[House Hearing, 110 Congress]
[From the U.S. Government Publishing Office]
PARTNERING WITH THE PRIVATE SECTOR TO SECURE CRITICAL INFRASTRUCTURE:
HAS THE DEPARTMENT OF HOMELAND SECURITY ABANDONED THE RESILIENCE-BASED
APPROACH?
=======================================================================
HEARING
before the
SUBCOMMITTEE ON TRANSPORTATION SECURITY
AND INFRASTRUCTURE PROTECTION
of the
COMMITTEE ON HOMELAND SECURITY
HOUSE OF REPRESENTATIVES
ONE HUNDRED TENTH CONGRESS
SECOND SESSION
__________
MAY 14, 2008
__________
Serial No. 110-114
__________
Printed for the use of the Committee on Homeland Security
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via the World Wide Web: http://www.gpoaccess.gov/congress/
index.html
__________
U.S. GOVERNMENT PRINTING OFFICE
43-939 PDF WASHINGTON DC: 2008
---------------------------------------------------------------------
For sale by the Superintendent of Documents, U.S. Government Printing
Office Internet: bookstore.gpo.gov Phone: toll free (866)512-1800
DC area (202)512-1800 Fax: (202) 512-2250 Mail Stop SSOP,
Washington, DC 20402-0001
COMMITTEE ON HOMELAND SECURITY
Bennie G. Thompson, Mississippi, Chairman
Loretta Sanchez, California Peter T. King, New York
Edward J. Markey, Massachusetts Lamar Smith, Texas
Norman D. Dicks, Washington Christopher Shays, Connecticut
Jane Harman, California Mark E. Souder, Indiana
Peter A. DeFazio, Oregon Tom Davis, Virginia
Nita M. Lowey, New York Daniel E. Lungren, California
Eleanor Holmes Norton, District of Mike Rogers, Alabama
Columbia David G. Reichert, Washington
Zoe Lofgren, California Michael T. McCaul, Texas
Sheila Jackson Lee, Texas Charles W. Dent, Pennsylvania
Donna M. Christensen, U.S. Virgin Ginny Brown-Waite, Florida
Islands Gus M. Bilirakis, Florida
Bob Etheridge, North Carolina David Davis, Tennessee
James R. Langevin, Rhode Island Paul C. Broun, Georgia
Henry Cuellar, Texas Candice S. Miller, Michigan
Christopher P. Carney, Pennsylvania
Yvette D. Clarke, New York
Al Green, Texas
Ed Perlmutter, Colorado
Bill Pascrell, Jr., New Jersey
Jessica Herrera-Flanigan, Staff Director & General Counsel
Rosaline Cohen, Chief Counsel
Michael Twinchek, Chief Clerk
Robert O'Connor, Minority Staff Director
______
SUBCOMMITTEE ON TRANSPORTATION SECURITY AND INFRASTRUCTURE PROTECTION
SHEILA JACKSON LEE, Texas, Chairwoman
Edward J. Markey, Massachusetts Daniel E. Lungren, California
Peter A. DeFazio, Oregon Ginny Brown-Waite, Florida
Eleanor Holmes Norton, District of Gus M. Bilirakis, Florida
Columbia Paul C. Broun, Georgia
Yvette D. Clarke, New York Peter T. King, New York (Ex
Ed Perlmutter, Colorado Officio)
Bennie G. Thompson, Mississippi (Ex
Officio)
Erin Daste, Director & Counsel
Natalie Nixon, Deputy Chief Clerk
Coley O'Brien, Minority Senior Counsel
(II)
C O N T E N T S
----------
Page
Statements
The Honorable Sheila Jackson Lee, a Representative in Congress
From the State of Texas, and Chairwoman, Subcommittee on
Transportation Security and Infrastructure Protection.......... 1
The Honorable Daniel E. Lungren, a Representative in Congress
From the State of California, and Ranking Member, Subcommittee
on Transportation Security and Infrastructure Protection....... 4
Witnesses
Colonel Robert B. Stephan, Assistant Secretary, Infrastructure
Protection, Department of Homeland Security:
Oral Statement................................................. 7
Prepared Statement............................................. 9
Mr. Jonah J. Czerwinski, Senior Fellow, Homeland Security, IBM
Global Leadership Initiative:
Oral Statement................................................. 14
Prepared Statement............................................. 15
Mr. Shawn Johnson, Vice Chairman, Financial Services, Sector
Coordinating Council:
Oral Statement................................................. 17
Prepared Statement............................................. 19
Mr. William G. Raisch, Director, International Center for
Enterprise Preparedness, New York University:
Oral Statement................................................. 22
Prepared Statement............................................. 24
Dr. Kevin U. Stephens, M.D., Director, Health Department, City of
New Orleans:
Oral Statement................................................. 30
Prepared Statement............................................. 33
PARTNERING WITH THE PRIVATE SECTOR TO SECURE CRITICAL INFRASTRUCTURE:
HAS THE DEPARTMENT OF HOMELAND SECURITY ABANDONED THE RESILIENCE-BASED
APPROACH?
----------
Wednesday, May 14, 2008
U.S. House of Representatives,
Committee on Homeland Security,
Subcommittee on Transportation Security and Infrastructure
Protection,
Washington, DC.
The subcommittee met, pursuant to call, at 2:22 p.m., in
Room 311, Cannon House Office Building, Hon. Sheila Jackson Lee
[chairwoman of the subcommittee] presiding.
Present: Representatives Jackson Lee and Lungren.
Ms. Jackson Lee [presiding.] Good afternoon. Let me thank
the witnesses for their indulgence. The subcommittee will come
to order.
The subcommittee is meeting today to receive testimony on
partnering with the private sector to secure critical
infrastructure. Has the Department of Homeland Security
abandoned the resilience-based approach?
Importantly, this testimony will discuss what the Office of
Infrastructure Protection has done to promote the concept of
resiliency throughout the 17 critical infrastructure sectors.
I am proud to convene today's hearing, which will focus on
private sector participation in securing our Nation's critical
infrastructure. Among our goals today is to determine the
applicability of resilience to this mission, to what extent the
Department is promoting it, and what we as a Congress can do to
support these efforts.
At the outset, I wish to thank Chairman Thompson for
declaring May Resilience Month for our committee.
In support of Resilience Month, today's hearing will focus
on an area ripe with resilience-related issues. Perhaps nowhere
is resilience more relevant to homeland security than the area
of critical infrastructure protection, which I think could be
more accurately termed critical infrastructure protection and
resilience.
After the attacks on September 11, most of the record $80
billion in economic losses was suffered by the private sector.
The consequences of Hurricane Katrina and Rita caused
extraordinary damage, as well. The magnitude of the hurricanes'
actual impact was rivaled only by the catastrophic failure of
the Federal Government to adequately respond to the resulting
suffering.
I am proud to be focusing on critical infrastructure
resilience, but I know that others have also advocated this
position for some time. A task force of the Homeland Security
Advisory Council on Critical Infrastructure released a report
in 2006 stating that the focus should be shifted from
protection to resilience, because it made a more convincing
business case to companies.
I might add that we want to hear from those here today to
find a way to balance protection and resilience. I believe we
can.
The report said that resilience offers an effective
metric--time--companies can measure how long it will be down in
the wake of a particular disaster and can work to minimize that
time. Resilience, I must say, is not capitulation, we in no way
are saying that our guard should be taken down, to assert that
we are mere political theater.
Instead, we are honestly saying to the American people that
we cannot protect everything all of the time. So if we are hit
or one of our suppliers is hit, we plan to ensure that we can
recover quickly so grave damage is not done to our economy.
Our most recent examples--and we are very grateful that we
have not had a terrorist attack since 9/11. We applaud all of
the front-liners and certainly the Department of Homeland
Security and the diligence of this Congress. But we also use as
a backdrop of experience some of the tragedies that have
occurred over the last couple of years.
For example, Hurricane Katrina is a prime example of the
lack of resiliency. Who knows what will happen with the
terrible excess of tornadoes that have occurred over the last
couple of days and last couple of weeks and the damage that has
been done to major geographic areas, including the obliteration
or elimination of a whole city?
What is the resilience there? That is a very good example
for us to use as a backdrop. What is the resilience in
countries, of course, with different political systems? What
will be the resilience of a China or a Burma?
These are questions that we should be asking so that we are
prepared for what may happen to us here in the United States.
It is my belief that the Department should utilize
resilience as a means of which to encourage private owners and
operators to secure their infrastructure for three reasons.
It requires the provision of information that demonstrates
to companies that there is an actionable threat to their
infrastructure.
Most of the time, this information is not available and, as
a result, companies do not see the justification of these
expenditures in the absence of a threat.
Related to the first, companies have been trained by this
economy to have no expenditures that do not produce profit
within a few months. Protective and preventative measures to
defend against a terrorist act likely do not generate such a
profit.
Third, a focus on protection prevention is not measurable.
We have no metric for quantifying whether something is
protected. Without being able to quantify when enough is
enough, industry is more reluctant to act.
However, I might issue a warning: Failing to do this,
failing to do this is the storybook tragedy for failure and for
a long, drawn-out journey of recuperation. Look to see how hard
the people of New Orleans are working, but because of the
failed actions of the Federal Government, resilience,
recuperation has been long in coming.
A strategy based upon resilience is not a silver bullet,
but it does support the critical infrastructure security
objectives. Beyond encouraging preventative and protective
measures, it asks companies to ensure that they can bounce back
due to a disruption, which may include a terrorist attack.
This will support communities' supply chains and our
national psyche. Furthermore, a focus on resilience can
increase the profitability of our companies. For example, a
2007 report by the Council on Competitiveness, entitled ``The
Resilient Economy: Integrating Competitiveness and Security,''
asserting that the 835 companies that announced a supply chain
disruption between 1989 and 2000 experienced 33 percent to 40
percent lower stock returns than their industry peers.
Those companies that were resilient, and thus able to
effectively deal with and bounce back from disruptions, were
the ones which grew in market share and saw increased returns.
In many ways, last week's full committee hearing was eye-
opening. I do believe that the Department is doing more with
resilience than was mentioned at the hearing. I look forward to
hearing from Assistant Secretary Stephan about those programs
under his auspices, and where and why, and why not, and he sees
resilience as being more effective.
This committee has not shied away from promoting private-
sector security. The 9/11 bill passed last August included a
voluntary private-sector preparedness accreditation and
certification program.
By no means is this program regulatory, but it does provide
for a conversation between the Department and the private
sector about security.
Led by Chairman Thompson, we included language that called
upon the Department to work with Sector Coordinating Councils
under Assistant Secretary Stephan to develop the standards for
the voluntary program.
I look forward to hearing more about this program today and
hearing whether the contemplated standards will include an
element of resilience.
This subcommittee is not interested in blame or bashing.
This subcommittee cares only about securing our critical
infrastructure and having a constructive dialogue with the
Department.
We believe that this hearing is a part of that dialogue and
look forward to learning from Assistant Secretary Stephan and
our other witnesses. Resilience may not be the silver bullet,
but a real discussion about it may make us more secure in our
days, weeks, months and years.
Who knows? There may be legislative penalties for those who
don't see this as a constructive aspect of their business. We
have to be able to save lives; we have to be able to save the
economy; we have to be able to move forward during this time of
crisis. To do so, we need the involvement of the public and
private sector.
Once again, I would like to thank everyone for their
participation today, and I look forward to hearing from each of
the witnesses.
At this time, I would like to enter into the record the
2006 Homeland Security Advisory Council report on critical
infrastructure. Hearing no objections, so ordered.*
---------------------------------------------------------------------------
* The information has been retained in committee files.
---------------------------------------------------------------------------
The Chair is now pleased to recognize the distinguished
Ranking Member of the subcommittee, the gentleman from
California, Mr. Lungren, for an opening statement.
Mr. Lungren. Thank you very much, Chairwoman Jackson Lee.
Thank you, members of the panel, for coming here to
testify. But more importantly, thanks for the work that you
have been doing.
I certainly share the chairlady's interest and concern over
the challenges this Nation faces to secure critical
infrastructure. You probably know as well as anybody, those of
you on the panel, it is an enormous job because of the
thousands of critical infrastructure assets we enjoy,
stretching from coast to coast and beyond.
Pursuant to Homeland Security Directive 7, the Department
of Homeland Security developed the National Infrastructure
Protection Plan, NIPP, to identify these vital assets and
coordinate protection efforts across 18 critical infrastructure
sectors.
Assistant Secretary Stephan, we thank you for the work that
you have done in leading this effort on behalf of homeland
security. Also, I recall when you came and asked for delay of
its issuance until it met, by your judgment, the high standards
that you thought were required.
By identifying critical assets and interdependencies,
coordinating risk-based protection programs, and ensuring
information, the NIPP provides the blueprint, I believe, for a
safer, more secure, more resilient America. It sets national
priorities, goals and requirements for effective distribution
of funding and resources to help ensure that our government,
economy and public services continue in the event of a
terrorist attack or other disaster.
Because the private sector owns or operates approximately
85 percent of the Nation's critical infrastructure, partnering
with the private sector is absolutely essential. To a great
extent, we found the private sector has focused on ensuring its
systems and networks were resilient and able to withstand
disruption, manmade or natural, because of commercial and
economic benefits.
I guess one of the questions we have is: How do we ensure
that continues or, in those cases where it is tough to make it
justified by the bottom line, how do we change the analysis so
that people understand that to be important?
After 9/11, when the financial markets quickly resumed
normal activity, Homeland Security began fostering public and
private partnerships to perfect our country's critical
infrastructure, with each sector bringing strength to the
partnership.
The government provides access to critical threat
information, and I think that is as important as anything else
we do. If you don't have the proper information, it is very
difficult to calculate what the threat is out there and very
difficult for you to respond to that threat.
The government also provides grants, which each sector
controls its own security programs, research and development,
and other resources that are more effective when shared.
Another example, I believe, of the Department promoting
resiliency is the creation of the National Infrastructure
Simulation and Analysis Center. It identifies
interdependencies, the consequence of infrastructure
disruptions, and suggests remedial action across all critical
infrastructure sectors.
It just seems to me that the four key mission areas of the
Department of Homeland Security--preventing, protecting
against, responding to, and recovering from terrorist attacks
or natural disasters--are equally important, whether we use the
rubric of resiliency or not.
I would prefer to prevent an attack, as I am sure we all
would, rather than respond and recover from one. However, if
there is another attack or natural disaster, we must ensure
that the Department and its governmental and private-sector
partners can respond to and recover from such an incident.
So we thank you for being here. I look very much forward to
the testimony from our witnesses.
If I were still chairperson, I would invite you to speak.
But a funny thing happened on the way to the ballot box a
couple years ago.
With that, I would yield back the balance of my time.
Ms. Jackson Lee. The gentleman has yielded back his time.
I welcome our panel of witnesses. Our first witness,
Assistant Secretary Robert Stephan, was appointed to serve as
the Assistant Secretary of Homeland Security for Infrastructure
Protection in April 2005. In this capacity, he is responsible
for the Department's efforts to catalogue our critical
infrastructure and key resources and coordinate risk-based
strategies and protective measures to secure them from
terrorist attack.
I would like to especially thank Colonel Stephan for his
participation today. I understand--and he has been on and been
between two international trips. I might say--I don't know if I
want to say for the record, because he looks very well to me--
but we will put it in the record so that he is covered. He is
fighting off jetlag.
But he has always been very gracious in his relationship
with this committee and the Congress but, more importantly,
very dutiful and attentive to his responsibilities at Homeland
Security. This committee recognizes and appreciates his
dedication to the Department and this very important topic.
Our second witness is Mr. Jonah Czerwinski. Jonah
Czerwinski is Managing Consultant, Global Business Services at
IBM, and a Senior Fellow for Homeland Security in IBM's Global
Leadership Initiative.
First, we are glad that the private sector has seen fit to
establish such an initiative, and we look forward to hearing
his testimony. He is responsible for developing policy,
guidance for the global movement management campaign at IBM. He
also served on the Council on Foreign Relations Study Group on
Strategies for Defense Against Nuclear Terrorism.
From 2001 to 2004, he directed the center's homeland
security roundtable, which regularly convened senior homeland
security leadership of the executive branch and Congress with
leaders of the think-tank community, academia, and private
sector to discuss critical homeland security issues. He is the
primary contributor to the Homeland Security Blog,
www.hlswatch.com.
Our third witness is Mr. Shawn Johnson. Mr. Johnson is a
Managing Director of State Street Global Advisors. He is the
Chairman of the SSGA Investment Committee and Director of
Institutional Fiduciary Services.
Shawn is also a member of the State Street Corporation's
Major Risk Committee, as well as the SSGA's independent
fiduciary committee, and the SSGA Tuckerman Real Estate
Investment Committee.
In addition to managing SSGA's team of economists and
strategists, Shawn oversees SSGA's advanced research center,
product engineering, as well as private equity investments,
including CitiStreet, Wilton, ABCM, and SSGI Italy.
He is also responsible for SSGA's merger and acquisition
activities globally. Additionally, Shawn is currently the Vice
President of the Financial Services Sector Coordinating
Council, the private-sector organization that coordinates
homeland security issues with Federal and financial regulators.
We need not go any further than 9/11 to recognize the
impact on the financial services industry, particularly Wall
Street, to know how important the testimony is today.
Our fourth witness is William Raisch, Director of the
International Center for Enterprise Preparedness, Intercep, at
New York University. He founded the center with initial funding
from the U.S. Department of Homeland Security, as the world's
first academic research center dedicated to private-sector
emergency preparedness and resilience.
His work with Intercep focuses on the development of actual
strategies and policies in this arena through active engagement
of key stakeholders. Topical concentrations reflect an emphasis
on the what and the why of resilience and include best
practices, standards, metrics, assessments, information flow,
public-private partnerships, and the economic impact of
resilience, including the role of incentives for business.
In addition to strong involvement with the U.S. business
sector, the center has an international outreach actively
working with a diversity of multinational corporations, as well
as representatives from various national governments and NGOs
globally.
You are welcome.
Our fifth and final witness is Dr. Kevin Stephens, Health
Director for the city of New Orleans. He has served in this
position since 2002. His responsibilities for public health in
New Orleans include managing six divisions and 30 programs,
encompassing a wide range of health issues.
Dr. Stephens served as Health Director both before and
after Katrina and knows firsthand the importance of health care
infrastructure resiliency.
Dr. Stephens serves on the clinical faculty of Xavier
University, Dillard University, LSU Medical School, and Tulane
Medical School. He is a member of the Louisiana Bar Association
and has worked as a consultant to many local and State and
Federal agencies.
It is my great hope, Dr. Stephens, that as we know that you
are certainly wanting to commend and celebrate the great
progress that has been made in New Orleans--and let me, for the
record, acknowledge that--I want you to be, if you will
unabashedly forward and forceful on the state of the health
infrastructure in New Orleans.
I will place in the record my appreciation and respect for
the hard work that the people of New Orleans and the municipal
leaders have engaged in. Today, however, we want the raw facts
of where you are today.
So I welcome all of the witnesses. Without objection, the
witnesses' full statements will be inserted in the record.
I now ask each witness to summarize his statement for 5
minutes, beginning with Assistant Secretary Stephan.
You are recognized and welcome for 5 minutes.
STATEMENT OF COLONEL ROBERT B. STEPHAN, ASSISTANT SECRETARY,
INFRASTRUCTURE PROTECTION, DEPARTMENT OF HOMELAND SECURITY
Colonel Stephan. Thank you, Madam Chairwoman, Ranking
Member Lungren. I appreciate the opportunity to be before you
today.
I also appreciate your ongoing leadership and focus in this
very important subset of the homeland security overall mission
area. I know you have heard previous testimony from some of my
department counterparts, as well as key private-sector
stakeholders, on this topic.
I also hope from my heart that you received a resounding
``no'' from them in response to the question that is titling
this hearing, ``Has the Department of Homeland Security
abandoned the resiliency-based approach?''
This is not about abandoning a resiliency-based approach.
The Department fully embraces the concept of resiliency. It is
not about protection versus resiliency. It is about both.
It is about achieving an appropriate balance, Madam
Chairwoman, as you said in your opening statement. That is what
this is all about, because we understand the incredible
necessity of being able to absorb an attack of Mother Nature,
of Al Qaeda, or some other emergency, and being able to
respond, recover, reconstitute quickly.
But we also feel that, in some cases, some of the more
extreme advocates of the resiliency construct dismiss the
importance of an upfront prevention and protection piece that
absolutely has risk as a critical component so that we can
direct our energies and resources appropriately.
We cannot afford to protect everything, but we cannot
simply stand by and protect nothing. So we have to do things in
advance, and we have to do things after the fact to make sure
that we are saving American lives, limiting disruption to the
economy, and getting American society back on its feet as
quickly as possible. That is what this debate is all about,
from my perspective.
Our focus on the Nation's critical infrastructure includes
actions to mitigate overall risk to assets, systems, networks,
functions, and their interconnecting linkages resulting from
any type of hazard, whether it be a terrorist attack, and
attack by Mother Nature, or a major safety incident.
This includes actions to deter threats, mitigate
vulnerabilities, and minimize consequences. Protection can
include, in the scope of a national infrastructure protection
plan, a wide range of activities, such as hardening facilities,
building resiliency redundancy, incorporating hazard resistance
into facility or system or network design, initiating active or
passive countermeasures, installing security systems, promoting
workforce security programs, and implementing cyber measures,
among various other precautions.
There cannot be a one-size-fits-all approach, as some would
advocate. Rather, we have devised a national-level approach
based on a combination of consideration that reflects an
understanding of vulnerabilities, interdependencies, and
priorities in this all-hazards context.
We view protection as an overarching risk management
strategy that is supported by very important and specific
congressional and executive branch authorities that fully
acknowledge the concept of resiliency where it offers the best
solution to managing a particular set of risk at the facility,
system, sector, or enterprise level.
Since the 9/11 attacks, we have made significant efforts to
define the scope of work required to establish the processes
and mechanisms to secure and mitigate the vulnerability of our
infrastructures, ensuring their functionality and resiliency in
a post-attack or post-incident mode, as well.
Because the private sector owns and operates most of the
Nation's infrastructures, DHS has pursued a framework in which
government and the private sector work together with our State
and local partners in a common approach to set goals and
priorities, identify risks, assign roles and responsibilities,
allocate resources, and measure progress across this framework.
The concept of resiliency is absolutely critical across this
framework.
We also recognize that adopting, however, a one-size-fits-
all construct would possibly create a very important imbalance.
Specifically, we must make sure that our approach incorporates
a resiliency-based response and recovery component, as well as
an upfront risk-based, risk-directed prevention and protection
component.
The chemical, nuclear and energy sectors are prime examples
of the need to balance our concern about infrastructure
restoration after an incident, with our ability to prevent the
release of dangerous chemical substance in the populated areas
in the context of these sectors.
After all, preventing the loss of American lives, innocent
lives, must remain our No. 1 goal and concern. Our efforts and
accomplishment to date, in partnership with many others,
reflect this need for a balanced approach between prevention,
protection, and resiliency.
In June 2006, we released the National Infrastructure
Protection Plan, again, a balanced approach between resiliency,
protection, response and recovery activities, and upfront
prevention.
The NIPP addresses the importance of resiliency over 52
times throughout the course of the document, and it is the
national unifying framework for understanding and managing
risks to our Nation's critical infrastructures.
The 17 critical infrastructure plans that were promulgated
about a year ago are the product of 18 months of joint effort
by CIKR owners and operators, State and local, tribal and
territory officials, and Federal officials to make sure that we
get this right.
The diversity of the sectors means that different types of
protection activities may be most effective for each. Certain
sectors are most likely to embrace resiliency as an overarching
approach, given their inherent characteristics, while others
may focus on specific types of physical protection or
cybersecurity or rapid response, to minimize consequences.
Ma'am, I appear with your staff on multiple occasions
various elements of the sector-specific plans. Just to
highlight some examples, in banking and finance, resiliency
integrated in 48 times, communications sector 55 times, dams 10
times, defense industrial base 14 times, energy 34 times, I.T.
24 times, postal and shipping 23 times, transportation 86
times, water 20 times.
The construct and concept of resiliency, working in
partnership with upfront, risk-based protection, prevention is
thoroughly engrained, embedded and indoctrinated into all the
national-level strategies and plans that we have been working
on for the past 3 years.
In addition, I brought a copy of the National
Infrastructure Protection Plan appropriately marked with all
the resiliency pieces of the puzzle flagged for your staff to
look at.
I brought recently, last night issued, while I was flying
back from overseas, our national hurricane analysis that really
focuses on pre-event, pre-landfall hurricane infrastructure
impacts, as well as what we think might happen post-landfall,
passed that out to our private-sector counterparts.
We recently promulgated the critical infrastructure,
resiliency, protection, security, information sharing annex to
the national response framework that we will use to guide
ourselves and the Nation through hurricane season, as well as a
terrorist attack.
Finally, pandemic influenza across the 17 critical
infrastructure sectors, in a guide that we built with the
private sector, to highlight the need to focus on this type of
pestilence from a resiliency perspective.
So I believe that the documents alone at the national level
speak to the effort that we have put in to making sure we get
this right and to achieve the balance that you spoke to at the
beginning of the conversation.
Ma'am, those are my opening remarks. We look very much
forward to the discussion and the dialogue with you today and,
again, appreciate your collective leadership on this issue.
[The statement of Colonel Stephan follows:]
Prepared Statement of Robert B. Stephan
May 14, 2007
Thank you, Chairwoman Jackson Lee, Ranking Member Lungren, and all
of the distinguished members of the subcommittee. I appreciate the
opportunity to address you on the role of the Office of Infrastructure
Protection (IP) and our many partners, including the private sector, in
securing and enhancing the resiliency of the Nation's critical
infrastructure and key resources (CIKR). I know you have heard from my
counterparts within the Department of Homeland Security on this topic,
and I trust you have also received from them a resounding ``No'' in
response to the question titling this hearing, ``Has the Department of
Homeland Security Abandoned the Resilience-Based Approach?'' Since we
have been in the process of adjusting to a major change in the American
way of life since September 11, 2001, I think it is fair to say that
there is resilience built into practically everything that the
Department of Homeland Security (DHS) does. In fact, DHS defines
resilience as ``the ability to recover from, or adjust to, adversity or
change.'' I would like to focus today on how IP works with its partners
to ensure that a comprehensive, multifaceted framework exists to
support the partnership dedicated to securing and enhancing the
resiliency of the Nation's CIKR.
I believe that a recent article in the publication Foreign Affairs
provides a good explanation of what we mean by ``resiliency.'' The
article stated that there are four factors, that when committed to in a
sustained manner, result in resilience.\1\ The first is robustness, the
ability to keep operating or stay standing in the face of disaster.
Second is resourcefulness, which involves skillfully managing a
disaster once it unfolds. Third is rapid recovery, defined as the
capacity to get things back to normal as quickly as possible after a
disaster. Fourth is the statement that resilience means having the
ability to absorb the new lessons that can be drawn from a catastrophe.
Again, I think that DHS' efforts to date reflect these tenets, and,
particularly for the CIKR protection mission, a sustained commitment is
an absolute requirement of all members of the partnership.
---------------------------------------------------------------------------
\1\ ``America the Resilient,'' Stephen E. Flynn, Foreign Affairs,
March/April 2008.
---------------------------------------------------------------------------
The CIKR protection mission includes actions to mitigate the
overall risk to assets, systems, networks, functions, or their
interconnecting links resulting from exposure, injury, destruction,
incapacitation, or exploitation. In the context of the National
Infrastructure Protection Plan (NIPP), this includes actions to deter
the threat, mitigate vulnerabilities, or minimize consequences
associated with a terrorist attack or other incident. Protection can
include a wide range of activities, such as hardening facilities,
building resiliency and redundancy, incorporating hazard resistance
into the design of a facility, initiating active or passive
countermeasures, installing security systems, promoting workforce
surety programs, and implementing cyber security measures, among
various others. There cannot be a one-size-fits-all approach to CIKR
protection, and we have to devise a strategy based on a combination of
considerations that reflects an understanding of vulnerabilities,
interdependencies, and priorities in an all-hazards context. We view
protection as an overarching risk-management strategy that fully
acknowledges and supports the concept of resiliency where it offers the
best solution to managing a particular risk or set of risks.
Since 9/11, significant efforts have been underway to define the
scope of work required to establish the processes and mechanisms to
secure and mitigate the vulnerability and ensure the functionality of
CIKR across our country. The private sector has made substantial
investments to boost resiliency, increase redundancy, and develop
contingency plans. To support these efforts, the Department has
provided nearly $14.8 billion in risk-based grant funding--with another
$2.5 billion to be distributed this year--to deter threats, reduce
vulnerabilities, and build resiliency.
Because the private sector owns and operates most of the Nation's
critical infrastructure, DHS has successfully pursued a voluntary
partnership approach, where government and the private sector work
together under a common framework to set goals and priorities, identify
key assets, assign roles and responsibilities, allocate resources, and
measure our progress against national priorities. As important as
resiliency is to a number of our critical sectors, we recognize that
adopting a ``one-size-fits-all'' solution could create an imbalance.
The chemical, nuclear and energy sectors are prime examples of the need
to balance our concerns about infrastructure restoration after an
incident, with our ability to prevent the release of dangerous
substances into populated areas. Preventing the loss of human life must
remain our No. 1 goal. Our efforts and accomplishments to date in
partnership reflect this need for a balanced approach.
In June 2006, DHS released the NIPP, the overarching goal of which
is to ``Build a safer, more secure, and more resilient America by
enhancing protection of the Nation's CIKR to prevent, deter,
neutralize, or mitigate the effects of deliberate efforts by terrorists
to destroy, incapacitate, or exploit them; and to strengthen national
preparedness, timely response, and rapid recovery in the event of an
attack, natural disaster, or other emergency.'' The NIPP, which uses
the word ``resiliency'' or a variant of it over 50 times, is the
national unifying framework for understanding and managing the risk to
the Nation's infrastructure through the creation of partnerships with
the private sector. The 17 CI/KR Sector Specific Plans (SSPs) required
under the NIPP were issued on May 21, 2007. They are the product of
almost 18 months of joint effort by the CI/KR owners and operators;
State, local, territorial and tribal governments; and the Federal
Government to identify and address sector specific risks and implement
tailored risk strategies, to include tailored resiliency components.
Specifically, the NIPP provides the coordinated approach to
establish national CIKR priorities, goals, and requirements so that
Federal funding and resources are applied in the most effective manner
to reduce vulnerabilities, deter threats, and minimize the consequences
of terrorist attacks, natural disasters, and other incidents. It
provides an integrated, risk-based approach to focus Federal grant
assistance to State, local, and tribal entities, and to complement
relevant private sector activities. It clearly identifies roles and
responsibilities of all partners, and includes mechanisms to involve
private sector partners in the planning process and supports
collaboration among security partners to establish priorities, define
requirements, share information, and maximize the use of finite
resources. The NIPP serves as the unifying framework to ensure that
CIKR investments are coordinated and address the highest priorities,
based on risk, to achieve the homeland security mission and ensure
continuity of the essential infrastructure and services that support
the American government, economy, and way of life.
Achieving the NIPP goals requires meeting a series of objectives
that include understanding and sharing information about terrorist
threats and other hazards, building security partnerships, implementing
a long-term risk management program, and maximizing the efficient use
of resources. IP focuses on programs, projects, and activities that are
aligned with the NIPP's objectives of Identification and Analysis,
Coordination and Information Sharing, and Risk Mitigation Activities.
This framework and its goals are foundational to what IP does. Every
day, we work with State, local, tribal and territorial leaders and with
private sector owners and operators to pursue a common goal of securing
the Nation's CIKR against terrorist attacks, natural disasters and
other emergencies.
The NIPP provides a Sector Partnership Model through which such
coordinated planning and program implementation can take place. The
SSPs, developed under the umbrella of this Partnership, reflect the
entire range of activities intended to accomplish the goal of security
and resiliency for the sectors, and by doing so, increased
preparedness. While this may sound like a relatively basic undertaking,
it represents probably the first time that the government and the
private sector have come together on such a large scale--literally,
across every major sector of our economy--to develop a joint plan for
how to protect and prepare our CIKR for natural and terrorist-related
incidents. The SSPs define roles and responsibilities within each
sector, catalog existing security authorities, institutionalize
security partnerships already in place; and set clear goals and
objectives to reduce risk, much of which also helps to prepare for
disasters and set the stage for a resilient approach.
The diversity of the CIKR sectors means that different types of
protection activities may be most effective for each. Certain sectors
are most likely to embrace resiliency given their inherent
characteristics, while others may focus more on specific types of
physical protection or training or rapid response to minimize
consequences; most represent a combination of various approaches. Some
examples of activities focusing on resiliency include:
In May of each year, the National Infrastructure
Coordinating Center (NICC), the 24�7 watch center for
coordination and communication with the CIKR sectors,
disseminates a series of documents to the CIKR sectors, which
includes scenario-driven hurricane impact analyses prepared by
the National Infrastructure Simulation and Analysis Center
(NISAC).
This year, NISAC has prepared 10 separate scenario
analyses for simulated hurricanes making landfall in
regions at high risk based on historic hurricane activity,
population, and potential CIKR impacts. These pre-season
analyses are intended to assist the CIKR sectors with
enhanced situational awareness and response and recovery
planning, based upon simulated impacts to each CIKR sector
in those geographical areas, as well as a better
understanding of cross sector interdependencies.
Currently, 24 States have active Water/Wastewater Agency
Response Networks (WARN) organizations, with eight more
scheduled to develop WARN organizations by the end of the third
quarter of 2008. The WARN system development is a direct result
of the sectors third goal from the SSP ``Maintain a Resilient
Infrastructure.''
The Communications SSA, the National Communications System
(NCS), participates in various programs that are aimed at
building awareness or educating a greater community about the
problem of critical infrastructure assurance and resiliency.
An example, the Route Diversity Forum periodically helps
educate NCS member departments and agencies about improving
communications resiliency.
To reach out to the broadcast industry, NCS works through
the Federal Communications Commission (FCC), trade
associations, and the FCC's Media Security and Reliability
Council, which is developing best practices to ensure
optimal reliability, robustness, and security of broadcast
facilities. The NCS also is reaching out to other sectors
with which it shares interdependencies and is assisting
them in reviewing how their plans address communications
interdependencies.
As part of the Nation's electricity supply infrastructure,
the nuclear sector works with regulators and other security
partners to ensure that full operations are resumed as safely
and quickly as possible following an incident which requires a
supply reduction. Furthermore, the sector is working with its
security partners to address medical radioisotope supply
resiliency in the event of a disruption in the radioisotope
supply chain.
Under the auspices of its SCC, the Nuclear Sector has
completed a pilot of its proposed Prompt Notification
program. The Prompt Notification capability will prepare
the sector and nearby CIKR assets to defend against a
geographically coordinated terrorist attack by providing a
real-time mechanism for emergency communications to the
Nuclear Sector, Federal entities, and critical
infrastructure community partners in the vicinity of a
security incident. This program will provide immediate
situational and operational awareness in the event of an
incident, and to enable more effective response and system
restoration.
The Commercial Facilities Sector represents one of our most
diverse sectors. Yet, under the NIPP, it has come together
through its SCC, in recognition of its shared risk and shared
interest in protecting its assets. The participation within its
council shows that there is a strong business case to be made
for making investments of this kind. The companies and
facilities that take steps to protect assets and plan for
emergencies are often the ones that can more quickly recover
from a disruption. Joint activities for this sector include:
The Commercial Facilities Sector Specific Agency
collaboration with the Meridian Institute during their
development of the Southeast Region Research Initiative),
which includes the Community & Regional Resilience
Initiative. These initiatives are intended to develop the
processes and tools needed for communities and regions to
achieve their highest measurable levels of resilience
against disruptions resulting from natural and man-made
disasters. Focus is placed on the ability to quickly return
citizens to work, reopen schools and businesses, and
restore the essential services needed for a full and swift
economic and social recovery. Selected cities in the
Southeast Region are participating in these initiatives.
The ultimate goal of this effort is to strengthen the
capability to withstand, prevent, and protect against
significant multi-hazard threats so that a community,
State, and region, and its private sector partners, can
rapidly restore critical services, re-establish the area's
economic base, and return to ``normal'' as quickly and
effectively as possible.
DHS conducting site assistance visits that incorporated
industry feedback into a set of educational reports that
owners and operators can use to identify vulnerabilities.
DHS providing security training as well as courses on
increasing terrorism awareness around commercial
facilities. To date, DHS has provided a total of 408
courses for the private sector.
Joint participation in major exercises covering terrorism,
hurricane preparedness, and pandemic planning.
Joint working group between DHS and the National
Association for Stock Car Auto Racing (NASCAR) produced a
planning guide for mass evacuation and a template for
NASCAR facilities to use in coordinating with State and
local stake holders and planning. The partnership at each
of these sessions included private sector, State, local,
Federal partners.
The Chemical Sector has numerous programs and initiatives
which increase the Sector's resiliency. In particular the
Sector's dedication to exercises enables the preparation
necessary for a real incident.
The Chemical Sector has participated in numerous national-
level exercises including Top Officials (TOPOFF) and
National Level Exercise 2-08 (NLE 2-08). The Chemical
Sector was active in the Cyberstorm II exercise with a
dozen private sector participants. Exercises like Cyber
Storm II build not only response capability, but also
strong organizational and individual connections that help
ensure the prevention and mitigation of attacks against our
critical systems and networks.
Developed the Pandemic Flu Guideline for the Chemical
Sector--This Annex to the Pandemic Influenza Preparedness,
Response, and Recovery Guide for Critical Infrastructure
and Key Resources will assist the Chemical Sector plan for
a severe pandemic.
The Dams SSA is participating in the development of a pilot
study on regional disaster resilience and risk mitigation for
the Columbia River Basin. This effort is conducted in
collaboration with the Pacific Northwest Economic Region
(PNWER), which leads the coordination efforts. The focus of the
pilot is on interdependencies and the cascading impacts
associated with disruptions of dams, locks, and levees along
the Columbia River Basin. In the event of natural disasters,
man-made events, aging infrastructures, and sub-standard
conditions, failure of these key assets could affect maritime
transportation, energy, agriculture, manufacturing, the overall
economy, health and human safety, and national security. The
goal of this multi-year effort is to identify a holistic
approach with States, localities and relevant key public and
private stakeholders.
As per the National Response Framework, the Office of
Infrastructure Protection has also instituted the Infrastructure
Liaison (IL) to provide the private sector a vital resource during
disasters, in part by enhancing the communications that are so vital to
resilient systems and sectors. The IL acts as the principal advisor to
the Joint Field Office Coordination Group regarding all national and
regional CI/KR incident-related issues and assists the Principal
Federal Official in the prioritization of protection and restoration
efforts. The IL coordinates CI/KR-related issues and actions with the
appropriate Emergency Support Functions (ESFs) and other State and
local components represented in the JFO, providing valuable reach-back
to DHS headquarters and the operational components of the National
Operations Center (NOC), including the NOC Watch, the NICC, and the
National Response Coordination Center (NRCC). Additionally, the IL
provides impacted private sector partners with an established mechanism
and process to address requests for information and assistance, either
directly or via the NICC, in compliance with applicable policies and
laws.
Finally, the CIKR sectors just completed participation in National
Level Exercise (NLE) 2-08, which involved both a hurricane making
landfall and a chemical terrorism threat. The exercise provided the
opportunity for all participants to assess where they have or need
redundancy for business continuity, and the ability to deal with
significant potential power outages and distribution systems
disruptions.
Additionally, we focus on CIKR with the activities of the Homeland
Infrastructure Threat and Risk Analysis Center (HITRAC), a joint
infrastructure-intelligence fusion center with the Office of
Intelligence and Analysis (OI&A). HITRAC analyzes and monitors risks to
U.S. CIKR, allowing IP to provide DHS decisionmakers, the Federal CIKR
community, owners and operators of CIKR, as well as State, local, and
tribal and territorial authorities with actionable analysis and
recommendations to manage risk. Analytical products are developed at
the asset, sector, region, and national level and provide an
understanding of the threat, CIKR vulnerabilities, the potential
consequences of an attack, and the effects of risk-mitigation actions.
Again, protection can include a wide range of activities. There
cannot be a one-size-fits-all approach to CIKR protection, and we work
with a variety of partners in a dynamic risk landscape to prioritize
activities and devise a strategy based on a combination of
considerations that reflect an understanding of vulnerabilities and
interdependencies in the all hazards context. We view protection as an
overarching risk management strategy that fully acknowledges and
supports the concept of resiliency where it offers the best solution to
managing a particular risk or set of risks. The NIPP and its supporting
SSPs chart the path forward for continuous improvement of security and
resiliency of our critical infrastructures, and the focused activities
of IP in concert with all of our CIKR partners ensures their
preparedness.
Thank you for your attention and I would be happy to answer any
questions you may have at this time.
Ms. Jackson Lee. I thank the Assistant Secretary. Without
objection, we will put his entire testimony, including his
documents, in the record.
Thank you again. I now recognize Mr. Czerwinski to
summarize his statement for 5 minutes.
Welcome.
STATEMENT OF JONAH J. CZERWINSKI, SENIOR FELLOW, HOMELAND
SECURITY, IBM GLOBAL LEADERSHIP INITIATIVE
Mr. Czerwinski. Given the unique risks of 21st century,
resiliency is a necessary goal. The balance you spoke of is
key.
I am a senior fellow at IBM's Global Leadership Initiative,
where I work on public-sector homeland security challenges from
a private-sector perspective, much of it on resilience. For the
past 15 months, I have worked on a framework for strengthening
commerce, security and resiliency.
Today, I would like to touch upon three things. First,
resilience and its definition, which can be an elusive concept,
meaning different things to different stakeholders; second, the
unique role served by the private sector; and, third, a
recommendation for how DHS can engage the private sector in
making this a more resilient Nation.
Chairman Thompson said that we all have a role to play,
because resilience is the responsibility of the Federal
Government, States and localities, academia, and the private
sector.
The first step toward accomplishing this is establishing an
agreed-upon vision for how we as a Nation can become more
resilient. That vision rests upon a clear understanding of what
is meant by resilience.
Resilience is the ability to reduce the risk and impact of
a terrorist attack or disruption, while also improving the
facilitation of trade and travel. In the context of natural
disasters, resilience enables people closest to the crisis to
act, provides them with the authorities and information
necessary to succeed, and employs an effective governance
framework.
However, redundancy is not resiliency. Having costly back-
up systems or two of everything is the easy, yet most expensive
way for infrastructure to bend and not break.
Finally, the private sector is an asset first and a
vulnerability second. It is an asset because the goods, people,
conveyances and information that comprise private-sector
activity interact at critical nodes that must be both protected
and viewed as a source of resilience.
This is a critical step toward being able to make the case
for private-sector engagement and to establish the form of
partnership this committee rightly calls out as a priority.
At IBM, we have been working on the issue of resilience in
the global trade system for the past several years. We found
that the global trade system can be organized and viewed as a
circulatory system of goods, people, conveyances, money and
information.
While many things that move through our systems of
transportation, immigration and trade are monitored a lot,
isn't monitored at all, even fewer things are monitored in
conjunction with one another. Yet it is those linkages that
often give us the clearest picture of what is going on and what
might be going wrong.
A robust framework that embraces the fundamental complexity
and networked nature of these systems will identify critical
interrelationships, inefficiencies, and vulnerabilities across
the flows. Staying within the stovepiped systems puts our
competitiveness and possibly our security at risk.
IBM recently released our paper, entitled ``Global Movement
Management: Commerce, Security, and Resilience in Today's
Networked World,'' in which my co-authors and I outline an
analytical framework we developed to strengthen the global
trade system by helping to identify and address vulnerabilities
in and across the elements that make up our global movement
system. It brings those interrelationships into focus.
This framework requires a partnership between the
government and the private sector, because it involves an
integrated and evolving mix of preemptive, preventive,
preparatory and responsive measures across three vital areas:
human capital, technology, and governance.
Individuals within companies and governments face
increasingly complex choices about how to perform and address--
how to improve performance and address risk.
Strategic human capital requires leaders to employ emerging
techniques for managing in a networked environment, some of
which are highlighted in my written statement.
We also need to change how we use technology to seek
efficiencies. By sharing greater volumes of information,
companies and governments can take advantage of open-source
techniques to drive innovation and help make the global systems
more efficient, resilient and secure.
Governance in this context requires that participants in
the global movement systems embrace a more comprehensive set of
factors to understand and a means by which to organize their
efforts to address the actual risks, costs and benefits that
accrue to an organization in today's networked environment.
Our research shows that organizations have successfully met
the challenges of organizing efforts across national
boundaries, but not yet across sectors.
In summary, to create a system in which security
improvements and performance improvements are not mutually
exclusive, but mutually reinforcing requires a partnership
between the owners and operators of this movement system and
the Federal homeland security enterprise.
For this reason, today's hearing represents a productive
step forward. With a common vision, better information, with
the right technology and well-trained government and commercial
employees who are empowered to take action, a more resilient
Nation is within reach.
Thank you very much for having me. I look forward to your
questions.
[The statement of Mr. Czerwinski follows:]
Prepared Statement of Jonah J. Czerwinski
May 14, 2008
Chairwoman Jackson Lee, Ranking Member Lungren, distinguished
Members of the subcommittee, I am pleased to appear before you today. I
commend you on your leadership to focus on a resilience-based approach
to securing the homeland. Given the unique risks of the 21st century,
resilience is a necessary goal.
I am a Senior Fellow with IBM's Global Leadership Initiative where
I work on public sector homeland security challenges from a private
sector perspective, much of it on resilience. I am also Managing
Consultant for IBM's Global Business Services practice. For the past 15
months I have worked on a framework for strengthening commerce,
security, and resiliency.
Today, I thought it would be useful to focus on three things.
First, really defining resilience, which can be an elusive
concept meaning different things to different stakeholders;
Second, the unique role served by the private sector; and
Third, a recommendation for how DHS can better engage the
private sector in making this a more resilient Nation.
Chairman Thompson said that ``we all have a role to play'' because
resilience is the responsibility of the Federal Government, States and
localities, academia, and the private sector.
The first step toward accomplishing this is establishing an agreed
upon vision for how we as a Nation can become more resilient. That
vision rests upon a clear understanding of what is meant by resilience.
i. defining resilience
Resilience is the ability to reduce the risk and impact of a
terrorist attack or disruption while also improving the facilitation of
trade and travel. In the context of natural disasters, resilience
enables people closest to the crisis to act, provides them with the
authorities and information necessary to succeed, and employs an
effective governance framework.
Resilience helps to avoid unintended consequences: Resilience--if
done right--affords the decisionmaker the enhanced ability to focus
response efforts on the part of the system that is actually stressed
and limits the risk of over-reacting, which often times leads to
unintended consequences.
Many suggest that resilience is the ability to ``bounce back.'' And
it is, but resilience is different from response and recovery.
Redundancy is not resiliency. Having costly back-up systems or two
of everything is the easy yet most expensive way for infrastructure to
``bend and not break.'' If done correctly, resiliency is more akin to
the concept of Intelligent Immunity that we put forth in the most
recent IBM report on Global Movement Management, and which I'll touch
upon in a moment.
ii. unique role of the private sector
Finally, the private sector is an asset first, and a vulnerability
second: It is an asset because the goods, people, conveyances, and
information that comprise private sector activity interact at critical
nodes that must be both protected and viewed as a source of resilience.
This is a critical step toward being able to make the case for private
sector engagement and to establish the form of partnership this
committee rightly calls out as a priority.
At IBM we have been working on the issue of resilience in the
global trade system for the past several years. We found that the
global trade system can be organized and viewed as a circulatory system
of goods, people, conveyances, money, and information.
While many things that move through our system of commerce are
monitored to a greater or lesser extent, a lot isn't monitored at all.
Even fewer things are monitored in conjunction with one another.
And yet it is those linkages that often give us the clearest
picture of what's going on and what might be going wrong.
A robust framework that embraces the fundamental complexity and
networked nature of these systems will identify critical
interrelationships, inefficiencies, and vulnerabilities across the
flows. Staying within a stovepiped system puts our competitiveness and
possibly our security at risk.
iii. a framework to support dhs leadership in building a resilient
nation
IBM recently released our paper entitled ``Global Movement
Management: Commerce, Security, and Resilience in Today's Networked
World,'' in which my coauthors and I outline an analytical framework we
developed to strengthen the global trade system by helping to identify
and address vulnerabilities in and across the elements that make up our
global movement system. It brings the interrelationships into focus.
This framework requires a partnership between the government and
the private sector because it involves an integrated and evolving mix
of preemptive, preventive, preparatory and responsive measures across
three vital areas: Human Capital, Technology, and Governance.
Strategic Human Capital
Individuals within companies and governments face increasingly
complex choices about how to improve performance and address risk.
Individual managers and employees face unprecedented volumes of
information, new technologies and competitive pressures that complicate
their work. At the same time, in a networked economy, decisions made at
the individual level can have increasingly global ramifications.
Strategic human capital requires leaders to employ emerging techniques
for managing in a networked environment. These techniques include
improved collaboration, latitude to reach across and outside
organizational boundaries, investment in organizational transformation,
enhanced technology and, above all, greatly improved training.
Technology
We need to change how we use technology to simplify work processes
and seek efficiencies. By sharing greater volumes of information,
companies and governments can take advantage of open-source techniques
to drive innovation and help make global systems more efficient,
resilient, and secure. Upstream companies can be better equipped to
provide warnings of supply shortages or other disruptions before they
affect downstream partners. Downstream companies can provide early
warnings about demand or delivery disruptions to those upstream.
Governments can augment counterterrorism efforts with more accessible
commercial data while also providing a higher degree of protection for
privacy and civil liberties than is currently the case.
Governance
Governance in this context can be characterized by the lack of a
coordinated approach that is necessary to address networked risk. Call
this a ``governance gap.'' To bridge this gap, participants in the
global movement systems need to embrace a more comprehensive set of
factors to understand the actual risks, costs, and benefits that accrue
to an organization in a networked environment. Moreover, participants
need a means by which to organize their efforts to address these risks,
costs, and benefits. Our research shows that organizations have
successfully met the challenges of organizing efforts across national
boundaries but not yet across sectors.
conclusion
In summary, to create a system in which security improvements and
performance improvements are not mutually exclusive, but mutually
reinforcing, requires a partnership between the owners and operators of
this global movement system and the Federal homeland security
enterprise. For this reason, today's hearing represents a productive
step forward.
With a common vision, better information, with the right technology
and well-trained government and commercial employees who are empowered
to take action--a more resilient nation is within reach.
Thank you.
Ms. Jackson Lee. We thank you for your testimony.
I now recognize Mr. Johnson to summarize his statement for
5 minutes.
STATEMENT OF SHAWN JOHNSON, VICE CHAIRMAN, FINANCIAL SERVICES,
SECTOR COORDINATING COUNCIL
Mr. Johnson. Thank you. Thank you, Chairwoman Jackson Lee,
Ranking Member Lungren, and members of the committee.
I am Shawn Johnson, chairman of the Investment Committee
for State Street Global Advisors and vice chairman of the
Financial Services Sector Coordinating Council, or FSSCC, a
volunteer position.
My comments today focus on efforts to improve resilience in
the financial services sector, and in particular the
resilience-based related activities of the FSSCC.
Thought established at the request of the Department of
Treasury, the FSSCC is a private-sector coalition working to
improve the financial sector's resilience to terrorist attacks,
manmade and natural disasters, cyber attacks, and other
threats.
In general, the U.S. financial services sector has
performed well in times of crisis. While events such as 9/11
and the attacks have revealed some weaknesses in the resilience
of our financial systems, industry and government have
responded and work cooperatively to address these weaknesses.
Some of the government's resilience activities have been in
the form of specific regulatory proposals, such as the issuance
of the best practices white paper by the Federal Reserve, the
OCC, and the SEC in 2003, addressing contingency planning and
backup facilities for clearing and settlement activities.
Implementation of the white paper has required significant
changes in business practices and substantial investment by
financial investment firms. But the result has been a more
resilient financial services system.
The government participates in other, less formal
activities, such as working with local public-private
partnerships to sponsor resilience exercises, which simulate
flu pandemic, natural disasters, or other terrorist events, and
provide valuable lessons to both the public and the private
sector.
Much of the work of FSSCC, of which I am currently vice
chair, has focused on resilience.
For example, the FSSCC has been working to improve industry
access to emergency credentials, which are critical in times of
emergency. We have also worked to expand the GETS program,
which provides access to priority telephone services during a
crisis.
We held a cybersecurity summit in February 2008 with
private- and public-sector participation, and the FSSCC and
FBIIC have since each launched new cybersecurity committees.
The FSSCC maintains relationships to help align academic
research with real-world business needs and offers programs
such as the FSSCC SMART program, which provides subject matter
expertise from financial institutions to R&D organizations.
The FSSCC is an active participant in the Partnership for
Critical Infrastructure Security, which is dedicated to
coordinating cross-sector initiatives.
Our infectious disease forum develops and communicates
information and strategies the private sector can employ to
prepare for an avian flu pandemic or other infectious disease
outbreak. In addition, all FSSCC members are active with their
own resiliency efforts aimed at their particular segment of the
financial services industry.
These efforts are summarized in the FSSCC's annual report,
which can be found on the FSSCC Web site.
I would like to conclude my testimony today by describing
one of the largest financial services industry resilience
exercises to date, the FBIIC-FSSCC Pandemic Flu Exercise of
2007.
The exercise was a public-private partnership, sponsored by
the FBIIC, the FSSCC, and SIFMA. It was conducted in the fall
of 2007 and simulated a pandemic flu impacting the financial
services sector.
More than 2,700 financial services organizations
participated. Participation was voluntary, free of cost, and
open to all organizations within the U.S. financial services
sector.
The results were aggregated, with anonymity provided by the
participating institutions. Participants were given scenarios
to implement that represented an escalating pandemic flu
epidemic. At the height of the exercise, for example, absentee
rates in some cases reached 49 percent, a level sufficient to
stress even the best contingency planning efforts.
The performance of the financial services sector under the
conditions simulated by the exercise was laudable, but not
perfect. In general, it appeared that, while there would have
been significant impacts to the financial sector, it would have
continued to cope and operate.
Perhaps more important than the immediate results of the
exercise, however, is the reaction of the participants: 99
percent of participants found the exercise useful in assessing
their organization's business-planning needs; 97 percent of
participants said the exercise allowed their organization to
identify critical dependencies, gaps, and seams that warrant
additional attention; and 91 percent said their organization
planned to initiate additional all-hazard plan refinements.
Full details of the exercise are provided in the after
action report.
Overall, I think the pandemic exercise provides a good
example of the potential benefit of the strong public-private
partnership that exists. While continuity and resilience
planning are certainly key regulatory and enforcement issues,
it is clear to me, as a representative from the private sector,
that the quality of the data obtained was considerably improved
by the cooperative and anonymous nature of the exercise.
As a result, both the private and public sectors were able
to obtain insights that would have been difficult or impossible
to obtain through standard regulatory channels.
Once again, thank you for providing me the opportunity to
testify on behalf of the FSSCC. I will be pleased to answer any
questions you have.
[The statement of Mr. Johnson follows:]
Prepared Statement of Shawn Johnson
May 14, 2008
Chairwoman Jackson Lee, Ranking Member Lungren, and members of the
Subcommittee on Transportation Security and Infrastructure, I am Shawn
Johnson, Chairman of the Investment Committee of State Street Global
Advisors and Vice-Chairman of the Financial Services Sector
Coordinating Council (FSSCC). I am pleased to submit this testimony
today on behalf of the FSSCC.
I appreciate the subcommittee's invitation to testify at this
hearing, titled ``Partnering with the Private Sector to Secure Critical
Infrastructure: Has the Department of Homeland Security Abandoned the
Resilience-Based Approach?'' Given my position with the FSSCC, my
comments today focus on the experience of the financial services sector
with regard to resilience, and, in particular, resilience related
activities in which FSSCC has participated.
The FSSCC was established at the request of the U.S. Department of
the Treasury in 2002 in response to Homeland Security Presidential
Directive 7, which required sector-specific Federal department and
agencies to identify, prioritize, and protect United States critical
infrastructure and key resources. We are a private sector coalition of
financial services firms and trade associations working to reinforce
the financial sector's resilience to terrorist attacks, man-made and
natural disasters, cyber attacks, and other threats to the sector's
critical infrastructure.
The FSSCC closely interacts with its Sector Specific Agency (SSA),
the Department of the Treasury, it public-sector counterpart, the
Financial and Banking Information Infrastructure Committee (FBIIC), and
the Department of Homeland Security. Membership lists for the FSSCC and
the FBIIC are attached.
We also strongly support regional public/private partnerships, such
as ChicagoFIRST, DFWfirst, and numerous others. These organizations
address homeland security and emergency management issues at the local
level, where many catastrophic events are primarily managed.
In general, the U.S. financial services sector has performed well
in times of crisis. While events such as the 9/11 attacks have revealed
some weaknesses in the resilience of our financial systems, industry
and government have responded, and worked cooperatively to address
these weaknesses.
Some of the government's resilience activities have been in the
form of specific regulatory proposals, such as the issuance of the
Interagency White Paper on Sound Practices to Strengthen the Resilience
of the U.S. Financial System in 2003 by the Federal Reserve, OCC and
SEC.
The White Paper addressed the importance of resilience in financial
clearing and settlement activities critical to U.S. financial markets,
and is intended to reduce systemic risk created when primary and back-
up facilities and staffs are located within the same geographic region.
Implementing the requirements of the White Paper has required
significant changes in business practices, and substantial investment,
by financial services firms--but the result has been a more resilient
U.S. financial system.
Formal rulemaking, however, is not the government's only means of
improving the resiliency of our financial infrastructure. For example,
the Department of the Treasury has worked with local public/private
partnerships to sponsor several resilience exercises, including:
A pandemic exercise in Chicago in December, 2006 (with
ChicagoFIRST),
A pandemic exercise in San Francisco in May, 2007 (with
BARCfirst),
A radiological attack exercise in Tampa Bay in July, 2007
(with FloridaFIRST), and
A hurricane exercise in Alabama in March, 2008 (with Alabama
Recovery Coalition for the Financial Sector).
Other similar exercises are being planned, including a terrorist
attack simulation involving all of the regional coalitions (through RPC
FIRST) in San Francisco this week.
Much of the work of the FSSCC, of which I am currently Vice-
Chairman, has also focused on resilience. FSSCC resilience-related
activities include:
Emergency Credentialing.--The ability of the private sector
to obtain security credentials during times of emergency is a
critical element to the financial services sector's resiliency.
The FSSCC has been involved in efforts to encourage States to
adopt credentialing programs, and expansion of the GETS
program. The GETS Program allows critical infrastructure
operators to gain priority telephone service during a crisis.
Cyber Security.--A Cyber Security Summit was held in
February, 2008 with information technology leaders from across
the public and private sectors, to discuss threats to the
financial sector from cyber vectors. The FSSCC and FBIIC have
since each launched new cyber security committees, whose
mission is to work with the financial services sector to
strengthen cyber security and resilience of current and future
IT operations.
Research and Development.--The FSSCC and its R&D Committee
encourage alignment of research into infrastructure protection
through outreach to academic institutions, and programs such as
FSSCC SMART, which provides subject matter expertise from
financial institutions to research and development
organizations.
Cross-Sector Cooperation.--FSSCC is an active participant in
the Partnership for Critical Infrastructure Security (PCIS),
which is dedicated to coordinating cross-sector initiatives to
improve the security and safety of U.S. financial
infrastructure.
Infectious Disease Forum.--A long-standing FSSCC work group
is the FSSCC Infectious Disease Forum. The purpose of the
Infectious Disease Forum is to develop and communicate
information and strategies that FSSCC members and their member
organizations may employ to prepare for an avian flu pandemic
or other infectious disease outbreak.
These ongoing efforts, and others, demonstrate the FSSCC's strong
commitment to resiliency. In addition, all FSSCC members are active
with their own resiliency efforts, aimed at their particular segment of
the financial services industry segment. These efforts are summarized
in FSSCC's annual report, which can be found on the FSSCC Web site
(https://www.fsscc.org/fsscc/reports/2007/annual_report_
2007.pdf).
I'd like to conclude my testimony today by describing one of the
largest financial services industry resilience exercises to date, the
FBIIC/FSSCC Pandemic Flu Exercise of 2007.
This exercise, conducted in Fall 2007, simulated a pandemic flu
impacting the financial services sector, and was intended to:
Enhance the understanding of systemic risks to the financial
sector;
Provide an opportunity for firms to examine the
effectiveness of their pandemic plans; and
Explore the effects of a pandemic flu on other crucial
infrastructures impacting the financial services sector.
The exercise was a public/private partnership, organized by the
FBIIC, the FSSCC, and the Securities Industry and Financial Markets
Association (SIFMA), the trade association representing the securities
industry.
By all accounts, the execution of the exercise was a success. More
than 2,700 financial organizations participated. Participation was
voluntary, free of cost, and open to all organizations within the U.S.
financial sector. Results were aggregated, with anonymity provided to
participating institutions. The exercise was intended to simulate the
medical, financial, and societal impacts of a pandemic flu, and gather
information about how financial institutions were able to react to such
scenarios. At the height of the exercise, for example, absentee rates
in some cases reached 49 percent, a level sufficient to stress even the
best contingency planning efforts.
The performance of the financial sector under the conditions
simulated by the exercise was laudable, but not perfect. In general, it
appeared that while there would have been significant impacts to the
financial services sector, it would have continued to cope and operate.
Perhaps more important than the immediate results of the exercise,
however, is the reaction of the participants:
99 percent of participants found the exercise useful in
assessing their organizations business planning needs;
97 percent of participants said the exercise allowed their
organization to identify critical dependencies, gaps, and seams
that warrant additional attention; and
91 percent said their organization planned to initiated
additional all-hazard plan refinements based upon lessons
learned during the exercise.
The After Action Report, issued in January 2008, provides
considerable detail on the results of the exercise, both in aggregate
and by industry segment, as well as numerous illustrations of possible
opportunities for further improvement, for both the public and private
sector. One such area for improvement is in the area of regulatory
relief. Discussions between the private sector and the regulators
continue regarding possible regulatory relief during a pandemic. The
industry recently started developing an internet-based application to
facilitate the collection of information to better gauge the health of
the sector.
Overall, the pandemic exercise provides a good example of the
potential benefit of strong public/private cooperation and
collaboration. While continuity and resilience planning are certainly
key regulatory and enforcement issues, it is clear to me as a
representative of the private sector that the quality of data obtained
was considerably improved by the cooperative, and anonymous, nature of
the exercise. As a result, both the private and public sectors were
able to obtain insights that would have been difficult or impossible to
obtain through standard regulatory channels.
Once again, thank you for providing me the opportunity to testify
on behalf of the FSSCC. I would be pleased to answer any questions.
APPENDIX
fsscc members
American Bankers Association; American Council of Life Insurers;
American Insurance Association; American Society for Industrial
Security (ASIS) International; BAI; BITS/The Financial Services
Roundtable; ChicagoFIRST; Chicago Mercantile Exchange; The Clearing
House; CLS Group; Consumer Bankers Association; Credit Union National
Association; The Depository Trust & Clearing Corporation (DTCC); Fannie
Mae; Financial Information Forum; Financial Services Information
Sharing and Analysis Center (FS-ISAC); Financial Services Technology
Consortium (FSTC); Freddie Mac; Futures Industry Association; ICE
Futures U.S.; Independent Community Bankers of America; Investment
Company Institute; Managed Funds Association; The NASDAQ Stock Market,
Inc.; National Armored Car Association; National Association of Federal
Credit Unions; National Association of Securities Dealers (NASD);
National Futures Association; NACHA--The Electronic Payments
Association; The Options Clearing Corporation; Securities Industry
Automation Corporation (SIAC); Securities Industry and Financial
Markets Association (SIFMA); State Street Global Advisors; VISA USA
Inc.
fbiic members
American Council of State Savings Supervisors; Commodity Futures
Trading Commission; Conference of State Bank Supervisors; Department of
the Treasury; Farm Credit Administration; Federal Deposit Insurance
Corp; Federal Housing Finance Board; Federal Reserve Bank of New York;
Federal Reserve Board; National Association of Insurance Commissioners;
National Association of State Credit Union Supervisors; National Credit
Union Administration; North American Securities Administrators
Association; Office of the Comptroller of the Currency; Office of
Federal Housing Enterprise Oversight; Office of Thrift Supervision;
Securities and Exchange Commission; Securities Investor Protection
Corporation.
Ms. Jackson Lee. Mr. Johnson, thank you very much for your
testimony.
I now recognize Mr. Raisch to summarize his statement for 5
minutes.
STATEMENT OF WILLIAM G. RAISCH, DIRECTOR, INTERNATIONAL CENTER
FOR ENTERPRISE PREPAREDNESS, NEW YORK UNIVERSITY
Mr. Raisch. Chairwoman Jackson Lee, Ranking Member Lungren,
and distinguished members of the subcommittee, thank you for
inviting me this afternoon to testify on the vital issue of
private sector resilience and, in particular, the Voluntary
Private Sector Preparedness Certification Program called for by
the implementing recommendations of the 9/11 Commission Act of
2007.
I am most honored to join you from the International Center
for Enterprise Preparedness at New York University. As you
mentioned, the center serves as the first academic center
focused specifically on private-sector resilience and
preparedness.
I am also most honored to have served as a private-sector
adviser to the 9/11 Commission.
More importantly, though, I am here to reflect on the
perspective garnered from 12 forums on this specific voluntary
certification program held since this past fall involving over
550 private-sector representatives and current five different
working groups, with over 250 participants in the private
sector.
Let me clearly state that there is substantial and growing
interest and also concern in the private sector on this
program. That being said, also, in preface, I would like to say
that it is my personal opinion that this single program has the
potential for doing more to institutionalize or economically
embed private-sector preparedness than much of the outreach, ad
campaigns, and other well-meaning and perhaps productive public
affairs efforts to date.
However, this is achievable if and only if two items are
addressed in priority. One, it must focus on enabling real
economic value to businesses. Further, it must actively and
directly involve and engage the private sector in the
development and ongoing implementation of the program itself.
Allow me to outline, perhaps, a couple of key
considerations for this program going forward and to
acknowledge, as well, that much good work has been accomplished
by a variety of organizations in the arena of public-sector
preparedness and resilience.
At our center, we have tried to reflect on this and really
present you with perhaps some key themes in that respect.
From that, we see four basic themes evolving.
They are, one, firstly and foremost, with respect to this
program, we need to assure that voluntary certification in this
program is a private-sector-led effort, that it specifically
addresses private-sector needs through the ongoing engagement
of key stakeholders. This engagement must involve both DHS and
the ultimate accrediting body to be chosen.
Secondly, it must build on existing efforts, specifically
those efforts in certification, standards, and elements of
accrediting bodies. These basic building blocks already exist
for the program. The program should seek to integrate them and
focus them on private-sector preparedness.
There are existing standards that have been developed by
the private sector. Further, there are existing accreditation
and certification processes that have been utilized in private-
sector voluntary certification in such areas as quality
management, the ISO 9000 accreditation program, and
environmental management, the ISO 14000 program.
These processes were developed with active involvement of
the private sector and have evolved with private-sector
application for over 2 decades, in many cases.
There is also an existing accrediting body, ANAB, which has
administered private-sector certification for years, as well. I
am happy to note that this body has been preliminarily
designated by DHS as the appropriate body for the program
itself.
Thirdly, the program should allow for flexibility,
potentially utilizing a high-level umbrella or framework
approach that can be used independently to relate multiple
focused standards and practices, which business may already be
using.
Key organizations in the private sector have already
developed a seminal work on this, the framework for
preparedness, on a voluntary basis, sponsored by the Alfred P.
Sloan Foundation.
A real effort must be made to recognize, also, and accredit
effective activities already in practice by each key sector.
These sectors must be brought directly into the process.
Fourthly and finally, that we must enable potential market-
based incentives through the involvement of their stakeholders
and needs. First and foremost, business practitioners must be
actively involved in the development of this program to assure
that the program has real operational value.
Secondly and as importantly, potential incentive
stakeholders should be directly involved in the process,
including supply chain management community representatives,
legal counsel, insurance companies, rating agencies, and other
reporting entities.
Key action items for government are an opportunity in this
respect. I would suggest they are as follows, and I would
preface it by the fact that I would underline government in
this case can truly be a catalyst, it can be a convener, and it
can be, if you will, an investor, at least from a seed-funding
perspective on this important process.
Firstly, both DHS and ultimately the accrediting body it
designates must actively and consistently engage the private
sector in the development implementation of the program.
Specific considerations and issues are identified in my written
remarks in this respect.
DHS must also continue to maintain its integrated approach
to supporting this program, which includes FEMA currently as
program lead, but also active involvement by infrastructure
protection, science and technology, and the DHS private-sector
office, as well as others, as appropriate.
Additionally, other agencies in the executive branch,
including Commerce and SBA, should have involvement.
Congress should provide the resources, also, to enable
ongoing commitment by DHS to this program. It is an investment
that will yield substantial benefits, in terms of societal
resilience, given the role the private sector plays in backbone
critical infrastructure and dramatic impacts on the overall
economy.
Additionally, DHS should continue to evaluate the overall
opportunity for voluntary participation in the program by the
critical infrastructure business sectors. This community can
bring much insight to the program and may find significant
value in the assessment capability of the program.
Furthermore, the program may provide a very valuable tool
in cross-sector cooperation and assessment. A common reference
platform--a Rosetta Stone, of sorts--could aid in sharing best
practices and crosspollination across sectors.
Education and tools must also be developed by key
stakeholders, optimally with government support, to enable
businesses, large and small, to pursue program assessment and
implementation with minimal cost and disruption. Key trade and
professional associations may be very helpful in this regard.
In addition and finally, Congress should consider enabling
incentives for the program, including potentially facilitating
effective public reporting and appropriate acknowledgement of
proactive companies in this respect.
Additionally, Congress should consider legal liability
protections for those proactive firms that undertake
certification, perhaps including safe harbors and privilege for
vulnerability assessments.
Finally, enabling key industries, such as the insurance
industry, to consider industry-wide incentives or initiatives
in this regard around the issue of resilience, without concern
of antitrust considerations, should also be addressed by
Congress.
I welcome your questions. Thank you.
[The statement of Mr. Raisch follows:]
Prepared Statement of William G. Raisch
May 14, 2008
Chairwoman Jackson Lee, Ranking Member Lungren, and distinguished
members of the subcommittee, thank you for inviting me to testify on
the vital issue of private sector resiliency and the Voluntary Private
Sector Preparedness Certification Program called for by Title IX,
Section 524 of Pub. L. 110-523, The Implementing Recommendations of the
9/11 Commission Act of 2007.
As with many undertakings in the private sector, this new program
offers both substantial opportunity and significant risk, most
especially if the private sector is not effectively engaged. It will be
the balancing of these two elements that will determine the ultimate
success or failure of this program. It is an effort though that I
believe to be well worth undertaking for sake of both the individual
businesses and our wider society.
the 9/11 commission's private sector recommendations focused on the
``what'' and ``why'' of preparedness
As you may be aware, our Center, the International Center for
Enterprise Preparedness (or InterCEP) at New York University is the
first academic research center dedicated to private sector resilience.
Our activities regularly involve outreach to hundreds of businesses,
much of it through interactive forums focused on key issues.
The Center takes its primary focus from the private sector
recommendations of the 9/11 Commission, which I was honored to advise
on private sector preparedness.
The Commission's recommendations and thus InterCEP's research focus
on promoting private sector preparedness through the linking the
``what'' and the ``why'' of preparedness/resilience. The 9/11
Commission clearly understood that absent a compelling bottom-line
rationale for preparedness, businesses would not invest the funds and
other resources necessary to develop a preparedness program. The
Commission sought to leverage basic market-based economics, bottom-line
orientation, to promote effective private sector preparedness
activities by business. They did so with an initial focus on two key
elements:
1. Identifying a consensus-based industry standard for business
preparedness (the what to do); businesses were looking for a
high-level set of criteria that represented best practices in
preparedness yet allowed the business flexibility as to how to
achieve particular outcomes.
2. Identifying potential incentives for businesses to voluntarily
conform with that standard (the why to do it) including
mitigating legal liability after an event, potential insurance
recognition, and encouraging rating agency acknowledgement (all
in addition of course to the basic rationale of continuity of
the business in the aftermath of a crisis).
there is a need for a measurement approach/tool to assess business
preparedness
Since establishing our Center in October of 2004 and the extensive
research and interface with business that followed, it has become clear
that the linkage of the ``what'' and ``why'' of preparedness often
requires measurement or assessment to determine if the ``what'' to do
of preparedness has been or is being accomplished so that the ``why''
to do it can be confirmed or rewarded. Thus, there is a third key
element that our research with the business sector has identified as
critical to successfully promoting private-sector preparedness:
3. A method to measure or assess achievement of preparedness
objectives, i.e., identifying ``if preparedness is being
achieved.''
Measurement is important for several reasons. Internally, there are
multiple benefits:
First and foremost, a business needs a yardstick to assess
if it is achieving its preparedness goals for which it may have
invested effort and resources to assure its business
continuity.
Measurement may also have reputational benefits for
corporations that wish to demonstrate to their customers and
other stakeholders that they are prepared.
Measurement may additionally help advance corporate
governance goals, especially in validating risk management
efforts.
External to the firm, potential ``incentives stakeholders'' such as
supply chain partners, insurance underwriters, rating agencies and the
legal community need a credible confirmation that preparedness efforts
have been undertaken. These communities generally grant that there is
value in preparedness efforts by businesses, and these stakeholders may
be disposed toward acknowledging or rewarding preparedness in their
activities.
These potential incentives stakeholders do not however wish to
undertake the actual assessment or measurement of preparedness on their
own on a business-by-business basis. They do not want to nor do they
have the resources to send out assessors to a business to ascertain if
a particular business's program conforms to a particular industry
standard. Yet, if there was a credible program which indicated
compliance with such a standard, these stakeholders may consider
rewarding it, at least over time. Thus, external benefits to
measurement include:
Measurement could promote resilience of supply chains by
supplying a common approach and tool for assessing supplier
preparedness.
A common measurement program may make it easier for various
business incentive communities to acknowledge the value of
effective preparedness (e.g., insurance, legal, rating agency,
etc.) overtime.
Measurement to a commonly recognized standard may help
facilitate exchange of best practices, enabling business to
more easily compare practices across industries and sectors
which may have distinct terminology and approaches but lack a
``rosetta stone'' or common set of criteria to compare their
efforts.
A common measurement program may also enable more consistent
benchmarking to other firms both within and industry and
potentially across sectors--including potentially the critical
infrastructure sectors.
the developing voluntary private sector preparedness certification
program
It is in light of these three elements: (1) what to do, (2) why to
do it, and (3) a measurement of achievement that I would like to
discuss the developing Voluntary Business Preparedness Certification
Program.
This new program is proving to be a distinct catalyst, with
significant initial and potential impact on private sector
preparedness. It is also a program that nonetheless must be guided by
key considerations and private sector input to assure its success.
This new program could potentially integrate:
The ``what to do'' in the form of one or more preparedness
standards to be designated under the legislation,
An evolving ``why to do it'' by proactively identifying the
business case for preparedness and integrating its elements
into the program where possible including potential incentives
stakeholders in the process of program development and
implementation,
A credible measurement/assessment methodology based upon
historic experience with other voluntary certification programs
such as those in quality management (ISO 9000) and
environmental management (ISO 14000) which have been
implemented in and by the private sector for decades.
The announcement of this program has already to date provided a
catalyst for business sector activity. Despite the legislation's
annunciation that the program is to be voluntary, the perceived threat
of potential government regulation along with other concerns has
motivated significant private sector activity. Much of it based on the
presumption that the private sector must take the lead in this process
to assure that the outcome has positive value and not onerous impact.
For example, one remarkable effort involved four key professional
organizations coming together to define the core elements of private
sector preparedness based on existing standards and professional
practices across multiple disciplines. This effort was sponsored by the
Alfred P. Sloan Foundation which is a key funder of InterCEP's
activities and involved representatives from ASIS International (a key
security association), the Disaster Recovery Institute International (a
key business continuity association), the National Fire Protection
Association (which maintains the Standard on Disaster/Emergency
Management & Business Continuity referenced in the legislation and
endorsed by both the 9/11 Commission and DHS) and the Risk & Insurance
Management Society (a leading risk management society for businesses).
These organizations collectively defined a framework for voluntary
preparedness that supports a flexible approach to assessing
preparedness potentially including multiple standards reflecting a
common core set of preparedness elements. The final report is available
at www.sloan.org.
Additionally, other organizations have begun forums to discuss the
program including the U.S. Chamber of Commerce among others. As an
example, InterCEP currently has dozens of businesses actively engaged
in five different Working Groups which initially address key potential
incentive areas for program acknowledgement:
Supply chain management;
Legal liability mitigation;
Insurance;
Rating agency acknowledgement;
Business reporting acknowledgement/crediting.
key considerations and concerns of the private sector
Key considerations and concerns identified by the private sector
through a diversity of forums hosted by the Center are outlined in the
Appendix. The key themes include:
1. Assure that the program is private sector led and addresses
private sector needs through ongoing engagement of key
stakeholders.
2. Build on the existing including existing standards, proven
accreditation/certification processes and established industry
practices--key building blocks already exist.
3. Allow for flexibility potentially utilizing a high-level
umbrella or framework standard which can be used independently
or to relate multiple more focused standards and practices
which business may already be using.
4. Enable potential market-based incentives through involvement of
their stakeholders and concerns.
action items for government going forward
It will be vital to the ultimate success of the program that
government take the initiative as a catalyst and investor in this
process:
Both DHS and the ultimate accrediting body to be designated
by it must actively and consistently engage the private sector
in the development and implementation of the program. Specific
considerations and issues are identified in the Appendix.
DHS must continue to maintain its integrated approach to
supporting this program which includes FEMA as program lead but
also includes active involvement by Infrastructure Protection,
Science & Technology and the DHS Private Sector Office (and
others as appropriate).
Congress should provide the resources to enable an ongoing
commitment by DHS to this program. It is an investment that
will yield substantial benefits in terms of societal resilience
given the role that the private sector plays in backbone
critical infrastructure for our Nation.
DHS should continue to evaluate the voluntary application of
the program to critical infrastructure as this community may
find significant value in the capability of the program.
Furthermore, the program may provide a very valuable tool in
cross-sector cooperation and assessment.
Education and tools must be developed by key stakeholders
(optimally with government support) to enable business (large
and small) to pursue program assessment and implementation with
minimal cost and disruption.
Appendix.--Summary of InterCEP Research to Date On the Voluntary
Private Sector Preparedness Certification Program
per title ix, section 524 of pub. l. 110-523, the implementing
recommendations of the 9/11 commission act of 2007
may 14, 2008
Key Points & Considerations
Four basic themes are reflected in the following considerations,
they are:
1. Assure that the program is private-sector-led and addresses
private-sector needs through ongoing engagement of key
stakeholders.
2. Build on the existing including existing standards, proven
accreditation/certification processes and established industry
practices--key building blocks exist.
5. Allow for flexibility potentially utilizing a high-level
umbrella or framework standard which can be used independently
or to relate multiple more focused standards and practices
which business may already be using.
6. Enable potential market-based incentives through involvement of
their stakeholders and concerns.
Specific Considerations
Early and continuing stakeholder involvement must be
maintained to assure that the program is private-sector led.--
While government can play a catalytic role in the early
development of the program, ultimately the program should be
market-driven as has been the case with the continuing
voluntary certification programs in quality and environmental
management. Key to assuring that the voluntary certification
program has real operational value to business is to involve
the full-spectrum of the business sector in the development and
ongoing implementation of the voluntary certification program.
There is concern within the private sector that the program
could develop into a mandatory requirement by government.--
Similar concerns exist about whether the program will be truly
voluntary once market pressures force firms to pursue
certification in order to remain competitive.
There are concerns about the potential costs and liabilities
associated with the program.--It will be important to contain
the implementation costs and minimize the bureaucracy
associated with the certification process.
The program should build on existing voluntary accreditation
and certification processes. There are lessons to be learned
from historical experience with existing voluntary
certification programs in quality and environmental
management.--Current voluntary certification programs in
quality management and/or environmental management utilize
established processes for accreditation and certification.
These could potentially be utilized in the development of the
preparedness certification program thereby avoiding significant
time and effort as well as benefiting from substantial
historical application. Furthermore, opportunities and
efficiencies might potentially be achieved by businesses that
currently have existing quality and environmental programs by
building upon them (i.e., existing management processes). For
example, the program should be informed by lessons learned from
C-TPAT and pandemic planning regarding the best way to minimize
impacts on business and maximize benefits to business.
Existing efforts of key vertical industries, such as the
financial services sector, should be acknowledged and
incorporated into the voluntary certification program.--Some
business sectors have a long history in preparedness activities
and robust programs in place. The financial services sector is
one. The new law specifically calls for existing industry
efforts, standards, practices and reporting in the area of
preparedness not be duplicated or displaced but rather
recognized and integrated where appropriate. Opportunities
should be evaluated with each sector to see not only how their
existing efforts can be credited in the process but also how
the new certification program can address unique issues
important to their sector. Sector coordinating councils and key
industry associations should be involved.
A ``maturity model'' or multi-level approach should be
considered.--A ``maturity model'' approach should be considered
which could acknowledge various levels of preparedness and
depth of program; for example: Level 1, Level 2, Level 3, etc.
This could be helpful in several ways. Depth of program
capacity could vary based on how critical a particular
organization is in a supply chain. Levels could also be used as
targets for progression over the course of time to allow for a
step progression from a lower level of preparedness to a higher
level. Furthermore, levels may be appropriate in considering
expectations for small, medium and large organizations with
their varying levels of size, complexity and resources.
The voluntary certification should credit/integrate other
business reporting requirements when valuable.--Based on the
functions of a business, its vertical industry and public or
private ownership, there are a variety of reporting
requirements that businesses have to shareholders, customers,
partners, the government and others. As reflected in the
enabling legislation, efforts should be made to acknowledge and
existing reporting activity where appropriate so as to avoid
duplication and excess effort. Certification activity may be
able to ``piggy-back'' on some existing auditing efforts.
The program should support self-assessment by businesses as
well as external second party and third party assessments.--
Businesses should be able to apply elements of the program to
self-assess their operations and self-declare (first party
assessment) as well as utilize it in assessing related parties
such as suppliers (second party assessment). Third party
certification by unrelated certifiers should also be an option.
First, second party and third party assessments could be
valuable in assuring business preparedness in supply chains.
The corporate governance & corporate social responsibility
(CSR) areas should be evaluated for past lessons learned and
possible synergies with the voluntary certification program.--
In an increasingly risky business environment, risk management
is a growing concern among boards of directors and executive
management. The voluntary certification program might
potentially be structured to address these concerns at least in
part by assessing the state of business preparedness.
In designating one or more preparedness standards for use in
the program, a constellation of standards or framework approach
should be evaluated. An umbrella standard should be considered
in this regard to assure core consistency among various
standards.--There are multiple preparedness guidance documents
with significant value to one or more business sectors. Some
are general or program level; others may be more functionally
oriented, for example, risk assessment-focused. Consideration
should be given to structuring a certification process which
accommodates the assessment of the business against one or more
standards but in a unified framework. Such a framework could
acknowledge a common core of program elements potentially
utilizing an ``umbrella standard.''
The program and chosen standards should be applicable on an
international basis to have the most value to multinational
corporations.--The program may involve a number of standards,
but whichever standards are chosen, they should be capable of
being applied on an international basis in order to accommodate
the needs of multinational firms.
Special considerations should be made for small businesses
that wish to pursue voluntary certification. The involvement of
industry associations and large-to-small business mentoring
should be considered.--Clearly not all small businesses will
see value in pursuing the voluntary certification. This is to
be expected. For those that do, the new certification program
must be economically and operationally achievable. Separate
classifications and methods of certification for small
businesses should be established as appropriate and in
consultation with small business representatives and
organizations. Supply chain mentoring should be explored to
consider how larger companies might assist their critical
suppliers that are small businesses.
Potential ``incentives stakeholders'' should be welcomed
into the process from the beginning to assure that the
voluntary certification program has value to them in
potentially acknowledging and rewarding business preparedness
efforts.--A major rationale cited in the testimony for the
program was the need to enable a closer link between
preparedness and benefits for business. Key stakeholders in
such areas as supply chain management, legal liability,
insurance and rating agencies have generally concurred that
business preparedness is valuable and should be acknowledged
more widely but to date there has been no generally accepted
methodology to confirm that preparedness exists in a business
so that it could be acknowledged. This program could supply
such a method, and so the process should involve these
potential incentives stakeholders as well as others early in
the development of the program. Following are considerations in
this regard:
As rating agencies potentially widen their review of
enterprise risk management in their analysis of businesses,
the rating agency perspective should be invited into the
development and ongoing operation of the certification
program.--This could potentially facilitate greater
recognition of effective corporate preparedness. Rating
agencies are increasingly focusing on enterprise risk
management in their analysis including business continuity
and emergency management programs by the corporation.
Including rating agency input into the voluntary
certification program might allow for these agencies to
acknowledge this voluntary certification more readily in
their own analysis and thereby effectively reward
preparedness by corporations.
Supply chain resilience is a growing concern among
corporations. The voluntary certification program offers
value in assessing supplier resilience. The supply chain
management perspective should be included in the
development and ongoing operations of the certification
program.--There is an increasing focus on supply chain
resilience and the preparedness of critical suppliers.
Firms frequently require supply partners to adhere to
certain preparedness requirements. Some firms promote
preparedness-related best practices through mentorship,
training, education and joint exercises with supply
partners. Corporations are looking for tools to assess the
resilience/reliability of the suppliers of critical goods
and services. From the supplier perspective, some firms are
noting significant time spent on interfacing with multiple
customers assuring each of the business' preparedness
status. A voluntary certification program could potentially
provide a commonly-accepted verification of preparedness
and thereby avoid multiple customer queries. Similarly,
customers could use the certification to minimize their
supply assessment efforts.
Insurance company and related input should be incorporated
into the voluntary certification program to support
increased recognition of business preparedness in the
future.--It can be argued that the insurance industry on
the whole understands the general value of business
preparedness to minimize losses to both the individual
businesses and the insurance company. However, how and if
insurance companies measure preparedness varies
significantly. Current efforts to correlate preparedness
actions to loss reductions are largely focused on property
risk. The insurance market is stratified, with larger
companies receiving relatively more attention and greater
flexibility from underwriters than smaller companies. A
commonly-accepted third party assessment of business
preparedness could be a valuable indicator of risk which
might be used by insurance companies in their underwriting
potentially. This could possibly result in a greater
recognition of preparedness in the future. The audit
processes involved with the certification program may
provide underwriters with data they cannot access otherwise
due to lack of time or expertise, helping them to
systematize their understanding of business continuity. In
addition, a voluntary certification program could also
begin to build a historical record that over time could
inform a closer understanding of what preparedness measures
best minimize future insurance claims. Challenges that need
to be addressed include how preparedness standards would
fit into underwriting guidelines. State insurance
regulators may also consider how to promote the
incorporation of elements of the certification program in
the underwriting process. Another possibility for driving
the development of insurance incentives for preparedness is
to approach it from a consumer demand standpoint. Insured
companies may take individual and/or collective action to
demand acknowledgement of preparedness efforts by insurers.
Representatives from the corporate counsel and wider legal
community should be incorporated in the development and
implementation process of the program to support a
potential role of certification in minimizing legal
liability for the impacts of emergencies.--Negligence tort
and other legal liability can be a major exposure for
companies of all sizes in the aftermath of an emergency.
When another party is impacted by the event, it is often
argued that the company did not do enough to prepare for
emergencies. Yet, it can be difficult to ascertain how much
preparedness is enough given the diversity of risks that
face a company. Advance and documented compliance with an
established recognized standard for preparedness can serve
to support an affirmative defense to liability claims after
an emergency. The certification program will be centered on
voluntary compliance with one or more industry standards.
Thus, the certification program should optimally be
structured to minimize legal liability of the business
which pursues preparedness in compliance with it. The
development of statutory guidelines would provide
additional legal motivation to pursue certification. On the
other hand, there is a potential disincentive pertaining to
undertaking preparedness certification and the related
documentation of preparedness actions undertaken by a
company, especially with respect to the identification of
risks to the company and its current vulnerabilities.
Legislation providing safe harbor from litigation to any
certified firm would provide a major incentive for
certification, as would the development of what is called
``self-evaluative privilege'' to ensure that the findings
of the certification process would not be used in court
against a proactive corporation.
Ms. Jackson Lee. Thank you very much for your testimony.
I now recognize Dr. Stephens for 5 minutes. Dr. Stephens,
you may also summarize your statement and be recognized for 5
minutes. Thank you.
STATEMENT OF DR. KEVIN U. STEPHENS, M.D., DIRECTOR, HEALTH
DEPARTMENT, CITY OF NEW ORLEANS
Dr. Stephens. Thank you, Chairwoman Jackson Lee, the
Ranking Member Lungren, and other members of the committee and
guests.
Thank you for your invitation and, of course, your most
gracious introduction.
New Orleans is one of America's most beloved and culturally
distinctive cities. As you are all aware, it has faced many
challenges in recovery and the rebuilding after the--and
perhaps our worst natural and manmade disaster to occur in the
United States of America.
Please know that I speak for our entire community when I
say that we are grateful for all that Congress has done. We are
very happy to have you help us recover from Hurricane Katrina
and the subsequent flooding. We are truly appreciative of your
continued concerns about our progress in caring for our
citizens, while we work diligently towards resolving our
longer-term recovery challenges.
Thank you for providing this opportunity for us to share
with the committee our unique perspective on the concept and
implementation of resilience, particularly regarding the
critical health care infrastructure of a community.
Being resilient means having the ability to withstand a
blow and to bounce back, a capacity which must be built on an
already-solid foundation. Our community suffered a catastrophic
disaster that destroyed most of its private and public health
care infrastructure when the levees broke, flooding 80 percent
of the land area in our city.
We continue to struggle to rebuild the health care
foundation and cover basic medical needs for our citizens. We
still have excessive waits at our emergency rooms. We have a
shortage of mental health inpatient beds. We have a lack of
primary care clinics to provide day-to-day health care for the
indigent and uninsured and minimal medical surge capacity, even
though we are ranked high in vulnerability, in terms of
terrorism and natural disaster.
Below are some of the major challenges we have encountered
to building resilience in the greater New Orleans health care
community, as well as some suggested solutions.
One of our challenges in the recovery and building
resilience that plagues our health care providers is the
duality that they face, as victims, as well as responders in a
critically needed system. It is quite difficult to play both of
these roles simultaneously.
Many of our providers lost everything, including their
offices, their medical diagnostic equipment, medical and
financial records, and their homes. Provisions must be made for
providers to resolve their personal difficulties before they
can begin to provide critically needed services.
Even for those providers and institutions left standing
after the disaster, a significant number of them experienced
losses in revenues and a scattering of their patients. Many of
our regional hospitals decided not to re-open their facilities,
and those that remain have a drastically reduced number of
inpatient beds.
This reduced capacity and capability has left doctors with
no place to admit their patients. Faced with a decreased
population pool and no reliable source of income, many had no
choice but to relocate, resulting in a further damage of an
already decimated health care system.
It should be noted that several local and regional
hospitals stayed open and re-opened immediately following
Hurricane Katrina. These hospitals have incurred tremendous
financial losses, primarily due to the number of increased
patients of uninsured individuals seeking health care.
While we owe a debt of gratitude to our community partners
for assisting our citizens in a time of need, financial relief
needs to occur for these institutions to continue to provide
quality health care services.
Many of our private-sector hospitals realized that rather
quickly following Hurricane Katrina that their financial risks
were tremendous. These institutions faced higher labor costs,
higher insurance costs, higher provider cost, higher uninsured
numbers, and higher construction costs.
It was evident that if they re-opened that they would be
likely to lose millions of dollars. Hence, four of our regional
health care facilities have decided not to re-open.
As mentioned earlier, in providing care in the increasing
indigent and uninsured population, due to dislocation, job
loss, and other financial woes stemming from the disaster, has
been one of the greatest financial liabilities in our private
hospital facilities.
Federal laws require emergency departments to accept and
treat patients regardless of their financial capability. With
the collapse of a State-run charity system immediately after
the hurricane, private hospitals were forced to assume the care
of the uninsured.
Some compensation for these services was provided by the
State at a later date, however, but according to many CEOs it
has been late in coming and woefully inadequate.
Following Hurricane Katrina, there was no readily
accessible database of patient health information available to
providers. But we would like to thank the American Medical
Association and other organizations who put together a database
that enabled patients to access their pharmacy information and
get badly needed prescriptions filled.
While this database proved to be an invaluable service,
much more health information is needed in a disaster situation
in order to provide excellent care to our citizens.
So we have just basically three solutions, starting with
the patients. It would be great to develop a national
continuity of care record system, which would allow patients to
access critical health care information at the time of a
disaster.
Entrepreneurs have also identified this and are flooding
the market with various forms of mobile personal data archiving
systems. While many health care provider associations have
agreed to the critical fields in a continuity of care record, a
federally standardized approach is warranted.
One must ask: Why we can access our e-mail accounts,
banking information, and other critical data while we are
abroad, but no such means for accessing our medical data
exists?
No. 2, for our providers, some of our action reviews that
were performed after Hurricane Katrina response cited a need
for a mechanism where providers can easily access across State
boundaries in a response to a disaster.
An avenue for expediting medical licenses and
certifications needs to be in place to facilitate the
credentialing and responding health care providers. A national
practitioner database could be used to meet this goal.
While we are aware of the Department of Health and Human
Services, that they created the Emergency System for Advance
Registration of Volunteer Health Professionals in response to
9/11, we need more emphasis linking various States, because
this is primarily a State-run program. We need a national
registry of providers.
For the hospitals, the health care community is pleading
for a more reliable and predictable reimbursement mechanism for
providers and hospitals that respond to a disaster, as declared
by the president.
The private sector must also have some assurances upfront
that they will be reimbursed for their contributions. Health
care services can be quite costly, and the health care
community should not be expected to absorb all of the expenses
incurred after a disaster.
For example, Medicaid payments should be made portable
during the time of a declared disaster so that health providers
in another State----
Ms. Jackson Lee. Mr. Stephens, if you could--I don't know
how much more you have. If you could summarize for us, please.
Thank you.
Dr. Stephens. Yes. The other stats would basically give
full faith and credit to their whole State Medicaid insurance
card.
Finally, we do acknowledge that we have a whole lot of
initiatives organized and authorized by Congress in the UASI
and the metropolitan response system. They are underfunded, and
we will suggest that they will be continued funding for the
local and State agencies.
So thank you very much for allowing me time to speak, and I
look forward to your questions.
[The statement of Dr. Stephens follows:]
Prepared Statement of Dr. Kevin U. Stephens
May 14, 2008
Chairman Thompson, Ranking Member King, Chairwoman Jackson Lee,
Ranking Member Lungren, and other distinguished members of the
committee and panel: I am Dr. Kevin U. Stephens, Director of the New
Orleans Health Department. New Orleans is one of America's most beloved
and culturally distinctive cities, but as you are all aware, it is
facing the challenge of recovering and rebuilding after the worst
natural and man-made disaster to occur in the United States of America.
Please know that I speak for our entire community when I say that
we are grateful for all that you in Congress and that the people of the
United States have done to help us recover from Hurricane Katrina and
the subsequent flooding. We truly appreciate your continued concern
about our progress in caring for our citizens while we work diligently
toward resolving our longer-term recovery challenges.
Thank you for providing an opportunity for us to share with the
committee our unique perspective on the concept and implementation of
resilience--particularly regarding the critical healthcare
infrastructure of a community. Being resilient means having the ability
to withstand a blow and to bounce back--a capacity that must be built
on an already solid foundation. Our community suffered a catastrophic
disaster that destroyed much of its private and public healthcare
infrastructure when the levees broke, flooding 80 percent of the land
area of our city. We continue to struggle to rebuild the healthcare
foundation and cover the basic medical needs of our citizens. We still
have excessive waits at our emergency rooms, a shortage of mental
health inpatient beds, a lack of primary care clinics to provide day-
to-day healthcare for the indigent and uninsured, and minimal medical
surge capacity, even though we are ranked high in vulnerability for
terrorism and natural disasters.
Below are some of the major challenges we have encountered to
building resilience in the Greater New Orleans Healthcare community, as
well as suggested solutions.
challenges
One of the challenges to recovery and building resilience that
plagues our healthcare providers is the duality they face as victims as
well as responders in a critically needed system. It is quite difficult
to play both of these roles simultaneously. Many of our providers lost
everything, including their offices, medical diagnostic equipment,
medical and financial records, and their homes. Provisions must be made
for providers to resolve their personal difficulties before they can
begin to provide critically needed services.
Even for those providers and institutions left standing after the
disaster, a significant number experienced loss of revenues and a
scattering of their patients. Many of our regional hospitals decided
not to reopen their facilities and those that remain have a drastically
reduced number of inpatient beds. This reduced capability has left the
doctors with no place to admit their patients. Faced with a decreased
population pool and no reliable source of income, many had no choice
but to relocate, resulting in further damage to an already decimated
healthcare system.
It should be noted that several local and regional hospitals either
stayed open or reopened immediately following Hurricane Katrina. These
hospitals have incurred tremendous financial losses primarily due to
the increased number of uninsured individuals seeking healthcare. While
we owe a debt of gratitude to our community partners for assisting our
citizens in a time of need, financial relief needs to occur in order
for these institutions to continue to provide quality healthcare
service.
Many of our private sector hospitals realized rather quickly
following Hurricane Katrina that their financial risks were tremendous.
These institutions faced higher labor costs, higher insurance costs,
loss of providers, higher uninsured numbers and higher construction
costs. It was evident that if they reopened, they were very likely to
lose millions of dollars. Hence, four of our regional healthcare
facilities have decided not to reopen.
As mentioned earlier, providing care to the increasing indigent and
uninsured population (due to dislocation, job loss and other financial
woes stemming from the disaster) has been one of the greatest financial
liabilities to our private hospital facilities. Federal laws require
Emergency Departments to accept and treat patients regardless of their
financial capability. With the collapse of the State-run ``Charity''
system immediately after the hurricane, private hospitals were forced
to assume the care of the uninsured. Some compensation for these
services was provided by the State at a later date, but according to
many CEOs it has been late in coming and woefully inadequate.
Following Hurricane Katrina, there was no readily accessible
database of patient health information available to providers. We would
like to thank the American Medical Association (AMA) and other
organizations that put together a database that enabled patients to
access their pharmacy information and get badly needed prescriptions
filled. While this database proved to be an invaluable service, much
more health information is needed in a disaster situation in order to
provide excellent care to evacuated citizens.
solutions
Some of the after-action reviews that were performed on the
Hurricane Katrina response cited the need for a mechanism where
providers can easily cross State boundaries in response to a disaster.
An avenue for expediting medical licenses and certifications needs to
be in place to facilitate the credentialing of responding healthcare
providers. A national practitioner database could be used to meet this
goal. While we are aware that the Department of Health and Human
Service's (HHS) created the Emergency System for Advance Registration
of Volunteer Health Professionals (ESAR-VIP) program in response to
September 11, more emphasis needs to be placed on the agency's ultimate
goal of linking these various State-managed ESAR-VIP programs into one
national database. This will ensure that healthcare providers are not
caught in bureaucratic red tape when citizens are in need of the
services that they can provide.
The healthcare community is pleading for a more reliable and
predictable reimbursement mechanism for providers and hospitals that
respond to disasters declared by the President. The private sector must
have some assurances up front that they will be reimbursed for their
contributions. Healthcare services can be quite costly and the
healthcare community should not be expected to absorb all of the
expenses incurred. For example, Medicaid payments should be made
portable during the time of a declared disaster so that health
providers in another State could receive reimbursement for services
rendered. One possible way to achieve this would be for States to give
full faith and credit to the Medicaid insurance card from the disaster
affected locality. The host State would allow their providers to bill
their Medicaid program for the care of evacuees. The host State
Medicaid program would then bill the disaster-affected State for
reimbursement. This would also allow for evacuees to obtain medical
care as well as medications in the event of an evacuation.
The Nation should develop a national CCR (Continuity of Care
Record) system which would allow patients access to critical health
information in the time of a disaster. Entrepreneurs have also
identified this need and are flooding the market with various forms of
mobile personal data archiving systems. While many healthcare provider
associations have agreed to the critical fields needed in such a
record, a federally standardized approach is warranted. One must ask
the question why we can access our email accounts, banking information
and other critical data while we are abroad, but no such means for
accessing our medical data exists.
It is important for Congress to authorize and continue to fund the
major grant programs that communities use to build resilience into
their critical infrastructure. Programs such as the Urban Area Security
Initiative (UASI), and the Metropolitan Medical Response System (MMRS)
support medical surge capacity, mass fatality prophylaxis, and other
key needs. Specific to the healthcare community, the Hospital
Preparedness Program (HHP), under the U.S. Department of Health and
Human Services, is a key provider of funding for hospitals and
healthcare systems' all-hazards preparedness and response capability.
During the past five funding years of the HPP grant, significant
improvements have been made in our area regarding interoperable
communication, surge capacity, decontamination capabilities, training,
and education. It is important to note that funding for these programs
has been reduced and their existence is constantly threatened every
budget year. For our community, the current allocation of funds for
healthcare preparedness as well as additional financial support is
needed to bring our healthcare infrastructure back.
We also advocate that Congress make provision for communities hit
by catastrophic disasters to have automatic access to funding to
rebuild what is lost or damaged by a disaster. Our Office of Emergency
Preparedness is faced with the daunting task of redeveloping our
medical surge, decontamination, triage and pre-hospital treatment
capabilities utilizing the MMRS grant. Many of the non-disposable items
that were purchased by this grant to support the 11 Target Capability
Focus Areas, outlined in the MMRS grant guidance document, were either
utilized or destroyed during the aftermath of Hurricane Katrina.
Additional grant dollars would greatly assist this initiative to return
our city's level of preparedness to our pre-Katrina standards.
conclusion
Ladies and gentlemen, thank you for allowing me to speak with you
on the status of our recovery and the challenges we and the Nation face
to make our homeland more resilient. I believe the proposals outlined
in this document will accelerate our recovery and assist others to
rebound faster and more effectively after a disaster of catastrophic
proportions. We thank you, the Homeland Security Committee, the
Subcommittee on Transportation Security and Infrastructure Protection
and Congress, for your continued support as we rebuild our city and
region. Though we still face historic challenges, we are hopeful that
with your assistance, we can solve the remaining problems and build a
better and stronger community for everyone.
Ms. Jackson Lee. I thank you very much for your testimony.
I thank all the witnesses for their testimony.
I remind each member that he or she will have 5 minutes to
question the panel.
I now recognize myself for 5 minutes.
Assistant Secretary Stephan, we hear the number 85 percent
over and over again of the critical infrastructure that is
owned and operated by the private sector. Among that 85
percent, with what percentage of the Department continuously
engage for critical infrastructure security purposes?
Because many of these assets are not regulated for security
purposes, what is the business case the Department makes to
these entities to secure their assets? What are the carrots you
use to get them to do the right things?
Do you encourage the private sector to be resilient and be
able to bounce back to effective operations? How do you do
that?
Colonel Stephan. Yes, ma'am. To answer your first question,
I do not have an exact percentage for you, but we routinely
engage with all 17--actually, now 18 critical infrastructure
sectors that are defined in the National Infrastructure
Protection Plan from communications, electricity, oil and gas,
I.T., transportation, you name it.
We have sustained governance mechanism that allows very
frequent meetings between our different entities, as well as an
information sharing, where virtually every day we are passing
either threat information or operationally-related information,
based upon what is happening with our infrastructures on a
daily basis, train derailments, bridges collapsing, the
wildfires in California and Florida that we are monitoring
today, ongoing activities and relationships.
Resiliency is built in as part of our organizing framework,
in terms of national level documents that we have built in
voluntary partnership with the private sector over the past 3
years, all the way down to our facility-level security plans
and buffer zone security plans that resiliency, redundancy,
robustness, redundant command post-type considerations that are
built into those frameworks.
The other piece on incentivization, as Congressman Lungren
pointed out, the threat piece is key. We can bring a lot of
people to the table with respect to providing them information
on what exactly the threat is.
If we have an emerging, credible threat in the sector, we
do everything we can to develop tearline information with the
intelligence community, get it into the hands of the owners and
operators.
Where we don't have that type of information, we have got a
special team of analysts in my shop, and Charlie Allen's shop,
that work on lessons learned from abroad. If the terrorists
start attacking hotels and discos and transit systems here,
they are certainly doing it abroad almost every day somewhere.
Iraq, Afghanistan, Indonesia, Jordan, Egypt, you name it, there
they are.
We are capturing those lessons learned, learning the
techniques and procedures, and exporting that information
across our private-sector information network.
Ms. Jackson Lee. Let me quickly ask another question. You
have submitted a lot of documents. Do you have an internal
white paper or managerial directive dealing with infrastructure
protection that define resiliency and how it is going to be
implemented?
If you have those, we would like to have those submitted to
the committee.
Colonel Stephan. Yes, ma'am. The definitions of protection
and resiliency and all of its other components are included in
the National Infrastructure Protection Plan that I have
provided or brought with me today to submit to the committee.
Ms. Jackson Lee. Do you have how it can be implemented? Is
that----
Colonel Stephan. Ma'am, it is all part and parcel of the
framework. For me, this is all about trying to drive--not you,
not members of this committee, but there are academics and
think-tanks out there that would like to drive a wedge and
cause us to make a choice between protection, prevention, and
the response and recovery side, or the resiliency side.
I would argue, as I heard you also argue, ma'am, in your
opening testimony, there isn't a choice to make. It is how do
we combine the two imperatives, how do we blend them? On the
prevention and protection side, we have to do it on a risk-
based approach or else we could be spending a lot of resources,
a lot of money in areas that don't provide bang for the buck.
We are not for that. Risk-based approach to the upfront
components, combined with the capability to absorb a strike and
respond adequately, that is what this Nation is all about.
Ms. Jackson Lee. Well, let me get Mr. Czerwinski and Mr.
Johnson, Mr. Raisch, to respond to that.
Mr. Czerwinski.
Mr. Czerwinski. Thank you, Madam Chairwoman. The Assistant
Secretary makes a very clear and important point, that is, that
the balance is critical.
The way in which resilience ought to be considered in this
context of the private sector is that risk has changed to the
point where prevention, yes, is critical and protection is
indispensable, but the resilience component has to evolve to
reflect the interconnectivity between the different sectors
themselves, so that, as we go through the process of educating
the sectors about the threats that they face and the risks that
are peculiar to those different sectors, the other side of the
coin is for us to identify the ways in which these different
sectors are actually interdependent themselves.
I know there are already efforts underway in this domain.
But there could be a great deal that we could gain from a
framework that might develop the information-sharing to the
next level, such that there is different kind of resiliencies
evolved.
The redundancy is a part of it that the Federal Government
has to embrace, but the redundancy is not the sort of thing the
private sector is going to be too enthusiastic about. So there
is still some opportunity to drill into that.
Ms. Jackson Lee. You think that the Federal Government can
do a better job?
Mr. Czerwinski. Well, I am an American citizen. I always
think the American government can do a better job. But I think
the--I think the Department of Homeland Security has been given
the authority and freedom to work with the private sector and
has created some engagement mechanisms that enable that. We
participate in some of them at IBM.
The way in which the opportunity resides, though, I think,
is actually to look at this framework that embraces a broader
picture of human capital technology and governance, not just
threat information.
Ms. Jackson Lee. If we can't get the private sector to give
us a good give-and-take, Mr. Czerwinski, we can't get to a
better product.
So, Mr. Johnson, please don't hold back. We are not here to
sugarcoat, nor are we here to suggest that Colonel Stephan does
not have a strong constitution and can accept constructive
criticism. So we would like to see what your thoughts are,
please.
Mr. Johnson.
Mr. Johnson. Thank you, Madam Chair.
The issue of resiliency in the financial services sector is
one that is longstanding. In fact, we are, in some ways, a bit
of a unique sector in that, in order to efficiently operate,
every one of the competitors in our private sector must trust
each other to operate efficiently as we pass money around the
system. Indeed, it goes out beyond the United States.
So resiliency is really core to what we do, and we are only
as strong as our weakest link. So we have to always ensure that
we are resilient in what it is we do, because we are so
interconnected.
That is different, potentially, in other sectors. As far as
what the public sector can do or do better, I don't have a
strong point of view that that is anything that needs to be
done in addition. I think most of what I see is the private-
sector organizations realizing how important resiliency is in
what it is we do every day and spending money because it is the
right thing to do.
Ms. Jackson Lee. Is that the industry spending money?
Mr. Johnson. That is the industry spending money.
Ms. Jackson Lee. Can the government do more in assisting
that? Is there the interaction between the government on
resiliency with the private sector from the financial services'
perspective?
Mr. Johnson. On financial services, there is a great
relationship between us and our sector-specific agency, which
is the U.S. Treasury. Lots of discussions about, as Secretary
Stephan said, a prioritization on the front end, or risk
assessment on the front end for protection, as well as a
resiliency perspective on day-to-day operations.
Ms. Jackson Lee. Well, can you point us to written
documents where you have received from the U.S. Department of
Treasury that focuses on resiliency? Do you have those?
Mr. Johnson. I do not have those with me, no, but I can
provide you guidance that comes from the Federal Government, as
well as our sector-specific plan--thank you, Secretary
Stephan--which articulates across the entire sector, from
banking to insurance.
Ms. Jackson Lee. Well, let me do this. I mean, a document
that has already been submitted into the record is fine. The
question is whether there is interaction that focuses on
resilience.
Let me yield to Mr. Raisch. I thank you for your answer, so
I can yield to the distinguished ranking member from
California.
Mr. Raisch. Thank you, Chairwoman.
A few very brief comments. I would say, firstly, I don't
think it is an either-or, prevention versus resiliency. This is
a continuum. I mean----
Ms. Jackson Lee. We agree on that.
Mr. Raisch. Got that.
Ms. Jackson Lee. But we want to know whether the Federal
Government can do better. That is what we would like to hear.
Mr. Raisch. Certainly, and I would think the Assistant
Secretary would agree, we can always improve.
Ms. Jackson Lee. The secretary is not the singular
representation of the Federal Government. So I know you are
sensitive to his presence on the panel.
Mr. Raisch. Very good. I think we can all do more to
leverage the economic rationale. We can call for business and
government to do--to be more prepared. Quite frankly, that is
right up there with apple pie, mom and pop, and so forth.
At a certain point, businesses have a responsibility to
their stakeholders to essentially make rational economic
choices. As such, I think DHS and other elements of government,
Congress included, can help clarify some of the business case
incentives, develop, perhaps, new ones.
As I mentioned in my testimony before, I think this
certification program that was recently passed has an
opportunity to link good practice with direct economic benefits
in a way that has not happened in the past. We have directly
worked in the past with elements of, if you will, the external
stakeholders, those being insurance, rating agency, legal
liability community.
Many of them are disposed towards acknowledging resiliency,
but have not had an effective measure to date to acknowledge
it. If you can't acknowledge it or measure it, you can't reward
it.
So I think there is a real opportunity in moving forward
this voluntary certification program, particularly with an
emphasis towards economic value to business.
Ms. Jackson Lee. I thank you.
Dr. Stephens, I am going to hold my questions for you.
I yield to the distinguished gentleman for his time of
questioning from California.
Mr. Lungren. Thank you very much.
I think the panel is to be commended for resisting the
temptation to treat Colonel Stephan as a pinata here.
Colonel, I happen to think that you have done a very good
job and the Department has done a good job in launching this
effort. That is what we have done: We have launched the effort.
There still remains a lot to be done.
Mr. Johnson, you made a very obvious point, but something
that we often overlook. The very nature of the financial
services industry is one of dependence on resilience. I mean,
if you go down for a day or two, your business essentially has
been drastically punished or suffered. I would say the same
thing with the communications industry, for instance.
But when we get into some of the other industries, I don't
think the resilience aspect is as obvious and, therefore, as
obvious to the bottom line and, therefore, as justifiable to
shareholders. It seems to me that is the nexus that we need to
sort of reach.
So let me posit this question to you, Mr. Raisch. Is that
the proper way to pronounce Mr. Raisch?
Mr. Raisch. Yes.
Mr. Lungren. Mr. Czerwinski.
Let's presume the government--the answer is not going to be
a lot more government money. Let's just set that aside, because
that is an easy one to say. ``Well, we will give you more
grants. We will do this.''
Setting aside money, what are the kinds of things that can
most effectively, efficiently and quickly allow that kind of
economic value to be realized by sectors other than the
financial services sector or the communications sector?
I mean, what are the keys to getting other parts of
American industry to have resilience as a part of--and it is
more than resilience, it is also protection and prevention from
terrorist attack or natural disaster?
Mr. Czerwinski. Well, I will go first. Thank you for that
question. This gets to the real critical point, which is, how
does this issue become portable across different sectors?
What we tried to look at, actually, was the cargo
container, flow of cargo and container traffic across maritime,
for example, if you were to take that, you could look at this
from a double bottom-line concept, where there is a way in
which you could find economic efficiencies to create better
system visibility, that is, understand what is going on from
end to end for a container cargo ship.
That is obviously useful from a regular bottom-line
perspective, because it gives you the understanding of where
disruptions exist or inefficiencies are.
But if you look at this from a double bottom-line, that is,
the resiliency component, that same system visibility--which,
by the way, is never perfect, and usually that information
resides in different sectors--could also enable this
decisionmaker to say, ``This disruption is actually unique.
This is not a situation where we are looking at a derailment of
a certain cargo, but we are looking at something completely
new.''
Without the ability to have that visibility, that
decisionmaker wouldn't be able to say, ``We need to react
differently,'' or, ``We need to re-route this,'' just taking
the cargo one, for example. So in that case, you could have
both resiliency and efficiency resulting in a double bottom-
line.
I hope that answers your question.
Mr. Lungren. Mr. Raisch.
Mr. Raisch. In reference to really the governmental role
that can add a new equation to this, I think--let's look at
businesses. They are organized as individual organizations and,
as such, that is their focus primarily.
I think government can bring a wider perspective. I think
we have touched on some other issues where we looked at
critical dependencies across sectors and across businesses and
so forth.
The reality of this is, right now, globalization is most
compelling bottom-line argument for a lot of resilience.
Organizations that we deal with daily have supply chains that
reach from here through Mumbai in India to Shanghai and back
again.
As such, I think businesses are learning the lesson, to the
extent they have a wider geographic footprint, if you will, for
any one adversity, whether the manmade or natural disasters to
occur.
But I think government can play a role in perhaps
distilling some of those lessons, reinforcing also the ability
to cross-pollinate across various elements of business. There
is a lot of good learning that has happened, particularly in
the critical infrastructure areas, under Assistant Secretary
Stephan, but also, quite frankly, I think cross-pollination
across those sectors, those 18 sectors now, can be facilitated.
I think the ability to, again, communicate in some common
elements of preparedness, defining, if you will, as I mentioned
earlier, that Rosetta Stone. I think this--again, getting back
to this certification program, I think that offers a tremendous
opportunity to do so.
So I think facilitating crosspollination across various
sectors, so we are sharing our insights in an effective manner,
providing an understanding of the societal dependencies, that
certainly the experience in New Orleans underscored
dramatically, that no company, no entity, no household is an
island, and, in fact, we are all very much integrated.
I think that is very much a governmental role in that
respect and one that, I think, provide assistance. The other
thing, I think, on a low-cost basis, I think the provision of
some common tools, based upon those key elements, preparedness.
In this electronic environment--and there are some good
things being done now on ready.gov, but I think we can move
forward and have a truly robust resource from an electronic or
Web-based environment that facilitates business preparedness
across the Nation.
Mr. Lungren. Dr. Stephens, I asked the others not to
consider money, but I want to change that with respect to a
question for you, and that is that, on the Federal side, we
have, in terms of the reimbursement we give to hospitals and
medical institutions, factored in a number of different things.
We have factored in and factored out costs of education,
training, et cetera.
Is there, on the part of the Federal Government, in terms
of reimbursement for expenses by medical institutions,
particularly hospitals, any consideration at the present time
of the resiliency factor, and particularly, if we do an
analysis of a hospital, and we try and analyze whether or not
there are sufficient beds to take care of a pandemic or other
natural disaster?
Dr. Stephens. No, unfortunately, we don't take that into
consideration, in terms of resiliency. In New Orleans
particularly, we are so busy trying to just mine day-to-day
that to get to resilient is not high on the radar.
I think it should be, though, because I think that the
ability to respond in the midst of a disaster is dependent upon
your ability to have resilience.
Mr. Lungren. See, I recall over about a 25- or 30-year
period of time Federal Government decisionmaking drove
hospitals to be more ``efficient'' and, in the process, we
actually caused hospitals to reduce the number of available
beds they had.
One of the ways we did that was making sure the patients
got up sooner, rather than later. I have seen it in communities
across America.
We prided ourselves on making our health care system more
efficient, and one of the indices was, hey, we have fewer beds
sitting out there. That is great, unless you need the beds.
So I think one of the things we have to deal with from a
governmental standpoint is, as we have tried to make the
medical system more efficient, we have created conditions that,
if we have a tremendous impact on a health care system in a
particular area, we don't have the infrastructure we had 40
years ago when we had so many beds available. I am not sure we
have totally dealt with that question.
Dr. Stephens. Your point is highlighted with the mental
health beds. You not only in New Orleans, in the State of
Louisiana, we have basically zero availability of mental health
beds, so our patients have to be transferred out-of-State to
get resources. That is private and public, so that point is
well taken.
Mr. Lungren. I yield back the balance of my time. Thank
you.
Ms. Jackson Lee. I thank the gentleman and yield myself an
additional 5 minutes.
Dr. Stephens, can you tell me how many hospitals, public
and private, were in New Orleans prior to Hurricane Katrina?
Dr. Stephens. Approximately 11.
Ms. Jackson Lee. What do you have now?
Dr. Stephens. Open, we have four.
Ms. Jackson Lee. Okay. Do you have a public Charity
Hospital open?
Dr. Stephens. Yes, we do. We have University Hospital,
which is our Charity Hospital.
Ms. Jackson Lee. The hospital--one of the hospitals that
was open before that is now closed, was that a Charity
Hospital? You indicate you had 11; there are now four.
Dr. Stephens. Yes. One of the hospitals--Charity Hospital
has had two hospitals, University, and the old Charity, as we
knew it.
Ms. Jackson Lee. It was open prior to----
Dr. Stephens. Yes, they both were open.
Ms. Jackson Lee [continuing]. Katrina?
Dr. Stephens. Now, only the University Hospital, which has,
as I understand it, maybe 200 beds is open now.
Ms. Jackson Lee. I didn't hear you. Pardon me?
Dr. Stephens. University, University Hospital.
Ms. Jackson Lee. Has how many beds?
Dr. Stephens. Two hundred.
Ms. Jackson Lee. How many did Charity have?
Dr. Stephens. Totally, they had 539, as I recall.
Ms. Jackson Lee. Is that building still standing?
Dr. Stephens. It is still standing.
Ms. Jackson Lee. All right. So, in actuality, if we looked
at the practicalness of what has happened, you had 11 hospitals
pre-Hurricane Katrina, is that correct?
Dr. Stephens. That is correct.
Ms. Jackson Lee. You now have four?
Dr. Stephens. Correct.
Ms. Jackson Lee. Now, one could put on the record that you
obviously have had a decrease in population, but I assume that
every effort that the city government is making and corporate
fathers and mothers are to build back your population by many
returning New Orleanians?
Dr. Stephens. Correct.
Ms. Jackson Lee [continuing]. People from New Orleans, is
that correct?
Dr. Stephens. That is correct.
Ms. Jackson Lee. So, in essence, if you were to go back to
full capacity of your population, you would have and may have
now a health crisis?
Dr. Stephens. We do. We currently have a--in fact, to go
from beds, we had 2,250 beds available in New Orleans before
Katrina. Now we have less than 1,000 available.
Ms. Jackson Lee. There was a MASH unit that was in, I
believe, the Hyatt. Has that been closed?
Dr. Stephens. Yes, it has been.
Ms. Jackson Lee. Where do those patients now go?
Dr. Stephens. To the University Hospital system, which is
the 200-bed facility that I mentioned.
Ms. Jackson Lee. Would you suggest that your health system
is at capacity or even beyond?
Dr. Stephens. Yes, we are bursting at the seams. We have
basically no available beds anywhere in the city.
Ms. Jackson Lee. So what could have been--and you have made
your appropriate statements. We thank you for recognizing the
hard work of this Congress in a bipartisan way. We accept that.
But what could have been more effective from a resilience
perspective, one, as you look at it, as a medical professional,
what could have been done pre-Katrina, but now, as we look at
post-Katrina, resilience also is the ability to get back in
operation?
Where did the resilience aspect of fixing the health care
system in New Orleans fall after Hurricane Katrina? What was
missing to put you in near-capacity?
Dr. Stephens. Well, I think the big thing is reimbursement,
the predictability and reliability of reimbursement.
We had several hospitals that opened up, but we couldn't
tell them, for the uninsured, when our Charity Hospital system
closed, we had a lot of uninsured patients that would show up
at your doorstep.
There was no predictable, reliable way that hospitals would
know, ``If I treated this person, I would get $1 or anything
for treatment of this patient,'' because--laws require that, if
somebody shows up in your emergency room, you have to see them,
but there are no revenues associated with that treatment.
So without having a predictable, reliable source of income,
the private-sector hospitals chose not to open, because the
hospitals that stayed open--I think I heard like $135 million
was lost last year among five hospitals that were open.
So without a predictable, reliable source of income, the
private sector says they are for-profit, they have to show----
Ms. Jackson Lee. But there is an aspect to resiliency that
deals with a revenue stream.
Dr. Stephens. Absolutely.
Ms. Jackson Lee. So, if we were to look at that sector, we
need to be assured that we have an immediate revenue stream or
some bridge that would keep them going?
Dr. Stephens. Absolutely.
Ms. Jackson Lee. What was the difficulty in opening--what
was the missing resiliency that would allow you to have opened
the other Charity Hospital with 539 beds?
Dr. Stephens. Well, the other Charity Hospital, as I
understand it, from the flooding, we had structural integrity
problems. In fact, there is a group now--looking at that
facility to see what impediments are preventing this one from
being opened or not.
But it was an old facility, grant you. They had many
problems. But I am not really sure. That is a very hot potato,
if you will.
Ms. Jackson Lee. But there was no capacity for you to sign
or to collaborate to have other resources to immediately find a
substitute location for those 539 beds?
Dr. Stephens. That is correct.
Ms. Jackson Lee. So there was a crack in the resiliency,
the start-up of getting back to where you were?
Dr. Stephens. Bigger than a crack.
Ms. Jackson Lee. Okay.
Let me pose a question to you, Mr. Czerwinski. Your
testimony clearly states that a resilience-based approach to
disruptions, including intentional human-made attacks, is a
company's best interests. How broadly practiced is such an
approach within the private sector? How can it be promoted?
As Colonel Stephan is not a good pinata, I hope that you
will give us a good critique of what we may do better in the
Federal Government in answering the question.
Mr. Czerwinski. Understood. Thank you, Madam Chairwoman.
Is it the case that the entire private sector embraces this
idea that resilience is in their economic interest? Likely not.
However, there is no doubt that the current efforts at the
Department of Homeland Security to engage these separate 18
sectors to communicate to them the importance of understanding
the threats that face them and the ways in which they can
protect themselves is sinking in.
There is no question that there are some sectors that are
absolutely more receptive to this than others. The financial
services sector, let's say, or the I.T. sector, they understand
their vulnerability and their criticality.
However, the next step beyond that is to be even more
proactive to suggest that, in fact, there is a way we can
bridge these different sectors to identify where these sectors
are dependent upon one another. If we can do that, we can
identify a different level of vulnerability that is no doubt
part and parcel of the 21st century type of risk we are facing.
How that would be incentivized could be taken in a few
different ways. One would be to provide a framework that
allowed these private-sector participants to gain some
different kind of treatment, let's say, when it interfaces with
the government.
Customs and Border Protection does this now, where they
work with multiple different sectors in their automated customs
environment. They share information across different sectors.
They, therefore, facilitate the flow of travel.
What that also provides them is the ability to see any sort
of aberrations that may be threats themselves.
Ms. Jackson Lee. Let me ask Mr. Raisch, does he have any
examples through his research of companies who have done a good
job at resilience? In your certification pilot or idea, does
there need to be assessments--I hate to use the word punitive
measures--but does there need to be a stronger assessment of
whether or not there is a resilient plan?
Does there need to be some punitive measures, some fines
assessed for those who don't have them? Is it that important?
You need to use as a backdrop Dr. Stephens, who indicated
that pre-Katrina there were 11 hospitals. There are now four in
New Orleans.
Mr. Raisch. Clearly----
Ms. Jackson Lee. Some of that is private, and some of that
is public, and we understand the challenges. But just use it as
a backdrop, that there was a problem with being resilient in
New Orleans in the medical sector, and so if you would respond.
Mr. Raisch. You bring in a very good point, assessment. I
mean, the question, as I think someone else mentioned earlier,
the issue is, what is preparedness or how much preparedness do
we need?
It is a difficult situation to assess, just given the fact
that many of us have different other operation
responsibilities. Nonetheless, speaking to your issue of
assessment, I think there is an opportunity, utilizing existing
private-sector standards, to assess the level of preparedness.
These are standards that developed through common practice
over the course of many years, input by corporations,
professionals in this area. So I think the criteria exist
currently to define effective preparedness.
The 9/11 Commission in particular recommended a particular
standard in SK 1600 that was developed some--I guess early
1990s--as one of those standards. There are other ones out
there, as well.
But what has been lacking in the past is a measurement
methodology. That is what, essentially, the legislation that
this Congress passed--I am sorry, last Congress passed in 2007,
and the focus there specifically was on one of developing an
assessment methodology that was built upon existing historical
experience.
In the world of business, there is quality management. ISO
9000 is a type of certification manufacturers have gotten since
the early, the mid-1980s, when quality was a problem in our
manufacturing firms. We can leverage that, and I think that is
what this program offers in the way of potential.
Relative to your other issues, I think you have
specifically focused on, what can government do better, and
particularly what can DHS do better?
I think the opportunity to be a convener--we don't have all
the answers at this table. There are very learned individuals
here, without doubt. I would like to say that there are pearls
of wisdom that would roll out of each of our lips.
At the same time, I think the answer probably is resident
out there. I think, just as this committee is convening
experts, I think DHS could do a--increase its activities in
convening, but convening with a specific focus, not only what
should be done, but why should it be done, really getting
Congress, congressional representation there, as well, to look
at what both legislative issues, as well as market-based
incentives are important.
We can't just look for these. We need, in some cases, to
create them. By bringing together private sector, bringing
together, I think, the congressional and legislative branch,
and the executive branch, I think there is an opportunity,
perhaps, to really define some, if you will, bottom-line
rationale and develop it over time.
Ms. Jackson Lee. So you don't think the certification
should have a fine component to it?
Mr. Raisch. Well, I think it is unrealistic at this point.
Quite frankly, I don't think there is the political will to
move this to a mandatory stage.
I think, quite frankly, though, there is a market-based
punitive element to it, to the extent--let's give supply chains
as an example. Many corporations out there right now, for their
critical suppliers--we have financial services here as an
example--they are regulated already to bring their offices up
and their operations up within 4 hours, many of them my primary
market-maker.
At the same time, for them to do that, they need critical
suppliers, in I.T., in telecom, in other elements of power
generation. They are looking, in many cases, for tools, a
measurement that would allow them to define whether or not
those particular suppliers in their supply chain can be there
for them when they are needed.
Now, if there is an effective measure out there and if
their suppliers that they are currently using don't meet that
measure, then you are going to see an economic impact, an
economic punitive, if you will, element, that will suggest,
``Jeez, if you are not prepared, I am going to go with this
other entity over here that has validated its preparedness
efforts.''
This was done in the manufacturing industry, again, with
quality management. It is done in environmental management. So
I think there is good precedent there.
I think we should look for--the opportunity here is for
government to be a convener and, if you will, to be a catalyst
in creating and accessing this in the way of bottom-line
incentives.
Ms. Jackson Lee. Let me--I ask unanimous consent to move
without a quorum--let me continue the other questioning. We are
moving toward the floor for a vote.
Mr. Johnson, the financial services industry, because of
Wall Street, I think, showed itself very much in tune with
resilience. Is there one singular aspect of what happened
during that time frame and what you have done since that you
think is very important for us to have on the record as it
relates to resilience and as you have seen it in the financial
services industry?
Mr. Johnson. Thank you, Madam Chairman. I would say one
thing that we have done and continue to do is test. I think if
there is one lesson learned out of 9/11 is to--you can't test
every scenario, but you can test.
I think that that is something that goes beyond financial
services to, indeed, other sectors.
Ms. Jackson Lee. So during the ongoing existence of your
business, you are repeatedly testing your ability to be
resilient?
Mr. Johnson. That is absolutely correct. Whether it was
required by a regulation or not, it is done, because all of the
financial services companies have, if you will, a motivation to
ensure they can continue to operate.
If there is something that I think we have learned, testing
does pay dividends. That would be my answer.
Ms. Jackson Lee. Let me ask, Colonel Stephan, Secretary
Stephan, to tell us what incentives DHS is providing to the
public, to the public and private, private sector, to encourage
more organizations to be resilient.
I know the documentation reports, but what is the
engagement? What is the thought of having a chief that deals
particularly with assessing risk, that companies may have
within the DHS shop?
Colonel Stephan. Well, what we have done is--the
infrastructure that we have identified to be most at-risk from
various threat vectors across the country, they number about
2,800 to 3,000. We are very focused on----
Ms. Jackson Lee. I didn't--what is 2,800 to 3,000?
Colonel Stephan. The infrastructures that we have
determined to be the most at-risk across the country on a
steady-state basis, lacking any specific----
Ms. Jackson Lee. That is in the private sector?
Colonel Stephan. The private sector mostly, although there
is----
Ms. Jackson Lee. Focused on what incentives you are giving
them to move toward resilience?
Colonel Stephan. Yes, ma'am. What we do is we have
vulnerability assessment programs in concert with them, and we
have buffer zone protection programs in concert with that.
Where we do security planning, that facilitates interaction
between the private-sector security folks, owners and
operators, and local, State law enforcement and National Guard.
The incentive there is that, with DHS facilitation, we
build a team of security and resiliency. Resiliency is
embedded, built into the security plan template--so is cyber
security, for that matter--rolling in there and facilitating
the interaction and getting the private sector, local law
enforcement, State law enforcement and the National Guard to
pony up to the plate based upon this nucleus of critical
individual facilities, assets, systems and networks that we
work together to identify.
That is one example. The exercise piece, bringing people
together very routinely, whether it is tabletop or full-scale
boots on the ground activity, like we did last week, we have
invited private-sector folks inside our National Infrastructure
Coordinating Center for the first time last week, during our
big national-level continuity of operations exercise, figuring
out the resiliency piece, the security requirements, the
information-sharing requirements, who needs what, based upon
what type of disaster.
Last week, we dealt with the double-headed monster of a
terrorism attack, as well as a major Category 4 hurricane
hitting the national capital region.
Ms. Jackson Lee. Mr. Secretary, let me ask that in writing
if you will focus on--and I have heard the sort of give-and-
take, and I think that we will ask staff to review closely the
documents that you are submitting--but if you can give some
particular corporate examples where DHS has interacted and, in
the letter, writing of companies that are under a particular
sector, showing the incentives and showing the give-and-take,
and seeing the progress of resiliency being built under our
present structure, I would appreciate it.
Colonel Stephan. We would be happy to do that.
Ms. Jackson Lee. I want the record to be clear that
Assistant Secretary Stephan is here, but he doesn't represent
the wholeness of America, the wholeness of the Department of
Homeland Security, though we appreciate his patriotism.
He is well able to engage in give-and-take to make things
better. Is that my--and I hope that that clears the record.
Dr. Stephens, let me close by simply acknowledging your
delegation with Melancon and Mr. Jefferson and others who have
been diligent on working on New Orleans. We thank you.
We expect that you will be able to give us some very good
insight. I would ask--I know your testimony has been put in the
record--but I would ask to be able to follow up with you on the
reason why, beyond the revenue stream, what the Federal
Government has not done to ensure that the resiliency of your
public health system, such as Charity Hospital, could not be in
place 3 years after Hurricane Katrina, particularly the
physical plant.
Maybe you could put that for me in writing. Would that be
all right? I thank you so much.
As I do for all of the witnesses, I thank them very much
for their testimony, valuable testimony. The members of the
subcommittee may have additional questions for the witnesses,
and we will ask you to respond expeditiously in writing to
those questions.
Having no further business, the subcommittee stands
adjourned. I will say thank each and every one of you for what
has been an instructive, but, I am sorry, abbreviated hearing.
Thank you very much.
[Whereupon, at 3:50 p.m., the subcommittee was adjourned.]
�