[House Hearing, 108 Congress]
[From the U.S. Government Publishing Office]
PROTECTING OUR
FINANCIAL INFRASTRUCTURE:
PREPARATION AND VIGILANCE
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED EIGHTH CONGRESS
SECOND SESSION
__________
SEPTEMBER 8, 2004
__________
Printed for the use of the Committee on Financial Services
Serial No. 108-108
U.S. GOVERNMENT PRINTING OFFICE
97-449 WASHINGTON : 2004
____________________________________________________________________________
For Sale by the Superintendent of Documents, U.S. Government Printing Office
Internet: bookstore.gpo.gov Phone: toll free (866) 512-1800; (202) 512-1800
Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001
HOUSE COMMITTEE ON FINANCIAL SERVICES
MICHAEL G. OXLEY, Ohio, Chairman
JAMES A. LEACH, Iowa BARNEY FRANK, Massachusetts
RICHARD H. BAKER, Louisiana PAUL E. KANJORSKI, Pennsylvania
SPENCER BACHUS, Alabama MAXINE WATERS, California
MICHAEL N. CASTLE, Delaware CAROLYN B. MALONEY, New York
PETER T. KING, New York LUIS V. GUTIERREZ, Illinois
EDWARD R. ROYCE, California NYDIA M. VELAZQUEZ, New York
FRANK D. LUCAS, Oklahoma MELVIN L. WATT, North Carolina
ROBERT W. NEY, Ohio GARY L. ACKERMAN, New York
SUE W. KELLY, New York, Vice Chair DARLENE HOOLEY, Oregon
RON PAUL, Texas JULIA CARSON, Indiana
PAUL E. GILLMOR, Ohio BRAD SHERMAN, California
JIM RYUN, Kansas GREGORY W. MEEKS, New York
STEVEN C. LaTOURETTE, Ohio BARBARA LEE, California
DONALD A. MANZULLO, Illinois JAY INSLEE, Washington
WALTER B. JONES, Jr., North Carolina DENNIS MOORE, Kansas
MICHAEL E. CAPUANO, Massachusetts
DOUG OSE, California HAROLD E. FORD, Jr., Tennessee
JUDY BIGGERT, Illinois RUBEN HINOJOSA, Texas
MARK GREEN, Wisconsin KEN LUCAS, Kentucky
PATRICK J. TOOMEY, Pennsylvania JOSEPH CROWLEY, New York
CHRISTOPHER SHAYS, Connecticut WM. LACY CLAY, Missouri
JOHN B. SHADEGG, Arizona STEVE ISRAEL, New York
VITO FOSSELLA, New York MIKE ROSS, Arkansas
GARY G. MILLER, California CAROLYN McCARTHY, New York
MELISSA A. HART, Pennsylvania JOE BACA, California
SHELLEY MOORE CAPITO, West Virginia JIM MATHESON, Utah
PATRICK J. TIBERI, Ohio STEPHEN F. LYNCH, Massachusetts
MARK R. KENNEDY, Minnesota BRAD MILLER, North Carolina
TOM FEENEY, Florida RAHM EMANUEL, Illinois
JEB HENSARLING, Texas DAVID SCOTT, Georgia
SCOTT GARRETT, New Jersey ARTUR DAVIS, Alabama
TIM MURPHY, Pennsylvania CHRIS BELL, Texas
GINNY BROWN-WAITE, Florida
J. GRESHAM BARRETT, South Carolina BERNARD SANDERS, Vermont
KATHERINE HARRIS, Florida
RICK RENZI, Arizona
Robert U. Foster, III, Staff Director
C O N T E N T S
----------
Hearing held on:
September 8, 2004
Appendix:
September 8, 2004
WITNESSES
Wednesday, September 8, 2004
Abernathy, Hon. Wayne, Assistant Secretary for Financial Institutions, Department of Treasury
Britz, Robert G., President and Co-Chief Operating Officer, New York Stock Exchange, Inc.
Dolloff, Wilton, Executive Vice President, Operations and Technology, Huntington Bancshares Incorporated, on behalf of Bits and The Financial Services Roundtable
Gaer, Samuel, Chief Information Officer, NY Mercantile Exchange
Liscouski, Robert, Assistant Secretary, Information Analysis and Infrastructure Protection, Department of Homeland Security
Mohr, John, Executive Vice President, The Clearing House Association L.L.C.
Olson, Hon. Mark W., Member, Board of Governors, Federal Reserve System
Tishuk, Brian S., Executive Director, ChicagoFIRST
APPENDIX
Prepared statements:
Oxley, Hon. Michael G.
Bachus, Hon. Spencer
Emanuel, Hon. Rahm
Gillmor, Hon. Paul E.
Hinojosa, Hon. Ruben
Kelly, Hon. Sue W.
Abernathy, Hon. Wayne
Britz, Robert G.
Dolloff, Wilton
Gaer, Samuel
Liscouski, Robert
Mohr, John
Olson, Hon. Mark W.
Tishuk, Brian S.
Additional Material Submitted for the Record
Britz, Robert G.:
Written response to questions from Hon. Ruben Hinojosa
Olson, Hon. Mark W.:
Written response to questions from Hon. Spencer Bachus
Written response to questions from Hon. Ruben Hinojosa
Tishuk, Brian S.:
Written response to questions from Hon. Ruben Hinojosa
PROTECTING OUR
FINANCIAL INFRASTRUCTURE:
PREPARATION AND VIGILANCE
----------
Wednesday, September 8, 2004
U.S. House of Representatives,
Committee on Financial Services,
Washington, D.C.
The committee met, pursuant to call, at 10:07 a.m., in Room
2128, Rayburn House Office Building, Hon. Michael Oxley
[chairman of the committee] presiding.
Present: Representatives Leach, Bachus, Kelly, Biggert,
Miller of California, Capito, Tiberi, Brown-Waite, Frank,
Maloney, Gutierrez, Ackerman, Sherman, Lee, Inslee, Hinojosa,
Lucas of Kentucky, Matheson, Miller of North Carolina, Emanuel,
Scott, and Bell.
Mrs. Kelly. [Presiding.] This hearing of the committee will
come to order.
This morning the committee convenes to continue its ongoing
oversight of preparedness, incident recovery and critical
infrastructure protection issues. I thank Chairman Oxley for
holding this hearing.
At the heart of critical infrastructure is the safety and
soundness of the financial services sector which drives every
aspect of our economy. Earlier this Congress, the Oversight and
Investigations Subcommittee held a hearing to examine the state
of readiness of the financial services sector and the critical
infrastructure that allows it to serve our country. In that
hearing, the subcommittee learned about many promising steps
that have been taken by our financial caretakers, as well as
the constant assessment and improvements that still must be
performed.
Over the last several years, our country has experienced
many extraordinary events that have threatened the safety of
the American people and of our financial system, from the
horrific attacks of September 11, 2001 to the blackouts and
hurricanes, but fortunately our markets have experienced
remarkably quick recoveries, illustrating the tremendous
resiliency of the financial system and the U.S. economy.
As a result of these events, it is apparent that the
technology age we live in, which allows us to provide services
and access information in a heartbeat, is both a boon and one
of our greatest vulnerabilities. It is imperative that we
continually revise our efforts to protect data systems and the
infrastructure that allow them to operate, which are ever more
entwined and dependent on one another.
Today, this review could not be any more timely. Last
month, Department of Homeland Security Secretary Tom Ridge
issued a warning of possible al Qaeda terrorist attacks to our
financial institutions, including the Prudential Financial, the
Citigroup Center Building, and the New York Stock Exchange, as
well as the International Monetary Fund and World Bank
buildings. The committee is very interested in the steps that
have been taken to protect our financial infrastructure since
the threat level was elevated to code orange for the financial
services sector in New York City, Northern New Jersey and here
in Washington, D.C.
As terrorists continue to target our economy and financial
institutions, we must ensure our financial infrastructure is
strong enough to withstand diverse types of attacks. We must
ensure that all our systems, whether financial, energy,
transportation or telecommunications, are able to operate under
extraordinary circumstances.
The committee is pleased to have with us this morning
Federal Reserve Board Chairman Mark Olson, who has been a
leader in these efforts in his role at the Fed. We also welcome
the Assistant Secretary for Financial Institutions at the
Treasury Department, Wayne Abernathy, who also serves as the
department's sector coordinator for critical infrastructure
protection. And joining us is the Assistant Secretary of
Homeland Security for Infrastructure Robert Liscouski, who is
responsible for the department's efforts to identify our
critical infrastructures and propose protective measures to
keep them safe from terrorist attacks.
Keeping our financial systems functioning and safe requires
a high degree of coordination between many different and
important parties, both public and private. The committee is
also pleased to have with us witnesses on our second panel who
are leaders in protecting critical financial services assets
from major disasters, including several individuals from the
great State of New York. These witnesses, along with others in
the private sector and the government who could not be
represented here today, are working in the field every day to
protect our financial systems.
The committee thanks all of our witnesses today for your
appearance, and we look forward to your testimony. Together, we
hope that we can ensure that our financial systems are
functioning smoothly under all circumstances and the American
people should have full confidence in the financial services
sector.
[The prepared statement of Hon. Sue W. Kelly can be found
on page 57 in the appendix.]
Mrs. Kelly. I would like to now recognize my colleague, Ms.
Maloney.
Mrs. Maloney. Thank you very much. I join you in thanking
Chairman Oxley and Ranking Member Frank and my colleague from
the great State of New York for chairing this meeting. I
welcome all of our witnesses, who include a number of
organizations that I am privileged to represent. Some of them
are my constituents.
In New York City, the heart of the nation's financial
infrastructure, we can vividly remember what it was like to
have that infrastructure damaged by terrorist attack just 3
years ago. We know very well the extraordinary lengths that
many of New York's fine institutions, some of which are
represented here today, went to ensure that the financial
markets functioned as soon as possible to protect not only the
U.S. economy, but that of the world from irreversible harm. I
do not think any of us will forget the anticipation, the
anxiety before the big boards opened up again and were there to
serve the people. These terrible events demonstrated clearly
that the protection of our financial infrastructure is
essential to the nation's financial system. Unfortunately, they
also demonstrated that we were ill-prepared for an attack on
it.
So my fundamental question today, to each of the private
sector witnesses represented today, is what would happen
differently today. My even more basic question to Treasury, the
Fed and Homeland Security is who would be in charge of the
government response. I would like to hear that there is an
established, tested and proven system of coordination and a
clear line of authority and accountability so that decisions
can be made in a prompt and informed manner, but I am not sure
that that is the case.
We have several new committees, the Financial and Banking
Information Infrastructure Committee, the Financial Service
Sector Coordinating Council, and the Financial Services
Information-Sharing and Analysis Center. But how exactly do
they work in practice? Who makes the final call? Who staffs
these committees? And who is responsible for carrying out their
decisions?
I would like to hear how our response system held up last
month when the terror level was raised for financial
institutions in New York City and elsewhere. I would also like
to hear how that system is working now to ensure a speedy and
sufficient response to the danger posed by Hurricane Frances to
the financial institutions in its path. We, this committee,
know the government is capable of a sustained and coherent
response to threats to the financial infrastructure.
As those of us who have served on this committee know, we
were prepared for the Y2K threat. There were many hearings, the
government response, and many oversight hearings. But as the
9/11 Commission reports, that effort relaxed after the millennium
passed and the government was not well coordinated nor was key
information properly shared among various agencies or with the
private sector in the months leading up to September 11.
One year after September 11, this committee asked the
General Accounting Office to report on what additional steps
had been taken to protect the financial infrastructure since
that catastrophe. The GAO report, which was the last government
report issued on this subject in February of 2003, gave
regulators and firms a mixed assessment, criticizing them for
having focused on clearing and settlement activity, to the
exclusion of trading and retail firms.
Our Oversight Committee reviewed the ground again in
October of 2003 in the context of the August 2003 blackout, and
we had the pleasure of hearing from many of our panelists
today. As a New Yorker, I am proud of the way in which the
public and private financial sectors of my city worked together
to respond to these two tremendous disasters and are continuing
to work with the federal government.
Such efforts demonstrate that our cities are prepared to
protect their financial industry and that the calls some have
made for financial institutions to create backup locations
hundreds of miles away from an urban area are totally
misguided. They can have them in a different area of the urban
area. Congress and the federal government should support the
hubs of our nation's finance by providing additional homeland
security funding to them and by assisting them in identifying
and protecting the critical elements of our financial
infrastructure that they possess.
So as we sit here today, we have recent reminders of how
crucial it is constantly to review and refine the safeguards of
our financial infrastructure. I look forward to hearing from
our witnesses what they have done to protect the physical body
of the nation's financial system from harm, and what we can do
to be of assistance in that effort.
I thank all the panelists for being here and yield back my
balance.
Mrs. Kelly. Thank you very much.
Mr. Bachus?
Mr. Bachus. I thank the Chairman.
I would say in response to what Ms. Maloney said, that of
course the structure for responding to a terrorist attack
actually was established back in 1998 by Presidential Decision
Directive 63, signed by President Clinton. Then it was refined
by Executive Order by President Bush right after 9/11. I think
that the experience that we had on 9/11, that experience was
that our financial markets are very resilient and that we were
in fact prepared for something which is almost impossible to be
prepared for, something we never faced before. But the
financial markets functioned very well, and showed a great
amount of resilience.
Despite the infrastructure damage to the World Trade towers
and actually the physical loss of the facilities, the market
operations recovered very quickly. I think we are all amazed at
how quickly they responded. I think that is very good news. The
GAO did make certain recommendations, but again a lot of what
you all focused on was because really you were directed to
focus on those things. I think all in all, clearing and
settlement, if you do not focus on those things, you have a
real problem. As far as retail firms and trading organizations,
I think since the last year and a half, and we are going to
hear from our second panel, you have done a great deal to focus
on that. I know the latest threat is what the two speakers
before are focused on, was actually car bombs or a bomb which
would take out some physical structure.
But you are actually, our first panel, you are the
designated people under the presidential directives to be in
charge, and the designated agency for our financial
institutions is the Treasury Department, working with other
organizations. So I think the underlying message ought to be
that financial institutions, our financial markets performed
very well under a tremendous attack. The market did not
recover, but that was a result of just market factors and
facing a new threat, and the facts of uncertainty in the world,
not anything to do actually with the inability of the markets
to operate.
I would also say, and I am sure that there will be a
question addressing this, there are certain things that you
have asked us to do, and one of them is the netting provisions,
which in the Congress, we passed it out of the House, but the
Senate has never taken it up. You have identified that as one
of your top priorities in case of another financial attack. So
this Congress really has failed to do some of the things that
you have said are most important.
So with that, I end my comments, but I applaud the
administration for everything they have done.
[The prepared statement of Hon. Spencer Bachus can be found
on page 50 in the appendix.]
Mrs. Kelly. Thank you very much.
Mr. Hinojosa?
Mr. Hinojosa. Thank you, Chairwoman Kelly.
I want to thank you and Ranking Member Frank for holding
this very important hearing today.
The United States needs to remain prepared for any and all
terrorist attacks following the horror that we endured on 9/11.
We need to remain vigilant to ensure that similar attacks never
happen again on U.S. soil.
As I noted during the committee's hearing on the 9/11
Commission report during the August recess, we here in the
United States need to focus on increasing the security of our
own documentation such as driver's licenses, passports, and
visas in order to prevent such terrorists from entering the
United States again. The 9/11 Commission Vice Chairman Lee
Hamilton agreed that we need to increase the security of our
own documentation and such measures should include requiring
biometric information and security features such as
fingerprints, digitized photos, holograms and serial numbers on
these types of documents, and increasing the technology with
which financial institutions can verify IDs.
Prior to 9/11, the United States consulate that required
biometric information from individuals seeking entry into the
United States was the U.S. consulate in Mexico. Such biometric
data and more is now included as part of the 12 security
features Mexico added to the matricula consular ID card in
2002. As the Washington Times noted some time ago, the updated
matricula consular ID card is more secure than many of our U.S.
documents. Perhaps we should emulate the security features
incorporated into the card as we create a new, more secure
system of documentation in the United States.
The U.S. was very lucky that the 9/11 terrorist attacks did
not completely halt the free flow of the U.S. capital markets
for very long. Granted, the New York Stock Exchange and others
closed down for a short time, and certain Federal Reserve Bank
airplanes were unable to fly for a time due to the flight
restrictions following the terrorist attacks. These Federal
Reserve flights are an integral part of the payment
clearinghouse system in the United States. Nonetheless, I was
very impressed by the ability of the New York Stock Exchange to
adapt quickly to the terrorist situation and to accommodate the
trades of so many exchanges on its own system in the days
following 9/11.
I ask that the balance of my opening statement be included,
Madam Chair.
[The prepared statement of Hon. Ruben Hinojosa can be found
on page 55 in the appendix.]
Mrs. Kelly. Of course. We would be glad to include the
opening statement of any one of the members of this committee,
and it is so moved.
Mr. Leach, have you an opening statement?
Mr. Leach. Just briefly. Just very briefly let me mention a
couple of things by perspective. As everybody in banking knows,
a century ago a famous bank robber once commented that, why do
you rob banks? You do it because that is where the money is.
But the interesting aspect about the modern financial system is
that financial institutions and trading institutions are not
where the money is. It is simply where assets are traded and
kept track of. Great violence applied to a bank; great violence
applied to a trading institution in one sense does not destroy
a lot of assets. It destroys to some degree or disrupts
tracking mechanisms, but if there is good redundancy, the
system itself can be not harmed gravely. So redundancy is
really the issue.
Secondly, I think that we ought to beware that even though
it is true that Congress has really been slacking in its
discipline in not putting forth a netting bill, which is a very
important bill and one which I have long advocated, and it is
not done largely because we have problems that related to
inter-institutional committees of jurisdiction, but hopefully
it will happen this year. But the big issue is, what happens if
there is a calamity? Here, the great aspect of perspective is
that we have had for many decades authorized an institution of
the United States Government, the Federal Reserve, to liquefy
any calamity anywhere in the world, but particularly in the
United States. So if something awful were to happen to a
financial institution, the Fed is there to make sure the system
can be sustaining.
I only say this because acts against the financial
community are acts of barbarism, but they are not acts that
bring down the American system. They are simply acts of
barbarism. Everybody in the private and public sector has to be
very concerned that we get any system that goes down, up and
running again, but that can happen. The American system will
not be affected as a country. It will simply be a disruption.
That is the way we have to work at it because we cannot
perfectly protect anybody and anything.
Let me just in conclusion say, because I tried to discount
the importance of the netting bill, let me raise its importance
again. It is really irresponsible that Congress has not acted
yet to put forth a bill that settles derivatives-type trading
instruments on an orderly basis instantaneously. We are
obligated to do that and I am hopeful that that will happen
this fall.
Thank you, Madam Chairman.
Mrs. Kelly. We turn now to Mr. Gutierrez.
Mr. Gutierrez. Good morning and thank you, Madam Chairman,
for calling this hearing on protecting our nation's financial
infrastructure. I am particularly pleased that we will be
hearing from Brian Tishuk of ChicagoFIRST, an organization
composed of Chicago's primary financial institutions that was
formed to address these various issues.
ChicagoFIRST is an excellent example of a public-private
partnership that should serve as a model for other regions. We
will be hearing in detail about the formation of the
organization, which was not an easy task. We will also hear
about their recent tabletop exercise which tested the
partnership's ability to function under the threat of a
terrorist attack. At the appropriate time, I will be asking the
Department of Homeland Security about certain matters in the
written testimony, specifically the fact that ChicagoFIRST has
discussed with DHS its interest in hardening Chicago in general
and the financial district specifically.
As part of that, ChicagoFIRST has recommended funding for
certain equipment being sought by both the City of Chicago and
ChicagoFIRST; the placement of a DHS center in Chicago; and has
asked for DHS's help in procuring security clearances for
certain financial representatives so that they can participate
more actively in the protection of the city's financial
infrastructure. These recommendations and requests have
apparently gone unheeded and no answers have been forthcoming
from Homeland Security to ChicagoFIRST. I will be asking DHS,
though it has been helpful to ChicagoFIRST, if it could take
more of an initiative to reaching out to financial centers
other than Chicago to promote regional partnerships.
I wish to thank my colleague, Congressman Emanuel, for his
request that ChicagoFIRST testify before us, and I look forward
to the testimony, as well as the testimony of the other
witnesses.
Thank you, Madam Chairman.
Mrs. Kelly. Thank you very much, Mr. Gutierrez.
Mr. Scott.
Mr. Scott. Thank you very much, Chairlady.
This is a very timely hearing, and I, like many people
across this nation, am quite worried about another possible
attack. I certainly want to thank Chairman Oxley and Ranking
Member Frank, Ms. Kelly, for holding these hearings today.
The recent warnings of attacks on financial services
targets caused no disruption to financial activity. However,
concrete Jersey barriers have multiplied around New York and
Washington. While these temporary barriers provide some
cosmetic protections against potential terrorist attacks such
as car bombs, what about suicide bombers who could very well
just be walking Wall Street or any of the streets in the area
or any of the streets in Washington, D.C., and get very close
to us, as we have seen from other places around the world?
To be prepared, to be vigilant, we need to know concretely,
what is the role of our Federal Reserve? What is the role of
our Treasury Department? How are their roles coordinated with
our basic intelligence agencies of the CIA, the FBI and the
Defense and State Departments' intelligence agencies, of what
is happening around the world in other financial capitals? I
would be very interested to hear your response in terms of our
reshuffling the deck on our intelligence operations to see if
our financial services industry's intelligence apparatus will
work better under a new general authority of an intelligence
czar.
I think further also we have to work to prevent attacks by
monitoring and by detecting terrorists. Let us take a look at
certain organized crime groups that work concretely with
terrorist organizations. I think also that we are going to have
to look at other areas, our computer systems, our
telecommunications networks, our electrical power grids, our
transportation systems, how all of those work. Also, terrorist
organizations may be targeting cities other than New York and
Washington, D.C. And maybe they may be even more likely
targets, regional financial centers like Atlanta, Chicago, San
Francisco, and Houston.
It is important that the financial infrastructure include
regional plans to address these threats. For example, federal
agents recently arrested a man from Pakistan who was
videotaping buildings in several southern cities, including my
own city of Atlanta. And other regional threats, that would be
power failures, natural disasters.
Certainly, as Congress reviews the financial services
industry's readiness to respond to attacks, we must also work
to ensure that any attacks do not cause long-term damage on
creditworthiness of innocent consumers. And then finally
looking at the world, and the impact of how, for example, a
terrorist attack on a financial center such as Tokyo or Paris
would have on our financial system, this particularly in view
of the fact that we are the world's leading financial center.
These and many other questions I look forward to examining.
I think this is a very important hearing this morning, and I
look forward to each of your testimonies.
Thank you, Madam Chair.
Mrs. Kelly. Thank you, Mr. Scott.
Without objection, all members' opening statements will be
made part of the record.
We turn now to our first panel. We have three witnesses on
our first panel: The Honorable Mark W. Olson, member of the
Board of Governors, Federal Reserve. We have the Honorable
Wayne Abernathy, Assistant Secretary of the Treasury for
Financial Institutions, Department of Treasury. And we have the
Honorable Robert Liscouski, Assistant Secretary of Homeland
Security for Infrastructure Protection.
Without objection, your written statements will be made
part of the record. You will each be recognized for a 5-minute
summary of your testimony. I am sure that all of you have
testified in front of these committees before, so I do not need
to explain the lighting system.
Mr. Olson, let us begin with you.
STATEMENT OF HON. MARK W. OLSON, MEMBER, BOARD OF GOVERNORS,
FEDERAL RESERVE SYSTEM
Mr. Olson. Thank you very much, Chairwoman Kelly. We thank
you, Ranking Member Frank, Chairman Oxley and members of the
committee for holding this hearing. I agree with all of the
members who have acknowledged that this is an important subject
and a very timely subject.
A number of questions have come up. I would be happy to
address them as the questioning goes around, but let me just
open by talking about three specific points that I would like
to highlight. First, many of you started your opening remarks
by talking about the efforts of 9/11. Of course, that was what
constituted the start of a new era for us in terms of our
recognition of both the exposure to terrorism activities and
other threats to the financial services system.
The Federal Reserve, of course, responded that day by
providing, among other things, $100 billion of liquidity into
the financial services system, as Congressman Leach alluded to
in his opening remarks. I think that the resilience of the
system at that point was demonstrated by a number of facts.
Number one, the fact that the Fed over the course of a 5-day,
in fact even a several-week period, responded in a different
way providing either liquidity or overdraft protection or
responding to changing needs as a result of the excesses of
float that were building up in some parts of the system.
We also initiated the swap lines for currencies with other
central banks, indicating the cooperation internationally that
we have been able to achieve and had achieved up to that point.
Beyond that point, the Fed then began to look at its own
resiliency. We initiated 40 different efforts to test our own
ability to provide financial services, the redundancy necessary
to provide the financial services, and the ability to sustain
operations over a period of time.
I would point out that on 9/11, the Federal Reserve Bank of
New York did not close; that last weekend with the hurricane in
Miami, the Miami Fed and Jacksonville Fed did not close. So we
have a very strong track record of being able to meet those
needs.
Beyond our own efforts, of course, an interagency team
produced a white paper involving the Fed, the Comptroller of
the Currency, and the SEC, where we identified the requirements
of the critical financial institutions in order to meet
clearing and settlement responsibilities on an ongoing basis,
and in order to meet the critical functions of the financial
services network. For each of the institutions that have been
identified, a target deadline has been set to achieve the level
of readiness which is anticipated either in 2005 or 2006,
depending on their starting points.
Additionally, and this is the point that a number of you
alluded to, there is a heightened level of cooperation among
the federal agencies and within the private sector. The
Treasury Department has been designated as the lead as sector
liaison, and we have been happy to work with them. I think the
resilience of it and the importance of it was brought out in
response to the elevation to code orange under the direction of
Homeland Security. In our judgment, that worked very well and
we achieved a state of readiness very rapidly after the
information was made available.
Indeed, Congresswoman and members of the committee, we feel
that the financial institutions sector has progressed in a very
significant way over the course of the past several years,
particularly the last 3 years, and it continues to improve. It
is a moving target, as we learn more about the potential
threat. As Congressman Scott suggested, we need to adjust as
new information is produced, and we have done so.
I would be happy to answer questions when my time comes.
[The prepared statement of Hon. Mark W. Olson can be found
on page 125 in the appendix.]
Mrs. Kelly. Thank you very much, Mr. Olson.
Mr. Abernathy.
STATEMENT OF HON. WAYNE ABERNATHY, ASSISTANT SECRETARY FOR
FINANCIAL INSTITUTIONS, U.S. DEPARTMENT OF TREASURY
Mr. Abernathy. Chairwoman Kelly, Ranking Member Frank,
members of the committee, I am pleased to tell you that the
financial services sector is in a state of advanced readiness
and preparation, and that it handled well the recent
information about terrorist targeting of specific institutions.
Customers were able to continue business as usual. While there
was concern, there was no crisis. There was no panic, but
rather activation of planned steps to mitigate exposure to
risks. I applaud our intelligence and law enforcement agencies
for obtaining this vital information and promptly sharing it
with the affected institutions.
President Bush has led the development and implementation
of an effective program to defend our country against
terrorism. Protection of our financial infrastructure is a key
element of that program and much valuable work has already been
done. That is because we have long known in general what recent
information has reaffirmed with specificity, that our financial
institutions are being targeted by our enemies. They are under
assault every day. Most of these assaults are in the nature of
electronic or cyber attacks such as computer viruses, trojans,
worms and various forms of financial fraud, including phishing
and spoofing. These assaults have progressed from computer
hackers and pranksters into theft, and now we believe on to
schemes to disrupt organizations and operations.
Some of these attacks have their sources in organized
crime. Increasingly, still more sinister actors are involved. I
do not say this to be alarmist, but rather to make the point
that our financial institutions have for some time now been
operating in a dangerous environment, and they are becoming
increasingly adept at doing so successfully. This success is a
result of careful organization and hard work by the private
sector and government agencies at all levels.
The organized government effort today is based upon a
directive from President Bush, Homeland Security Presidential
Directive 7. This is a flexible, coordinated program that works
well in marshaling resources and activities. HSPD-7 places upon
the Department of Homeland Security the central responsibility
for coordinating the overall national program. The directive
relies upon specific agencies to take the immediate lead,
ensuring that critical protection efforts will be led by
departments that have the expertise and experience. Treasury is
the lead agency for the banking and finance sector.
Nearly all of the financial infrastructure is owned by the
private sector. We work closely with the private sector through
reliance upon several organizations. Chief among these is the
Financial Services Sector Coordinating Council or FSSCC, the
chairman of which is appointed by the Treasury secretary. The
current chairman is Don Donahue, a senior officer of the
Depository Trust & Clearing Corporation in New York City. The
FSSCC is made up of entities and trade associations
representing virtually every financial institution in the
nation.
Alongside the FSSCC is the Financial Services Information-
Sharing and Analysis Center, or FS-ISAC, the chief
communications system for the sector on a wide variety of
threats and challenges. Last year, Treasury devoted $2 million
to develop and implement a plan for broadening the reach of the
FS-ISAC. In the last couple of weeks, Federal Housing Finance
Board Chairman Alicia Castaneda and I sent a joint letter to
each of the federal home loan banks encouraging them to join
the FS-ISAC. We continue to encourage all financial
institutions to sign up.
Under the sponsorship of the President's Working Group on
Financial Markets, and chaired by the Treasury, the Financial
and Banking Information Infrastructure Committee, or FBIIC,
brings together representatives of all of the federal and state
financial regulators. A cardinal rule of the FBIIC and the key
to its success and achievement over the last several years is
the principle of responsibility. The FBIIC does not try to take
over the responsibility or interfere in the work of any agency.
What the FBIIC provides is a means of coordinating efforts,
sharing best practices, pooling talents and resources,
facilitating communication, encouraging wherever possible and
cajoling where necessary.
While terrorist threats themselves are bad news, I see much
good news in our latest experience. Our antiterrorism efforts
are bearing fruit, providing valuable information that is being
applied and acted upon appropriately by the financial sector
just as soon as it is made available, without disruption or
degradation of services. The success of the collective actions
of the federal, state and local governments and the
preparedness and response of the private sector are
progressively denying terrorists their objective, their goal of
disrupting our free markets. Freedom and free markets are the
targets of the terrorists, and we are showing that we can
harness the power of free people and free institutions to
defeat the terrorists.
So in conclusion, there is much work yet to do, but
tremendous work has already been done. Our markets are deeper,
more resilient than ever before, and they are becoming more so
every day.
Thank you.
[The prepared statement of Hon. Wayne Abernathy can be
found on page 59 in the appendix.]
Mrs. Kelly. Thank you, Mr. Abernathy.
Mr. Liscouski.
STATEMENT OF ROBERT LISCOUSKI, ASSISTANT SECRETARY, INFORMATION
ANALYSIS AND INFRASTRUCTURE PROTECTION, DEPARTMENT OF HOMELAND
SECURITY
Mr. Liscouski. Good morning and thank you, Chairwoman Kelly
and Ranking Member Frank and distinguished members of the
committee. It is a pleasure to be before you this morning to
discuss the protections that we have with the financial
services sector. I am going to address some of the comments
specifically in the question-answer period, but I would like to
give an overview of where we are today in working with the
Department of Treasury and the Fed.
The Office of Infrastructure Protection specifically has
focused on monitoring and assessing threats and vulnerabilities
to all sectors, including the banking and the financial
services sector. Before I begin, I would like to recognize the
efforts of the Department of Treasury and the Fed, and commend
them for their leadership to organize and take the first steps
to protect the financial infrastructure prior to September 11.
Subsequent to the creation of the Department of Homeland
Security, the Treasury Department and the Fed have been key
partners with DHS in continuing the execution of our efforts to
protect our critical infrastructure. In preparation for
responding to threats and elevated threat levels, my office and
the directorate for which I work, IAIP, has been building and
coordinating a two-way exchange of information with the public
and private sectors. These efforts have also included building
relationships with the private sector and government entities,
as well as implementing and integrating technical and
information-sharing solutions.
The financial services sector has developed two effective
mechanisms for two-way information sharing. The Financial
Services Sector Coordinating Council, the FSSCC, as Assistant
Secretary Abernathy just described, consists of senior
representatives of major financial institutions representing a
cross-section of the financial industry. The second component,
the Financial Services Information Sharing and Analysis Center,
the FS-ISAC, provides a mechanism for gathering and analyzing
and appropriately sanitizing and subsequently disseminating
information to and from its members and the federal government.
The FS-ISAC conducts threat intelligence conference calls
periodically at the unclassified level for subscriber members.
With IAIP providing input, these calls cover physical and
cyber-threats and vulnerabilities and incidents that have
recently occurred. It includes suggestions and recommended
proactive actions that can be taken to mitigate the threats.
Sector coordinating councils and their ISACs maintain and
provide DHS with distribution lists, which allow them to
quickly disseminate threat warnings, alerts and advisories to
members of their sectors. Information provided by the sectors
is incorporated into the situational awareness picture,
together along with the intelligence community's information
and the law enforcement community concerning possible threats
to the nation's critical infrastructures.
The sectors are also capable of initiating crisis
conference calls within an hour of notification via a crisis
alert. In addition, DHS has established close working
relationships with the appropriately cleared senior sector
members such as the financial services sector to provide
classified information relevant to the threat environment.
The interconnected and interdependent nature of our
infrastructure makes our physical and cyber-assets difficult to
separate and therefore it would be ineffective and inefficient
to address them in isolation. Consequently, my office
integrates both the strategy and the tactics necessary for the
appropriate protection of the cyber, physical and people assets
in concert. In working with the infrastructure protection
office of the United States Secret Service, for example, it
recently joined forces with the Carnegie-Mellon University
Software Engineering Institute's CERT Coordination Center,
CERT/CC, in order to conduct an analysis of the insider threat.
The insider threat study is a collaborative effort to
better understand the insider activities affecting information
systems and data in critical infrastructure sectors, to include
the banking and finance sector. The insider threat study
examined incidents involving employees who intentionally
exceeded or misused an authorized level of system access that
affected the organization's data, daily business operations,
systems security, or other areas via computer. The study
focused on online behaviors and communications in which the
insiders engaged prior to the incidents.
On August 24 of this year, the first part of the report was
released to the public sector. It is referenced as the Insider
Threat Study: Illicit Cyber-Activity in the Banking and Finance
Sector. This portion of the report focused on individuals who
have had the access and perpetrated harm using information
systems in the banking and finance sector, which includes
credit unions, banks, investment firms, credit bureaus, and the
financial institutions. The findings highlighted in this area
of the report are of great benefit to the financial sector and
provided concrete examples of how insiders accomplish their
activities and offered suggestions on what security and policy
procedures might deter or prevent future activity.
I would like to discuss now the latest series of threats
against U.S. financial institutions spurred by ongoing concerns
over al Qaeda's interest in targeting U.S. critical
infrastructure, as well as recent intelligence revelations of
detailed reconnaissance of several U.S. financial institutions.
The level and specificity of information found was alarming,
prompting DHS to recommend raising the threat level of orange
for the financial services sector in New York, Northern New
Jersey and Washington, D.C. on August 1. This was the first
time the level had been changed for an individual sector and
geographic-specific location.
In response to the heightened threat level, IAIP acted on
several fronts in coordination with Treasury and Fed to address
the threat. Conference calls were arranged between DHS,
industry leaders, chief security officers, state and homeland
security officials, and local law enforcement officials, and
with numerous financial institutions. Our relationship and
communications with the private sector security leadership for
the affected institutions particularly were key to our overall
approach on how to effectively manage the threat situation.
We provided immediate alerts to the financial sector
regarding the threat and we continued to work with the industry
to ensure that all targeted financial institutions were
individually briefed. IAIP coordinated with federal, state and
local law enforcement entities to ensure that the appropriate
information was exchanged between government and the private
sector.
We also polled the various financial institutions to
determine what additional protective measures were needed for
implementation as a result of the heightened alert period. We
dispatched personnel immediately to the facilities in
Washington, New York and Northern New Jersey to conduct site-
assist visits, which would evaluate the recommended security
measures in collaboration with local law enforcement officials
and asset-owners and operators to ensure that the appropriate
vulnerabilities were identified and remediation measures were
taken.
In addition to the site-assist visits, IAIP personnel have
been working with the individual facilities and local law
enforcement to create buffer zones around the most critical
facilities. These are community-based efforts focused on
rapidly reducing vulnerabilities outside the fence of an
institution or facility to select critical infrastructure
components in key resources. We work closely with the law
enforcement community and the private sector to ensure that
these plans and implementation strategies are effective and
efficient.
As I have discussed with you today, IAIP has taken many
actions to secure the financial services sector, in partnership
with Treasury and the Fed, and we have laid a foundation for a
true partnership with the public and private sector. Based on
this foundation, with continued dedication we will continue to
work to protect the nation's critical infrastructure.
Thank you for the opportunity today and look forward to
your questions.
[The prepared statement of Robert Liscouski can be found on
page 109 in the appendix.]
Mrs. Kelly. Thank you very much, Mr. Liscouski.
I would like to ask you about a question you just brought
up. Mr. Liscouski, you mentioned the Carnegie study, and you
talked about the insider threat. My first question, does it
make any difference? You talked earlier about the department
working with financial institutions and software companies to
identify vulnerabilities and to design enhanced software
assurance practices. Does it make any difference if these
vulnerabilities are international or if they are home-grown?
Mr. Liscouski. The concern you raise is a valid one,
particularly because of the way software is deployed throughout
our critical infrastructure at-large and particularly in the
banking and finance sector. Let me just preface my remarks by
saying a holistic security program has to consider all elements
of security. So it is a physical security approach, cyber as
well as personnel security. The software assurance practices
that you are discussing also include insurance that software is
developed and engineered to the appropriate specs and standards
and there are quality assurance conducted on software before it
is shipped out.
So when we talk about internationally developed software or
that which is outsourced internationally versus that which is
developed here in the United States, the first point in
securing an institution, whether it be a banking institution or
other critical infrastructure component, is to ensure that the
appropriate procedures and mechanisms, the people and process
part of the security approach, is taken.
We cannot take a slice of that pie and examine it
independently for its vulnerabilities without examining the
interdependencies of the entire process. So we alleviate those
concerns by assuring that best practices are followed within
institutions, within critical infrastructure components, and
good policies and procedures and security practices are set up,
so we can mitigate the potential effects of any software
vulnerability, irrespective of whether it is internationally
developed or developed by an international company abroad or
domestically.
So the insider threat study looks at ways that those
exploits could be manifested or can be exploited, and it looks
at ways that security procedures and processes can be put in
place to help mitigate that risk.
Mrs. Kelly. What recommendations did the study make? Have
you additional recommendations? Would you care to share that
with the committee?
Mr. Liscouski. Yes, ma'am. I would refer to the report
specifically. I apologize for not having a copy in front of me,
but my recollection of the report, and I can validate this in
writing to you later, it did not specifically address software
development in the context of insider threat. It looked more
from the perspective of the insider threat as a trusted user on
a system, and therefore someone who potentially could abuse
their trusted access internally to an organization.
So in the context of that part of the study, there were a
variety of recommendations made for procedures and policies
which would limit a person's access, but yet balancing the need
for conducting business. So it focused on behavioral aspects of
insiders that might foretell that there was a problem, as well
as recommended policies that could help mitigate those threats.
Mrs. Kelly. Thank you. I want to ask one other question of
you, sir. What sorts of warning signs should financial
institutions be looking for in the case of both physical and
cyber attacks? Are there warning signs out there that these
institutions should be looking for?
Mr. Liscouski. Yes, ma'am. I think this past month, in
August and the end of July when we received the threat
information is a good indicator or a good example of how those
warning signs can be manifested. What we learned from the
casing reports that were exploited from the information we
received that resulted in the threat warning going up was that
there is oftentimes detailed surveillance occurring at
financial institutions and other critical infrastructure
components which are observable behaviors. And subsequently, as
we have indicated, these precursors or pre-incident indicators
of terrorist activity resulting in surveillance, anomalous
types of activities that can be observed need to be
communicated.
So what the lesson from that was that that information was
shared with the private sector, the banking institutions in
this case and the financial institutions, to be shared with
their security personnel, and those folks were in a position to
observe anomalous behavior and report that back. So the types
of attacks that we are concerned about in this particular case
were typically kinetic or bombing types of attacks, those which
would require a breach of a perimeter and some sort of pre-
operational surveillance to identify the vulnerabilities of a
particular institution. Those things are all observable, and if
they are observed and reported, we can get an indication of
what is occurring pre-incident, just as an example of something
that was shared.
Mrs. Kelly. You looked at bombing attacks, did you say, but
you have also looked at the cyber-threats. So you have looked
at both sides of what is happening.
Mr. Liscouski. That is correct. In the context of the
recent threat, the job of my office is precisely looking at the
nexus of all threats, irrespective of if they seem to be
dominated by a physical threat as in this case initially. We
take a very detailed look at the cyber-environment to see if
there is any activity that would indicate that a specific
institution is being targeted as a result of various types of
probing. So we consider all the threats, either cyber or
physical or the people aspect of it, in concert when we get
threat information.
In this particular case, we had no evidence that there was
a cyber-threat manifesting itself in the context of this
particular physical threat.
Mrs. Kelly. Thank you very much.
My time is up. We turn now to Ms. Maloney.
Mrs. Maloney. I would like to ask the Fed, Honorable Mark
Olson, the white paper you discussed focuses on clearing and
settlement. Are you planning a companion piece focusing on the
areas that the GAO noted were left out? They cited trading and
retail firms.
Mr. Olson. A number of things have happened since the GAO
study, or at least concurrent with the GAO study. Primarily
among those was the release of an FFIEC best practices, that
focused on those issues. So in addition to the clearing and
settlement, there has been an internal effort within the
regulatory agencies focused on the trading platforms and the
retail platforms.
Mrs. Maloney. I would like to ask the Homeland Security
Assistant Secretary, Robert Liscouski, I understand that we
were lucky in that the targets identified in the recent terror
alert were not facilities whose destruction would pose a
systemic risk to our financial structure. Rather, they were
highly visible targets whose destruction would likely cause a
large loss of life and have a symbolic value of attacking some
of the most successful institutions in our financial services.
As you know, many of those targets are in cities. I would
like to say that, especially New York City was cited in the
last terrorist threat. Even worse, I believe, is that the
facilities whose destruction would pose a systemic risk to our
financial infrastructure are also largely located in major
cities like the one I am privileged to represent, New York
City.
My question is, how does this square with a formula for
funding homeland security protections under which, to give one
example, New York, according to the congressional survey, CRS
report, ranks number 35? Yet in our area, certainly financial
infrastructure, both the systemic structures that could cause
disruption to our services, and certainly the ones that even
the terrorists cite that are symbolic, are in New York City and
other large places. So I wonder why this is happening? I
commissioned a CRS study myself which showed that New York City
has gotten about 30 cents per person for every dollar, and
other states have received much, much more.
So just focusing on the infrastructure of our financial
services, it seems incredibly unfair that New York City, which
is cited by terrorists and also cited in intelligence
briefings, is having the systemic structure that could really
permit damage.
Mr. Liscouski. Ma'am, I am not familiar with the results of
the study you cited. I would be happy to get back to you with
the exact dollars that have been distributed to New York City.
I do not have that in my data here. I can tell you I am working
with the New York City Police Department and the homeland
security adviser in New York, as well as the private sector
institutions. They have a very robust capability to respond to
that threat.
As you well know, recently with the most recent threat
situation we had in New York, the Department of Homeland
Security as well as the New York City Police Department and the
state police in New York responded very aggressively and very
robustly to that particular threat. They were not impeded at
all. We work very closely with the city in providing the
appropriate level of resources they need to supplant their
efforts. Again, I will get back to you in writing if you
prefer, to respond to the exact dollar figures that have been
provided. I just do not have that information.
Mrs. Maloney. Even the 9/11 Commission report noted that
the funding formulas for high-threat homeland security, they
called it ``pork barrel'' politics, and certainly it should be
based on need. I would appreciate your getting back to me.
Mrs. Kelly. Thank you very much. Ms. Maloney, your time is
up.
Mrs. Maloney. The light is not red yet.
Mrs. Kelly. Oh, I am sorry. I thought it was.
Mrs. Maloney. Okay. I would like to ask Mr. Olson, did the
events of 9/11 reveal a need for either new powers for the Fed
or a need for new arrangements with the private sector, for
example, foreign banks?
Mr. Olson. Clearly, Congresswoman, we recognized that
following 9/11 one of the most important things that we needed
to have happen is that the Fed needed to be designated as an
enforcement agency. That was accomplished in the Patriot Act.
Congress responded very rapidly to that important need.
I think the response to 9/11 suggested to us is that there
was a need to consider the risks at a level at which we had
never considered them before, which is exactly what your
opening series of questions was designed to get at, the most
chilling of which was up to that point most business continuity
plans were made presuming that the people would still be there.
Post 9/11, that was the one thing that changed and the one
thing that was different, and the one thing that we now
anticipate seeing both from our own perspective and when we
examine financial institutions.
The Chairman. [Presiding.] The gentlelady's time has
expired.
The gentlelady from Illinois, Ms. Biggert.
Mrs. Biggert. Thank you very much, Mr. Chairman, and thank
you members of the panel for your testimony and efforts to help
America's financial sector prepare to withstand catastrophic
events.
I am going to address my first question to Mr. Liscouski. I
also am from Illinois, as the Chairman just said, and we do
have concerns here about ChicagoFIRST. We will hear testimony
later, so I do not want to say too much about it. I am
concerned, and I would like to ask you what the Department of
Homeland Security is doing to promote and encourage the
infrastructure preparedness in the financial service sector,
particularly with ChicagoFIRST, which was a group formed by the
financial sector in Chicago in the outlying areas after
September 11.
I think the achievements that they have found in a regional
way that they have to really have at their tabletop to have 27
financial institutions serving the City of Chicago, all of the
agencies, the Federal Bureau of Investigation, Federal Deposit
Insurance Corporation, FEMA, financial and banking information
infrastructure.
What seemed to be missing there with all of these agencies
was really the Department of Homeland Security stepping up to
the plate and really being there for that, and to see how that
works. Because I think that we see this as a model that can be
used across the country. It seems that there has not been much
support from the Department of Homeland Security.
Mr. Liscouski. Congresswoman, thank you for your question.
Actually, I would like to just add some more context to that,
because I believe that since we have started up we have
provided a lot of support to the financial sector, and
particularly to the Chicago Mercantile Exchange and others
where we have done tabletop exercises. So I think maybe a lack
of initial visible support was just a function of the way we
were starting up our organization.
Since that time, in the past year and a half, we have been
working very closely with the sectors, particularly in the
Chicago area. I think at the first tabletop, ChicagoFIRST was
just standing up, so it might have been a little bit too early
at that point. I can give you more details on that. But as you
well know, working with Treasury and other members of the
financial sector, we stood up at the Financial Services ISAC to
conduct a number of tabletop exercises, all geared at the
financial sector. We broadened the financial sector's tabletop
exercises to not just include the cyber aspects, but now
physical aspects. We are taking that on the road so we now can
do more interdependent sector-type of tabletop exercises, just
not uniquely those positioned for the financial services
sector.
We are working very closely with the U.S. Secret Service,
which is part of DHS as you well know. We have a very close
working relationship with the investigative division of the
U.S. Secret Service in remediating and working real-time on
investigations and identifying various vulnerabilities in the
financial sector, and quickly remediating those vulnerabilities
in a virtual sense, working with banks and other financial
institutions as they are found.
So while we have been building up our processes within DHS,
I would remind you we have been around for about a year-and-a-
half now. My department really was something that came up
virtually with very little infrastructure of its own. As we
have been building it and building partnerships, I think we
have a very effective and very good story to tell there. So as
I pointed out, we are funding many different types. These
tabletop exercises are a prime way for us to be able to ensure
that we have best practices and effective measures for
protection of the financial sector.
ChicagoFIRST has been on our list now to work with. We
understand that there is a request for some financing outside
the FS-ISAC. We are working with them to examine that, maybe
not as quickly as they would like at this point, but as in all
things they do take some time, so we are examining those
opportunities. I would suggest to you that we will find ways
that we continue to work with the financial sector.
Mrs. Biggert. I know that the testimony in the next panel
will address those issues and say that they really have
received no communication from the department as far as their
inquiries into the funding, into procuring security clearances
for key financial representatives, so that there can be a
deeper collaboration. It seems to me that this does seem to be
a real model, and I would hope that you would work closely with
them and use them.
Mr. Liscouski. Sure. I will take that under advisement and
I will look into that specifically and get back to you. Thank
you.
Mrs. Biggert. All right. Thank you.
And then Mr. Abernathy, certainly the Department of
Treasury has been involved with ChicagoFIRST, too. Could you
tell me a little bit about how you have worked with the
ChicagoFIRST?
Mr. Abernathy. We certainly agree with you, Congresswoman
Biggert, that ChicagoFIRST is a model to be taken around the
country. We were involved with the ChicagoFIRST from its
beginnings. In fact, one of my senior staffers is currently the
head of ChicagoFIRST, Brian Tishuk. He was very much involved
when he was working for Treasury in helping to get ChicagoFIRST
organized.
But I want to give the chief credit to the financial
community in Chicago that came together and realized that they
have some very important national financial assets in that city
that need protecting, and the best way to protect them is to
coordinate efforts, to team up and to recognize that when it
comes to protecting the financial infrastructure, it is not a
matter of competition. It is a matter of coordination and
cooperation.
What we are now in the process of doing is working together
with the Financial Services Roundtable's BITS organization,
another industry-coordinating organization, to document how
ChicagoFIRST was put together, how it works, and put together
what we call a cook book that we would then like to take to the
other financial centers around the country and have them apply
it as appropriate in those cities.
Mrs. Biggert. Thank you very much. I yield back, Mr.
Chairman.
The Chairman. The gentlelady yields back.
The gentleman from Georgia, Mr. Scott.
Mr. Scott. Thank you very much, Chairman Oxley.
I have a couple of questions. First Governor Olson, in your
testimony you stated that vulnerabilities continue to pose
challenges to the financial system and that sound practices
will be able to help recover from a widescale disruption. Yet
you mention that sound practices addresses only recovery, and
not prevention of a terrorist attack. I would like for you to
talk about that for a moment, and particularly answer this
question in light of that. Is the Federal Reserve currently
involved with providing information or sharing information with
law enforcement agencies to help prevent attack? What is the
Federal Reserve doing in working with our other intelligence
agencies to prevent the attack? Answer that one first.
Mr. Olson. Sure. It is an excellent question and it gets to
the heart of what we spend a great deal of our time doing. In
the post-9/11 era, we in particular have strengthened the
resiliency. We have increased our focus on prevention. We begin
with a premise that our number one priority is our people, so
you cannot focus on your people without focusing primarily on
prevention. So what we have done is we have looked at our
perimeter security, and we have significantly upgraded both the
quality and the quantity of our protection force, not simply at
the Fed in Washington, but also throughout the Federal Reserve
System.
We have increased our communication with law enforcement
agencies and with other governmental agencies. We have
monitored information carefully. The reason I bring that point
up is because when we reviewed the information that was
intercepted in the last several months, we have discovered how
much information that was intercepted was information that was
already on the public record. So we choose not to be real
specific in a public forum. But you and other members of this
committee are entitled to a lot more information on what we are
doing, and we would be very happy to provide a private briefing
for you on what we are doing in that area, because your
questions are right on point. Much of what we are doing,
particularly in the way of perimeter security, is involved in
protection.
Mr. Scott. Thank you very much. I would be interested in
that other detail.
Mr. Olson. I have one more follow-up, because I would be
remiss if I do not speak to it. The telecommunications area is
one that we are still working on because of the interdependency
of both the financial institutions and the interconnectivity
among the private sector telecommunication companies. We are
working jointly with that industry to try to assure a greater
protective capability, but that is a subject which we will
continue to focus on and hopefully the Congress will too.
Mr. Scott. Thank you, Governor.
Assistant Secretary Abernathy, in your testimony you said
that most of the assaults on our nation's financial
institutions are cyber attacks, computer viruses and organized
crime. Could you share with this committee how those three
areas impact our readiness for these terrorist attacks,
organized crime, cyber attacks and computer viruses? And have
you seen any evidence that terrorists have been sophisticated
enough to mimic these types of attack? And how are they
coordinating it, especially with organized crime?
Mr. Abernathy. Congressman, you have zeroed in on what I
think is probably the number one area of concern and effort in
terms of responding to existing vulnerabilities. We have done a
good job as far as I think can be done with regard to the
physical security. But with regard to the danger to the
systems, the question is, what are the vulnerabilities to these
cyber-attacks? As I mention in my testimony, we have seen them
evolve from the pranksters into organized crime, and now we are
beginning to see what we think is a pattern suggesting that it
is going beyond organized crime to perhaps terrorists or others
that are not interested in stealing the money so much as trying
to keep the systems from operating.
We have been working very carefully with the financial
institutions themselves, as well as the computer experts, the
makers of software, the designers of the hardware, and the
designers of the systems, to create a more resilient system to
respond to those kinds of cyber-attacks that might occur.
Mr. Scott. When you say ``organized crime,'' are we talking
about American organized crime? Are we talking about
international organized crime?
Mr. Abernathy. It is both, sir. Now, American organized
crime, but one that is particularly difficult to deal with is
organized crime that originates from a foreign country. That is
something that we have seen on the significant increase in
recent months.
Mr. Scott. Okay. My last point was, if I could Mr.
Chairman, very quickly, you also stated, Mr. Abernathy, that
you sent a letter to the federal home loan banks to ask that
they join the Financial Services Information Sharing and
Analysis Center. Have you heard from these banks? If so, what
have they said?
Mr. Abernathy. We have just recently sent the letter, so as
we expect it takes time for them to process and make the
decisions. We have asked the FS-ISAC, the financial services
organization itself, to make the direct contacts to these banks
and to ask them, you have heard from the secretary, the
assistant secretary; you have heard from the chairman of the
Federal Housing Finance Board; are you ready to sign on. We are
very hopeful that they will, but we have not had any takers yet
to this point, but it is still early.
Mr. Scott. Thank you.
Thank you for your generosity, Mr. Chairman.
The Chairman. The gentleman's time has expired.
The gentleman from Iowa, Mr. Leach.
Mr. Leach. I am just trying to put a sense of perspective
in what you are saying. It is impressive to me that a couple of
words have come up. One is resiliency of institutions; another
is redundancy of systems. It strikes me that the two R's are
probably the most important concepts.
Just in terms of defense of our systems, I think we have to
make it clear that decapitation does not bring us down. That
is, loss of life, as Mr. Olson mentioned, is something that we
are prepared to deal with in terms of how we proceed in the
future.
My concern is that we have a dual circumstance, resiliency
and redundancy in the private sector. We also have it in the
public sector. In an emergency, the Fed is the center point. So
I would like to ask Mr. Olson, are you confident of the Fed's
resiliency and the Fed's redundancy of systems? While it was
not designed for this purpose, does the fact that you have
regional institutions magnify your strengths? Is
decentralization also a systemic strength?
Mr. Olson. Let me answer your questions in the reverse
order of the one in which you asked them. In terms of the
dispersal, the fact that we have Fed systems throughout the
country is indeed part of our strength. It is part of our
strength in terms of its role in monetary policy, but it also
provides us with a physical diversity that is very important
for us, while we are assuring both the resiliency and the
redundancy. It meant that in many cases our ability to provide
backup or partnering, the capability, the facilities were
already there to do so. So that is particularly important.
In terms of our ability to meet future circumstances as
they unfold, I think that the best way to respond to that is
evaluating the manner in which we have responded in the past,
for example to 9/11. I think the fact that the banking system
did not close; that at no point in time did any customer even
in Manhattan not have access to their personal financial
information. Now, they might not have had access to the
information at the branch or the ATM where they were accustomed
to having it, but it was available because of the resiliency of
the system and because of the large numbers of systems.
So I would say we are cautiously confident. That is not a
subject that we would ever take for granted.
Mr. Leach. Is there such a thing as a Fed in a mountain?
[Laughter.]
Mr. Olson. I am not sure what you are asking me.
Mr. Leach. What I am saying is, do you have a second
Federal Reserve headquarters?
Mr. Olson. Oh. Could I get back to you on that on a private
basis?
Mr. Leach. Of course, fair enough.
Mr. Olson. As with Congressman Scott, these are important
questions that we would be happy to provide that information
for you in another setting.
Mr. Leach. Fair enough. Just one final, just to be very
precise, the subject of Congress's approach to a possible bill
on netting has been raised and addressed. I am correct in
assuming that as Chairman Greenspan indicated in the last
hearing, the Federal Reserve strongly supports a netting bill.
Is that correct?
Mr. Olson. Very much so. We appreciate your support and the
support of the other members of this committee who have
indicated their support for moving that bill. That would be a
very important step forward, we believe.
Mr. Leach. Treasury concurs?
Mr. Abernathy. Yes, sir. We would like to see that enacted
either as part of the bankruptcy legislation or as free-
standing legislation. It is very important.
Mr. Leach. And our third witness, you would concur on that
as well? Thank you.
Thank you, Mr. Chairman.
The Chairman. The gentleman's time has expired.
The gentleman from North Carolina, Mr. Miller.
Mr. Miller of North Carolina. Thank you, Mr. Chairman.
My questions are about private sector preparedness and what
we are doing to encourage it. The 9/11 Commission devoted a
page to the topic. They pointed out that 85 percent of the
critical infrastructure was in private sector hands. They said
that they had encouraged the American National Standards
Institute, ANSI, a very well respected industry group, to
develop and promulgate national standards for preparedness,
convening safety, security, business community experts, and to
develop a voluntary national preparedness standard.
Mr. Liscouski, do you agree that those standards should be
voluntary? Should there be some force of law behind them? Let
me first disagree to some extent with Mr. Leach, who said that
he thought an attack on our financial institutions would be an
act of barbarism, but not something that would bring our system
down. It strikes me that a serious disruption in our financial
institutions could have a catastrophic effect on our economy.
Do you agree, first of all, that the risk is grave to our
economy generally? And then second, that whatever standards we
come up with, what we think the private sector should be doing,
should be voluntary, as opposed to having some force of law
behind it?
Mr. Liscouski. Congressman Miller, I do not want to take
this out of context, but I believe the statement regarding the
catastrophic effect of the attack was the concern about the
most recent threat.
Mr. Miller of North Carolina. I was not referring to
anybody else's testimony, then. I was talking about my own
perception. I have attended a hearing on the Science Committee
about the loss or disruption of the electrical grid. If that
happened, the ripple effect through our economy could be very,
very serious. It strikes me that the same thing is true in the
financial services sector. If American business cannot get
access to money, they cannot pay their bills, they cannot make
payroll, they cannot buy materials. The people they do business
with are not getting paid, and on and on. The possible loss
there is serious. Do you not agree with that?
Mr. Liscouski. Of course. In the broad context of what the
overall catastrophic effect could be on the financial services
in general, yes, that is exactly the type of thing we look at
from the consequence-of-loss perspective. We always look at the
consequence of loss when we are looking at sectors and
vulnerabilities.
Mr. Miller of North Carolina. Okay. How about the
voluntariness? Do you think it should be voluntary or do you
think there should be some force of law behind the standards
that ANSI has promulgated, that the 9/11 Commission has said
need to be abided by American business?
Mr. Liscouski. I just want to conclude my previous comment
by saying that we have yet to see, however, anything that would
manifest itself in terms of a threat that would be at that
catastrophic loss level. With respect to standards and
regulation, as you well know the financial industry is fairly
well regulated now. The standards that are imposed by the
regulation in many cases adequately address the requirements
to meet the specific threats that we are operating against.
I think in a general sense with respect to standards, we
are looking to establish best practices and guidelines
throughout the community, all the critical infrastructure
components, to ensure that we get good compliance and practices
to respond to various types of threat scenarios against which
we are operating. Whether it be ANSI, we are currently working
with the American Society of Mechanical Engineers to develop
ways to bake into business processes for best practices. It is
at that level that we think we can have the most benefit to
affect the outcome of security for the long term.
I think the challenge in terms of looking at regulation or
standards to remediate against a current threat, and they can
never happen quickly enough. I think the best efforts we can
make are looking for long-term systemic changes in business
practices and security practices for the industry is
irrespective in the financial sector across critical
infrastructure. My office in particular in working with the
private sector to ensure that we take that approach.
The one thing we have to be very careful of is that there
is not a one-size-fits-all standard. We have to be careful
about ensuring that when we look at it.
Mr. Miller of North Carolina. I am not sure I got an answer
to my basic question of what should be behind it other than a
hope for goodwill.
Mr. Abernathy, in your testimony you said the FBIIC will
also try to share best practices, encouraging whenever
possible, cajoling where necessary. That strikes me as a fairly
limited range of options. First, we are going to encourage you,
and if you do not do right, we are going to ratchet up and
cajole you. I am not sure the prospect of being cajoled is
going to strike fear in the hearts of a lot of folks. Is that
your whole range of options, to encourage compliance with best
practices or standards or whatever you call it?
Mr. Abernathy. Let me explain the context. The cajoling and
encouraging is with regard to the federal and state regulatory
agencies themselves. We do not have any enforcement authority
with regard to the Securities and Exchange Commission, but the
Securities and Exchange Commission, for example, has very
significant authorities with regard to the entities that they
supervise.
So when it comes to the encouraging and cajoling, it is
making sure that the banking regulators, including the Fed, the
SEC and other banking regulators are using their authorities to
make sure that the financial institutions themselves are
applying their regulatory powers and employing the kinds of
best practices that you talk about, what the various standards
are, to make sure that they are able to continue to provide the
services that they are chartered to provide.
So the enforcement tools are in the hands of the
regulators. The job of the FBIIC is to make sure that the
regulators are using and applying those enforcement tools.
The Chairman. The gentleman's time has expired.
The gentleman from Alabama, Mr. Bachus.
Mr. Bachus. Thank you, Mr. Chairman.
Governor Olson, I want to commend you. We talked about
netting earlier, and I want to commend you and the Fed because
Chairman Greenspan in some testimony before the Congress
recently talked about how important the netting provisions
were. So I hope the Senate gets the message, and we are able to
include that in some legislation.
Mr. Olson. We thank the members of this committee that have
been supportive in that effort. We agree that it is important.
Mr. Bachus. I would take this time just to say again that,
Chairman Oxley, before 9/11 took steps which I think this
committee, working with the regulators, to ensure that our
financial institutions and our markets did go through 9/11 I
think in an exemplary way.
My two questions I am going to ask are for Assistant
Secretary Abernathy. You mentioned that $2 million that
Treasury spent on the Financial Services Information Sharing
and Analysis Center.
Mr. Abernathy. Yes, sir.
Mr. Bachus. Can you tell me about what Treasury's
commitment is to that center, which was formed actually by
Executive Order?
Mr. Abernathy. The center itself was formed in 1999, if I
am not mistaken.
Mr. Bachus. Or 1998, by a presidential decision.
Mr. Abernathy. Yes. It was actually formed by the private
sector pursuant to encouragement from the federal government,
but it is a privately created and organized entity. What we did
was in recent years, we looked at that entity that originally
had a very narrow focus, coordinating the largest financial
institutions. In visiting with them, we said in order to do
your job you need to be able to reach all of the financial
institutions. Of course, their response was, how do we do it?
So we funded a consulting group to look at just how you can
expand the FS-ISAC and have it self-supporting. The FS-ISAC
does not receive any operating funds from the federal
government and we wanted to have a system that was sustainable
by being funded by its members exclusively. We have come up
with a plan and a reorganization that we believe is working and
is moving forward very well.
Mr. Bachus. What are your plans in regard to the future of
the center?
Mr. Abernathy. It is to continue to have it develop as the
central means of coordinating information among the whole
financial sector. To demonstrate just how flexible it is, we
have various levels of communication that are available on the
FS-ISAC. There are first of all threat announcements that go
out to everybody, but it is also a platform where specific
segments of the financial sector can get together and
communicate with one another on important critical
infrastructure problems, and we are seeing already a number of
efforts to do that and to use that as the platform for it.
Mr. Bachus. Okay. Treasury provides critical financial
services that need protection every day, like daily check
forecasts and cash forecasts and collection and disbursement of
federal funds or federal monies, conducting Treasury auctions,
things of that nature. What are you doing to see that these
important functions are somewhat insulated against potential
threats?
Mr. Abernathy. You are absolutely right, Congressman.
Besides being the chairman of these coordinating roles,
Treasury itself has important roles in the financial system,
particularly with regard to the movement of all the federal
money, both the money that is coming in and then the money that
is disbursed to pay all the bills and all of the checks. We
frequently work with that element of Treasury in those
particular bureaus to make sure that they have those two words
that Congressman Leach talked about, resilient and redundant
operations in place. We feel very confident that Treasury has
those not only established, but we test them frequently.
Mr. Bachus. All right. I have no further questions. I would
like to say for the record, I think this is correct, the PDD-63
which President Clinton authorized and it was amended by
Executive Order, but I think that mandated that the center be
established. I could be wrong, but I am pretty sure that that
would make sense because that was 1998, and if it was created
in 1999.
Mr. Abernathy. Yes, I believe that is right. What I wanted
to emphasize, though, is that it is a privately owned entity
and we think it derives a lot of strength because of that,
fostered by government, if you will, and encouraged, and it is
built into a network of other ISACs. But its strength comes
from the fact that it is owned and governed by the private
sector.
Mr. Bachus. Right. And I think we will see that in the
second group of panelists who are some of the stakeholders or
participants.
The Chairman. The gentleman's time has expired.
The Chair would announce we have about 8 minutes left on
two floor votes. I would ask the gentleman from New York if he
would be brief.
Mr. Ackerman. Brief.
The Chairman. That was the word I was looking for. The
gentleman from New York.
Mr. Ackerman. Yesterday, the nation received very startling
information from the Vice President of the United States. He
contended that if he were not reelected, together with the
President, and the Democrats instead were elected, that
hundreds of thousands of Americans would be killed in a
terrorist attack. I would like to know if that is a bunch of
political hyperbole, or in the hard work that you have been
doing at the Federal Reserve, at the Treasury Department, at
Homeland Security, you have come across any information
whatsoever, over the transom, rumors, chatter, or anything else
that would indicate that there is any validity or truth to what
the Vice President says.
Mr. Olson. Speaking on behalf of the Fed, that is above my
pay grade, Congressman. I do not have access to the information
to answer it.
Mr. Ackerman. So you have seen no information that that is
true?
Mr. Olson. I would say that the question is above my pay
grade. I have not addressed the question.
Mr. Abernathy. Congressman, I did not see the comments so I
would not want to comment on it for my own. I will just add
that we see constantly, as I have pointed out in my testimony,
that the financial services sector is under assault every
single day.
Mr. Ackerman. Nothing to do with Democrats?
Mr. Abernathy. As far as I can tell, it is a continuous
assault that is not letting up in intensity.
Mr. Ackerman. Under a Republican administration.
Mr. Abernathy. This has been in place now happening for
numbers of years.
Mr. Ackerman. But there is no indication that it is
politically biased. Okay.
Mr. Abernathy. Nothing that I have seen.
Mr. Ackerman. And Homeland Security?
Mr. Liscouski. I think my colleagues have perfectly
addressed the question, sir. Thank you.
Mr. Ackerman. Has anybody made contingency plans just in
case the Democrats are elected, in any of your agencies?
[Laughter.]
The Chairman. I have made some contingency plans.
[Laughter.]
Mr. Ackerman. I do not mean about your future personally. I
thank the panel and I thank the Chairman for his indulgence.
The Chairman. Thank you.
Ms. Lee?
Ms. Lee. Thank you, Mr. Chairman.
Very quickly, let me just thank you again for being here. I
come from the San Francisco Bay Area, and of course we are very
concerned not only from attacks and vulnerabilities as it
relates to natural disasters, but of course as it relates to
vulnerabilities from terrorism.
I would just like to know what, as you see it in terms of
the Bay Area, in terms of financial institutions, because many
of the top financial institutions are in the San Francisco Bay
Area, what do you see as some of the vulnerabilities?
What do you recommend, especially Mr. Liscouski, in terms
of the coordination between federal, state and local officials
in terms of the San Francisco Bay Area?
Mr. Liscouski. Without getting into the specifics of the
protective measures and the vulnerabilities, it is probably not
appropriate for this forum, but I think I can talk generally
speaking with respect to our coordination with state and local
officials. We work very closely with the Homeland Security
officials in California, and specifically the local officials
in San Francisco, and routinely.
I would be happy to provide to you a separate reporting as
far as what specific measures we have taken, again just out of
deference for the type of information we are talking about.
Ms. Lee. Thank you.
Assistant Secretary Abernathy, what do you identify or have
you looked at some of the greatest vulnerabilities facing San
Francisco's financial district? Is that part of the overall
planning that you have done?
Mr. Abernathy. One of the things that we do on a constant
basis is trying to identify what are the key critical elements
of the financial infrastructure; what their vulnerabilities are
and then how we can address those. Certainly, we look at
wherever they are. They are not located all in New York City.
Some are there, and some are in other parts of the country.
Financial services are extremely important to the economy of
San Francisco and from San Francisco a lot of important
financial services are provided throughout the nation.
One of the things that we think will be of great help to
San Francisco and other money centers around the country is, as
I mentioned, this cook book that we are putting together of
looking at the ChicagoFIRST model and providing that to
financial centers around the country and encouraging them to
develop appropriate coordinating efforts in their cities as
well.
The Chairman. The gentlelady's time has expired. We have to
go to vote.
Ms. Lee. Okay. We have to go.
The Chairman. I want to just take the Chair's prerogative
to ask Mr. Abernathy the status of TRIA, and just a few
comments, then we have to close this down.
Mr. Abernathy. Certainly, Mr. Chairman. We are progressing
as the law has outlined for us an analysis of how the Act is
performing. We put in place, as I think we mentioned here
previously, a very meticulous, sequenced data collection
exercise so we could see just what is happening on the ground.
The Chairman. As required in the Act.
Mr. Abernathy. As required in the Act. We just received the
most recent collection of data from insurance providers. We are
also looking at developments not only here in the United
States, but there is a very interesting development with
connection to the Olympic Games.
There we had some very prominent activities that had
absolutely no government support at all that were able to find
terrorism risk insurance. We are looking at that example to see
what it tells us with regard to the availability of the
products.
The Chairman. I thank all of you, and this panel is
dismissed. The committee stands in recess until 12 noon.
[Recess.]
Mrs. Kelly. [Presiding.] We welcome our second panel today.
We have Mr. Robert G. Britz, president and co-chief operating
officer of the New York Stock Exchange; Mr. John Mohr, chief
operating officer, New York Clearing House; Mr. Wilton Dolloff,
executive vice president, operations and technology, Huntington
Bancshares Incorporated, on behalf of BITS and the Financial
Services Roundtable; and Mr. Samuel Gaer, chief information
officer, New York Mercantile Exchange.
Mr. Emanuel, I understand that you would like to introduce
our next guest on the panel.
Mr. Emanuel. Thank you, and thank you for holding this
hearing.
I first went to meet with Brian and the ChicagoFIRST group
a couple of months ago. Brian Tishuk is the executive director,
and prior to that he had a distinguished career at Treasury
working on a set of issues over there. ChicagoFIRST, in Brian's
discussion and in answer to questions, will show as a role
model to what other cities can do in a sense of the private
sector coming together, starting ready-to-do planning to deal
with unintended events.
In Chicago, like other major financial centers, we have
about 320,000 to 350,000 jobs in the area who rely on the
financial services industry, leaders in the future, it is an
options industry. And what ChicagoFIRST has done is a
remarkable job in coordination with also what the City of
Chicago has done.
So I am pleased that the Chairwoman agreed to have
ChicagoFIRST and Brian as a person to testify today. As I told
Brian earlier, I have Alan Greenspan in the Budget Committee,
and no disrespect intended, I am going to get and go there and
ask my questions of Chairman Greenspan so I can tell Brian what
interest rates are going to be like tomorrow.
I want to thank the Chairlady for holding this hearing and
thank the entire panel for giving their time today.
Mrs. Kelly. Thank you very much.
Let us begin with you, Mr. Britz.
STATEMENT OF ROBERT G. BRITZ, PRESIDENT AND CO-CHIEF OPERATING
OFFICER, NEW YORK STOCK EXCHANGE, INC.
Mr. Britz. Thank you, Chairwoman Kelly.
Ranking Member Frank, distinguished members of the
committee, I am Robert Britz. I am president and co-chief
operating officer of the New York Stock Exchange. As such, I am
directly responsible for the day-to-day operation of our
market, our trading floor, our data-processing sites, our
technical infrastructure, software development, and our
information business. In addition, I also serve as the chairman
of the Securities Industry Automation Corporation, or SIAC,
which is a technology subsidiary of the New York Stock Exchange
and the American Stock Exchange.
On behalf of the NYSE, I want to thank the committee for
holding this hearing and giving us the forum to discuss the
NYSE's investment in business continuity and contingency
planning post-9/11. The NYSE lists more than 2,750 companies
with a combined market capitalization of around $18 trillion.
Just for context, the next-largest marketplace in the world
hovers between $2 trillion and $3 trillion. We trade on average
1.5 billion shares a day, or in dollar terms about $50 billion.
Ensuring the world's largest equity market can open for
business every day under all circumstances is clearly our
highest priority.
Madam Chairwoman, the NYSE has a long history of developing
forward-looking business continuity strategies that harden and
protect our physical and technology infrastructure and improve
our ability to withstand or recover from a disaster. Our
approach consists of three components: to prevent an attack or
natural catastrophe; to withstand them; and to recover from
them.
In close cooperation with federal, state and local law
enforcement, the Exchange has expanded its physical security
perimeter. We have also taken measures to increase the
screening of all people, package delivery and mail that enters
the NYSE or our data centers. And we have instituted a more
restrictive policy vis-a-vis visitors and deliveries. Business
continuity planning did not begin after 9/11. Before 9/11, we
made sure that all of our facilities had emergency generators,
uninterrupted power supply, and stored water on-site, to enable
continued operation after the potential loss of power or water.
Our technology infrastructure was already connected to a
private extranet that utilizes geographically redundant fiber
routes. The NYSE and SIAC employ large security forces and
invest in automated security systems to protect the
infrastructure. Significant investments have been made in
information security personnel and infrastructure to protect
our systems from intrusions and attacks, while enabling our
business partners to connect to the NYSE technology complex in
a secure manner.
Our primary trading floor is actually five different
trading floors located in four different buildings. Trading can
be moved from one location to another as may be necessary.
Since September 11, the NYSE has made an investment totaling
more than $100 million to prevent and/or recover from an
interruption to our market. The specific business continuity
programs include both new initiatives, as well as enhancements
to existing programs. In particular, the NYSE has built a
contingency trading floor, expanded SIAC's emergency command
center, created the Secure Financial Transaction Infrastructure
network or so-called SFTI network, constructed a remote network
operations center, and recently received approval to establish
a remote national market system data center.
The NYSE's regulatory group filed and the SEC recently
approved new business continuity rules, Rule 446 for NYSE-
member firms. In addition, beyond ensuring the resiliency of
the NYSE, to ensure continuity of trading the NYSE has modified
its systems to accept four-character symbols so that we can be
in a position to trade over-the-counter Nasdaq securities should
that ever be necessary.
In addition, we have enhanced NYSE and SIAC disaster
recovery planning, physical and information security; developed
and implemented a mandatory business continuity training
program for all NYSE and SIAC employees; enhanced emergency
employee communication systems to ensure key personnel can be
reached; and all personnel have access to relevant and timely
information in an event. We have instituted a temporal
dispersion initiative with respect to the data center staff,
and we also are adding additional generating capacity at the
New York Stock Exchange proper.
The NYSE employs a rigorous information technology
structure to ensure reliability of all of the information that
we receive, process and disseminate to the world every day. We
employ external perimeters, firewalls, intrusion detection,
internal access controls, and we conduct penetration testing
with so-called ``friendly'' hackers.
The NYSE and SIAC launched the Secure Financial Transaction
Infrastructure network, or SFTI, as I mentioned a moment ago.
It has become the primary extranet serving the financial
industry. It provides diverse redundant routing to SIAC data
centers for member firms, national market system participants
that are connected to the NYSE, to the American Stock Exchange,
the National Market System, and DTCC's IT infrastructure as
well.
Following 9/11, U.S. equity trading was interrupted because
many broker-dealers lost their connectivity to the markets due
to the damage suffered by a major central telecommunications
switching facility near ground zero. SFTI addresses this by
enabling member firms to connect to the NYSE's data centers via
multiple access points, so-called carrier hotels throughout the
New York metropolitan area, as well as Boston and Chicago. From
these access centers, message traffic is carried over a
geographically diverse fiber network owned and managed by SIAC.
Beyond the resiliency of our market, the NYSE is prepared
to trade Nasdaq stocks if that case ever arises. While NYSE
systems have been modified and can support four-character
symbols used by the unlisted stocks, no need for any
modification on the part of the broker-dealer systems. And
because our capacity today, NYSE's capacity vis-a-vis its own
stocks, is about five times our average daily volume of 1.5
billion shares, we have no question about the ability to absorb
the extra traffic resulting from Nasdaq stocks.
Madam Chairman, in your invitation to testify this morning,
you also asked that the NYSE share its experiences relative to
the limited code orange threat issued on August 1. On Sunday,
August 1, Secretary Ridge of the U.S. Department of Homeland
Security announced that al Qaeda was targeting specific sites
in Washington, D.C.; Newark, New Jersey; and New York City,
including the NYSE. In addition, Secretary Ridge announced that
the Department of Homeland Security was raising the terror
threat level to orange for New York City. At approximately 6
p.m. the prior evening, the New York office of the FBI
contacted NYSE security officials to inform them that the FBI
had information that was very pertinent to the NYSE, and they
requested that we meet with them immediately, which indeed we
did.
This intelligence clearly indicated that al Qaeda had
surveilled the NYSE. On Sunday, August 1, the FBI and the NYPD
informed the NYSE that there would be an immediate increase in
NYPD officers and NYPD ``Hercules'' teams deployed around the
NYSE's perimeter. In addition, the NYPD would increase the
number of truck inspections for vehicles traveling south of
Canal Street to determine if those trucks actually needed to
proceed downtown toward the financial district.
On Sunday, August 1, the NYPD pledged their assistance for
police department access and cooperation during the heightened
alert. The Department of Homeland Security, as well as other
federal, state and local agencies, notified the NYSE before
Secretary Ridge's announcement that the exchange was a specific
target. With this advance notice, the NYSE was able to
communicate with its employees through our contingency Web
sites. Under these contingency sites, we are able to provide
timely information about the status of our operations for
Monday, August 2, to members, member firms, member firm
employees, and NYSE employees.
On Tuesday, August 3, NYSE officials met with Homeland
Security Secretary Ridge, New York City Mayor Michael Bloomberg
and both pledged their cooperation in the provision of federal
and New York City assets as needed.
Since 9/11, all of our efforts have served to increase the
NYSE's physical security, presence, and its business continuity
planning. Our enhanced business continuity contingency planning
are online and being tested every day. Unlike many localities
and sites, New York City and the NYSE remain at a higher level
and will remain at a heightened alert to protect the people and
the infrastructure that operate the NYSE's agency-oriented
market.
In the event of another terrorist attack or catastrophe,
the NYSE plans to resume trading in a timely, fair and orderly
fashion that will provide confidence to America's 85 million
investors. While the NYSE and SIAC have implemented a
comprehensive contingency plan that will provide for an orderly
resumption of trading in the event of an attack or other
catastrophe, we cannot prepare for every possible contingency.
We will continue to work with the SEC, the Department of
Treasury, Homeland Security, and the NYSE's member firms, the
financial services industry, and federal, state and local law
enforcement to address the threats and to implement strategies
and solutions.
I hope the foregoing is helpful to the committee. We look
forward to working with this committee going forward on matters
of mutual interest, and I would be happy to answer any
questions. Thank you.
[The prepared statement of Robert G. Britz can be found on
page 65 in the appendix.]
Mrs. Kelly. Thank you so much, Mr. Britz.
Mr. Mohr?
STATEMENT OF JOHN MOHR, EXECUTIVE VICE PRESIDENT, NEW YORK
CLEARING HOUSE
Mr. Mohr. Good afternoon. My name is John Mohr and I am an
executive vice president of The Clearing House, which is
headquartered in New York. Just to correct the record of the
cover sheet of the testimony, it lists me there as the chief
operating officer. I wish that I were, but I am not.
Mrs. Kelly. Thank you.
Mr. Mohr. We are headquartered in New York and we are the
nation's oldest and largest clearinghouse. We are owned by 19
very large, global, international and regional banks. We were
founded in 1853, and we are a private sector global payments
system infrastructure that clears and settles more than $1.5
trillion each day. We serve as an industry forum for addressing
strategic and regulatory issues dealing with payments made in
U.S. dollars. The Clearing House serves more than 1,600 U.S.
financial institutions and manages payment services that span
the entire spectrum of paper, paper-to-electronic, and
electronic payments.
I want to thank you for this opportunity to update you on
steps we have taken to further strengthen the key elements of
the U.S. payment infrastructure which are operated by The
Clearing House. One of the key lessons learned from the 9/11
disasters was that from a business continuity perspective
business as usual was no longer adequate. Contingency and
business continuity plans needed to be reevaluated and
refocused.
Since 9/11, the financial industry has increased its focus
on the resiliency of its high-value payment systems. It is
universally agreed that systems such as CHIPS, which is our
large-value payment system, must be capable of resuming full
capacity operations quickly, within hours of any catastrophe.
We take this responsibility seriously. It is worth noting that
CHIPS never skipped a beat on 9/11 and the days that followed.
CHIPS itself operated without interruption during the
entire crisis and all 56 banks that connect to it were able to
continue to conduct business. This included the 19 banks that
were located in or near the World Trade Center. Each of these
banks was required to relocate their operations to contingency
sites in the middle of an unimaginable disaster. The fact that
this was successfully accomplished I believe is a great
testament to the leadership in these banks.
Following 9/11, our management reviewed the events of the
week for lessons learned. Some of the things that we have done,
we added additional security staff to perform more frequent and
random patrols of our facilities. We conducted penetration
tests of both our physical security and our logical security
for our systems. We reconfigured one of our facilities to make
it better prepared to prevent penetration. We implemented
state-of-the-art biometric access controls. We also all but
eliminated visitor access to all of our operating centers.
We reviewed where our critical employees worked and
relocated some of these individuals to avoid a concentration
risk of having too many key individuals in one place. We have
taken measures to ensure that key operations and support staff
have secure remote access to our electronic systems so that
they can operate remotely in the event that they cannot get to
our principal operating centers. For many years, The Clearing
House has operated fully redundant data centers, each with the
capability of backing up the other. To further enhance its
resiliency, we have developed an out-of-region third data
center. This new center is fully equipped to take over the
operation of CHIPS within an hour of a simultaneous failure of
the other two sites.
One key procedure which was reaffirmed during the events of
9/11 is contingency tests. Mandatory testing of contingency
capabilities has been conducted by CHIPS since the early 1980s.
The tests cover a variety of disaster scenarios and exercise
the backup and recovery capabilities of the participants, as
well as CHIPS. The performance of each participant during these
tests is evaluated by The Clearing House and those banks that
fail the test are required to continue to re-test until they
pass. The discipline of regular testing helped contribute to
the quick recovery of the banks following the events of 9/11.
Since 9/11, we have expanded our own testing regimen to include
two tests a year, coordinated with the Federal Reserve's
Fedwire system.
Another significant initiative led by the Clearing House
following the events of 9/11 was our Intercept Forum which
addressed the question, what could financial institutions,
working with the public sector, do to eliminate the flow of
funds to terrorists and their organizations. We had senior
representatives from 34 public and private sector
organizations. This forum identified five task groups which
were co-led by representatives from both the public and private
sectors. These five groups, let me touch on them briefly:
patterns of behavior, account transaction monitoring, and
global cooperation.
The first three I think are easily understood, their
purpose, their mission clearly understood by the names of their
groups. The other two, control list, following the events of
9/11, the banks and the regulators and the law enforcement
agencies needed to sit down and clarify what we were trying to
accomplish in terms of identifying terrorists, flows of funds
to terrorists, what policies and procedures had to be in place,
what new was being put in place. All this had to be
communicated effectively, so we put a group together to work on
that.
Our fifth group, a database team, was originally set up to
develop a highly secure real-time capability to download
suspected terrorist information and to upload hits that
financial institutions may have, reporting them back to the law
enforcement agencies. This fifth group was superseded by FinCEN
and their PAC system which was set up in 2003, I believe. We
work closely with them and handed over that responsibility to
them. All of our banks have been working with them since.
I think the Intercept Forum is a great example of the
private and public sector's ability to work together to achieve
shared goals. Financial institutions, law enforcement agencies,
and regulators were able to draw upon each other's core
competencies in a cooperative way and achieve meaningful
results. It is clear that going forward we will need continued
cooperation in all three areas to be successful.
Thank you.
[The prepared statement of John Mohr can be found on page
116 in the appendix.]
Mrs. Kelly. Thank you.
Mr. Dolloff, I understand that Mr. Tiberi was wanting to
come to introduce you because you were a fellow Ohioan. I hope
you will take my introduction, from being a former Ohioan who
now is in New York. We are delighted to have you here. You may
proceed.
STATEMENT OF WILTON DOLLOFF, EXECUTIVE VICE PRESIDENT,
OPERATIONS AND TECHNOLOGY, HUNTINGTON BANCSHARES INCORPORATED,
ON BEHALF OF BITS AND THE FINANCIAL SERVICES ROUNDTABLE
Mr. Dolloff. Thank you, Madam Chairman and members of the
committee for this opportunity to testify about the financial
services industry's efforts to address critical infrastructure
protection. I am Wilton Dolloff, executive vice president for
operations and technology at Huntington Bancshares,
Incorporated. I am pleased to appear before you today on behalf
of BITS and the Financial Services Roundtable. I have submitted
a written statement that provides details on efforts by BITS
and the financial services industry to strengthen our nation's
critical infrastructure.
I would like to use this time today to deliver three
messages. First, the financial services industry is doing an
outstanding job strengthening our slice of the critical
infrastructure pie. Among other things, we have developed
emergency communication tools, conducted worst-case scenario
exercises, engaged in partnerships with the telecommunications
sector and key software providers, compiled lessons-learned
from the 9/11 attacks and the August 2003 blackout, and
combated new forms of online fraud.
Second, as you know, our industry is heavily regulated. The
regulators have stepped up their oversight, but we cannot
address these problems alone. Our partners in other sectors,
primarily telecommunications, power, software, must also do
their fair share to ensure the soundness of the nation's
critical infrastructure.
Third, I want to review several recommendations for the
Congress to consider. Since 9/11, our sector has done a lot to
respond to the risk we face today. Protecting our nation's
critical financial services infrastructure is a top priority. I
would like to highlight several efforts to help assure the
security stability of our sector.
We have improved communications and enhanced our ability to
analyze and disseminate information. For example, we have
enhanced the financial services information sharing and
analysis center, the ISAC, providing an important tool for
members to share and analyze cyber and physical threat and
vulnerability information. In addition, we have established the
BITS-FSR crisis communicator. This high-speed alert system
rapidly notifies CEOs and CIOs and others as appropriate to
convene conference calls during which industry leaders share
information and make decisions. The system was recently
activated on August 1 immediately following the threat-level
escalation by the Department of Homeland Security for the
financial industry.
One of the key lessons learned in recent years is our
sector's dependence on other critical infrastructure sectors,
namely telecommunications and power. BITS is working with the
telecommunications industry to identify and mitigate
vulnerabilities and enhance recoverability. While the
cooperation between these two sectors has been unprecedented,
much more work remains to be done.
In August 2003, the blackout occurred in the Northeast. It
gave us an opportunity to test our assumptions about what would
happen in a large-scale loss of power. In general, the
financial services industry performed well. Backup systems
operated. Alternate communications systems were used and there
was no measurable impact on settlements and payments.
Our industry has also been working hard to strengthen
cyber-security. We have stepped up our efforts by sharing
information, analyzing threats and working more closely with
the software industry. In December 2003, BITS surveyed its
members on the cost of addressing software vulnerabilities and
learned that costs are approaching $1 billion annually. In
February 2004, BITS and the Roundtable held a cyber-security
CEO summit to launch efforts to promote CEO-to-CEO dialogue on
software security issues.
In short, we want the software industry to improve the
security of products and services that they provide to us. Just
as financial institutions are key targets for hackers and other
cyber-criminals, our industry is increasingly the target of
fraudsters operating online. We are responding to the
escalation in identity theft with a series of steps to
facilitate prevention of the crime and assist victims when it
occurs. The cornerstone to these efforts is the BITS-FSR
Identity Theft Assistance Center, or ITAC. The concept of this
pilot program is to provide a simplified recovery process that
benefits victims by relieving much of the current burden of
reporting the theft and restoring one's financial identity.
The Congress can help the financial services sector meet
the challenge of the post-9/11 environment in three ways.
Number one, encourage the telecommunications industry to
provide diverse and reliable services to critical
infrastructure sectors. Two, recognize the dependence of all
critical infrastructures on the software operating systems and
the Internet. And finally, number three, encourage law
enforcement to prosecute cyber-criminals and identity thieves
and publicize U.S. Government efforts to do so.
I am pleased that Congress has an active interest in
helping to shore up the financial sector against
vulnerabilities and hope that we can work together to heighten
security. Financial firms will continue to work diligently to
achieve the level of security that our customers demand.
Madam Chairman, I will be happy to answer any questions.
Thank you.
[The prepared statement of Wilton Dolloff can be found on
page 86 in the appendix.]
Mrs. Kelly. Thank you so much.
Mr. Gaer, we welcome you.
STATEMENT OF SAMUEL GAER, CHIEF INFORMATION OFFICER, NY
MERCANTILE EXCHANGE
Mr. Gaer. Thank you, Madam Chairwoman. Good morning, and
thank you to the members of the committee for inviting me to
address the issue of emergency preparation and vigilance for
the financial services sector. The subject matter is of timely
concern and I sincerely welcome the opportunity to both express
what the New York Mercantile Exchange has accomplished to date,
as well as to express concerns regarding areas in which you
might consider providing assistance to our efforts going
forward.
The Exchange is the world's largest physical commodities
futures exchange and has been an example of market integrity
and price transparency throughout its 132-year history.
Commercial enterprises and government entities all over the
world use our marketplace to manage their energy metals risk, a
function that is particularly critical to the global economy in
any time of crisis. The Exchange is also a technology leader in
the futures industry, developing robust, redundant, best-of-
breed trade management clearing and reporting systems capable
of quick fail-over to backup systems when required.
No preparedness planning, however, can be accomplished
without a careful analysis of the business that needs to be
protected. Our core business is trading and clearing. In order
to ensure the continuity of this core business, we have pursued
several alternatives. The Exchange headquarters was designed to
be as redundant as possible, including the availability of
backup generators, which became critical during the blackout of
2003.
One of the first priorities for the Exchange after
September 11, for example, was to build a replica trading floor
which contains trading rings, administrative space, live price
feeds, and a fully operational and redundant data center. In
other words, it is a complete facility. This facility has been
powered-up since the beginning of the Iraq War and is ready to
go on a moment's notice.
The Exchange also has two electronic trading systems, both
of which have round-the-clock trading capability. In fact, we
were the first exchange in New York to reopen following
September 11 when we opened our electronic trading system for a
2-hour session on September 14, which resulted in a record
70,000 contracts being traded in 2 hours.
During an emergency, the high-level strategic decision-
making authority rests with the crisis management team which we
call the CMT. It is comprised of members of the executive
committee of the board of directors, C-level executives and
critical senior executives. Their role is to assess a threat
and if necessary provide an official declaration of disaster,
to interface with the members of the exchange, and to
coordinate with industry and regulatory agencies.
Maintaining communication between recovery units and
resources is the single most important aspect of any emergency
recovery effort. The Exchange has gone to great lengths to
ensure that the CMT and their subordinates are all able to
communicate, including provision of cell phones with two-way
radios, mobile e-mail devices, laptops with cellular modems
which we affectionately call footballs, and access to CFTC-
sponsored GETS cards. Every critical exchange system is
duplicated and can provide services in the event the main
facility or system is unavailable. Data moves across redundant
optical fiber links, linking our backup site to the primary
site. In addition to the network created between the two hot
sites, the Exchange maintains multiple links to Internet
service providers.
Training, education and regular testing will ensure that
the systems and staff are ready to respond to any event that
disrupts our business. Ongoing planning for events keeps the
Exchange planners in top form. The Exchange, along with the
Futures Industry Association, or the FIA, have begun planning a
major multi-company and multi-exchange coordinated testing
effort which will culminate in the first annual industry-wide
disaster recovery test this fall on Saturday, October 9. The
effort is extremely important to our industry and will be
repeated annually.
As a critical infrastructure organization, we strive to
learn from every event we face. So what were the lessons we
learned from the various events that we have handled recently?
The tragic and cataclysmic events that took place on September
11, 2001 showed us that planning for emergencies that involve a
single company, building or service is no longer adequate. As
we look back at 9/11, the relationships the Exchange has forged
with government agencies will always be of critical importance
in planning for and support during an emergency event. In
addition, the relationships our member firms have formed with
important government leaders have enabled the Exchange to
overcome many difficult recovery challenges in the past.
The blackout of 2003 taught us different lessons, foremost
of which is that the unavailability of a facility is not a
prerequisite to an emergency event. Multiple redundant service
providers need to be secured for all critical business
services. Other events that the Exchange planners carefully
consider are the planning we have done for the Republican
National Convention and the regular disaster recovery testing
and mock disasters that the Exchange conducts all serve to
reinforce and fine-tune the planning we have at the ready.
Communications stands alone as the key equalizer when facing
the surprises any emergency delivers. A disaster gives no
advance warning.
Madam Chairwoman, in closing I ask this committee to
consider the following concerns from the Exchange. As an
integral part of the critical infrastructure, the Exchange
already manages a full complement of continuity plans, backup
sites and emergency operation locations. However, our business
relies upon the coordination of many services within the
financial sector. It also relies heavily on telecommunications,
utility and transportation infrastructure over which the
Exchange has no control. The Exchange is prepared to recover
our systems and business processes if faced with another event
such as 9/11, but the recovery of the services and the price
discovery mechanisms we provide to the financial services
sector and economy also relies on resiliencies of the external
businesses on which the Exchange depends.
I would like to thank the Chairwoman and the members of
this committee for inviting the Exchange to speak with the
other distinguished panelists on this extremely important
topic. I would be happy to answer any questions the committee
has.
[The prepared statement of Samuel Gaer can be found on page
101 in the appendix.]
Mrs. Kelly. Thank you very much, Mr. Gaer.
Mr. Tishuk.
STATEMENT OF BRIAN S. TISHUK, EXECUTIVE DIRECTOR, CHICAGOFIRST
Mr. Tishuk. Good afternoon. Chairman Kelly, members of the
Financial Services Committee, I am Brian Tishuk, the executive
director of ChicagoFIRST, a coalition of 16 of Chicago's
leading financial institutions. A list of our members and
government partners is appended to my written statement.
Through ChicagoFIRST, these institutions cooperate with one
another and collaborate with government to address common
business continuity and homeland security issues. This ensures
that our business continuity and disaster recovery plans
conflict neither with one another nor with the government's
plans for prevention, response and recovery.
In light of the events of September 11, the Chicago
financial community, as others, reexamined and enhanced their
individual business continuity plans. During the spring and
summer of 2003, a number of these institutions also decided to
form ChicagoFIRST. Two leaders took it upon themselves to
commit their time and their respective firms' resources to
make this coalition a reality: Louis Rosenthal, executive vice
president at LaSalle Bank and Ro Kumar, first vice president at
the Options Clearing Corporation.
From the beginning, our top priority was to get a seat in
the city's Joint Operations Center or JOC. The JOC is a place
where different government agencies, city agencies, come
together to address a crisis, whether it is a snowstorm or a
terrorist attack. We sought a seat to ensure access to accurate
and timely information in case of an emergency. We obtained
this seat in July of 2003. Our members are also working with
the city and the state to learn where our respective evacuation
procedures may conflict and to take remedial action.
Another absolutely critical objective for the financial
community in Chicago is credentialing. ChicagoFIRST and the
city are using an interim credentialing solution that we put
together with them, while the city and the state together
develop a permanent one. ChicagoFIRST is also working with the
city and the Red Cross to develop shelter-in-place protocols.
These best practices will protect our members' employees at the
office and their families at home.
Now, every regional partnership will necessarily be unique.
However, ChicagoFIRST has been constructed in a manner that
would allow its salient elements to be replicated in other
parts of the country. I would like to highlight four components
of our model. First, financial institutions should organize
themselves in a grassroots fashion and leadership should come
from within the financial community. Second, with the critical
infrastructure largely in the hands of the private sector, we
have an obligation to put some ``skin in the game,'' as the
saying goes. However, at least in the short term, funding from
the public sector should also be provided.
Third, information sharing is key. Such sharing ranges from
the mundane of my calling the city to find out why there are a
number of police cars and fire trucks outside a particular
building, to the absolute essential of having the city and
state give us a heads-up about impending issues and
announcements such as the August 1 disclosure of terrorist
threats against financial institutions on the east coast.
Finally, not only can the above elements be replicated
elsewhere, but also adapted to any region, even outside of
financial centers where other sector participants may be
necessary.
I would like to mention briefly the crowning achievement of
2004, a July tabletop exercise that proved successful in every
way. Most importantly, we devised a scenario that examined how
the partnership would function if financial institutions were
forced to operate for an indefinite period of time under the
threat of terrorist attack. Unfortunately, 2 weeks after the
event, we saw that very scenario unfold in real life on the
east coast that allowed us to be ahead of the game in Chicago.
In conclusion, the members of ChicagoFIRST are very proud
of our progress. While much remains to be done, Chicago's
financial community is better prepared to protect its employees
and businesses than it was before ChicagoFIRST was formed. We
hope that our successful approach can provide a model for
private-public partnerships in other cities throughout the
country. Thank you again for the opportunity to testify at this
important hearing, and I am happy to answer any questions the
committee may have.
[The prepared statement of Brian S. Tishuk can be found on
page 136 in the appendix.]
Mrs. Kelly. Thank you, Mr. Tishuk.
I would like to ask a couple of questions, but before I do
three of the five members of this panel are from New York and
participated in the recovery. I want to compliment all of you.
You were back up. You were functioning. Our financial systems
in New York were functioning so quickly. You are to be
complimented for the work that you did prior to 9/11 to ensure
that that actually happened.
I would like to begin with asking a general question,
actually, but I am going to focus this on you, Mr. Britz. The
Stock Exchange has often been thought to be a target for
terrorists. In the press, it was indicated that terrorists had
cased the Exchange as a potential target. In a broad sense,
what additional steps have you taken since you heard about
people casing the place?
Mr. Britz. First of all, I will share with you an anecdote,
Congresswoman. When we met, I referenced in my remarks, we met
with Homeland Security, we met with the FBI the evening before,
the Saturday evening as a matter of fact, and the NYPD and a
number of local law enforcement agencies. We asked them point
blank, what can we do, what might we do that we are not now
doing? The answer uniformly was, nothing; that they regard what
we do today or what we did prior to the most recent
announcement as the gold standard.
They, in turn, again as I referenced in my remarks, the
NYPD in particular supplemented their force on the ground
around our perimeter both in terms of patrolmen, but also in
terms of the Hercules swat team, if you will, so that we had a
very substantial presence over and above what we normally have.
I know you have seen what we normally have, so I think it is
the gold standard. But post-9/11, essentially what we did was
push out our perimeter.
We had well before 9/11 magnetometers, X-rayed every
package, every valise. I myself walk through a magnetometer
every morning. My briefcase goes through the X-ray every
morning. But that, of course, is once you are inside the
building. We pushed the perimeter out, as you know, with the
help of the NYPD so that you cannot get within a block of the
Stock Exchange with a vehicle without going through a
checkpoint, having canine sniff, checking the manifest, having
the dog sniff as to whether or not there is any explosive
capability and so on. So essentially what we have done and what
we have reinforced with the help of the police department is to
extend that external perimeter away from the building.
Mrs. Kelly. Thank you.
I know there are a number of people who enjoy the fact that
now there is a sense of a mall around the Stock Exchange. It
certainly is pleasant to be able to walk without having to
worry about the traffic down there.
Mr. Britz. Those are the people who are not in vehicles.
[Laughter.]
Mrs. Kelly. Right. Exactly.
Mr. Dolloff, you represent BITS. I asked a question of Mr.
Liscouski in the earlier panel. I do not know if you were in
the room. I am very concerned about the insider threat with
regard to the programs that are in each one of the businesses
that work in the financial industry. I am concerned about them
because I understand that it is possible for people in the
process of the programming and reprogramming to fit the niche
market that each business needs, there are programmers who are
there who are doing certain things.
Is there something that you can tell me that the industry
itself, from your BITS organization, the BITS FSR is doing, to
perhaps profile the people who are doing programming, to do
some kind of a check so that the programs do not yield up
information that might be essential information to people that
we actually would rather not have that information?
Mr. Dolloff. Congresswoman, if I understand the question
correctly, I would like to address it from the Huntington's
perspective first, because I am not sure of the organization
efforts of BITS in this area. I can tell you that many
financial institutions have programming standards and
oversights over their programmers. One person may develop a
program and it then goes through a testing process, and what we
call a ``change control'' process where people outside the unit
that did the program, review the program for its legitimacy and
to make sure that it is doing as it is intended to do.
Now, is it possible for somebody to be so clever that it
could sneak by even that checkpoint? Probably. You can only
protect against what you think you know. But I think that is a
standard that you will find in most financial services industry
shops, if you will, on how they control the quality of the
programs that they develop.
Mrs. Kelly. My concern is that so many of us look at a
threat from outside, hackers, people like that. My concern is
the threat from inside.
Mr. Dolloff. I would agree with you. There is always a
threat, both externally and internally. As I said, we need to
make sure that we have these dual checks in place, and
sometimes it is more than dual checking. They go through very
extensive testing processes to make sure that the program
development that has taken place does what it is intended to
do.
Mrs. Kelly. My time is up. I do have a few more questions,
but I am going to turn this over now to Mr. Miller.
Mr. Miller of North Carolina. Thank you, Madam Chair.
I wanted to pursue a question that I began with the first
panel about compliance in the private sector with the necessary
safeguards against terrorism; that 85 percent of our
infrastructure is in the private sector. There has been
apparently a fair amount of effort to try to develop standards.
Mr. Britz, you referred to the New York Stock Exchange's
standard as the gold standard, which I commend you for, but I
am afraid that a great deal of the private sector will not
adopt a gold standard, but a tarnished brass standard of going
cheap on terrorism safeguards, when in fact they are at risk
and there are consequences beyond. There are consequences to
their employees. There are consequences to anybody else who may
be on their premises. And there are consequences to the people
that they do business with, in a ripple effect.
The 9/11 Commission recommended a voluntary standard. Any
of you, do you agree that it should be voluntary? Or should
there be some force of law behind some standard in the private
sector for terrorism safeguards? We can start with you, Mr.
Britz, and work our way down.
Mr. Britz. First of all, Congressman, when I referenced a
gold standard, it was the New York City Police Department and
the FBI referring to us, not us referring to ourselves. It was
in the area of physical security.
Mr. Miller of North Carolina. Either way, I commend you.
Mr. Britz. Gosh, I really do not feel confident to address
that question other than to perhaps offer a private sector
comment which would be that it is in the private sector's
interest to safeguard their respective franchises. I know that
the New York Stock Exchange has done everything it has done,
even though we are overseen by the Securities and Exchange
Commission to be sure, and the word ``cajole'' was used
earlier. They cajole us every now and again.
But most, if not everything that we have done in the area
of protecting our infrastructure has been self-initiated
because it is in our business and our franchise interest to do
that. So you have that kind of a motivator resident within
every private sector business that has assets and franchises to
safeguard.
Beyond that, I am not a regulator of the banks or the
paying agencies and so on, and I do not know if I would comment
beyond that.
Mr. Miller of North Carolina. Anybody else? Try to keep it
fairly brief because I only have 5 minutes. Yes, sir?
Mr. Mohr. Yes, I would agree with most of what Mr. Britz
said. I think it is in the interests of the private sector to
make sure they are safe and sound. I would also point out that
the regulators, in my opinion, did an excellent job following
9/11, leading the review on an industry-wide basis and coming
up with a lot of good clear thinking, good clear direction.
I think the partnership between the two was essential to
making us as strong as we are today. I think the best way
forward is to keep that partnership going, keep driving the two
together to make sure that they are working together.
Mr. Miller of North Carolina. Anyone wish to speak up for
something other than a volunteer standard? All right.
A second point that the 9/11 Commission made, let me read
one question, their bolded recommendation: ``We believe that
compliance with the standards should define the standard of
care owed by a company to its employees and the public for
legal purposes.''
I took that to be a reference to the substantial body of
state negligence law, of common law negligence of what the
standard of care is, and that reference means that they believe
that under state common law businesses that did not adopt the
appropriate safeguards, and there are consequences to others as
a result of their failures, should give rise to civil
liability.
There is also a wealth of economic theory that says that
the civil liability system is a market mechanism to assure
proper safeguards. Do you agree that the civil liability system
would apply in cases, certainly now that we know there is a
terrorism threat, to the consequences of a failure to take
appropriate safeguards? Anybody want to stick up a hand? Mr.
Britz, do you want to start with you?
Mr. Britz. Congressman, I apologize. I do not feel
confident to respond to that question. I am neither a lawyer
nor an expert on what it is the Commission intended in those
words.
Mr. Miller of North Carolina. Okay.
Mr. Mohr, do you have any comment?
Mr. Mohr. I have nothing to add to that.
[Laughter.]
Mr. Miller of North Carolina. Mr. Dolloff?
Mr. Dolloff. I would agree. I do not feel qualified to
answer that question.
Mr. Miller of North Carolina. All right.
Mr. Gaer?
Mr. Gaer. I would also agree. I am neither a lawyer nor an
expert on what you are reading.
Mr. Miller of North Carolina. Mr. Tishuk?
Mr. Tishuk. I am afraid it is not my area of expertise
either.
Mr. Miller of North Carolina. Okay. I am pleased that I was
able to bring about so much unanimity among the panel.
[Laughter.]
Mrs. Kelly. Thank you very much, Mr. Miller.
Ms. Biggert.
Mrs. Biggert. Thank you, Madam Chairman.
I would like to congratulate all of the members of this
panel for their self-initiated efforts to bolster the
infrastructure of America's financial sector, and to take the
offensive approach in that.
I would especially like to applaud you, Mr. Tishuk, not
just because you live in Homer and are a constituent, but for
what you have done with ChicagoFIRST in providing a model
partnership between the public and private sector in this area.
Could you just tell us a little bit more about the tabletop
and what happened and why that is so important, and what you
learned from it?
Mr. Tishuk. Certainly. The tabletop took place in mid-July.
We had terrific participation, some 17 government agencies, 21
financial institutions, telecommunications providers, power,
water. It included all of the relevant areas of the city and
the state, as well as the federal government. It was very
useful.
The whole object of the tabletop was to assess assumptions
that we all had about one another, to make sure that we knew
what we could really expect from one another during an
emergency, rather than finding out something we did not expect
in the heat of the moment.
It certainly provided a lot of grist for our mill.
Everybody has told us it was very successful, that they learned
a lot about all the other participants. We certainly learned a
lot. We learned our communications systems are even more
fragile than we had initially thought, and we are working to
find alternatives to the conference calls that we tend to rely
upon.
We are also reaching out to the counties surrounding
Chicago, because our employees come from there and we certainly
learned more about the city's and state's evacuation plans for
getting folks out of the city, out of Cook County and beyond.
Therefore, it is important to make sure that they are part of
this dialogue so that our employees know what they can expect
to find if such an event occurs.
Perhaps most importantly, given its success, we learned
that it is very much a goal for us to test, implement lessons
learned to fill the gaps, and repeat, both in the tabletop
format, which is somewhat artificial, as well as in a testing
mode where you are in your office or where you are supposed to
be normally, and then respond.
Mrs. Biggert. It was mentioned earlier, or it was mentioned
in your testimony that you have had trouble communicating with
the Department of Homeland Security, while you have worked very
closely with the Treasury Department. Do you think that that
will change after today?
Mr. Tishuk. I certainly have that expectation, yes. I would
like to point out, though, that we have had excellent support
and a relationship with DHS's regional arms in Chicago. Both
FEMA and the Secret Service have been with us every step of the
way. They have been forthcoming with their ideas and very
supportive to our suggestions. So from that standpoint, things
could not be better.
Mrs. Biggert. One of your suggestions has been that you
would have a regional center for the Department of Homeland
Security in Chicago.
Mr. Tishuk. Correct. Chicago is a vital center. As the East
Coast hardens for good reasons, we certainly want to make sure
that terrorists do not look upon Chicago as a softer
alternative to attacking financial institutions and
metropolitan areas.
Mrs. Biggert. Thank you for all that you do.
I have another question for probably most of the people on
the panel. After 9/11, a number of financial firms managed to
shift trading and portfolio management to their offices in
London and other financial capitals. Should major global
financial institutions include in their disaster recovery plans
the ability to shift trading and book management temporarily
away from the affected country? Do some of you have that in
your plan in case that there is a disaster? Mr. Britz?
Mr. Britz. I will take a shot at that, Congresswoman. In
our Rule 446, the business continuity rule, and I am now
talking about broker-dealer member firms of the New York Stock
Exchange, we impose a requirement that they demonstrate the
ability to operate under various circumstances, but we do not
dictate as to how.
When you say ``shift away'' from the affected country, and
this country is a fairly large country, that may very well
include shifting to other centers that they may have literally
around this country, as opposed to necessarily going to Europe
or some other center. The NYSE as a regulator of broker-dealers
dictates that you have to demonstrate the capability, but we do
not dictate as to how.
Mrs. Biggert. Mr. Mohr?
Mr. Mohr. For the commercial banks, the regulators have
already told the larger banks that they must have certain
recovery capabilities that are outside the immediate region.
That process is already under way, but there is no directive
that they have to move offshore. Those banks that did move
offshore did so because they are multinational banks that have
processing centers in other areas of the world.
Mrs. Biggert. Mr. Dolloff?
Mr. Dolloff. I would agree with what Mr. Mohr just said. We
have backup facilities outside our immediate region. We,
however, are not an international or have an international
presence, so we would not have that capability to go outside
the United States, but we do have backup facilities.
Mrs. Biggert. Mr. Gaer?
Mr. Gaer. Like everybody else on this panel, our business
is intensely competitive. In an event such as 9/11, for
example, let us call it a sister exchange of ours. We got a
phone call from somebody across the pond to host their book,
and that was their biggest fear, if you will, because they felt
that once that liquidity goes offshore, it is going to stay
there.
As such, we do have a fully redundant trading facility
where if we needed to move trading, we could move trading to
that facility. We have two separate, fully redundant electronic
trading systems that if the facilities are not available, we
can use those facilities. We are in the midst right now of looking
at actually globalizing and providing a presence offshore as
well.
Mrs. Biggert. Thank you.
Mr. Tishuk?
Mr. Tishuk. You raise an important issue, but it falls
outside the scope of our particular mission.
Mrs. Biggert. Okay. Thank you. Thank you all.
I yield back.
Mrs. Kelly. Thank you, Ms. Biggert.
One thing I did want to just mention, Mr. Gaer you said
that you are dependent on the external infrastructures. I
simply want to offer this committee's help, if you have some
ideas of things that we might be able to do. You can certainly
call my staff. We would be very interested to do whatever we
can for you, because I realize that you are in many ways
affected by that more than some of the other people involved in
financial services.
Gentlemen, I neglected to say as you sat down that without
objection, your written statements will be made part of the
record. You have been recognized for 5-minute summaries of your
testimonies, but your testimony will be made a part of the
record, your full testimony.
The Chair notes that some members may have additional
questions for this panel which they may wish to submit in
writing. So without objection, the hearing record will remain
open for 30 days for the members to submit written questions to
these witnesses and to place their responses in the record.
We thank you very much for your patience and for your
testimony today. This hearing is adjourned.
[Whereupon, at 1:15 p.m., the committee was adjourned.]
A P P E N D I X
September 8, 2004