of this. What is troubling to us is that it would seem as if a more direct way to approach this would be to try and develop technologies like the one Mr. Paller was talking about, to erect firewalls and make cyber systems more secure, rather than simply allowing for a shroud of secrecy to go over them because of the difficulties of drawing lines in this area. You know the Freedom of Information Act, in our experience, is one of the most ponderous legal tools one can ever use. It takes months, years, to get a request answered. And so we are puzzled why the urgent exchange of information could not be protected in a short timeframe in a different way that does not implicate the Freedom of Information Act, which we do not see as a very grave threat to the immediate exchange of information. 
People are talking about perceptions on all sides, and we are puzzled by that. Mr. Sobel. Senator, if I could just follow up on that, on the FOIA point. I have a real concern that a new exemption approach could actually muddy the waters far more than they are right now. We have heard a lot of concern about the advice that a general counsel might give within a company in terms of whether or not there is adequate protection or not. It seems to me, as an attorney who looks at these issues, that 28 years worth of very clear case law would give me much more comfort in advising a client than a newly-enacted piece of legislation that contains some very broad language. I think if I was that general counsel and this legislation passed, I would say, ``Well, you know, this has not yet been judicially construed. We do not know how much protection this is going to provide.'' I would feel much more comfortable looking at the Critical Mass decision from the D.C. Circuit, where the Supreme Court denied certiorari, and saying, ``This is a pretty good assurance that this information is not going to be disclosed.'' So I do not think we are disagreeing about goals, but I think there is a real question in terms of what is the most effective way of providing the assurance that the private sector seems to want. Mr. Miller. Maybe that is what the hypothetical general counsel would believe, Senator Bennett. That is not what the real general counsels believe. Mr. Sagalow. Senator, let me follow up if I can. Chairman Lieberman. Mr. Sagalow, let me just interrupt. Senator Bennett, I do not have any other questions. I have a couple of colleagues waiting to see me. If you are able, I would like to ask you to continue the discussion, and then when you are through, to adjourn the hearing. Senator Bennett. That is very dangerous on your part. [Laughter.] Chairman Lieberman. I do not want you to get comfortable with the gavel though. [Laughter.] Senator Bennett. Thank you, Mr. Chairman. 
Chairman Lieberman. Not at all. Thank you for your leadership. It has been a very interesting, important, constructive hearing, and I look forward to continuing to work with you, Senator Bennett, and with those who have been before us to see if we can resolve this in the public interest. Thank you. Senator Bennett [presiding]. Thank you very much. Now, having no constraints upon me, I would like to pursue this a little further. Mr. Sagalow. Senator, if I could just respond to a couple of the comments that were mentioned earlier. My company created something called a Technology Alliance, which is a group of technology companies that advise us as underwriters on evaluating cyber risk, and we have been literally talking to dozens of technology companies over the last 2 years and we continue to talk to them. I can tell you, Senator, that without exception there is no technology company that believes that there is a technology silver bullet. There is no super firewall. There is no super anti-virus or intrusion detection system. There is no single technology or combination of technologies that will solve this problem. On the second issue of the theoretical versus practical general counsel, I agree with the comments of my colleague, Mr. Miller. I do not know what theoretical general counsels say, but I know what they say to me every day. And what they say to me every day is their view of current law and regulation including case law does not give them a sufficient basis to recommend to their CEOs to disclose. More legislation, more action is needed. Senator Bennett. Let me follow through on that one. We have always been under the impression that we were helping FOIA by focusing and defining the exemption which, Mr. 
Sobel, you indicated has been done by case law so as to make it clear that in this circumstance under these conditions the broad exemption that is already in FOIA would clearly apply and that we were not in any way repealing or destroying FOIA, we were simply focusing the definition. Now, Mr. Sagalow, let us go back to you--recognizing you have not had this discussion, but your perception of how a general counsel would react. Do you think that the passage of this legislation would be viewed in that regard and therefore make a general counsel more likely to say let us go ahead, or do you think they would react to the legislation somewhat in the way that Mr. Sobel is? You do not have to agree with his opinion of where they are in case law, as to try to say maybe he is right that they would say, ``Well, the legislation may sound good, but it is still not going to give me any comfort.'' Mr. Sagalow. I do not know. It is a legitimate issue. I believe that, based upon the conversations that I have had so far, that the majority of general counsels would be looking at it in the first approach. They would be looking at this legislation clarifying existing case law in a way favorable toward disclosure as opposed to a de novo aspect of legislation that they would feel uncomfortable with until years of case law interpretation. Senator Bennett. Let us go back to Professor Steinzor's comment about time. I think that is a very legitimate issue that she has raised. I have used the example which, frankly, Professor, you shoot down, that Osama bin Laden would mount an attack and then file a FOIA request to find out how well it worked, and if indeed FOIA would require 4 years before he got the information, the technology would have been about five generations old by the time he got the information. She has raised an interesting question, gentlemen, about putting a time limit on this, where you say the FOIA request cannot be filed for 3 years, let us say, pick a number. 
She would probably pick 3 months, but let us pick a number and put a timeframe on this, and talk about what effect that might have in the real world. Mr. Gent. Mr. Gent. Senator Bennett, there is certain operational information that can be made available moments afterwards, some hours afterwards, some days afterwards, but when it comes down to the configuration and vulnerability of the electric system, this is something that evolves over decades. So having information, in fact, to be honest with you, some of the information that is now being released to the public is still very dangerous and could be considered as a terrorist handbook. So the configuration has not changed that much. The components that are vulnerable have not changed that much over the last decade. So if you talk about operational information, I would be willing to talk about a shorter timeframe, but physical configuration of a system is still important after decades. Senator Bennett. We need to remember, and you have reminded us, that the physical and the cyber are inextricably linked here. Mr. Gent. We believe that. In fact, Hoover Dam is not going anywhere. Senator Bennett. But the ability to break into the computers that are updated that control the sluice gates, somebody could open the sluice gates and drain Hoover Dam without blowing it up. Is that an accurate---- Ms. Steinzor. But, Senator, that again is a cyber issue which presumably would be addressed by technology evolving within a certain period of time because cyber systems are changing all the time. I think the emphasis on the physical configuration is exactly what concerns us because a lot of the physical configuration, for example, at a chemical plant, is heavily scrutinized and regulated by the government. 
And again, this protection does not just apply to the Freedom of Information Act, it also applies to use in a civil action which could be either enforcement or some other type of action that would not be able to proceed if the company was not continuing to do something wrong. So again, my suggestion about the temporal aspect is that the assumption must be that once we discover vulnerability, we are going to address it right away, whether it is in the physical context or the cyber context, that the Freedom of Information Act in civil actions would only be viable if those problems were not addressed, and therefore a temporal limitation might be just the ticket to solve the problem. If I could just add one more thing. As an educator of young lawyers, let me talk about the theoretical versus the actual general counsel. One of the things we always impress on our students is the need to zealously protect their clients' interests, and while I would sign up tomorrow to be your general counsel, you being the hypothetical CEO---- Senator Bennett. You might not be in a financially successful institution. [Laughter.] Ms. Steinzor. Well, but you were articulating such good ethics and good sense, that I think I might do it. Maybe I could keep my university job. The problem is that if there is an opportunity to do a document dump, which of course would not be conceived in those pejorative terms, that it is both a theoretical and actual general counsel would be pushing the company to do exactly that. They would say, ``Look, CEO, we have vulnerabilities involving our physical infrastructure that are very serious, and we should go contact Governor Ridge about those and get into some conversation with him, and if any agency tries to pursue us through one of the more mundane daily laws, we can fend them off while we address our vulnerabilities.'' This kind of situation is our concern. I should have brought a lawyer joke for the occasion. Senator Bennett. I have plenty of those. Ms. 
Steinzor. Good. Senator Bennett. Anyone want to respond to that? Mr. Miller. Mr. Miller. Not so much to that, but your earlier question about time limitations. It is easy for me to say sure, why not in the information technology industry because 3 years is an eternity. But again, it is very much tied to physical issues. A certain governor of a certain large State just to the north of here, about 4 years ago was very proud to release a document on the Internet that showed where every telecommunications, electrical network, and critical asset in the Commonwealth of his State was located, and it was very public, it was very well known. I am sure Tom Ridge was very proud of that at the time he was governor, because everyone was into disclosure using the Internet. I am sure looking back from his current position, Tom Ridge wonders how he had that crazy idea 4 years ago to make that information public. So I would think, Senator, we need to consult with a lot more people who are, as Mr. Gent was suggesting, involved in these long-term fixed positions that may or may not be controlled by cyber relationships before we would say that the time limit idea intrinsically is a good idea. Again, in principle, I do not think the IT industry would be too much concerned about that, but I think a lot of our customers might be because those physical assets do not change and those physical vulnerabilities do not change for long periods of time. Senator Bennett. Without treading into classified territory, because in this whole process I have spent an awful lot of time in places that deny that they exist after I leave them, as a general principle, someone who is looking over critical infrastructure needs to know key points. And the key point in the critical infrastructure can be taken out with a kinetic weapon many times more efficiently than it can be taken out with a cyber attack. 
The interesting thing that comes from those who analyze this--and I must be careful about this--the interesting thing that comes from those who analyze this for a living is that the key points in a critical infrastructure are very often not obvious. There might be a particular switch in a particular pipeline or a particular telecommunications switch, or a substation that for some reason is far more critical than any other in terms of possibly shutting down the power grid. A terrorist would give a tremendous amount to know where those key points are. And I am not sure the people who are giving information to the government, if my bill was to pass, would themselves know how key they are or where they are. And the question becomes--the government could put that together. The government says, ``OK, we have got this from this source. We have got this from this source. Uh-oh.'' Back to my original analysis if I am going to mix metaphors here. If this particular facility goes down, that is what shuts down the Fedwire. And the people who manage that facility do not know that. If that information--that is the pieces of information that allowed the government to discover that are individually made available with FOIA, and an analyst working for a hostile nation state comes to the same conclusion that our analyst came to, and said, ``Aha, this is the one thing which if we shoot down, cuts down the Fedwire.'' And that becomes very valuable information, and maybe they make the decision, ``We are not going to go after it in a cyber way. We are going to get somebody with a truck full of fertilizer to pull up to the front door of that particular facility and lo and behold everybody is going to be surprised because they think they have all of these technological firewalls everywhere else to protect the Fedwire, and bingo, we can take it out with a fertilizer bomb.'' Now, that is obviously a hypothetical and obviously that kind of analysis is going on. 
But that is the kind of concern that I have about sharing information. And it may well be that we could find a division here between some things that could be disclosed after a 3-year period and some things that could not. I can anticipate some of you are going to say, ``Well, you are not going to know that in advance,'' but let us at least have a quick round on that concern.

Mr. Paller. I think you go back to the bigger question that your staff got mad at you about, about understanding it is a management problem. And what I see happening here is what happens in lots of security conversations, which is different people looking at different parts of the animal. (1) If that is what you are going to disclose, it is terrible, and (2) if that (other thing) is what you are going to disclose, it is fine. I think maybe this is one of those really hard slogging jobs where you have to go systematically through every specific type of data in every specific type of environment and get the answers to the questions of which are going to be disclosed and which are not going to be disclosed if you want to get consensus in the room. I am not sure that the effort is going to be worth the trouble, but I do not see a way, as long as you keep a very broad view of what the ``it'' is, to get them to agree how long or when or whether to disclose it.

Mr. Miller. Senator, I do not know whether it has to do directly with FOIA legislation. I mean clearly the issue of saying we do not know what we do not know is a real problem. Let me give you an obvious lesson that was learned on September 11, and that is redundancy in telecommunication systems. A lot of companies had learned over time, as part of business continuity planning, to have redundancy in their telecommunication systems, which meant having two carriers, two switches, and two sets of pipes. But a lot of companies put those switches and those pipes in exactly the same building, the World Trade Center.
So when the World Trade Center went down they really did not have redundancy. They ended up not having complete telecommunication systems left. And so that was a lesson that was learned, or at least it was put out there. I am not sure whether it has been completely learned. We are still having this debate with the Federal Government as you know, and there is legislation in Congress to require Federal agencies to begin to think about having true physical redundancy as opposed to assumed physical redundancy in telecommunication systems. So frequently we do not know what we do not know, and we have to have a tragedy or a direct experience to learn that lesson. Would the FOIA exemption you are suggesting help that to come together? Perhaps because who, other than the government, does exactly what you say, which is to look at all of the pieces of the puzzle. At the end of the day, his companies look at the electricity industry, I look at the IT industry, Mr. Sagalow and financial ISAC members look at the ISAC industry. Mr. Paller kind of looks across industries because he has got experts in all of these. But at the end of the day it is only the government that looks at the overall view of how these interdependencies really work in ways that nobody else really can.

Mr. Sobel. Senator, I just wanted to make the observation that it seems to me that there is a little bit of a disconnect in terms of industry's attitude here. I mean on the one hand we are being told that the agencies that would receive the information are somehow so incompetent that they would be releasing highly sensitive information in response to a FOIA request despite very strong case law supporting withholding, and yet on the other hand industry seems to believe that there is something valuable that the government has to tell them or something valuable the government has to do in the form of coordinating response activity.
So I am not getting a clear picture from industry in terms of how they see government. Is government a competent, useful player here or is it something else, an entity that is going to receive information and very haphazardly release it to the detriment of all of us? So I really am hearing two things here.

Senator Bennett. My answer to that question would be yes.

[Laughter.]

Mr. Sobel. Well, then I think it raises----

Senator Bennett. There is no such thing as industry and there is no such thing as the government. There are a variety of companies in a variety of industries. It is enormously complex, and as you have indicated, the vast majority of them would be very disciplined and act in a responsible way. And there are few, in your opinion, that would not, that would be irresponsible and would try to use this in an improper fashion. There are a variety of people in government who are enormously competent and who would provide the analysis that we need, and there are a variety of people who have demonstrated a regulatory mentality to which I referred earlier, that would use the information in a way just to prove their regulatory muscle that would be irresponsible. You only have to sit in a Senator's office to discover that there is no, ``the Government.'' There are a variety of human beings, some of whom, most of whom, act responsibly and intelligently, and every once in a while there are some regulators who just defy common sense in the way they do their jobs and hang on to the regulations that they have. So my answer to your question, without being facetious, is yes to both sides of it.

Mr. Sobel. I think that is very true, but as Mr. Tritak said, if this is a question of trust and establishing trust, I do not understand why that same regulator is suddenly going to be trusted by the industry submitter to comply with your new FOIA exemption if he is not trusted to comply with the existing protections.
In other words, if this is an incompetent or malicious bureaucrat, why would this new legislation create any greater trust on the part of the submitter? That is what I am really missing here.

Senator Bennett. All you can hope for is that you nudge him in the right way.

Mr. Sagalow. Senator, if I could just emphasize on that last point you mentioned, because that is exactly what is happening. In the real world everything is a gray area and what you need to do is nudge the general counsel in the right way. What I am hoping that you are hearing from at least the majority of people that are speaking on this area is a desire not to throw the baby out with the bath water, that this is a very essential piece of legislation, very important to the national infrastructure and our war against terrorism, and that the people on both sides of the aisle, so to speak, are willing to look at language in the bill consistent with the fundamentals: That data is received through independent use would be exempted, that under certain circumstances criminal prosecution if documented through that independent use would be permitted, that certainly it is not the intention of the legislation, and none of my members are indicating they expect it to be the intention of the legislation, that the legislation will somehow allow a company not to disclose what they would otherwise be obligated to disclose, whether in the criminal area, the environmental area, or the financial area. Two other quick comments. My personal belief is that the fear of data dumping or the bad general counsel, while not unrealistic, is perhaps overstated. General counsels have a firm belief in the law of unintended consequences. That is why they are hesitating to permit disclosure in the first place. And part of the law of unintended consequences is if you do a data dump thinking that you are going to fool the other side, something is going to go wrong.
Very few general counsels take that risk unless it is a matter of utter desperation. And then finally on this issue of the temporal solution to the problem, I can only echo the point that was made earlier, that this issue of ``we do not know what we do not know'' is quite important. We really do not know in any set of documents or data what are the fundamental issues that may be completely applicable 5, 6, or 10 years from now.

Senator Bennett. Well, the audience is voting with their feet in saying that the hearing is over. May I thank all of you for your contribution. This has been a serious discussion rather than a simple venting of opinions, and I am grateful to all of you for your willingness to enter into it in that spirit. If I were to summarize my attitude, and speaking solely for myself, obviously, and not for any other Member of the Committee, I wish we had the time to go through all of the issues and ultimately come, as has been suggested here, to a final consensus where everybody buys off and agrees, because I think people of goodwill at all aspects of this probably could arrive there. I must share with you once again, I feel a sense of urgency here which is very powerful, and the more time I spend with the intelligence community, the more time I spend in the Defense Department, the more times I visit that room in the Pentagon, where the attacks on our military infrastructure come in in real time and I see them on the screen, the more sense of urgency I have. I think we err on the side of exposing our country and really with exposing the American economy, exposing the world to serious damage if we delay too long.
And I would rather take steps as quickly as we can that start us down the road and maintain a perfect willingness to change the legislation as we get examples of serious violations of environmental or other circumstances by the small minority of companies that might try to take advantage of that, than delay the legislation until we can theoretically iron out all of the problems. I do not wish to be an alarmist. I try not to be an alarmist, but I think this is an issue that requires early action. And that is why I am grateful to the Chairman for his willingness to schedule the hearing, and I am grateful to all of you for your willingness to participate. With that, the hearing is adjourned.

[Whereupon, at 12:30 p.m., the Committee was adjourned.]

A P P E N D I X

----------

PREPARED STATEMENT OF SENATOR BUNNING

Thank you, Mr. Chairman. During the past 7 months community leaders, government officials and average Americans have been re-evaluating the level of security needed to protect ourselves. We have seen dramatic changes in the airline industry, and we have become very concerned about the safety of our ports and other transportation systems. Local, State and Federal emergency personnel have been on a high state of alert. And, we are increasing staffing at our borders. However, protecting our critical infrastructure is one of the most important steps we can take to ensure a safe future, and it should not be overlooked.

The government needs to do everything it can to encourage companies to share information with each other and Federal officials in an effort to stop those who are attacking our country. I understand that some companies are concerned about sharing sensitive information because they are afraid it may be released to the public. If we are serious about protecting our critical infrastructure, then we have got to be serious about finding a solution to this problem.
If businesses are afraid their non-public information can make its way into the public domain, we will never get the kind of open and productive relationship that we need between the government and business community. I am looking forward to hearing more about the legislation introduced by Senators Bennett and Kyl that begins to address this problem, and I appreciate the time our witnesses have taken to testify today. Thank you.

[GRAPHICS 80597.001 through 80597.176 omitted from the text edition (TIFF images not reproduced).]